IBM Research: Press Resources

Securing Your e-business: 10 Tips for Protecting Online Companies


WASHINGTON, DC, February 15, 2000 -- Companies looking to capitalize on the e-business revolution need to make Internet security a top priority, says one IBM senior executive.

Nicholas Donofrio, senior vice president and group executive for IBM's Technology Group, spoke today at the White House's Internet Security Summit, a meeting of government and IT industry leaders to determine proactive measures for reducing the likelihood of security-related incidents.

"If you are going to establish your company as an e-business, you need an aggressive and proactive security policy," said Donofrio. "No company would ever consider establishing a physical presence without locks on their doors, video cameras, alarm systems and security people. Yet every day, hundreds of new Web enterprises do exactly that. The recent denial of service attacks are strong reminders that security needs to be the priority of every online business."

IBM security experts advise that companies use the following checklist to evaluate their online security practices:

e-business Security Checklist

1. Implement a thorough and aggressive security policy that is reflected throughout your business, including firewall configurations, access controls and employee communications.

2. Conduct a security awareness campaign to regularly remind employees of their security responsibilities (via web-based certification or regular emails, for example).

3. Install a firewall on outside borders, as well as internal (between HR and engineering departments, for example). Be sure to change the default settings, which can be easily defeated.

4. Use intrusion detection software. This is like having burglar alarms and motion detectors, but for your network. Just as with the firewall, it's important to have intrusion detection on external and internal networks.

5. Distribute antivirus software. The best antivirus systems will have an easy, effective update mechanism to ensure thorough coverage.

6. Establish rules for password selection. Determine very clear guidelines for passwords (such as "six characters with at least one numeral") and an easy way to verify whether or not a password is acceptable, ideally enforced automatically at the moment a password is set. Passwords should also be changed periodically.

7. Perform security audits on a regular basis. These should be unannounced and random -- some electronic, some physical; some stealthy, and others blatant. The ultimate goals of these audits are to get into the target system, access valuable data if possible, and determine if the intrusion was even noticed.

8. Designate someone as the main network security contact and determine clear procedures for reporting and responding to security issues. Employees should clearly understand whom to report incidents to and should report all incidents that appear to breach the security policy.

9. Ensure that system administrators stay abreast of security advisories and make security-related changes in a timely manner. These are the folks on the front lines, so they need to be as proactive as possible and in a position to react quickly to security issues.

10. Have a clear policy for action when an employee leaves for any reason. Actions to take quickly include disabling an ex-employee's building and computer access, deleting or redistributing computer accounts, and changing all passwords and access codes that employee may have known.
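Item 6 asks for clear password rules and an easy way to check them. The following is an added example, not IBM code from the press release: a small policy checker that enforces the release's own example rule ("six characters with at least one numeral") and flags passwords older than a maximum age, which is how "changed periodically" is usually enforced. The 90-day limit, the `PasswordPolicy` and account names, and the sample passwords are assumptions constructed for this illustration.

```python
"""Password-policy verifier illustrating checklist item 6.

Added example, not IBM code. The policy defaults follow the press release's
example rule; the 90-day maximum age is an assumed value. The check runs on
the plaintext at the moment a password is chosen, because a properly stored
password exists only as a hash afterwards and cannot be re-checked later.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 6      # "six characters" (release's example)
    min_digits: int = 1      # "at least one numeral" (release's example)
    max_age_days: int = 90   # "changed periodically"; 90 days is assumed


def check_password(password: str, policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return the rules the candidate password violates; an empty list means acceptable."""
    failures: list[str] = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    digit_count = sum(ch.isdigit() for ch in password)
    if digit_count < policy.min_digits:
        failures.append(f"fewer than {policy.min_digits} numeral(s)")
    return failures


def password_expired(last_changed: date, today: date,
                     policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """True if the password has not been changed within policy.max_age_days."""
    return today - last_changed > timedelta(days=policy.max_age_days)


def audit_accounts(accounts: list[dict], today: date,
                   policy: PasswordPolicy = PasswordPolicy()) -> dict[str, list[str]]:
    """Report every account whose stored last-change date breaches the rotation rule.

    `accounts` holds constructed records of the form
    {"user": str, "last_changed": date}; only accounts with a problem appear
    in the result. No plaintext is inspected here, only the change date.
    """
    report: dict[str, list[str]] = {}
    for acct in accounts:
        if password_expired(acct["last_changed"], today, policy):
            age = (today - acct["last_changed"]).days
            report[acct["user"]] = [f"password is {age} days old (limit {policy.max_age_days})"]
    return report


if __name__ == "__main__":
    # Constructed sample input: candidate passwords at set time.
    for candidate in ("abc1", "abcdef", "abcde1"):
        verdict = check_password(candidate) or ["acceptable"]
        print(f"{candidate!r}: {', '.join(verdict)}")

    # Constructed sample input: account rotation dates, audited on the release date.
    sample = [
        {"user": "alice", "last_changed": date(2000, 1, 1)},
        {"user": "bob", "last_changed": date(1999, 10, 1)},
    ]
    print(audit_accounts(sample, today=date(2000, 2, 15)))
```

The checker reports every rule a password breaks rather than stopping at the first, so the user sees the full set of requirements at once; the rotation audit never needs the plaintext, which keeps the "periodic change" check compatible with hashed password storage.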





Copyright (c) 2009 by IBM Corporation. IBM, the IBM logo, and the IBM e-business Logo are registered trademarks of International Business Machines Corporation.