Information Security Assessment: Procedures and Methodology
When investing in technology isn’t enough
Dario Forte

It very often happens while setting up or renovating company IT infrastructure that most of the investment goes into purchasing new products. In particular, this may occur in the area of security, which is often not given the attention it deserves. The worst error one can commit is that of spending hundreds of thousands of dollars on perimeter protection products (firewalls, content filtering, etc.) and rearguard products (intrusion detection systems) without having assessed vulnerabilities and assets, and developed a post-implementation security management program.

This article will present the basic parameters that everyone (buyers and providers of service) should know in evaluating the right people to deal with and the best approach to addressing the associated issues.

The key concepts

There are some basic concepts that you should know regarding company information security. The mistake is often made of thinking there are ‘big’ or ‘small’ problems and that a company is at risk only if it belongs to the enterprise segment. This is clearly wrong; there is only one category of problem, and companies whose information is vulnerable all run the same risk. The key points in information security are the following:

• Understand the company’s security needs in relation to the type of business it is engaged in.
• Develop and adhere to security policies. This crucial element follows the initial audit of the company situation.
• Review and (re)design the security architecture.
• Organize interaction procedures between users and technical staff.
• Decide on investment processes and incident intervention procedures.

The procedural outline

By ‘Information Security Assessment’ (ISA) we mean the set of procedures to be used for the security packaging of the IT infrastructure. An ISA procedure comprises the following steps:

• Analysis of the company core business. The firm’s main activities are assessed in order to determine company objectives (current, past and future, over a three-year time span). A full understanding of the core business is essential for obtaining a sufficiently detailed initial picture of the points in the infrastructure potentially at risk of attack.
• Description of preliminary issues and objectives. This is usually done after having carried out a management audit, which in turn is composed of various steps. Specifically, such an audit comprises a series of interviews with company technical managers, followed by a network vulnerability analysis. We’ll get into this in more detail later.
• Policy design. Where security policy is lacking or imperfectly implemented, a thorough revision of the pertinent documentation is carried out.
• Infrastructure design/engineering. This part has to do with the procurement of hardware and software.
• Disaster and incident recovery planning. It is hoped that this part of the security plan is never put into practice. However, one must be ready for everything.

Analysis of company core business

This task is generally carried out by an external auditor who conducts a series of interviews with company middle management. There is usually a sort of initial questionnaire tailored to the specific responsibilities of the interviewee. The main objective is to gather as much information as possible on the company’s background and future prospects. Specifically, the following information is sought:

• Information on the company’s operational objectives over the preceding three years, with particular emphasis on marketing and publicity investments. Although apparently unrelated to the subject at hand, this factor is actually of fundamental relevance, since it is very important to know what sorts of operators (client or competitor) have knowledge of company operations.
• Financial data on the current fiscal year as well as the subsequent two-year period. This is helpful in reviewing the types of technological investments planned within the framework of the company’s strategic vision.
• If the company has past experience in electronic commerce, information on turnover by segment (business-to-business and business-to-consumer) is requested. This information is relevant for a subsequent analysis of the virtual private network (VPN) in the business-to-business case, and of horizontal ‘cryptosystems’ in the business-to-consumer case.