Effective Information Security Within Government
Government departments can no longer afford to sit back and allow security consultants to assess their risk levels. In addition to deploying security systems in order to ensure that the environment is secure, security consultants must also understand what the bad guys (hackers) are doing, and test the systems on a regular basis, says Hugo Van Niekerk, specialized services director of Carrick Holdings. "Use the services of an ethical hacker, or get fresh eyes to test your system," he says.
Van Niekerk adds that organizations should also ensure that the solutions being deployed fit the risks that the organization faces, so that they do not over-invest in systems. He advises that the CIO invite top technical staff to the assessment meetings with potential security consultants, so that they can ask technical questions about the solutions that will be deployed. The information that comes out of the assessment should be used to draw up a clear and clean service level agreement, he adds.
Haroon Meer, technical director of Sensepost South Africa, says that while laying out the expectations in service level agreements is important, the organization should not restrict the security company to only using tactics that were previously agreed upon during the assessment stage. Max Melamed, information security manager for Ernst & Young South Africa, however cautions that organizations should not be too obsessed with detailed policy documents that outline information security measures.
"Policies do not stop a hacker," he says. The development of detailed policy documents also delays the implementation of security measures, he says. The human element should also be factored into the information security measures that are taken, according to delegates.
"Government should do background checks in order to build a workforce that is not populated by white collar thieves," Van Niekerk says.
