Baking in security with a technology, practices, projects approach

Archive for September, 2005

How can we keep our IT systems secure?

It comes down to baking in the security from the beginning. Each new technology initiative is an opportunity to increase our overall security.

So we get a new project. In the beginning phases, while evaluating projects, we push to ensure that security is a consideration and that the vendors are asked about the security features as well as the functional features. Once the technology is selected and purchased, we work with the project team to ensure that security steps are included in the project plan. We pull the software in-house, install it, beat up on it, and assess for any vulnerabilities. When the project completes and the system is released to the end-users, it goes out the door in a secure state.

Such a secure state comes in part from experience, in part from training, and in part from industry practices. Proven practices such as vendor deployment guides or NIST publications are excellent sources of information-security guidance. As part of any project, or of securing any technology, such practices should be tried and evaluated. The goal is to apply not only what we know works, but also what the industry has found to work.

Researching and applying proven practices needs to be a task in every technology project. Take a Linux or a Windows server, install the new software for the project, and apply best-practice guidance to it. At the very beginning of the project, lock down files and registry keys. Work through any issues that the security settings may cause early on in the project, before other departments get involved. The result is a system as tight and neat as possible. By baking these steps into the project plan, we ensure that new systems come online securely.

Security is technology, practices, and project-centric.