Operating systems like Windows Server 2003 provide powerful tools to protect data, including the Encrypting File System (EFS), file permissions, user accounts and passwords, and much more. As powerful as those tools are, though, they can’t provide a completely secure environment by themselves. For example, Windows can ensure that only authorized users have access to a particular file, but Windows can’t stop users from leaving hardcopies of the document lying on their desks. All the computer security in the world is useless if information that is protected on your computers can be compromised in other ways. Similarly, suppose you implement a complete security plan includes computer-based file protection and locked filing cabinets. Without a well-thought-out physical security plan, there might not be anything stopping someone from carrying away a computer or filing cabinet, which would completely defeat your security measures.

Any useful computer security plan has to provide a complete security solution: one that addresses both technological solutions and administration solutions to security threats. If you find that your company is unwilling or unable to implement a complete security plan, you probably don’t need to spend a lot of time worrying about the computer-specific aspects of security. Again, you don’t need to spend weeks locking down your servers against intruders if your company won’t keep sensitive computers in a locked room where they can’t ...