Securing your IT environment requires a combination of techniques, tools, and technologies.
Computer security is both physical and virtual; a computer system or network is vulnerable to both physical access or theft, and online access or theft. For example, a computer criminal can break into a computer system using hacking techniques and tools and steal information that way; alternatively, he or she can simply steal a physical machine and gain access to its data by turning it on and reading the screen.
The first step in an IT security protocol is to secure the physical environment.
Only those with legitimate need for access to the physical machines should have access to the room or rooms where they are located. A computer lab should have access restrictions so that vendors, visitors, or other non-authorized personnel simply do not come into contact with the physical computer systems.
From there, additional security can be imposed by the creation and use of software and hardware barriers.
Hardware barriers might involve technical solutions such as a dongle which must be plugged into a system for a particular software application to be able to run. Software approaches are divided into operating system mechanisms and program mechanisms. The operating system can impose rules on programs, for example, by requiring that only certain users are authorized to access certain programs. Programs themselves can enforce security rules, for example by requiring a password in order to access a data file.
One security technique operates effectively by enforcing a privilege of least principle.
This means that any entity within the computer system (a user, a program, or a code module) only has the privileges within the system necessary for its own function. For example, a user who has no need to access data files stored on another part of the network might have no access to that portion of the network. This model ensures that even if an attacker gets access to part of the system, he or she has no ability to access other portions of the system.
Security systems should always take an approach known as "defense in depth".
This means that more than one security layer must be penetrated in order for an attacker to gain access to information or programs. Rather than creating one layer of security (for example, making the physical computer lab highly secure, and then leaving the machines inside it unguarded), defense in depth slows down attackers by requiring them to keep overcoming new mechanisms. However, it is important to remember that a series of easy barriers to overcome is not as effective as a single difficult barrier; defense in depth requires strong barriers, not weak systems.
Security systems should not rely on purely electronic or software mechanisms.
Security designers sometimes forget that lightning storms or utility blackouts can shut down all the technologically-based security systems; don't rely on just an electric fence. You need bars on the door as well.