Sometimes we get so wrapped up in what we're doing down in the security trenches that we lose sight of the overall objectives. When that happens, bad things can occur.
I have mentioned before that I live in a remote community deep in the Adirondack Park in upstate New York. Our house is on one of the larger lakes, and that lake is interconnected with a huge system of creeks, streams, smaller lakes and ponds. It is a canoeist's dream. On a recent weekend, my wife and I packed off for an 8-mile paddle. It was a beautiful day and the trip was great -- until the end. On our return, as we left the protected creek we'd been traveling on, we saw every canoeist's nightmare: a powerboat pulling a water skier heading straight for us. The boat had the required two people in it, but they were both looking backwards at the skier. It was the skier who finally saw us (as I was waving my paddle furiously in the air) and motioned to the driver to look around.
What was wrong is that the driver forgot his primary objective. He should have been driving the boat, not watching the skier. After I settled down from this, and survived the wake from this close call, it occurred to me that when we get down in the trenches in our jobs as security officers, we, too, can easily forget to "drive the boat."
What do I mean by that? I mean your overall corporate objectives. Why are you in business? What's your end product? How is it getting delivered? What is your place in the process? Is what you're doing helping to meet the objectives? Or, if you've forgotten to "drive the boat," is what you're doing making it harder for everyone else to keep on track?
Often, in our zeal to keep things safe, we make it hard for everyone else to just do their jobs. If that's happening in your shop, you should take a second look at what you're doing. Security should be done in such a way that legitimate users (your customers) are able to do their jobs without having to jump through any hoops, not even little ones. At the same time, you need to be able to identify risk areas and set up an environment where unauthorized users cannot easily get to automated company assets.
So, how do you know how you are doing? Start by checking on your phone calls and end-user e-mail. What's the most common complaint in the past few weeks? If you get a lot of calls for the same reason, that might be an area that needs some attention. For example, do you have situations where you require multiple log-ons to gain access to your system? Each additional log-on takes time and is not very productive. If your risk assessment is fairly low, look at ways to implement a single sign-on. Do you often get calls from users who can't access some bit of data that they need? If so, then it might be time to reassess your data access policies to bring them up to date. Every time someone has to call to get a security change implemented, they aren't "driving the boat," and the results could be very bad.
I'd love to hear your war story along these lines. If you have a good one, send it in and I'll collect and publish them at some point down the road. If you have any questions about anything in this tip, just ask me and I'll give you my best shot. My e-mail address is firstname.lastname@example.org. All e-mail will be answered.
About the author:
Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the AS/400 market.