Taking Stock of Security
Everyone's aware that the boundary between the inside and the outside of an organization is where the barriers against bad guys are needed. Unfortunately, the barriers inside an organization, which are far too often overlooked, may be even more important than those on its periphery. An FBI analysis of security exploits from 2000 indicates that over 70 percent of all such events originate inside organizational boundaries.
That's why any systematic attempt to take control of system and network security must begin with an assessment and review of the current state of security in that environment. This means inspecting and analyzing user rights to systems and resources, as well as file and folder permissions on servers, desktops, and in distributed file systems. A thorough understanding of the default security settings in the operating systems and applications you use is also required, because in practice access controls seldom deviate from those defaults.
At the same time, it's essential to understand what kinds of security requirements can meet your organization's needs to protect valuable assets, restrict access to confidential or sensitive information, and manage access to routine information on the right kind of "need to know" basis. (For example, if Bob is Fred's manager, Bob needs to know how much Fred earns; if Sally doesn't work for Bob, he probably doesn't need to know how much she makes.) This kind of information needs to be compiled on the basis of job roles and information resources across an entire organization. When written up properly, a document called a security policy states these requirements in an intelligible way.
Proper security management is possible only when a series of surveys is performed, and changes are instituted to match actual security settings and controls to the organization's security policy. At that point, the security routine can begin: you monitor your systems and networks for potential vulnerabilities, respond to threats or incursions, and start to execute regularly scheduled security maintenance activities. This ongoing round of work explains why some experts think of security as a "state of mind" and why others call it a process rather than a destination. For my part, I like to state that security is something that's never finished: there's always something more to do!
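One small instance of the survey step described above, comparing the file and folder permissions actually present on disk against what a security policy allows, as an added example that is not part of the original article. The policy table, the `payroll`/`public` directory names and the sample files are all constructed for illustration; the policy grants each path a maximum mode, and any permission bit found on disk that the policy does not grant is reported as drift.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed policy: each entry maps a path (relative to the audited root)
# to the most permissive mode it is allowed to have. Paths the policy does
# not name fall back to DEFAULT_MAX_MODE.
POLICY = {
    "payroll": 0o750,              # owner rwx, group rx, no access for others
    "payroll/salaries.csv": 0o640, # need-to-know data: never world-readable
    "public": 0o755,
    "public/handbook.txt": 0o644,
}
DEFAULT_MAX_MODE = 0o755


def audit_permissions(root, policy=POLICY):
    """Walk root and return [(relpath, actual_mode, allowed_mode)] for every
    entry whose mode sets a permission bit the policy does not grant."""
    findings = []
    root = Path(root)
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        actual = stat.S_IMODE(path.lstat().st_mode)   # lstat: do not follow links
        allowed = policy.get(rel, DEFAULT_MAX_MODE)
        if actual & ~allowed:                          # any bit beyond the policy
            findings.append((rel, actual, allowed))
    return findings


def build_sample_tree():
    """Construct a throwaway tree in which two entries deviate from POLICY.
    chmod is applied explicitly because mkdir/open modes are subject to umask."""
    root = Path(tempfile.mkdtemp())
    (root / "payroll").mkdir()
    (root / "public").mkdir()
    (root / "payroll" / "salaries.csv").write_text("fred,52000\n")
    (root / "public" / "handbook.txt").write_text("welcome\n")
    os.chmod(root / "payroll", 0o750)
    os.chmod(root / "payroll" / "salaries.csv", 0o666)  # drift: readable/writable by everyone
    os.chmod(root / "public", 0o777)                    # drift: world-writable directory
    os.chmod(root / "public" / "handbook.txt", 0o644)
    return root


if __name__ == "__main__":
    for rel, actual, allowed in audit_permissions(build_sample_tree()):
        print(f"{rel}: mode {actual:04o} exceeds policy maximum {allowed:04o}")
```

In a real survey the policy table would be generated from the job-role and resource inventory the article describes, and the audit run against the actual servers and shares rather than a temporary tree.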