Benchmarking Your Current Security Posture
Security administration is not about achieving some unobtainable goal of absolute security. Instead, it's about managing risk. There will never be "absolute" security when it comes to computing environments, but there are ways to effectively minimize risk levels through reducing the number of vulnerabilities.
The first thing most people do when they inherit the responsibility of securing an environment is panic. The second thing they usually do is attempt to ascertain the current state of affairs. Understanding the state of the terrain is essential before moves can be made to secure it. This is why most security efforts begin with an assessment of some sort. Whether this assessment comes from an outside third party, or through the use of well-trained internal staff, the following areas should be investigated:
The current state of the security policies
The current state of security on the network
The current state of the system security
The current state of security of network applications
The current state of employee awareness
The current state of management awareness
The current state of information securitytraining efforts
Often times, organizations hire outside consulting firms to assess either all of, or particular components of, the previous list. Although few organizations have all these efforts defined and operating efficiently, it's important to document the status of these efforts. Documentation can be used for a number of things later on, such as aiding in the production of status reports, benchmarking progress, gaining further security funding, and identifying areas that need the most help. Regardless of how it is done, or by whom, getting a good idea of where you presently are can help you define where you want to be headed.
This third edition of Maximum Security can be used to help with many of these needs. For example, Chapter 11 covers the selection of vulnerability assessment tools that can help identify system security holes. Part VI, "Platforms and Security," can help with some of the details surrounding the securing of specific operating systems. Finally, Chapter 26, "Policies, Procedures, and Enforcement," can help with policy definition efforts.