Safe from prying eyes.

Sensitive data in any business has to be kept secret. Effectively managing that data and keeping it secure requires constant vigilance. Royal LePage has a way to do this that makes the company, and its clients, feel a lot safer.

Buying products online and sending sensitive material through email have become more commonplace, but they still elicit a nervous twinge in most people. You wonder how secure the information is, who's going to see it and how great is the threat of it getting into the wrong hands.

Paul Vendittelli, CMA, contemplates these problems every day. His job, as the vice-president and CIO of Royal LePage Real Estate Services, is to maintain an innovative Web strategy that is both highly functional and very secure. The task makes him philosophical about security. The practical questions he has to address are many and varied: How much security is enough for a system? How do you test the security? How do you maintain it? These are the practical applications that Vendittelli's teams take care of on a day-to-day basis. The philosophical question that vexes him is, where does it end?

Royal LePage has built up its Web capabilities rapidly in the past five years. With the second busiest residential brokerage site in North America, it boasts more than 200 million hits and a half million unique visitors every month. For the casual visitor it will even map out the location of houses with a GIS system. It was also the first in Canada to run virtual tours of its properties online. For the past six years, Vendittelli has been part of a team pushing Royal LePage into the technology forefront -- a mission that the executive considers a crucial, central element of their business. "We want to make sure our agents are the most advanced out there," Vendittelli insists.

Royal LePage is involved in much more than just residential real estate.
Vendittelli also has the mandate to secure all the Web services that the company uses in its relocation division. The division's name doesn't capture the immensity of the undertaking. Fortune 500 clients and government departments depend on Royal LePage to relocate their top execs. This means helping employees sell their houses, buy new ones, assist in the relocation, manage the legal work, appraisals, and mortgages. The security models have grown more sophisticated to handle this vast amount of sensitive information.

"We assign consultants to do the legwork, get the equity from the old house, deal with the tax implications, etc.," explains Vendittelli. "We manage the money to buy the new house and all of the interim steps involved in a move. At the end of the process, the corporate client gets one bill for all of these services."

Audit trail

His client list doesn't allow him to play any guesswork with security. "Clients have varying demands for security, so we have to set the bar very high," he notes. "You can lose large, valuable contracts if you don't have a good enough security system. These are companies with enormous resources and they don't want to leave anything to chance. Some audit our security system as well, to make sure we have all they need."

Security audits are one of the cornerstones of Vendittelli's approach to system security. Royal LePage maintains an internal audit department that does security and network audits. While these are very beneficial, and keep most things in check, it also uses outside experts. There's an annual third party audit of the overall network, and specific checks are made on all new Web-based initiatives. "Probably every quarter we introduce one significant new Web initiative," he notes.

"You put anything out on a Web site and you will get hacked," warns Vendittelli. "It may not be a targeted attack -- a lot of people are hacking to see what sites they can get into, just surfing through.
But there are instances where people will purposely deface your site. As new sites go up, hackers go to them." These threats can come from anywhere.

A security audit helps to reassure clients of the security of a site. The audit includes an ethical hack. Essentially this involves having a third party attack your system with as much vigor as any external hacker would. A consultant that does an ethical hack gives a written assurance that the system is secure.

Vendittelli has worked with three different audit companies in the three years since Royal LePage mandated security audits and has finally found a company that he's happy with. "When you hire a security audit company, it's basically like giving someone the keys to your home," he explains. "You're dealing in a rather shadowy world, and you have to trust these people 100%, and be perfectly certain of their credentials. The first company that we hired just couldn't give us that assurance.

"The second consultant we worked with was an expert on the topic and was quite good, but was very expensive. And he was strictly an auditor, whereas we needed someone with broader consulting skills.

"The company we're with now gives us a broader offering, issues written opinions and has a brand name attached to it."

The consultant of choice was DMR Consulting, recently renamed Fujitsu Consulting, to better reflect its long association with the corporation. Fujitsu has a three-phase process for the security audits it does of Royal LePage's systems. In the first phase, the company's Toronto-based team of consultants critiques Royal LePage's security. In the second phase, Vendittelli and his colleagues review the critique and decide which issues they will address. "This is the hard part," he says. "We want to improve our security but we may not want to jeopardize the functionality of the system. It's a very tough trade-off. Generally we err on the side of more secure.
For instance, it may be easier if a client can use a simple password to gain access to their critical information. But we insist that they have a more complicated combination of characters and letters, for security. Passwords and IDs can't be English words. Some people are turned off by this, but it's the way the world is moving." Vendittelli does note, of course, that the level of these precautions depends on the sensitivity of the information at risk.

For the third phase of the audit, consultants from Fujitsu's Ottawa office conduct the ethical hack. Without knowing anything about the earlier two phases of the project, these consultants test the strength of the system.

Security best practices

Paul Lewis, associate director of security, privacy and technical risk at Fujitsu Consulting in Toronto, insists that the ethical hack is really the least critical of all of the processes that they manage. "We follow ISO 17799, Information Security Management Best Practices, to help manage security better," he notes. "The ethical hack is a good diagnostic, but we also like to review a company's IT security management processes.

"Companies need to have a good security management process in place. That's why you are now seeing more corporate security officers (CSOs) and the use of ISO processes. Business continuity systems need to be strong enough to survive any threat."

The critical question Lewis asks his clients is, "If you fell victim to an intrusion, how long do you have to manage the process before it affects you?" It's critical to manage and avoid problems, which means a lot of people should be dusting off their Y2K continuity plans and making sure they're up to snuff. "With the Web, this has become something that has to be managed more actively," Lewis insists.

Vendittelli keeps a close and constant eye on Royal LePage's security concerns.
He employs one security officer who monitors the system full time, updating virus software daily and scanning all email -- inbound and outbound -- for viruses. He also manages the IT preparations for the annual audits. "The audits are a great way to keep the IT department on top of security operations," says Vendittelli. "If you let them know that they'll be hacked, they become part of the process and are much more motivated to do the extra work involved."

As Vendittelli points out, Fujitsu comes with a name that his clients recognize -- a strong brand. The organization is a large one as well: 9,000 people worldwide, six or seven consulting specialties and representation in most major Canadian cities. Currently Lewis manages 20 people in the Toronto office. The company also benefits from having managed security concerns for 25 years. By the time ethical hacking became an imperative, they had many seasoned professionals who knew the ins and outs of network vulnerabilities. No need to resort to hiring ex-hackers with dubious pasts.

Lewis is the first to admit that his work can't guarantee security. "It is so easy to share the vulnerabilities of a system," he notes. "More and more companies are using systems for critical applications, and the sheer number of people with the skills to affect systems puts them at greater risk." Lewis' job is to make the best effort at establishing best practices.

The question that Vendittelli asks, and the rest of us may also wonder, is where does it end? "It's like an arms race, trying to stay in step with the hackers. A port scan is the simplest security provision you can run, which will cost you around $2,000 or less," Vendittelli says. "But then you add intrusion detection systems to let you know if you are being hacked, and eventually you're doing a full audit and constantly adding barriers. It's costing us hundreds of thousands of dollars, but is it doing what you need it to? What is ever enough?"
RELATED ARTICLE: Privacy Protection

New privacy laws are going to put more pressure on companies to manage clients' sensitive information securely as well. Bill C-6, the Personal Information Protection and Electronic Documents Act, as well as a raft of new provincial legislation, changes the nature of how companies are allowed to handle critical client information. Bill C-6 requires an individual's consent before personal information is collected or disseminated to a third party. It also requires that companies disclose how the collected information will be used and it limits the use of the information to the purposes identified. The hope is that this will reduce consumers' fears about conducting transactions online.

Companies will have to be able to secure, dispose of and disseminate this information in a controlled manner. They will also have to be sure that they can respond promptly to freedom of information requests. Although the federal legislation will not affect everyone until January 1, 2004 (provincial legislation will likely hit home sooner), Paul Lewis, associate director of security, privacy and technical risk at Fujitsu Consulting, insists that it's best that companies build it into their operations sooner rather than later. "The cost of reverse engineering is significant," he points out. What's certain is that those who deal with these issues sooner rather than later will give themselves an edge in the marketplace.