Managing enterprise security is one of the most complex and time-consuming jobs imaginable. However, applying the simplest and most basic security measures will protect companies from close to 90 percent of the threats they might face. Here are the five basic steps recommended by eWEEK Labs.

Assessment

Step 1

Security risks in enterprise IT systems have many technical elements, but the magnitude of risk is largely determined by nontechnical factors, including business relationships and IT users' attitudes. Vulnerability assessment demands a multidisciplinary approach—especially because risk analysis shapes every subsequent aspect of an IT security process.

Unlike other assets, information can be stolen without being lost. It's not enough, therefore, to ensure that data remains available to those who are authorized to use it. Data access also must be denied to others, not just in the course of transactions but also during archive storage and even after disposal.

Every aspect of software availability must be scrutinized and addressed. Specific risk assessment steps include the identification of all software and hardware elements—perhaps including license files or authentication tokens—that need to be present for a particular application to be usable, followed by preparation of contingency plans for any disruption of those resources.

Managers also should discuss with risk-management professionals the extent of an organization's network interactions with suppliers and customers, and should participate in drafting appropriate agreements that limit liability for consequential damage not directly caused by the organization's own actions.

Security plans should also work hand-in-hand with regulatory-compliance mandates such as the Health Insurance Portability and Accountability Act and Sarbanes-Oxley. Many security applications and monitoring systems can serve double-duty in enforcing and monitoring regulatory compliance.

Click here for Step 2.