Website security best practice services
Is your organisation using industry best practice? Security best practice is available for web application development and operations, and for security management, including risk management, risk analysis, security policies, information classification and security awareness training. Web applications are increasingly being built into the business model, and any sudden unavailability or disruption can have a significant impact. Sufficient resilience to ensure business continuity is required.
Watson Hall provides independent security advice on best practice to organisations developing, operating or purchasing web applications.
Example website security best practice projects
Security control selection
There are a plethora of vendors, products, solutions and services in the information technology security market place, but without developing an organisational security model, the development of a security program and security requirements for the website or web application will be difficult.
Sometimes people 'at the coalface' can find it hard to take the overall corporate view necessary to achieve a working, implementable and safe information technology system or project. Departments and teams can have different expectations, desires and aims; sometimes they will speak different languages to each other. Moderation and facilitation of these discussions by people able to understand the technological, creative and business needs will motivate staff and improve the security of IT systems.
Security specialisms
Security needs to be considered as a complete system. Vendors, suppliers, advisors and staff often concentrate on a narrow aspect of information security. Watson Hall looks at the wider picture to determine what the risks, the costs and the business benefits of security are.
The fragmentation of systems security into specialisms such as networks, firewalls, intrusion detection, intrusion prevention, hacking, social engineering, anti-virus, anti-Trojan, anti-worm, payments, physical security, redundancy, business continuity, disaster recovery and so on means that the overview can sometimes be lost.
Organisations need experts in all of these fields of IT security, but repeatedly dividing up and compartmentalising problems prevents a broader view. Only with that broader view can appropriate administrative, technical and physical controls be applied to build the security framework for the application or website.
Management
The web of security management legislation and information is huge. Are your policies, procedures, standards, guidance and practice in step with today's threats and emerging trends? What mechanisms do you have for reviewing, assessing and making changes to policies and procedures? Are you using or considering implementing ISO/IEC 27001 or ISO/IEC 27002 (17799)? Has anyone audited whether they are being followed? If not, does it matter? If so, what were the results and what actions have been taken to address these?
Successful management needs these management tools for information technology security best practice, but they must not become box-ticking exercises. They must be inherent to the organisation's life and grow and develop along with the organisation, its business needs and its staff's learning.
Evidence and goals
Do you have evidence that security best practice has been used through all these aspects of web application development? Your auditors, insurers, regulators or customers may ask you.
The business's operational, tactical and strategic goals need to be considered throughout the security framework.
Good corporate governance practice requires a corporate governance framework that ensures timely and accurate disclosure is made on all material matters regarding foreseeable risk factors, governance structures and policies including the processes by which the code or policy is implemented. Organisations need to identify and manage the security risks and ensure that security controls are working: web application security controls need to be validated and verified.
Most importantly, if a website or web application security breach occurs, how will the organisation know it occurred, will it be able to respond, and would the breach stop the business from operating? The information security controls put in place need to be transparent and meet the triple-A (AAA) measure of being appropriate, affordable and acceptable. Organisations need to do enough, within reason, to prevent a breach occurring, and be able to prove that they did.
Other web security analysis services from Watson Hall
Web application development security and compliance, security due diligence and e-commerce security.
Contact Watson Hall
Best practice helps deploy security for your websites and web applications. It provides an initial framework for your own organisation's practices. Watson Hall, based in central London, provides web application security analysis services. Contact Watson Hall to see how we can assist and facilitate your own staff and resources to help build and operate better applications securely.
These pages contain general information only. Nothing in these pages constitutes professional advice. Please read the website's terms of use, and consult a suitably qualified information security professional on any specific problem or matter.
