Vigilance and communication
You make a good point. As I said in another post, some studies indicate as much as 80% of security breaches are from internal sources, which is to say a company's own employees and trusted contractors. All the security in the world won't help if everyone doesn't take it seriously. An ongoing training and outreach program to make sure all staffers know what's expected of them can be effective. In addition, whoever's responsible for overall technology security needs to make sure senior management is aware of the risks and what's being done to mitigate them. If the top layer of the organization pays short shrift to this area, everyone else will too.
In the private sector Sarbanes-Oxley has required an enormous effort over the last few years to review internal controls and as a consequence improve the amount and quality of documentation of policies and procedures. In the public sector we have OMB directive A-123 and a process called Certification & Accreditation, which is pretty much the same thing. Smaller companies, which so far have been but are no longer exempt from these compliance requirements, are now starting to go through the same process, although Congressional guidance on just how far that sector needs to go is still forthcoming. Security and documentation should be built into all system development project plans such that budget, time, resources, and scope can be adequately assessed and assigned.
Thanks for your contribution.
