GOLDBOOK 2004
ENTERPRISE EQUIPMENT NETWORK SECURITY: Might May Not Be Right
Continued from page: 1
Thursday, March 11, 2004
Buying Tips and Best Practices

- Evaluate Risks: Assess your business and security environment. Analyze historical data to look for patterns and identify vulnerabilities. Try to answer questions like: What are the special features of your business? What is your network architecture like? Is your current network security infrastructure adequate? How critical is the network to your business?
- Formulate a Security Policy: Based on your risk evaluation, design and implement a security policy and link it to your business risks.
- Involve Business Managers in Risk Assessment: Involving business managers in identifying potential threats, vulnerabilities, and the consequent impact on business operations helps them better understand the imperatives of network security.
- Establish a Central Management Focal Point: Designate a central group to carry out the key activities. Provide it with ready and independent access to senior management. Allocate dedicated funding and designate staff for key activities. Enhance staff professionalism and technical skills.
- Promote Awareness: Use attention-gaining and user-friendly techniques to constantly educate users on risks and related security policies.
- Monitor and Evaluate the Policy and Controls: Monitor the factors that indicate security effectiveness. Also monitor the factors that can affect the risks. Use the results to direct future efforts. Establish the accountability of managers. Stay alert to new monitoring tools and techniques.
- Distinguish Between Policy and Guidelines: The security policy should only outline what senior management considers imperative. Guidelines should provide more detailed rules for implementing the policies. Guidelines can also be designed as educational tools that help network users understand and follow desired security practices.
- Create an Incident-handling Mechanism for Security Breaches: Formulate an investigation procedure that addresses evidence preservation and forensic examination. Designate a trained response team so that emergencies can be tackled when they arise.
- Go For Third-party Assessment: Carry out third-party audits regularly to get an independent assessment of your network security's effectiveness.
- Look For These in All-in-one Boxes: If you are looking for a complete security appliance, then it must have a firewall, an antivirus, IDS, and content-inspection functions. However, check whether too many features in one box are affecting its ability to perform. This is likely in many cases. So, avoid the everything-in-one box if your security requirements are complex.
- The Box Must Complement Your Security Policy: This is the most important factor that any enterprise should look for before buying a security appliance. Do not buy a box just because it can perform elaborate security functions. Check if the box is capable of meeting the stated objectives of your security policy. Also, security appliances are deployed in extremely dynamic environments and require constant appraisal to manage the threats. So, check the box for scalability.
- Step-by-step Buying: Organizations have a diverse range of security needs, from antivirus protection and malicious content inspection to defense against hacker attacks. However, an organization may not need all the security features at once. Depending on the current requirement, buy only what is needed today. However, keep the option open for upgrading later.

Must Haves

- Firewall
- Network IDS
- Antivirus
- Spam filter
- Authentication/Token
- Vulnerability Scanning

Desirable

- Monitoring
- Compliance Management
- Digital Certificates