Information Security in Organisations
Information security is always the top priority in management's mind in any organization, but when it comes to cost it always takes a back seat. Many organizations try to prioritize security work, but it gets lost in the day-to-day work. What should be considered in this aspect?
- Improve software development and operations’ security practices.
- Unify the security practice across all product development and operations teams
- Understand Company Information Security or IT security policy
The most critical difference between secure software and insecure software lies in the nature of the processes and practices used to specify, design, and develop the software . . . It's all about building secure software!
Software security is the process of designing, building, and testing software for security. It means taking the pro-active approach: building security into the software as opposed to securing it after building it. Software security is a system-wide issue that involves both built-in security mechanisms and designing the system to be robust. You can't spray-paint security features onto a design and expect it to become secure. Most approaches in practice today involve securing the software after it has been built. That is not the best approach, and it has proved not to be effective enough (we still have our software meddled with by hackers, don't we!).
When we talk about security management practice, we should think about security practice activities at various stages:
- Define security standards and policies
- Follow the System Development Life Cycle (SDLC)
- Govern deployment or implementation with secure guidelines
- Govern continuous operations and maintenance with security in mind
The primary advantages of pursuing a Secure SDLC approach are:
- More secure software as security is a continuous concern
- Awareness of security considerations by stakeholders
- Early detection of flaws in the system
- Cost reduction as a result of early detection and resolution of issues
- Overall reduction of intrinsic business risks for the organization
For the whole SDLC, information exchange and securing business data, the following approach guideline can be adopted.
In order to have proper governance and improvement, the following sample RACI matrix could be used.
Security cannot be built in one day; it is evolutionary and cannot be forced on an organisation, it is developed in the culture. So an organisation should work on security every day, right from the beginning.
Author: Daya Shanker