The information technology department can often be undermanned, and a lack of trained personnel may be in place when trying to conform to industry standards for security. This can lead to poor or inadequate protection of data. Databases such as SQL, MySQL, SAP or Oracle can contain information on millions of customers, along with demographic information, all of which needs to be protected. With this much data, the overall risk becomes greater because of the loss that can occur.
With databases such as those listed above, multiple servers can be used for redundancy, creating twice the workload on IT personnel. This researcher, along with industry experts, agrees that logs on all servers should be in place for an adequate auditing system. Industry leaders also agree that even when security logs are in place, if the internal controls for auditing (the reading of logs) are not, this can lead to disaster and loss of data. Larger companies have a distinct advantage over smaller companies because of the minimal work required to keep their network infrastructure secure.
The short list of duties below is required to keep data protected:
• Periodic changes of passwords
• Updating of policy and procedures
• Auditing server logs
• Auditing firewall logs
• Researching new malicious threats at third party information sites
• Physical security
• Applying patches
• Applying service packs
• User management
• Monitoring spyware/malware
• Monitoring new installs
• Monitoring performance
• Monitoring IDS systems
• Monitoring anti-virus protection
Password policies are often overlooked after the inception of the computer network. Network administrators can use the group policy editor on workstations or rules in Active Directory to set password rules. Minimum-length, complexity and history settings can greatly increase computer and network security. Companies should look at updating policy and procedures in order to keep up with changes across their infrastructure. These regulations help to guide all levels of information technology professionals. Consistent and concise updating is critical to security in a network infrastructure. The auditing of logs at all levels is critical and cannot be stressed enough. These logs provide accurate details on the access and changes requested and made during a session.
All of the companies mentioned in this study review logs on a frequent basis. This becomes one of the single most important processes in looking for patterns and breaches of security. Research should be done on a daily basis at third party security sites. This action goes hand in hand with the monitoring of IDS systems, service packs and updates, antivirus suites, firewall and security logs, along with the overall “health” of the network. This research is important for “not missing” information that can be critical to a company’s survival. According to Juniper Networks, 93% of companies who lose data center access for 10 days or more file for bankruptcy protection within a year of the loss, and a breach can cost an average of $475,000 in losses and the recovery of the data. Physical security breaches are likely to be caused by employees of companies.
Over 76% of companies surveyed by Juniper Networks reported that physical security breaches and hacking were more than likely caused by internal resources.
Often companies overlook user management and fail to restrict access as needed, and they fall short on maintaining an archive of users and former users/employees of a network infrastructure. All of these items are found in the policy and procedures at the Allen Company, Neill Company, Taylor Company and a higher education facility. Because of these standards, a distinct “upper hand” is given to the companies. Each of the above items is looked at on a daily basis, and these companies review the overall standards set by third party vendors. Smaller companies, on the other hand, may not have the financial or physical resources to comply with these standards. These companies may outsource their work to small firms or “mom and pop” companies that may not be properly trained in any of the above areas. Often small companies have no policy and procedures in place, and when violations or breaches of security take place, these companies may not have any idea that data has been compromised. Larger companies often recommend an internal policy for small companies.
The research found through the interview of experts at the Allen, Neill and Taylor companies indicates that small companies should hire reputable outside companies that have certifications in the area of security. Policy and procedures are a set of directives used to outline the hierarchy of the information technology personnel department and its day-to-day procedures. The importance behind these directives cannot be stressed enough. Included in these procedures are the “what ifs” for disaster recovery and planning. With millions of records in place, disaster planning becomes an integral part of computer and network security.
The mentioned companies have all implemented policies and procedures to protect the assets in their companies. Information technology departments often become stressed with the day-to-day activities of monitoring security, and an air of complacency can fall over the staff. Management needs to have an internal auditing process available for the IT department to be sure that the department stays in compliance with industry-related security procedures. Auditing teams and committees need to be formed to review and to govern the actions of the information technology department.
This article presented discussion and cited expert opinions on how computer and network security can affect both managerial and IT personnel. Companies wishing to be secure must meet strict guidelines as outlined in order to protect their personal and client data. The ability of companies to protect their network through internal company security and auditing controls and to understand new laws and technology will have a dynamic impact on the company’s survival. This research shows that larger companies and corporations have a direct advantage over small companies. It could take small companies months to adopt strict guidelines and regulations to conform to what industry experts call “in compliance”. Initial startup cost could be several thousand dollars along with several thousand dollars to train information technology personnel.