In the quest for an ironclad information-security program, organizations typically take a textbook approach: First, a business-impact analysis and asset-assessment study identify critical data needing protection and the servers where that data resides. Then, security policies are developed from these studies, your business plan and organizational goals. These policies drive the development of guideline documents defining the requirements necessary to achieve the goals of the policy: for example, if a specific server is designated as critical, your access policy for that server will be stringent.

Essentially, you're taking your policy statements and codifying them into a series of checks.

But even the most well-conceived policies will fail if the effectiveness of the program cannot be measured. How do you gauge the effectiveness of a firewall strategy or a VPN, IDS or antivirus deployment? More practically, how do you ensure that networked devices like desktops, servers, switches, routers and firewalls are configured properly? Absent tools that can provide a holistic view of the network, administrators are left to fumble along. Without measurements, you're blind.

The link for this article located at Network Computing is no longer available.