Protecting Customer Provided Information

Protecting customer provided information is crucial to the success of the organization. In order to maintain existing customers and attract new ones, firms must have a strategy to safeguard the information that the customers provide. The burden of responsibility is on the shoulders of the firm. The firm that demonstrates value to the customer and provides the most cost effective means of doing so will win in the competitive market.

Aligning Assurance Requirements, Countermeasures, and Business

The latest year-end statistics from the highly regarded CERT Coordination Center (CERT-CC) at Carnegie Mellon University once again demonstrate that there is little evidence of improvement in information assurance. The number of incidents reported to CERT-CC once again nearly doubled from the previous year, and for the first time exceeded the six-figure mark at 137,529 for 2003 (CERT, 2004).

Architecture Issues

This chapter is focused on building the information architecture: what is important to consider, how to align the security, application and infrastructure architectures for maximum benefit, constructing multiple protection barriers, determining internal security threats and performing disaster planning in worst case scenarios.

Executive Overview

The convergence of many interdependent events, including the expansion of unprotected Internet connected applications, the global war on international terrorism and the large financial impacts of information and identity theft, has made IT security a core element of most corporate and government IT plans. During 2003, two examples illustrate the scope and cost of the security problem: Cyber attacks increased 40% in the first three quarters of the year, and the cost of cleaning up multiple worm and virus attacks during the summer cost $3.5 billion, according to the CERT Coordination Center, a cyber security-monitoring agency. Interwoven with capacity, performance and reliability factors, internal security strategies have expanded past keeping external hackers and crackers out to authenticating users through biometric and other factors, tracking authorized access inside firewalls by system users, and forensic analysis of destructive software. Given the economic con- straints placed on business expenses, however, these efforts have often been too little, too late to stop determined individuals from gaining access to information assets. Adding to the technical complexity of security are legal issues concerning user privacy, liability issues for not preventing the theft of customer records and identities, and government compliance with HIPAA, GLBA, FCRA, NORPDA, PIPEDA, SAFETY, Sarbanes- Oxley, and the U.S. Patriot Act regulations. Overlaying proactive longterm plans and operations are immediate reactive limitation activities to network and system-wide attacks caused by malicious software (also called “malware”) such as worms, viruses, Trojan horses and zombies. As technology reliability has moved user expectations to a 24×7 availability level, the level of management complexity associated with that degree of service has required larger equipment investments, more staffing, and increased awareness of the consequences of each decision made concerning IT security. By default, IT managers and executives have been forced to become experts — with associated responsibilities — on many different topics outside the traditional IT community.

Global IT Risk Management Strategies

This chapter describes why it is important for organizations to develop and implement an IT risk management function and use best practice risk assessment methodologies that provide a standard to measure and assess risk within organizations. Information technology risk management is a significant new function that can help companies achieve world class IT service. IT risk management includes regulatory compliance, information security, disaster recovery, and project risks. IT risk management should be part of a company’s risk management strategy on an equal footing with financial risk management and reputational risk management. As the complexity of IT infrastructures increases and as businesses continue to rely upon the Internet as the communication backbone for e-business, the associated risks increase. For these reasons, deciding upon and implementing a risk management process and a standard methodology will greatly reduce the risks associated with the introduction of new technologies that support the mission of the business.

Wireless Information Security

The proliferation of wireless local area networks in the enterprise and home domains has increased dramatically within the past several years as the 802.11b protocol has emerged as the standard of choice for wireless communication (Al-Saleh, 2002). A host of wireless networking products is now available to complete your home or enterprise wireless network. Since 2001, the product selection for the home user has multiplied ten-fold since that time. There are entire sections of the consumer electronics dedicated to the sale of products for the small office/home office (SOHO).