Of course, like health and safety, security is everyone’s responsibility. But, when it comes to the software systems you use, it’s important to have a named person or team who works to ensure the security of your data.
How much this person/team has to do will depend on the approach to risk that you’re taking (see my post on Weighing up the risks: a sensible attitude to security).
If you’re in a high-risk situation, where it’s essential to maintain the integrity of your systems (and to be seen to have done so), then there are common tasks that need to be done:
- Regular (at least annual) security testing against the OWASP Top Ten
- Installing software updates as they are released
- Ensuring that bespoke or third-party code without regular updates is reviewed regularly to confirm it is still secure
- Ensuring the server environment is hardened appropriately
- Monitoring for attacks
Whether this role is done by someone inside your organisation, or outsourced to another company depends on a number of factors:
- Do your people have the skills needed?
- Do your people have time to do the job properly?
- Do you have enough people to cover for absences?
It’s tempting to think you can go it alone, particularly with common open-source software like WordPress, Drupal and Moodle. It’s often easy to set up and to add additional functionality using plugins, but keeping it secure and well-maintained can become a significant task.
In most cases, I would tend to recommend outsourcing. Unless you’re prepared to create a team that has in-depth knowledge of the application software and underlying server platforms, it’s far better to work with an existing company to mitigate your risk.
I can help you understand your risks and advise on your particular options for mitigating them. Contact us to find out more about my services.
Posted: 08 May 2014
Tags: System implementation Supplier selection