The policy is the defining part of any security process. It sets out exactly what needs to be done, identifies what matters most to the organisation, and embodies some of the most vital messages the organisation wants to communicate.
Policies define the culture of the organisation and are crucial to the organisation's compliance with the many laws and regulations to which the business is subject.
Best practice policy
Most organisations have at least some documented policies, perhaps covering a limited range of issues key to the business. While some areas - especially human resources - normally have well-established procedures, there are a number of key areas which are often under-developed.
These often relate to IT, where the fast-changing world of software and hardware technology makes it difficult to keep on top of the latest technologies and issues while, at the same time, serving the users and the business.
But where do you start? For most organisations a security policy needs to be based on business need.
"To formulate an adequate security policy, it is vital that the organisation understands exactly what needs protecting, and from whom," says Gary Clarke, vice president of sales and marketing at Rainbow Technologies.
"Evaluating who within the organisation needs access to certain types of information is key to developing an adequate security strategy. Who should be granted access, for how long and under what circumstances?
"By answering such questions a company can tailor a security policy to its own specific needs, and, once the policy has been recognised and understood across the company, the relevant technology can be implemented to safeguard sensitive information."
For those organisations which do not have the expertise or time to write policies in-house, pro forma policies are available via the internet, often for free or for a nominal fee.
The problem is that the policy is up-to-date only on the date of purchase. It is the buyer's responsibility to keep it updated. Another disadvantage with these policies is that they can often be difficult to tailor to your own needs.
"Protecting information and ensuring compliance with standards of good practice is an increasingly important part of good business management," says Jason Creasey, senior project manager at the Information Security Forum. "Organisations need a clear definition of what constitutes good practice in information security."
The Information Security Forum publishes a standard of good practice, one of the most concise available for free.
"The standard provides a framework that has been created through the work and experience of our member organisations," says Creasey.
"It can be used to help an organisation to assess its security situation and performance, along with enhancing awareness, checking compliance with industry standards and regulations and maintaining business integrity."
A more practical option is to bring in an outside consultant to assist with policy drafting - or at least to review what has been produced in-house. This gives all concerned additional peace of mind and may be a more efficient use of management time.
The burden of updating a policy can also be shifted to the third party, allowing the IT department to concentrate on the task of implementation.
Wireless security best practice
Wireless local area network (Lan) technology is already common in many organisations, and has proved itself to be a quick, easy and cheap means of extending the reach of the corporate Lan, providing mobility and roaming, and improving productivity by increasing access to network resources.
However, wireless networks are also one of the biggest potential crisis points for IT security, posing the risk of leaving the network wide open to the outside world, and so putting systems and data at risk.
Companies looking to deploy wireless Lans, or which already have them, must ensure that policy and administration take into account the potential risks of a wireless Lan, and that these are addressed rather than simply being documented.
Angelo Lamme, international wireless and security manager for 3Com, lists the following considerations for maintaining security and aiding administration of a wireless network:
The traditional approach to policy deployment is to issue a new employee with a staff handbook - with a clause in the contract obliging them to read the information. The reality, however, is that few people will take the trouble to carefully read a policy handbook, and they are rarely updated.
Baltimore Technologies principal consultant, Ian White says companies must pay more attention to education and communicating the point of their policy to staff, rather than just expecting it to be adhered to.
"One of the most cost-effective security measures that a company can implement is to raise the level of security awareness in staff and customers through the use of a small number of targeted security messages," he says.
Even a modest increase in the general level of security awareness is likely to result in more instances of unusual behaviour being noticed and may deter potential attackers.
Lack of understanding about policies is evident not only on the shop floor, but also in the boardroom. IT departments continue to battle to explain that a policy applies to all.
"The chief executive can unwittingly pose the greatest security threat," says Clarke. "While having unlimited access to all data and systems, it is also probable that he or she is least likely to appreciate the need for security controls.
"Consider the case of the chief executive who finds it difficult to remember new passwords. They inevitably will at best select a weak password, or in the worst case scenario will write down the new password on a Post-It note where it might be found and used by an unauthorised person."
This is a problem for IT departments, which sometimes find themselves placed in an unacceptable position where their authority and responsibility to the business is compromised by senior management.
So as well as laying down the reasons why operational policy is in place, it's also important that a policy details the business and productivity argument.
This, in turn, will make it easier to argue the case with the board on budget, let alone compliance.
"A chief executive's focus is not security, it's ensuring that they get the best for their stakeholders," says Clarke.
"This means that expensive deployments to ensure the security of the company could well be curtailed by the board, because they see the security measures they have in place as adequate because no damage has been done and new deployments are overkill.
"Only when a virus shuts down the network for a few days will they ask why security was not good enough."
While the consequences of not being able to demonstrate the required level of compliance are sometimes purely financial, it would be unwise to underestimate the hidden costs of lost management time and negative publicity that can stem from compliance failure.
Similarly, while penalties for compliance failures have traditionally been a problem for the business itself, there is an increasing tendency to look behind the corporate veil towards those with stewardship of the organisation. The creation of well-drafted policies and their effective deployment can have a significant impact on minimising the occurrence of compliance breaches.
Making passwords work
In their simplest form, passwords are a string of characters chosen by a user to substantiate their identity, authority, access rights and so on, to the computer system that they wish to use. They remain central to all computer systems.
But choosing an 'impossible to guess' password is just the start. Management of the password will determine its effectiveness. The following best practice guidelines should be observed:
One of the biggest problems with antivirus technology is that, unlike many other security technologies, you cannot reliably use multiple antivirus applications on a single machine.
The invasive and probing techniques used in the process of looking for and removing viruses from a system often resemble the activities of viruses themselves, so running multiple antivirus applications on the same machine will usually result in one antivirus client mistaking another for a virus and vice versa.
The answer is often to use different brands of antivirus spread across the IT infrastructure, ensuring that there is antivirus coverage on file servers, application servers, mail gateways, desktops, laptops and so on, but using a different brand on each tier to limit the exposure resulting from a failure in any one make of antivirus.
But all this remains useless unless the applications are kept up-to-date. So prevalent are viruses that major antivirus vendors find themselves issuing def file updates (a def file is a database of known viruses and behavioural information to assist in heuristic scanning) on a daily basis.
Mechanisms need putting into place to ensure that applications on all platforms are up-to-date.
Most vendors have enterprise management tools that can automate the distribution of def files, application updates and patches at login and in the background, as well as allowing centralised management of all users of a given antivirus application.
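The two points above (spread brands across tiers so that one product's failure does not expose everything, and keep definition files current on every platform) can be turned into an automated check. The script below is an added example written for this article, not code from any antivirus vendor or from the article itself; the host inventory, brand names, hostnames and dates are constructed, and in practice the inventory would be pulled from the vendor's enterprise management console or an asset database.

```python
"""Audit antivirus coverage and definition-file freshness across an estate.

Added example (not from the article). It checks a host inventory for four
conditions the article warns about: hosts with no antivirus at all, hosts
whose def file is out of date, infrastructure tiers with no coverage, and a
single brand being the only protection on several tiers at once.
"""
from collections import defaultdict
from datetime import date, timedelta

# Tiers the article lists as needing antivirus coverage
REQUIRED_TIERS = ("file_server", "application_server", "mail_gateway", "desktop", "laptop")

# Constructed sample inventory (hostnames, brands and dates are made up).
# 'av' is None when no antivirus client is installed; 'defs_updated' is the
# date of the last def-file update reported by the client.
INVENTORY = [
    {"host": "fs01",   "tier": "file_server",        "av": "VendorA", "defs_updated": date(2024, 5, 10)},
    {"host": "app01",  "tier": "application_server", "av": "VendorB", "defs_updated": date(2024, 5, 10)},
    {"host": "mail01", "tier": "mail_gateway",       "av": "VendorA", "defs_updated": date(2024, 5, 3)},
    {"host": "pc-001", "tier": "desktop",            "av": "VendorC", "defs_updated": date(2024, 5, 10)},
    {"host": "pc-002", "tier": "desktop",            "av": "VendorC", "defs_updated": date(2024, 5, 9)},
    {"host": "lt-001", "tier": "laptop",             "av": None,      "defs_updated": None},
]


def unprotected_hosts(inventory):
    """Hosts with no antivirus client installed at all."""
    return sorted(h["host"] for h in inventory if h["av"] is None)


def stale_hosts(inventory, today, max_age_days=2):
    """Hosts whose def file is older than max_age_days.

    Vendors ship def files daily, so a two-day allowance gives one missed
    update cycle of slack before a host is reported.
    """
    cutoff = today - timedelta(days=max_age_days)
    return sorted(
        h["host"] for h in inventory
        if h["av"] is not None and h["defs_updated"] < cutoff
    )


def uncovered_tiers(inventory, required=REQUIRED_TIERS):
    """Required tiers on which no host runs any antivirus."""
    covered = {h["tier"] for h in inventory if h["av"] is not None}
    return [t for t in required if t not in covered]


def single_vendor_exposure(inventory):
    """Brands that are the only antivirus on two or more tiers.

    One brand per tier is expected; a brand that is the sole protection on
    several tiers is a single point of failure for all of them, which is the
    exposure that mixing brands across tiers is meant to limit.
    """
    brands_by_tier = defaultdict(set)
    for h in inventory:
        if h["av"] is not None:
            brands_by_tier[h["tier"]].add(h["av"])
    sole = defaultdict(list)
    for tier, brands in brands_by_tier.items():
        if len(brands) == 1:
            sole[next(iter(brands))].append(tier)
    return {b: sorted(t) for b, t in sole.items() if len(t) >= 2}


def audit(inventory, today, max_age_days=2):
    """Run all checks and return the findings as one report dict."""
    return {
        "unprotected": unprotected_hosts(inventory),
        "stale": stale_hosts(inventory, today, max_age_days),
        "uncovered_tiers": uncovered_tiers(inventory),
        "single_vendor_exposure": single_vendor_exposure(inventory),
    }


if __name__ == "__main__":
    for finding, detail in audit(INVENTORY, date(2024, 5, 10)).items():
        print(f"{finding}: {detail or 'none'}")
```

Run against the sample inventory on 10 May 2024, the report flags the laptop with no client, the mail gateway whose def file is a week old, the laptop tier as uncovered, and VendorA as the sole product on both the file server and the mail gateway. Scheduling such a check daily, with its output fed to the helpdesk, is one concrete form of the "mechanism" the article calls for.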
Further reading:
A set of resources for network and application security can be found here.
Papers on policy management best practice can be found here.
A template for security best practice devised by the US Department of Energy can be found here.
The Information Security Forum's Standard for Information Security is available here.