3.8 Summary
You need to understand what you mean by "security" before you can go about the task of securing a computer system. Traditionally, information security has meant ensuring confidentiality, data integrity, availability, consistency, control, and audit. But the relative importance of these items will be different for different organizations.
One way to grapple with these differences is to perform a detailed assessment of the risks that your organization faces, the impact that each risk could have, and the cost of defending against each risk. This is a long and involved process that few organizations are prepared to execute properly. For this reason, many organizations outsource their computer security work—the policy formation, the monitoring, or even the implementation. Other organizations adopt industry "best practices" and hope for the best.
No matter what you do, it's best if your decisions are informed by conscious policy choices, rather than by inertia, inattention, or incompetence.