
Steps Towards Developing a Secure System

Ranalli offers strategies based on his experience for developing secure systems, as well as an important caveat: No system can be completely secure, partly because changes to software and practices occur almost every week. However, being proactive can help create an environment of awareness that reduces the possibility of the system being compromised.

Ranalli offers these additional strategies:

Start at the very beginning
Thinking about security once a system is ready to be deployed is much too late. All applications and procedures in a system must be designed and built with security in mind.
Establish ownership and accountability
In the business world, security is the responsibility of a senior executive. Schools should consider a similar model. A security officer should be educated on security issues and should proactively seek regular evidence that the system is working.
Create a security policy
This is the security officer's first project. Make the policy comprehensive, so it covers development of the system, the network, and the physical deployment. Review it and revise it, then establish procedures to ensure it is put into practice.
Insist that sufficient resources be allocated
Allow enough time to develop an adequate system and to monitor its effect. Money is necessary, but is best spent on keeping the system you need running smoothly. Rather than purchasing the latest tool, focus on meeting your own goals. Ranalli also warns about the tendency to develop "security through obscurity." This occurs when very few developers are involved and little outside review is conducted. The strongest system is one that is widely reviewed by people who can expose its weaknesses and offer solutions.
Test, test, test
Assuming the system is secure will leave it open to breaches. Ranalli suggests assuming your system is insecure and acting accordingly. Review the system regularly and do not rely on a single person to monitor the entire system.

Did You Know?

These organizations can provide industry-accredited training.