How strong is your safety net?
* "Our company is too small to have technology security breaches. Only big companies need to worry about that."
* "We must focus all of our security efforts on keeping out hackers."
* "All information security violations are intentional."
* "We don't have the technical sophistication or the resources to address technology controls adequately."
* "Systems security and reliability are two separate issues."
The answers? All false, says Barbara Bashein, assistant professor at the College of Business Administration at California State University in San Marcos, Calif. She's one of the authors of Meeting the Control Challenges of New Information Technologies, a soon-to-be-published Financial Executives Research Foundation study. Bashein maintains these five misconceptions are widespread in Corporate America and leave companies vulnerable to internal and external security breaches, whether intentional or unintentional. "For example, one survey found that more than 70 percent of the responding companies had lost work hours because of a computer virus," she reports.
FERF's study, co-authored by Bashein; M. Lynne Markus, professor of information science at The Claremont Graduate School in Claremont, Calif.; and Jane B. Finley, assistant professor of accounting at Belmont University in Nashville, Tenn., aims to dispel the notion that "it can't happen to us" and to demonstrate, through five case-study companies, that it's possible to implement effective, inexpensive control measures, Bashein says. All the companies (American Standard, BankAmerica, Microsoft, Norell and USAA) consider technology controls a serious business strategy issue, Bashein notes, and all have multiple safety nets, with social controls - that is, peer pressure from other employees to behave responsibly and take good security precautions - as the last line of defense. These safety nets include written procedures and guidelines, training on security issues and written contracts with employees specifying what they can and can't do.
At USAA, for example, employees are prohibited from browsing the customer database. Automated controls alert management that the individual is in forbidden territory. USAA employees also must log off their computers whenever they go on a break, and to prevent computer viruses, they aren't allowed to bring diskettes from home. To reinforce this behavior, the company allows employees who want to do homework or civic and charitable activities on their lunch hour to use stand-alone systems on its premises (with prior company approval).
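The "automated controls" described above are, in practice, a review of database access logs against each employee's assigned work. The following is an added illustration, not code from the article or from USAA: it parses a constructed access log, flags views of customer records outside an employee's assignment list, and separately flags a burst of many distinct records in a short window, which is what browsing looks like even when every individual record happens to be in scope. The log format, the employee and customer identifiers, the assignment table and the one-minute/five-record thresholds are all assumptions made for the example.

```python
"""Added example (not from the article): flag customer-database browsing
outside an employee's assigned scope. Log format, identifiers, assignment
table and thresholds are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed assignment table: which customer accounts each employee services.
ASSIGNMENTS = {
    "emp001": {"C-1001", "C-1002", "C-1003"},
    "emp002": {"C-2001"},
}

# Constructed access-log lines: timestamp, employee id, action, customer id.
SAMPLE_LOG = """\
1997-03-01T09:00:12 emp001 VIEW C-1001
1997-03-01T09:01:40 emp001 VIEW C-1002
1997-03-01T09:02:05 emp001 VIEW C-9999
1997-03-01T09:02:30 emp002 VIEW C-2001
1997-03-01T09:02:45 emp002 VIEW C-3001
1997-03-01T09:02:50 emp002 VIEW C-3002
1997-03-01T09:02:55 emp002 VIEW C-3003
1997-03-01T09:03:00 emp002 VIEW C-3004
1997-03-01T09:03:05 emp002 VIEW C-3005
"""


def parse_log(text):
    """Turn the constructed log text into a list of dicts, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, employee, action, customer = line.split()
        entries.append({
            "time": datetime.fromisoformat(ts),
            "employee": employee,
            "action": action,
            "customer": customer,
        })
    return entries


def out_of_scope(entries, assignments):
    """Return (employee, customer) pairs where the record is not assigned to the employee."""
    return [
        (e["employee"], e["customer"])
        for e in entries
        if e["customer"] not in assignments.get(e["employee"], set())
    ]


def peak_distinct_customers(entries, window=timedelta(minutes=1)):
    """For each employee, the largest number of distinct customers viewed
    within any sliding window of the given length (brute-force, fine for a review job)."""
    by_employee = {}
    for e in entries:
        by_employee.setdefault(e["employee"], []).append(e)
    peaks = {}
    for employee, items in by_employee.items():
        items.sort(key=lambda e: e["time"])
        best = 0
        for i, start in enumerate(items):
            seen = set()
            for e in items[i:]:
                if e["time"] - start["time"] > window:
                    break
                seen.add(e["customer"])
            best = max(best, len(seen))
        peaks[employee] = best
    return peaks


def alerts(text, assignments, window=timedelta(minutes=1), threshold=5):
    """Combine both checks into the list of alert strings management would see."""
    entries = parse_log(text)
    found = [
        f"out of scope: {employee} viewed {customer}"
        for employee, customer in out_of_scope(entries, assignments)
    ]
    for employee, peak in peak_distinct_customers(entries, window).items():
        if peak >= threshold:
            found.append(
                f"browsing burst: {employee} viewed {peak} distinct customers within {window}"
            )
    return found


if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG, ASSIGNMENTS):
        print(alert)
```

On the constructed sample, emp001 is flagged once for a single record outside its assignment, while emp002 is flagged both for five out-of-scope records and for a browsing burst. The second check matters because a scope list is never perfectly current; a sudden sweep through many records is the signal a reviewer wants even when no single access is clearly forbidden.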
And American Standard, Microsoft and Norell have all addressed operational risk by carefully staging their rollout of new client-server systems, Bashein reveals. At each company, the new applications were installed in one function or location at a time, allowing the company to ensure the new systems were operating properly before it went on to the next. "This also enabled American Standard, Microsoft and Norell to determine whether their new installations affected systems performance in the areas already operating in the client-server environment," Bashein observes.
How does this need for adequate control of technology mesh with companies' visions of empowered employees? "It's a tightrope walk," Bashein acknowledges. "You don't want controls that are so rigid they discourage initiative and creativity. That's why having numerous safety nets, rather than a solid wall that keeps everybody out, makes the most sense. This also shows why it's so important to make social controls the final tier."
Title Annotation: information technology controls
Date: Mar 1, 1997