Security and the Internet
7. Planning Security
Look for the right balance between physical, technical and procedural controls.
7.1 Start by assessing the risks you face. Ask yourself:
- How sensitive is the information you hold?
- How important is your system to your business operation?
- Is there any reason why someone would want to target your system?
7.2 Decide how much it is worth spending on security. Unless you are involved in e-commerce, or heavily dependent on your system, you may not want to spend much.
- Good procedures and virus-checking software will be sufficient for most small businesses.
7.3 Review the effectiveness of your security on a regular basis.
- For some companies, this could form part of an annual audit.
- If employees are not following procedures, take steps to enforce them or change your security measures.
- Consider using external suppliers to assess or test your security.
7.4 The British Standards Institution's Information Security Management System standard (BS 7799) can be a useful tool for identifying and managing threats to your information security.
- Achieving the standard can be expensive, but you can choose to use it as a benchmark without undergoing the certification process.