While nothing is ever "completely secure," and there is no magic product to make every organization immune from unwanted attackers,this Razorpoint document outlines 10 keys to consider seriously regarding effective network security.

1. 10 Keys To Effective Network Security
[ WHITE PAPER ]
™
Author:
Razorpoint Security Team
Version:
1.3
Date of current version:
2006-10/05
Date of original version:
2001-04/04
Copyright © 2001-2006 Razorpoint Security Technologies, Inc.
All Rights Reserved.

2. 10 Keys To Effective Network Security
The following 10 keys outline a foundation in building an effective security policy for your network operating environment.
They explain the realities of network security and how to apply corporate resources toward the ongoing effort of securing
a network environment.
KEY 1: Executive level needs to be responsible (Establish accountability).
Think of network security in terms of system survival and business continuity. As such, accountability should be shouldered
at senior levels much like a company’s financial position falls upon a CFO or CEO. Effective security policies should be
implemented and maintained by a skilled and experienced technology staff directed by a senior company officer or
director (CTO, Director of Technology, etc.). Technology departments should be empowered with the resources (skilled
staff, budget, hardware, software, etc.) and autonomy to react effectively on an ongoing basis. The senior company
director must ensure the availability of these resources, while the entire senior management maintains accountability.
KEY 2: Educate staff and promote awareness.
People are almost always the weakest link in any organization’s security chain. It is for this reason that proper education
and awareness of network security and security policies be understood by not only technology staff, but all employees.
While more detailed technology expertise should be mandatory within technology departments, awareness and training
must be provided to all company employees. Company employment documents should include a detailed explanation of
the company’s policy on technology usage including, but not limited to, computers (laptops, desktops, servers), network
access, Internet access, email, the worldwide web, and remote access to company resources.
KEY 3: A process, not a product (Security is ongoing, never ending).
There is no single answer. As part of employee security awareness, the fact that security is never realized by a single
product or technique should be stressed. The myth of “You just install this one shrink-wrapped package and you’re
done” is a dangerous pitfall many firms fall into. The overall security posture of a company needs to be part of the
business decision-making process. Security is a process, not a product.
KEY 4: Exhibit cautious, but prudent, spending (Don’t “just throw money at it”).
Security is not just “having a firewall.” Many of the “all-things-to-all-people” products are not sufficient. These general
tools (firewalls, VPNs, packet filters, etc.) can still leave company-specific systems vulnerable. A solution of this nature
can end up costing an overwhelming amount due to an unforeseen security compromise. Purchasing and properly
deploying tools such as firewalls, intrusion detection systems, VPNs, etc. as part of an overall security policy is an
excellent way to promote a secure operating environment. Regular maintenance of these security tools should be a
mandatory exercise in enforcing a company’s security policy.
KEY 5: Regular assessment of the “threatscape” – Be proactive.
Hire a security firm to regularly audit the security of your network infrastructure. This is similar to an outside accounting
firm auditing a company’s financial records. As a proactive security measure, a qualified, third party should be retained to
regularly audit the state of a company’s security. Security firms test, externally as well as internally, the true strength of
an infrastructure’s security. An audit of this type provides a “hacker’s eye view” of a network operating environment.
October 5, 2006 10 Keys To Effective Network Security [v1.3] Page 1 of 3
31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | security@razorpointsecurity.com
Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.
™

3. KEY 6: Deploy and maintain a balanced, flexible security policy.
An effective security policy should also include physical security, disaster recovery and user training. A “one size fits
all” approach should be avoided. Design a security policy, or “process,” that is geared toward your current technology
infrastructure as well as future iterations. It should evolve as your organization evolves. A balanced and flexible
security policy should encompass firewalls, VPNs, good password usage, remote access procedures, security of physical
resources (file cabinets, computer rooms, network access points, confidential documents, etc.), disaster recovery
scenarios and provide for the ongoing effort of keeping all company employees aware of changes as they occur.
KEY 7: Incorporate security early.
It is always more efficient and effective to design security into an infrastructure from the beginning. Imagine only after
finishing a bank realizing you needed a vault, alarms and security glass. Because of the lack of security consciousness at
the outset, everything must now be redone. Similarly, security must be a primary focus when designing and maintaining
an technology infrastructure. While security components can certainly be added afterward, incorporating security early
yields better results. When necessary, hire an outside firm to perform a security design review of existing or upcoming
technology rollouts. If nothing else, this “extra set of eyes” can provide another perspective on your needs, your
technology and your security choices. Be sure to choose a firm with a proven track record performing security audits
and services.
KEY 8: Outsource security maintenance as necessary.
In some circumstances, it makes business sense for firms to outsource their security needs. Understaffed or undertrained
technology departments may not be equipped to adequately maintain effective network security. In these cases
outsourcing can be an answer. Some or all of a company’s network security can be given to a security firm whose sole
responsibility is securing your environment. Firewalls, VPNs, remote access, and other security-related necessities can
be facilitated by an outside firm. This can also help a company to more slowly, and effectively, grow their own in-house
staff. With security maintained by an outside firm, CTOs and CIOs can take more time staffing in-house teams with the
appropriate, qualified personnel.
KEY 9: Staff your technology team correctly.
Be sure your technology staff is well-rounded in terms of technology expertise (network infrastructure design and
management, security implementation, multiple operating system experience, etc.) and is trained in all necessary areas
of your company’s technology. In addition to necessary certifications (CISSP, Check Point CCSA & CCSE, Cisco CCNA,
etc.) security technology professionals must be able to demonstrate previous experience with relevant technology and
provide references that can support previous career successes.
KEY 10: Maintain vigilance.
No one ever asks “When can we stop doing sales or marketing?” It is the same with security; it is never ending. Y2K was
perceived as a business issue, security is even more so. It needs to be fully understood at the most senior levels why
security is as large a business concern as sales or marketing. A security breach of financial records, confidential company
data, client information or other sensitive material could be disastrous. Security compromises can destroy relationships
with customers and investors. Financial liability, lost revenue, damage to a company’s brand and reputation could prove
irreparable. Security concerns should extend well beyond “stopping a virus” or “installing a firewall,” it should be viewed
as a business continuity issue and, as such, funded, staffed and maintained accordingly.
October 5, 2006 10 Keys To Effective Network Security [v1.3] Page 2 of 3
31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | security@razorpointsecurity.com
Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.

4. About Razorpoint Security.
Razorpoint Security Technologies, Inc. specializes in researching and analyzing security vulnerabilities and
conducting comprehensive security assessments. These assessments provide business leaders and corporate
clients the necessary security services and solutions that help keep corporate networks secure. Razorpoint Security
has exceptional expertise in network security, attack/penetration testing and identifying security vulnerabilities
especially as they relate to Internet solutions and web applications. Razorpoint offers all sectors of business the
services necessary to maintain a firm grasp on the evolving state of network security.
For more information, Razorpoint Security Technologies, Inc. can be reached at their headquarters at Madison
Avenue and 32nd Street in New York City.
Razorpoint Security Technologies, Inc.
31 East 32nd Street
Sixth Floor
New York City, NY 10016-5509
t: 212.744.6900
f: 212.744.6344
e: security@razorpointsecurity.com
w: www.razorpointsecurity.com
™
October 5, 2006 10 Keys To Effective Network Security [v1.3] Page 3 of 3
31 east 32nd street, sixth floor | new york city, new york 10016-5509 usa | tel: 212.744.6900 | fax: 212.744.6344 | www.razorpointsecurity.com | security@razorpointsecurity.com
Copyright © 2001-2006 Razorpoint Security Technologies, Inc. All Rights Reserved.