Security Adviser: Corporate security's evolution

03.08.2006

Stage two

In Stage Two, management and IT agree to get more serious about computer security. Anti-virus software is purchased for the e-mail servers or installed on user desktops. A network firewall is installed, but with an allow-by-default rule set, so anything the administrator did not think to block still gets through. Minimum password lengths increase, and end-users are educated about the most common threats. An existing employee is told they are in charge of security, but in reality they have little to no authority, and their main job is assigning and revoking passwords on multiple systems.
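To make the allow-by-default point concrete, here is an added example (not code from the column): a minimal first-match packet-filter evaluator run over a constructed set of inbound flows. Two rule sets carry the same explicit allows for mail and web; they differ only in what happens to traffic no rule mentions. The rule sets, ports and flows are all assumptions chosen for illustration.

```python
# Added example, not from the column: a tiny stateless packet-filter
# evaluator showing why an allow-by-default rule set gives little protection.
# All rule sets and flows below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str            # "inside" or "outside" (simplified; no real addresses)
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: Optional[str] = None       # None matches any source
    dst_port: Optional[int] = None  # None matches any port
    proto: Optional[str] = None     # None matches any protocol

    def matches(self, f: Flow) -> bool:
        return ((self.src is None or self.src == f.src)
                and (self.dst_port is None or self.dst_port == f.dst_port)
                and (self.proto is None or self.proto == f.proto))


def evaluate(rules, default_action, flow):
    """First-match evaluation, as most packet filters do it; the default
    action applies when no rule matches the flow."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return default_action


# Stage Two style: explicit rules only for the services the administrator
# happened to think about, and everything else falls through to "allow".
STAGE_TWO_RULES = [
    Rule("allow", src="outside", dst_port=25),   # inbound mail
    Rule("allow", src="outside", dst_port=80),   # public web server
    Rule("deny",  src="outside", dst_port=23),   # someone remembered telnet
]
STAGE_TWO_DEFAULT = "allow"

# Deny-by-default: the same explicit allows, and nothing else reaches the inside.
DENY_BY_DEFAULT_RULES = [
    Rule("allow", src="outside", dst_port=25),
    Rule("allow", src="outside", dst_port=80),
]
DENY_BY_DEFAULT_DEFAULT = "deny"

# Constructed inbound flows, including services nobody wrote a rule for.
SAMPLE_FLOWS = [
    Flow("outside", 25),
    Flow("outside", 80),
    Flow("outside", 23),
    Flow("outside", 445),   # file sharing, a common worm target, never considered
    Flow("outside", 1433),  # database listener exposed by accident
]


def exposed_ports(rules, default_action, flows=SAMPLE_FLOWS):
    """Sorted list of inbound destination ports the rule set lets through."""
    return sorted({f.dst_port for f in flows
                   if evaluate(rules, default_action, f) == "allow"})


if __name__ == "__main__":
    print("allow-by-default exposes:", exposed_ports(STAGE_TWO_RULES, STAGE_TWO_DEFAULT))
    print("deny-by-default exposes: ", exposed_ports(DENY_BY_DEFAULT_RULES, DENY_BY_DEFAULT_DEFAULT))
```

The allow-by-default set exposes ports 445 and 1433 even though nobody ever decided to expose them; the deny-by-default set exposes exactly the two services someone consciously approved. That is the whole difference between a firewall that blocks what you remembered and one that permits only what you chose.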

Management thinks it has addressed the problem. Worm and spyware outbreaks happen less often, but the entire network still goes down a few times a year. Whenever a major worm or virus makes the news, it hits the company hard. Then another major security event happens, just as bad as the first one. Things aren't fine.

Stage three

This is the first step into what I think is a real security environment. A real security officer, with security certification or training, is hired or promoted from within. All employees sign an acceptable use policy when they are hired, and passwords get longer and must be changed at least twice a year. There's a focus on automating computer security. Anti-virus software is installed on all desktops and updated automatically from site-local servers, patch management software is put to use, and additional scanners for malicious software are deployed.