Bridging the Gap Between Organizations Policies and the Network Security and Systems Administration in SMEs

Abstract:

The administration of systems and networks is a complex, specialized technical task. While large organizations can have systems and network security specialists in their Information Technology (IT) departments, Small and Medium Enterprises (SMEs) typically can't; they have only some broad-profile computer science IT collaborators who are responsible for the maintenance of the IT resources and, in some cases, also take on some software development. We take this view as the starting point of our research, together with the growing need to secure the IT resources and the information sources, which are becoming more and more valuable for every single organization.
  
For SMEs, the solution for implementing security is often an outsourced task. The problem is that implementing security is an exercise that goes beyond the common IT domain: it starts with fully understanding the organization's culture, policies and procedures. This knowledge is something that collaborators learn day by day, not something that we can easily put on paper and hand to outsourced specialists to secure. Even if that could be done, the daily maintenance of the security would be a very hard task.

This paper discusses security in the reality of SMEs and presents a framework that permits a high-level approach to implementing security, focused more on the organization's vision of what we want to do than on a technical vision of how to implement it. The core of the framework is an abstraction layer focused on the organization's perspective and a translator layer that turns that perspective into technical rules capable of being applied to the IT resources, such as servers, computers and network equipment.