IT Security in 2006: Four Areas to Take Action

After a year filled with information security breaches, one security expert is wondering, did we learn anything in 2005? And, even more importantly, what does it mean for 2006?

According to an opinion piece by security expert Penny Klein on the Security Planet website, 2005 raised a number of questions in IT security. “During 2005, did we embrace our information assurance policies and enforce the rules? Did our renewed contingency planning and disaster recovery efforts help when disasters struck? Have we, as information assurance professionals, kept pace with technology, and those who would do malicious harm to our systems?”

Throughout the article, Klein highlights some of the IT security issues from last year to see if we really did learn the lessons of 2005. Those highlights include:

- Regulations, policies and standards, including many by the National Institute of Standards and Technology (NIST) addressing security controls and risk management. “We have the policies and procedures for great security,” Klein says. “What is lacking is the enforcement of these policies.”
- Enforcement of information assurance policies. “The General Auditing Organization (GAO) is publishing more reports on agencies that have not correctly or thoroughly implemented security in their environments,” she says.
- Progress in technical controls. This year has “seen a progression from defensive features to proactive features,” Klein says, a trend that needs to continue.
- Increased continuity & disaster recovery, particularly post-Katrina. “Those companies that had plans in place and had tested those plans, survived,” she says. This year, however, “continuity planning must move from being system-based to enterprise levels, taking into account people and processes.”

The full article is available at http://www.esecurityplanet.com/views/article.php/3573631