Automating security. (Security).


As a Finance Director, I have a legal duty to ensure that my organisation is financially viable, and the Treasurer of a Local Authority has a similar legal duty. Our financial system(s) enables me to monitor our financial position and manipulate the data to provide reports and "What If" analysis of the figures, but that is secondary to being able to ensure that invoices go out on time and cash flow is monitored.

Everyone thinks that the part they play in an organisation is important and they are right, but "Cash is King". If we have no money, no one gets paid and the organisation goes into receivership.

What does basic economics have to do with ICT security, you ask? Well what do you think would be the impact on the finances of an organisation, which could not access its customer database, or had its financial data distorted? How successful would your product launch be if your presentation was known to your competitors in advance?

It could be a case of front-page headlines for a public sector organisation that was unable to keep personal details safe and secure.

With an ever-increasing service knowledge sector, it is not necessarily what you physically make in a factory that counts, it's what you do with the information you own and produce that brings in the revenue. If you lose control of that data, you lose your business.

The damage may not be immediately visible, nor can you often quantify the loss (you need the computer system to do that), but it will be real, all the same. The real question is what could the potential damage be:

* A drop in your share price,

* Loss of customer / client confidence,

* Unwillingness for business partners to share confidential information in future.

* A reputation for incompetence at best and a prosecution / fine / legal action at worst.

* Inability to identify creditors and debtors.

* Loss of business to competitors.

Traditionally when investing in security, intangible benefits (often difficult to measure in financial terms) far outweigh the tangible benefits (easier to measure in terms of cost savings).

This causes Finance Directors difficulties, as they are trained to look for cost justification prior to committing a budget.

(How many times has the Head of ICT promised savings from new computer systems that somehow never appear?) Typically their focus is on `financial audits', revenue growth and cost reduction, plus a fiduciary duty to protect the assets of the company. The `financial audit' is used to provide a company with a clean bill of health i.e. there is a high level of integrity in the primary books and records. However, these audits rarely highlight the potential security threats to a company. Most internal security audits are `snapshot audits' at infrequent intervals, which usually involve an auditor going around with a tick list.

Do you use passwords to restrict access? Yes? Oh good, another tick. However, how do you know that they are changed every month, as per the organisation's security policy?

Automating Security

What is needed for audits to be effective, and add value to a business, is a system that provides a recurrent automated proactive process that supplies `real time' information, enabling corrective action to be taken before something goes wrong.

The tendency of Finance Directors is to prioritise spend based on Return on Investment (ROI). This spend must provide direct quantifiable impact by either increasing revenues or containing costs.

How much of a budget should be allocated to investing in an automated security system?

Whilst automating business processes via technology is widely used to reduce the cost base of a company, automating the security processes that protect the ICT should also demonstrate cost savings.

As an illustration, consider the rapid ROI that can be gained with password management.

As reported by Gartner, 40% of all help-desk calls are password related, while the Meta Group have estimated the average calls to a help desk are 1.75 calls per user per month at an estimated cost of 27 euros per call.

Therefore, for a company with 1,000 employees, the cost alone to reset passwords for employees who have forgotten theirs is £144,000 per year.

An automated tool that can assist employees in resetting their own passwords, without Help Desk involvement, would show immediate cost savings and increase productivity levels.

In a recent survey conducted by Infosecurity Europe, PentaSafe and humanfirewall.org, 75% of commuters at Victoria Station freely gave out their passwords and 54% said they would download competitive information to take with them to their next job.

This demonstrates how critical it is to instill in staff the importance of protecting company information from unscrupulous employees. The only way this can be achieved is by ensuring employees are educated on the security policies relevant to their job function within the company. Without an automated tool to perform this role, it is a logistical nightmare to ensure education on policies. An automated tool can enable employees to read and understand policies, via an internal website, which also enables them to take related quizzes.

The scores attained could be centrally collated to monitor the level of understanding within the company and to identify training needs.

Real-life experience has shown that the cost for a medium-size company to develop a comprehensive set of policies adapted by job function, including communication to staff and ensuring their understanding, is in the region of £160,000 to £320,000.

An automated policy management tool could reduce this cost by 50%, including the cost of the tool of £16,000 to £32,000.

The above scenarios only relate to tangible costs. Intangible costs could be anything from disgruntled employees damaging systems to the possible implications of industrial espionage.

It has been estimated that the intangible costs of not having adequate security would be at least 10 times the tangible costs.

It needs to be highlighted that it is not just the Finance Director's responsibility, but also the responsibility of the entire board to provide adequate security to safeguard the assets of a company/organisation.

Most companies rarely have a separately identified security budget, having an overall IT budget, which is typically spent on tangible Hardware/Software/Telecommunications. Often security tends to get dropped off or fall to the bottom of the list.

It is essential that security is given the right focus and has an appropriate budget allocated to it.

Remember, I am working on the premise that the budget can be funded, after the initial period of investment, by transferring money from savings on the Help Desk budget, etc. Though I may understand the benefits and importance of ICT security, I am still the Finance Director! www.pentasafe.com
COPYRIGHT 2002 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2002, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:Rasiah, Sri
Publication:Database and Network Journal
Date:Dec 1, 2002
Words:1127