You are an independent consultant who specializes in Information Technology security issues. You have been retained by the Designer Distributions Company, a mid-sized and growing consumer goods distribution company, for an assignment to assess the state of their computing environment's security. The company's newly hired VP of IT is conducting this project because she does not have a security specialist on her staff and has learned that the company does not have a comprehensive security strategy. In fact, she suspects a lack of even basic security knowledge in both the IT staff and the user community.
The company has a headquarters office building, which includes the principal data center, and a separate warehouse linked to the office by a private data network. The warehouse has a small computing facility of its own for order shipment data entry and tracking. This computer is linked to the headquarters order entry systems through the network. Additionally, there are Internet-based data links to several key suppliers used to share reorder, production and shipping schedules and status information. When potential new suppliers compete for contracts with Designer Distributions, their proposals are received and negotiated via email.
You have been interviewing executives and staff at the company and at key suppliers and are beginning to evaluate what you have learned in preparation for your report to the VP of IT.
The hot topic at your security networking group is an organization's overall approach to security standards, procedures, and authorizations. Which is more in line with your thinking?
Security policies and procedures should be designed at a point in time and then enforced without modification to prevent arbitrary compromising of any element of the complete security architecture.
Security policies and procedures need constant review and revision to take into account changes in the systems, staff, and business partners.
Security policies and procedures are presented.