Best security practices don't exist. If they did, the company implementing them would be spending too much money trying to secure its information and, worse, would more than likely be stopping the business from operating. The best an organization can do is evaluate its risk, comply with applicable standards at the minimum level required, and implement just enough control to reach that state.
Some organizations do require state-of-the-art security: certain three-letter government agencies, the R&D arms of firms holding high-value intellectual property, and operators of transactional or money-transfer systems. For most of the IT world, successful IT professionals balance the cost and burden of security controls, and IT costs in general, against the risk, to arrive at an appropriate and acceptable level of exposure.
The Food and Drug Administration's Web page on information security states that GxP is the current standard for various regulatory compliance areas for pharmaceutical companies. GxP stands for Good Practice, not best practice: Good Manufacturing Practice, Good Clinical Practice, and so on. That is worth pausing on: "good" is the bar set for manufacturing life-saving drugs.
Looking further afield, building codes define "minimum acceptable standards" that homes, lots and structures must meet before they can be occupied. Similarly, the legal community works from the standard of the reasonably prudent person. Doctors and other professionals are typically held only to a standard of reasonable or ordinary care, not excellent or the best possible care.
So IT and business professionals should not be asking for best practices; they should determine appropriate and reasonable controls to protect information and maintain compliance with federal regulations. Even the regulatory guidelines allow flexibility in the choice of controls, as long as the information is adequately protected and a documented risk assessment was used to decide what is reasonable and appropriate.
To determine whether you're spending the appropriate amount on security controls, perform a risk assessment for every significant technology decision. Documenting the outcome, and how you arrived at the decision, is what an auditor or regulator will ask to see; it helps your organization meet regulatory and legal requirements, and it earns you the respect and admiration of the business units and the bean counters.
Take, for example, a network architecture migration. Engineers presented a fully redundant, resilient design for a branch office. The design specification was based on what the engineers termed a "best practice" and on input from the remote workers, who said they had to be on the network or their work would grind to a halt.
A risk assessment was performed. Although the remote site was important, it could be down for several hours before the overall organization felt a significant effect. The office and network staff had overestimated the importance of the operation to the business and built a design almost four times as expensive as it needed to be: highly available equipment costs more, and a fully redundant design needs twice as much of it. The tolerable outage window, not the workers' own estimate of their importance, is the figure that should size the design. The security/risk team suggested lower-availability equipment and saved the organization money. The best practice was too much for the job.