CTG: Security Solutions - How Much is Enough?
Scott D. Ramsey, global practice leader for CTG's information security solutions practice questions how organisations can strike the right balance between security and the free flow of data.
With global connectivity possible just by connecting a modem to a public phone or inserting a wireless card into one's laptop or PDA, corporations are becoming increasingly aware of their vulnerabilities relating to the misuse of information and technology resources.
However, management is also aware of the relationship between accessibility and productivity. The question is, what is the appropriate balance between flexibility and availability to ensure control without loss of productivity?
THE LURE OF THE INTERNET
The 'lure' of the Internet is not only the vast amount of information that can be found through it, but its relatively inexpensive cost to use, which has resulted in it being woven into the very fabric of global commerce. A fairly significant feat for a technology resource that is not owned or controlled by a multinational organisation, business or government!
Being on the information superhighway is no longer a luxury; in today's economy it is a necessity. But how secure are you when you are connected? How secure do you need to be? What are the issues related to the security and privacy of information that you are sending and receiving and how are you ensuring that only the intended recipients are receiving the information? These are questions that are being asked and addressed by corporate entities and governmental agencies concerned with the protection, integrity and accuracy of sensitive information.
FALSE SENSE OF SECURITY
However, many businesses have 'integrated' newer technologies and capabilities with little to no forethought to security. Additionally, many businesses have acquired security-related technologies and have not appropriately installed, integrated nor maintained them, posing a significant vulnerability in their security infrastructure. This has resulted in many businesses having a false 'secured comfort level' that they are safe from harm or abuse. Nothing could be farther from reality.
Over the past few years, there has been a rash of acquisitions and mergers around the globe. Many times, the acquired business was left alone to continue operations with very little oversight from the new parent, particularly in the area of IT. This has resulted in multiple tiers of sub-networks and extranets that are neither adequately documented nor controlled.
Furthermore, while the parent organisation provided connectivity to their internal networks, they provided little guidance to the acquired businesses on how they should control access to their own networks. This has created a potential vulnerability where the parent had a secured infrastructure, but has now given access to an unsecured environment, placing the parent organisation in jeopardy.
As well as the threat of cybercrime, organisations also have data security issues stemming from increased regulations such as:
- Gramm-Leach-Bliley Act (GLBA)
- Health Information Portability and Accountability Act (HIPAA)
- Breach Notification Laws (e.g. California SB 1386)
- FDA 21 CFR Part 11
- Fair and Accurate Credit Transactions Act of 2003
- Basel II Capital Accord
- European Union Directive 95/46/EC
- Payment Card Industry Data Security Standard (PCI)
- Sarbanes-Oxley Act
Regulated or not, all organisations have a responsibility to protect the assets owned by their investors, personal and financial data collected on consumers and citizens, and confidential information shared with business partners. Ever-increasing sophistication of attacks against web servers, databases, internal network servers and communications means that companies must have proactive security systems and processes for identifying, detecting and handling these new threats. Finally, to simply be a good internet citizen, and avoid down-stream liability, organisations must ensure they do not become a launching pad for attacks against other organisations.
The pressure for organisations to build or contract for robust information security programmes is on the rise. In this new age, traditional security technology solutions are no longer sufficient for adequate risk management.