The Business Forum

"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."           Thomas Mann, 1896


Contributed by Sierra Systems Inc.




Security starts with the mundane. Loss prevention, damage control, and prevention of liability are the initial targets of security planning. However, security in the context of information technology (IT) is not just the prevention of loss or damage. It is a business enabler that is increasing in prominence, especially with companies for whom communication and collaboration lead to increased functionality and revenue. Even for older organizations with well-established business practices, good information security allows safe and profitable ventures into activities that would have been foolish not long ago. Being able to perform legacy communications and transactions in a more secure way may not be the most captivating and seductive ability, but it forms the foundation for performing modem and progressive secure communications and transactions that set organizations apart from their competitors.

In this context, security is a process that allows you to maintain a level of confidentiality, integrity, and access appropriate to the resources you want to protect, such as systems, information, processes, or any other personal or organizational asset. By the same token, security is not a constant state, nor is it a tool. It cannot be purchased in a piece of software or hardware. It is an approach and a process of continuous control and improvement that must be considered along with any other requirements. It must be integral to the design, creation, operation, and retirement of any business­-critical resource.

Once the basics of IT security are addressed, security tools and processes help to create and optimize business processes and avenues that may not have previously been open. Appropriate security can allow you to enter regulated or controlled markets that are otherwise inaccessible.

Compliance with regulatory and industry security standards can become a competitive advantage if it is achieved in ways that enhance operational efficiency and effectiveness.  Customers that are wary of electronic transactions can be won over if the information security practices and infrastructure arc demonstrably dependable — especially if they can be audited by a known auditor. This paper explores these basic risks faced by any organization that depends on IT, and provides perspective and potential approaches to the business benefits that can he attained through better security.

Essential Security Risks

There are many risks faced by an organization that relies on its information technology for business-critical activities. These risks may include functional loss through direct electronic intrusion, functional, financial or intellectual damage through an information security breach, or indirect damages and liabilities that may fatally cripple an organization. It is important to recognize the differences in progressive degree of damage. A direct intrusion against an organization may be a serious affair, but indirect damages may be more damaging and less obvious. Indirect third-party damages may have far-reaching functional, financial and legal consequences.

“We have been Hacked!”

This distressed announcement indicates a direct intrusion event:

•     An unknown external entity has gained entry into your systems.

•     Discovery of system changes, the purposes of which are unclear.

•     A partner, competitor or other party informs you that illicit activity is coming from your systems.

This is the classic security incident — an electronic intrusion. You may not know who is behind the incident, or even if it is manual or automated. You may not know where the intruder is, or even if they are inside your organization. You don’t know their plans or extent of actions they’ve already taken. What is known is that you have lost control of your resources. This may lead to an immediate interruption of normal business and possibly lead to other consequential internal or external damages. Unfortunately, discovery of this type of event is comparable to finding the lock broken on the door to your office; while it maybe the work of vandals who made no entry, it often signals further damage inside.

“Hacker Accesses Patient Records” (The Washington Post) “A hacker gained access to confidential medical information at the University of Washington Medical Center, using the Internet to download thousands of files containing patient names, conditions, home addresses and Social Security numbers, hospital officials said yesterday. "The intruder ... tapped into two databases containing 4,000 or more patient records. [A] Web site in the Health Sciences Department of Pathology, which served as the platform for the hacker, previously had about as much security as a computer dedicated to history or literature, even though it was linked to databases containing patient records.”

“How did they know that?”

Strange events maybe your only clue to an incident that results in serious indirect damages:

•     A potential client suddenly cuts off negotiations and signs on with a competitor.

•     An unknown company files a patent on a critical unreleased product or process you have been working on.

•      Confidential customer information turns up in other organizations.

This sort of information security incident may be facilitated by anything from clerical errors to an undetected intrusion, and can be very damaging to an organization. In more complex forms, an intrusion that leads to the loss of sensitive information may undermine every action taken by the company — yet go undetected for long periods. Many organizations that fall victim to this choose not to publicize it, fearing additional loss of credibility and good will.

“Hacking of Web game EverQuest linked to local teen” (The Seattle Times) ... [A teenager’s hacking gave him] access to personal information on hundreds of thousands of players and Sony employees. The hacker.. .was able to access the home computer of the company’s vice president of product development, Brad McQuaid, and downloaded documents for an as-yet-unreleased version of the popular role-playing fantasy game. Sony, which declined comment on the investigation, says the game is played by as many as 400,000 people worldwide and reaps more than $50 million a year in revenue.”

“They are suing us!”

If consequential damages from an incident proceed to the point where they affect other parties, you may find yourself in a most serious situation:

•     Your organization is caught unprepared for a security incident, and the operations center is fully occupied with the recovery for several days. A company for which you provide service sues for failure to live up to your service level agreement.

•    Highly confidential information that you have licensed from another company is posted to the Internet. The licensor sues for trade secret damages and breach of contract.

•    Personal data that you are legally required to protect is released in a way that causes damage to the individuals. They file suit, and your company principals are held personally liable.

Direct intrusions and cracks with ongoing damage may not be the worst events an organization faces. Consequential damages such as the loss of personal information confidentiality may lead to a loss of continued access to business. Loss of financial or medical records that you are legally mandated to protect could mean stiff penalties. Losing control of critical systems in certain environments may lead to secondary or tertiary consequences that include the loss of life. These third-party liabilities can lead to loss of market share, loss of good will, and even to issues of criminal liability. Many people are unaware that company principals can actually be jailed for criminal negligence or other liability charges if poor company security practices are to blame for serious loss or injury.

“Mounting a Defense” (Government Executive Magazine) “In 1992, a reclusive young man from Portland, Ore., used his computer to gain [root-level] access to the control systems for all the dams in northern California. He first penetrated the Bureau of Land Management’s computers in Portland, which provided the system connections he needed to enter the dam controls. PhantomDialer, or PhantomD as he was known among hackers, could have opened the gates of the Oroville Dam and flooded the surrounding region, causing incalculable damage and loss of life. .. .60 miles south [of Oroville Dam] is metropolitan Sacramento with its 1.5 million people.”

Key Security Benefits

IT security that effectively balances the needs and risks faced by an organization should provide a number of functional benefits to the organization. These may include:

•     adding value to existing services by enabling new activities or services

•     preserving current organizational functions by meeting new regulatory requirements

•    increasing an existing customer base by increasing service levels

•    increasing an existing customer base by reducing transitive risk

•    opening new markets by meeting security requirements for entry

•     enabling positive revenue associated with new activities or services

•    increasing competitive advantage compared to other service providers

•    reducing costs associated with unstructured risks

Well-designed security architectures provide these benefits as well as risk reduction. While it comes as no surprise that good news never gets as much airplay as bad news, being recognized as having a good security infrastructure usually goes along with recognition for strategic and effective use of technology in general.

Conversely, poorly-designed architectures invite subversion of security measures and practices if they are not synchronized with the day-to-day reality of how the organization works. If individuals in an organization need to thwart or bypass standard security tools and pohcy m order to do their work, the current architecture and business activities are in need of re-examination and coordination. Generally this sort of internal lack of synchronization is evident to external parties as well, if only as an appearance of disorganization.

“We could not do that before!”

•     An improved network security policy makes it possible to design, deploy and   maintain value­adding extranet applications that were otherwise considered too risky.

•    With secure coding practices in place, you can attest to a system’s compliance with HIPAA security rule or Gramm-Leach-Bliley privacy regulations.

•     Your new information security policy and secure collaboration system allow you to work and exchange information directly with vendors and customers in a controlled environment, without undue risk to sensitive data.

Just a few years ago, it would have been considered too risky to share networked resources with vendors, partners, and customers. With a good security architecture and compliant infrastructure, it is now possible to have shared collaboration systems available over the Internet to international partners, using encryption and authentication tools that make it even more secure than the old manual methods.

“M.D. Anderson Cancer Center details plans to beef up wireless LAN security” (Computerworld) “The MID. Anderson Cancer Center in Houston plans to beef up security for a wireless LAN pilot project with technology that can rapidly and dynamically change encryption keys to block hackers from accessing private information.... Technical papers published this summer pointed out the vulnerability of encryption keys to over-the-air sniffing [and in response] the center has decided to augment WEP with dynamic key management [that can] change keys ‘as often as every three minutes, if that’s what they want.’ [B]ecause of security concerns and the strict privacy mandates of the federal Health Insurance Portability and Accountability Act (HIPAA), Anderson is ‘proceeding cautiously’ with its wireless LAN pilot pixject. [Thel system offers ‘a near-term solution to secuflty issues,” adding that other issues with WEP “must be addressed in the two-year window prior to HJPAA compliance’ ... ‘which requires data to be secure in transit and storage.”’’

“We can make money with this?”

•     Flexible extranet tools are now possible with an enhanced security & network architecture allowing you to provide revenue-generating services to clients that were previously impossible or prohibited.

•     With documented security practices and testing, you complete an SAS-70 assessment and can provide services to organizations that otherwise would have refused to do business.

•     New clients are interested and less apprehensive of new services when you have an auditor certify your compliance with industry security standards.   Increasing visible and real security gives your organization the ability to pursue profitable clients, partnerships, collaboration and other revenue enabling/enhancing activities

“Security—Building Trust to Enable eConimerce” (IDC) “... No longer just insurance, security is the foundation on which e-conimerce will be built, as security coupled with new business processes allows for the creation of trusted business relationships, whether business-to-business or business-to-consumer. [..j The improvements m a number of security technologies have allowed companies, especially large ones, to increasingly regard security as a positive infrastructure element. This infrastructure issue was driven by the need to expand trusted relationships with customers, partners, suppliers and channels. Most companies’ greatest asset is their content. The ability to use security technologies (e.g., authentication and authorization) to enable greater access to corporate content deepens and stabilizes relationships. These trusted relationships can yield numerous benefits, such as higher transaction rates with greater scalability, lower cost per transaction, transference of personnel from low-value interactions to high-value personalized service, and so on. Overall, enterprises increasingly use security products and services to help them dramatically scale revenue, transactions, and/or customers at high double-digit rates while confining cost increases to single- or low double-digit rates. If implemented successfully, this practice ensures profitable growth.

“This saves us money.”

•     Avoiding risk through improved resistance to attacks and outages allows higher service level agreements, reduces expenses for business continuity activities & insurance, and dependence on expensive recovery services

•     Improved security infrastructures permit safe and secure telecommuting, saving on recurring office space expenses and allowing more flexibility in tight real estate markets.

•    Operational streamlining through improved information security makes it quicker and easier for internal organizations to share information with each other.   In real terms, security policy and architecture should simply reflect the real values and risks of the organization, so compliance with a well- designed security policy is the same as compliance with a well-designed operational process. If done well, it is never a burden to improve security around your valuable resources.

“Radical move: States try tax outsourcing” (Computerworld) “A small group of companies is participating in a project to outsource sales tax collections. State government backers of the project hope it will revolutionize the way sales taxes are collected and paid. Taxware International Inc. in Salem, Mass., and subcontractor Hewlett-Packard Co. have developed a transaction server that interfaces with a merchant’s retail system via an Internet connection to automate tax calculation at the time of sale. What makes this project groundbreaking is the agreement by participating states to ...shift some of the potential routine tax audit liability—a major burden for businesses—to the outsourcing vendor. IT and tax managers said that for a remote tax transaction system to work, it must address security, the transaction- processing speed and the accuracy of the tax calculation. But if those concerns can be satisfied, the potential benefits, including reduced compliance costs, will be attractive to firms.”

Integrating security in an organization

How can your organization avoid undue loss and liability, and leverage security to provide tangible benefits? By having a plan, and following through. Overall, a proven way to integrate security is to start with these basic phases:

•      Know your organization - gather business and technical requirements, assess current logical and physical security capabilities

•      Know your assets, how you value them, and threats they face - perform an inventory of resources, risk assessment, and security infrastructure audit

•      Determine the manner in which you want to protect those assets - adopt or create an appropriate security policy; validate against industry standards and regulatory requirements

•      Define the most effective way to react to protect those assets - create and validate procedures that implement the policy, as well as refining the policy to reflect technical capabilities and optimizations

•      Implement security tools and procedures - bring your organization’s technical infrastructure into compliance with security requirements, and coordinate security plans and measures with partners and clients

•      Update and maintain the plans - revisit requirements, policy and operations on a regular basis to protect and optimize the organization’s activities

When defined and documented, these are the key aspects of a “security architecture” where each component builds on and supports the next Inventory, assessment and audit provide the information necessary to create a security policy synchronized with the real risks and requirements of the organization. With this policy in hand, security procedures and IT disaster recovery plans can be created. Operational experience using these procedures and plans creates feedback information that is useful in subsequent assessments and audits.

Within this architecture, risks should be addressed through prevention where appropriate, control for events that may still occur, mitigation if damage occurs, and plans for recovery and restoration. Design of a good security architecture hinges on good information and good judgment; extreme security is often extremely expensive and inappropriate.

Not all incidents or events can be prevented, and mitigation or acceptance should be considered as appropriate responses to some threats. Some threats may be simply accepted because the risk is very low. The risk of many normally-anticipated threats may be protected against through common security measures. Threats with a very low risk but extreme consequences may be addressed with mitigating actions, such as insurance and recovery plans, rather than taking preventive measures that are prohibitively expensive or hinder normal business practices.

Recommended solutions

Clearly there are risks present to any public or private organization, and the appropriate way to address these risks is through appropriate security architecture. Creation of this architecture is a nontrivial activity, but neither is it a long and drawn-out process. Even in the largest and most complex of organizations, the most effective approach is an iterative one, addressing immediate issues with tactical solutions and long-term issues with a process that contributes to continual refinement of the architecture.

Partnering with a security service organization that has experience in your line of business increases the likelihood of success in developing the most effective, most beneficial, and least intrusive security architecture for your organization.

Visit the Authors Web Site

Website URL:

Your Name:
Company Name:

Inquiry Only - No Cost Or Obligation

 3D Animation : red star  Click Here for The Business Forum Library of White Papers   3D Animation : red star

Search Our Site

Search the ENTIRE Business Forum site. Search includes the Business
Forum Library, The Business Forum Journal and the Calendar Pages.


The Business Forum, its Officers, partners, and all other
parties with which it deals, or is associated with, accept
absolutely no responsibility whatsoever, nor any liability,
for what is published on this web site.    Please refer to:

legal description

Home    Calendar    The Business Forum Journal     Features    Concept    History
Library     Formats    Guest Testimonials    Client Testimonials    Experts    Search
News Wire
     Join    Why Sponsor     Tell-A-Friend     Contact The Business Forum

The Business Forum

Beverly Hills, California United States of America

Email:  [email protected]

Graphics by DawsonDesign


© Copyright The Business Forum Institute 1982 - 2009  All rights reserved.