Over and above the best practices and buying tips explained above, there are some other points which needs to be always considered. These points refer to the day-to-day security challenges that will come about in the course of running your business.

l Awareness: Awareness of threats and vulnerabilities is often low in most organizations. So is the awareness about security dos and don'ts. Often, security threats are not taken seriously because users are not aware of their seriousness.

l Monitoring and Management: A major challenge that every enterprise CIO faces is the constant monitoring and management of the public-facing core elements in the network. A viable solution is to outsource the monitoring and management of either all or parts of the network infrastructure to a remote infrastructure management provider.

l Policies and Procedures: They are a must for secure management of network resources and the introduction of new resources. Conversely, restrictive and inflexible policies and procedures are also a problem.

l Asset Identification and Valuation: Conduct the asset identification and valuation exercise along with the end-users who use and own data on the resources. Certifications like BS7799 can help implement a system of procedures and controls to ensure that the asset identification is always up to date.

l Viruses, Worms, and Antivirus Updating: Unfortunately, not just infected servers, but even one infected PC can result in havoc for the entire network. Add to these mobile users who are constantly shuttle between insecure networks outside and your organization's sanitized networks. A new virus could enter your network through any of these. Thus, the antivirus must be kept updated to handle newer viruses.

l Patch Management: Till date, according to CERT, there have been at least 4200 network vulnerabilities. With a plethora of platforms running in an organization, keeping pace with testing of patches and updating them on the production servers can severely tax the IT team. Security patch management is, thus, a major concern. Currently, majority of the corporations do only manual and need-based patch management. This leaves the organization vulnerable and drains its limited IT resources.

l Standardization: According to the research group META during 2006-08, IT-operation organizations will begin standardizing their work-sustaining activities to platform-agnostic standards. The integration points between these activities would also be platform-agnostic, bolstering the IT organizations' abilities to enhance performance across the IT-delivery lifecycle and the reporting/improvement activities (like quality, cost reduction, and reporting structures).

l Portability: This creates several obvious risks. The loss of a laptop is an obvious one. Other risks are less obvious, such as a worker letting his friends use the sanitized company laptop to surf the Net. Such activities can expose the laptop to inadvertent virus and trojan infections, and can later threaten the internal network when the portable computer connects to it. Even if the laptop is sanitized before re-entering the network, the threat is still present. A worm that sends infected emails to an employee's entire address list can pose a serious PR problem for the company, without infecting its network.

l Complexity: This is a major challenge for information security. Every new policy or procedure comes with the possibility of being misinterpreted or poorly executed. A simple security axiom is the KISS rule (keep it simple, stupid!). Unfortunately, the regulatory environment is becoming ever more complicated because of mandatory controls. These can lead to confusing and burdensome policies and procedures.

l Resource Misconfiguration: Standardize your resource-management procedures and deploy process-automation procedures to mitigate human error.

l Educating End Users: Malware or spyware can invade the nodes if end users are careless while surfing.

l Log Analysis: Various IT resources generate a large number of logs, which contain usage and trends data. Without log-data analysis, network administrators may overlook the possible warning signals.