How would your company deal with an attack on its information assets? If you are the CIO, what would you do?
Like it or not, the CIO is also the company's chief information security officer. If the company's information systems are vulnerable, the CIO is the one who is accountable. The CIO's duties include:
Take responsibility for security
The CIO should regard the security, integrity and availability of the company's computer networks as one of his or her own major responsibilities. This work cannot be outsourced. The CIO should have the authority to ensure that any information security violation can be collected, analyzed and investigated at any time, wherever it occurs, and should have a means of monitoring whether people comply with information security policies. The board of directors, and the chairman in particular, should oversee the CIO to ensure that information security risk does not exceed the level the company has decided to accept.
The CIO should also direct the developers under him or her so that information security becomes an integral part of information system design. Designing security into a system from the start is usually not expensive; adding it after the fact is late, costly and often not worth the effort.
Appoint independent security staff
Large companies need visible, trustworthy experts who can analyze the company's critical exposures and implement measures to prevent attacks on its information, including attacks that depend on the cooperation of trusted employees and contractors. These staff should oversee the following:
Information security assurance: informing senior management of the soundness and reliability of existing information security functions.
Security coordination: ensuring that the functions that affect information security operate as one integrated process rather than as isolated tasks.
Incident assessment: evaluating and interpreting every case in which information security is, or may have been, compromised.
Security staff should have the authority to review all information-handling activities and procedures, and to verify that systems are secure.
The company also needs an independent technical review body to confirm that information security design principles are actually followed. Without independent verification, the usual danger is that the people who introduce information security risks are not the ones who identify them.
Protect the security budget
The CIO should strive to invest a substantial share of information system resources in security projects. Security funding faces two objections: the information systems themselves are already expensive, and the return on security spending is slow to appear.
Budget carefully for the security cost that each user represents: security ID cards, anti-virus software, Internet firewall servers, secure identification numbers for employees working remotely, encryption software, intrusion detection systems, centralized security management and security testing staff. Add to this the cost of the delays and inconvenience caused by security routines, and the annual cost can reach $1,000 per user, or 10% to 15% of the cost of a workstation.
One remedy is to prohibit the use of floppy disks, removable cartridges and removable hard drives on the network unless their use is verified and recorded. At least a quarter of that cost can be traced to removable media: when a user installs incompatible or wrong software, the resulting problems increase the demand for support services, and almost every information security vulnerability can be exploited through a removable disk.
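The two points above, monitoring whether people comply with policy and permitting removable media only where their use is verified and recorded, can be combined into a simple audit. The following is an added example and is not part of the original article: it parses Linux kernel log lines in dmesg style (the format is assumed; the sample lines are constructed for this example), joins each USB mass-storage attachment to the device's reported serial number, and flags any attachment whose serial is not in a hypothetical register of company-issued media.

```python
import re

# Constructed sample kernel log lines in Linux dmesg style (not from any real
# system): a registered flash drive, an unregistered one, and a keyboard.
SAMPLE_LOG = """\
[  102.311] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  102.312] usb 1-1: SerialNumber: 4C530001230101
[  102.510] usb-storage 1-1:1.0: USB Mass Storage device detected
[  103.600] sd 6:0:0:0: [sdb] Attached SCSI removable disk
[  250.200] usb 1-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[  250.201] usb 1-2: SerialNumber: ZZ99UNAPPROVED
[  250.300] usb-storage 1-2:1.0: USB Mass Storage device detected
[  251.400] sd 7:0:0:0: [sdc] Attached SCSI removable disk
[  300.000] usb 1-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.01
[  300.001] usb 1-3: SerialNumber: KB0001
"""

# Hypothetical register of removable media the company has issued and approved.
ALLOWED_SERIALS = {"4C530001230101"}

RE_IDS = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
RE_SERIAL = re.compile(r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
RE_STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def audit_removable_media(log_text, allowed_serials=ALLOWED_SERIALS):
    """Return one record per mass-storage attachment found in log_text.

    The device identity lines and the usb-storage line share a port id such
    as "1-1", which is used to join them. A device that never reported a
    serial number is treated as unregistered, so it is flagged as well.
    """
    devices = {}   # port -> {"vid", "pid", "serial"} accumulated from earlier lines
    events = []
    for line in log_text.splitlines():
        m = RE_IDS.search(line)
        if m:
            devices[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "serial": None}
            continue
        m = RE_SERIAL.search(line)
        if m:
            devices.setdefault(m["port"], {"vid": None, "pid": None, "serial": None})
            devices[m["port"]]["serial"] = m["serial"]
            continue
        m = RE_STORAGE.search(line)
        if m:
            dev = devices.get(m["port"], {"vid": None, "pid": None, "serial": None})
            events.append({
                "port": m["port"],
                "vid": dev["vid"],
                "pid": dev["pid"],
                "serial": dev["serial"],
                "authorized": dev["serial"] is not None and dev["serial"] in allowed_serials,
            })
    return events


def unauthorized_attachments(log_text, allowed_serials=ALLOWED_SERIALS):
    """The subset of attachments that violate the removable-media policy."""
    return [e for e in audit_removable_media(log_text, allowed_serials)
            if not e["authorized"]]


if __name__ == "__main__":
    for e in audit_removable_media(SAMPLE_LOG):
        status = "registered" if e["authorized"] else "VIOLATION"
        print(f"{status}: port {e['port']} vid={e['vid']} pid={e['pid']} serial={e['serial']}")
```

The keyboard on port 1-3 produces no record because it never announces a mass-storage interface, so only actual media appear in the use record; the drive on 1-2 is reported as a violation because its serial is not in the register. In practice the log source would be the host's kernel ring buffer or a forwarded syslog feed rather than the embedded sample, and the register would be maintained by the security staff described above.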
Senior executives sometimes think the view of information security set out above is alarmist. I would say to them: "Serious damage from the failure of a critical computer facility is only a matter of time. Paranoia, the belief that someone intends to harm you, is not always imaginary. If you believe there are competitors who want to harm your company, then being careful may be essential to survival."