Improving Enterprise Security: From Parts, the Whole
Letter From the Editor
Vic Wheatman 
1 February 2002

Security is now front and center because of world events and also because of continual waves of new technologies and vulnerabilities. This turmoil means that security initiatives must be ongoing and never finished. Enterprises should strive for "due care," "due diligence" and "commercially reasonable security." However, there are no specific definitions for these terms. Also, in some cases, "good enough" is not good enough; in others, it's perfectly fine.

This issue of the Security and Privacy Spotlight shows how enterprises can improve their security, regardless of the status of their security programs. Enterprises must also do what is appropriate, which seems a little vague, especially because most enterprises want specifics. Generality is necessary, however, in the case of security, because boundaries are unclear — risk profiles, threats, vulnerabilities and cultures are different for each industry, enterprise and geography.

Improving Enterprise Security
1 February 2002
Ant Allan 

Security is a balancing act. Enterprises need security that is appropriate to the risks to their information assets; to attain that goal, they must find the right mix of people, processes and technology.

It's Time to Get Smart About Smart Cards
15 October 2001
John Pescatore 

Everyone complains about passwords, but no one does anything about them. We believe the gain from using strong authentication has increased and the pain of implementation has decreased enough to make smart cards the way to go.

Policy, Process, Awareness ... and Smart Cards
17 January 2002
Conal Mannion 

Just $10 per employee can improve the security of an enterprise's network and information systems, but there are two possible approaches. Here, we examine the future of user education and awareness.

Unmasking Social-Engineering Attacks
19 December 2001
Kristen Noakes-Fry 

Attacks on enterprise security defenses often use social-engineering principles to trick users into violating policies and procedures. The best deterrent is to maintain and enforce these policies, as well as employee education.

Building a Security-Aware Enterprise
17 January 2002
Rich Mogull 

Don't wait until tragedy strikes your enterprise. Use our framework to build a security-aware company.

Elements of a Successful IT Risk Management Program
8 January 2002
Roberta Witty 

An IT risk management program systematically manages enterprisewide IT risk exposures to minimize the effects of exploited risks and to preserve the interests of management, customers and shareholders.

Information Security Policies
8 January 2002
Roberta Witty 

Enterprises should establish enterprisewide definitions of information security requirements and a baseline set of information security policies.

Enterprise Smart Cards: Securing Buildings, PCs and Corporate Networks
14 January 2002
Andrew Phillips 

Smart cards can be used to control access to PCs, networks and buildings, offering two-factor authentication when combined with a PIN or biometric. Planning is needed to overcome the pitfalls for such use.

The NSM 'Big Four': Security Dynamos or Dinosaurs?
21 December 2001
Alain Dang Van Mien 

In network and systems management (NSM), four enterprises dominate — BMC Software, Hewlett-Packard (HP), Computer Associates (CA) and IBM. We examine how they have positioned their security products.