The Statement

Technology safety in post-Sept. 11 times

NOTE: Chaim Yudkowsky, CPA, CITP, is an MACPA member and chief information officer at Textilease Corp., a uniform and first aid services company serving the Southeast.

By Chaim Yudkowsky, CPA, CITP

"Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing."

Helen Keller, a woman who courageously faced disabilities and succeeded, warned of trying to create too much of a cocoon to protect oneself from the dangers of life. Still, in the aftermath of Sept. 11, we as managers have responsibilities to enhance and increase the personal safety of our employees and physical safety of our corporate assets. Thus, it is no surprise that security is experiencing more interest.

In information technology alone, significant growth is expected. IDC predicts that "fear of cyberterrorism and viruses will help the security-software market grow 18 percent." This is but one aspect of the new areas of attention that we are seeing within corporate IT.

Risk

The first step in addressing any problem is awareness. To address the problem of security, we must first become aware of risk.

Recently, I was privileged to hear Patrick McBride of Meta Secur e-COM Solutions speak about security. McBride's definition of risk is an equation: Risk is equal to threats times vulnerabilities times asset value.

Let's discuss McBride's variables:

  • Threats are people. While we can create disincentives like "you will get fired if …", this is the variable we can least manage or predict.
  • Vulnerabilities are the weaknesses that make a successful event likely. With this variable, the operative question is, "Who will notice if ...?" This is the variable we can manage most.
  • Asset value is the economic value and human effect of the data. This variable is what it is.
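To make McBride's equation concrete, here is an added example (not from the article or from McBride) that scores a constructed asset inventory with risk = threats × vulnerabilities × asset value, ranks the assets, and shows how much risk disappears when the one variable we can manage most, vulnerability, is reduced. The asset names, probabilities and dollar values are hypothetical.

```python
# Added example: McBride's risk equation over a constructed asset inventory.
# risk = threats * vulnerabilities * asset value
# Threat and vulnerability are expressed as likelihoods in [0, 1]; value in dollars.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    threat: float          # likelihood someone tries: 0.0 (nobody cares) to 1.0 (certain)
    vulnerability: float   # likelihood an attempt succeeds unnoticed: 0.0 to 1.0
    value: float           # economic value plus human effect, in dollars (constructed)


# Constructed inventory; every figure here is hypothetical.
INVENTORY = [
    Asset("customer credit-card file", threat=0.9, vulnerability=0.3, value=2_000_000),
    Asset("vendor list", threat=0.4, vulnerability=0.8, value=150_000),
    Asset("payroll / health records", threat=0.6, vulnerability=0.6, value=800_000),
    Asset("cafeteria menu", threat=0.2, vulnerability=0.9, value=100),
]


def risk(asset: Asset) -> float:
    """McBride's equation: risk = threats * vulnerabilities * asset value."""
    return asset.threat * asset.vulnerability * asset.value


def ranked(assets):
    """Assets ordered from highest to lowest risk, as (name, risk) pairs."""
    return sorted(((a.name, risk(a)) for a in assets), key=lambda p: p[1], reverse=True)


def risk_reduction(asset: Asset, new_vulnerability: float) -> float:
    """Dollar risk removed by lowering only the vulnerability term.

    Threat and value are held constant, since the article treats those as
    unmanageable or fixed; the new vulnerability may not exceed the current one.
    """
    if not 0.0 <= new_vulnerability <= asset.vulnerability:
        raise ValueError("new vulnerability must be within [0, current vulnerability]")
    mitigated = Asset(asset.name, asset.threat, new_vulnerability, asset.value)
    return risk(asset) - risk(mitigated)


if __name__ == "__main__":
    for name, r in ranked(INVENTORY):
        print(f"{name:28s} risk = ${r:,.0f}")
    top = INVENTORY[0]
    print(f"Halving the vulnerability of {top.name!r} removes "
          f"${risk_reduction(top, 0.15):,.0f} of risk")
```

Note what the ranking shows: the vendor list is the most vulnerable asset, yet the well-protected credit-card file still carries more than ten times its risk, because the equation multiplies by value. Mitigation effort should follow the product, not the single worst factor.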

Goals in IT security

After developing an awareness of the risk, we need IT security goals. Because much of IT is abstract, we need this context to understand why we need IT security.

Goals include:

  • Confidentiality. We do not want credit card or personal health information open to the public. Similarly, we do not want our financial information or even transaction history available.
  • Possession. Keeping information private is usually not enough. We want to limit who has access to information and where it resides. With portability and miniaturization of storage devices, often we do not know where or how many places our customer or vendor lists reside.
  • Availability and utility. Data that sit in a guarded vault with no digital access points are useless for anything. Businesses are not (or at least should not be) collecting data for collection's sake. The reason we create these repositories is for them to be available. There is a purpose for them, and we must not hamper their usefulness.
  • Non-repudiation. With the advent of transactions that are nearly entirely digital, we must have a way to make sure we can rely on the veracity and integrity of transactions and electronic events. This includes who was involved in them and when they occurred.
  • Auditable data. Over the last 20 years, we have significantly more data around and about our businesses than ever. If we are progressing, we are trying to use these data to create information that can be dissected in detail, to understand its meaning. But this requires not only all of the above goals, but a way of verifying the truth of the data analyzed after-the-fact.

How to do it

All security, including IT security, is a process. McBride simplifies the process to a few steps that will work for any security program. I have added to his list.

  1. Identify security vulnerabilities.
  2. Map all system connectivity.
  3. Define and enforce a security policy. (Do you have a security policy beyond e-mail usage?)
  4. Educate users and management about IT security.
  5. Configure security devices.
  6. Hire experts to teach you, or to do more than teach. (Outsource management?)
  7. Baseline all system activities.
  8. Refine security policy and develop alarms.

While this list is short and general, it encompasses a lot of work within your organization. To help you begin, let's examine some common areas of vulnerability:

  • Remote access for mobile users and telecommuting users. According to one survey, 75 percent were vulnerable to Internet attack and 65 percent were vulnerable to dial-in attack. A point to think about: Does your IT department know all of the phone lines and pcAnywhere users in your organization?
  • Firewall. Patch management of fixes to discovered holes in firewall software, improper setup configuration or maintenance, and monitoring for intrusion attempts or denial-of-service attacks can all be challenging. The average IT department needs training on these possibilities for entry by a malcontent.
  • Compliance monitoring of security policies. Especially in more casual business environments, this can be difficult. Internal people present a 100-percent vulnerability!
  • Viruses. Though Computer Economics Inc. is projecting that increased national security is actually dropping the economic impact, viruses pose a significant IT threat at $12.3 billion in 2001. Are you ready?
  • Disaster preparedness. Security is at risk if you are prepared only for the norm and have no fallback when the first plan fails. One component could be described as "carrying on a fault-resolution process after a security breach." What about other crises that do not begin with IT but create new IT security openings?
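Steps 7 and 8 above (baseline all system activities, then develop alarms) and the remote-access bullet are abstract until you see what a baseline looks like. Here is an added example, not from the article or from McBride, that builds a per-user, per-source baseline of daily remote logins from constructed log lines and raises an alarm for any user/source pair never seen before or any pair whose count today exceeds its baseline mean plus two standard deviations. The log format ("day user source"), the user names and the counts are all constructed for illustration.

```python
# Added example: baseline of remote-login activity (step 7) and alarms built on it (step 8).
# Log lines are constructed: "<day> <user> <source>", where source is office or dialin.
import re
from collections import defaultdict
from statistics import mean, pstdev

LINE = re.compile(r"^(?P<day>\w+)\s+(?P<user>\w+)\s+(?P<source>\w+)$")

# Constructed baseline week: one successful login per user per day, except that
# alice logged in twice on Friday.
BASELINE_WEEK = """\
mon alice office
mon bob office
mon carol dialin
tue alice office
tue bob office
tue carol dialin
wed alice office
wed bob office
wed carol dialin
thu alice office
thu bob office
thu carol dialin
fri alice office
fri alice office
fri bob office
fri carol dialin
""".splitlines()

# Constructed "today": alice is busier than usual, bob appears on dial-in for the
# first time, and an unknown user dave dials in.
TODAY = """\
sat alice office
sat alice office
sat alice office
sat bob office
sat bob dialin
sat dave dialin
""".splitlines()


def parse(line):
    """Split one log line into (day, user, source); reject anything malformed."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m["day"], m["user"], m["source"]


def build_baseline(lines):
    """Step 7: daily login counts per (user, source) across every day in the sample.

    A day on which a pair did not appear counts as 0, so a quiet pair gets a low
    mean instead of being silently ignored.
    """
    days = {}                      # insertion-ordered set of days seen
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        day, user, source = parse(line)
        days[day] = None
        counts[(user, source)][day] += 1
    return {pair: [per_day.get(d, 0) for d in days] for pair, per_day in counts.items()}


def alarms(baseline, todays_lines, sigmas=2.0):
    """Step 8: return (user, source, reason) for each pair that deviates from baseline."""
    today = defaultdict(int)
    for line in todays_lines:
        _, user, source = parse(line)
        today[(user, source)] += 1
    raised = []
    for (user, source), n in sorted(today.items()):
        history = baseline.get((user, source))
        if history is None:
            raised.append((user, source, f"{n} login(s) from a user/source pair never seen in baseline"))
            continue
        limit = mean(history) + sigmas * pstdev(history)
        if n > limit:
            raised.append((user, source,
                           f"{n} logins today; baseline mean {mean(history):.1f}, limit {limit:.1f}"))
    return raised


if __name__ == "__main__":
    for user, source, reason in alarms(build_baseline(BASELINE_WEEK), TODAY):
        print(f"ALARM {user}@{source}: {reason}")
```

The "never seen before" rule is what answers the article's question about unknown phone lines and pcAnywhere users: a baseline that records where each person normally connects from will flag the first dial-in from someone who has only ever connected from the office, which a simple threshold on total logins would miss.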

Helen Keller was right: There is no silver bullet that can make life perfectly safe. We can, however, execute a plan to eliminate the most obvious danger. IT must be a vital partner in that plan.
