
The Dos and Don'ts of DISE.

WHEN THEY ARRIVED ON THE market, PCs started a revolution. Nontechnical users gained direct access to computers. Local area networks (LANs) and client/server applications also added resource sharing and communications to the PC's power. The combination of these developments has changed the nature of electronic data processing and significantly affected information security.

The current economic climate is forcing all businesses to reexamine their information systems (IS) expenses. A cost-cutting solution often involves creating a distributed information system environment (DISE). A DISE is an information system spread across more than one physical location. Each location carries out an IS activity, and operational communications links connect it with the other sites.

Cost control is not the only factor. Today, users have a more sophisticated understanding of IS. They demand better functionality from systems. But with these extra functions come higher risks for companies using a DISE. Companies must have the knowledge and controls to prevent loss through error, fraud, and disaster.

Preventing such losses imposes wide-ranging administrative requirements and demands greater technical expertise than in the past. Training and security awareness in IS have therefore become critical.

It is difficult to get a clear picture of the problem. Companies are understandably reluctant to admit a lack of security, but those without policies and procedures to protect against error, fraud, and disaster expose themselves to these risks.

Companies must first be able to evaluate the risks to their information. Most, however, lack staff with the necessary understanding of how new technology impacts their businesses, and the high rate of development makes it difficult for companies to keep up with these changes.

Companies also lack formal procedures for developing, issuing, implementing, and reviewing security policies and procedures. This can mean their approaches will be inconsistent and security will deteriorate.

Another essential ingredient in creating effective policies is commitment from senior management. Commitment is necessary not only in implementing policies but also in establishing the consequences of failure to comply.

For the best protection, managers should share policies with all employees and continuously monitor compliance. Policies need to remain in step with practical situations and be effective. Suggestions should be heard from all sites, not just from headquarters.

SECURITY STARTS WITH HIRING THE BEST personnel. Companies often overlook recruitment as part of the security process. Hiring the wrong people can cause as many problems as not hiring enough people.

Preemployment screening and psychological testing for staff recruitment is on the rise. These techniques can appear excessive and intrusive, but they may help a company avoid future problems.

Effective IS professionals, particularly those with security experience, are rare. As a result, it is difficult to find the right people to set up training programs. One way around this problem is to establish a permanent training and recruitment program for IS security. This way a company does not lose its best people to other firms.

The first step in assigning IS security responsibilities is to establish a company policy defining the required level of security. Senior management should perform this task. The head of IS security should help formulate the policy. His or her mandate should also be defined at the same time. This clearly defines responsibility at the top level.

Management should look at IS security as a priority function and employ staff of the appropriate caliber. Staff must have the necessary technical expertise to understand and evaluate new systems in terms of IS security. They should also be able to formulate and implement cost-effective solutions.

The next step in formulating an IS security plan is for the security staff and IS users to coordinate security measures. Allowing each unit in a DISE to decide its own security arrangements without reference to a coordinating body can lead to inconsistent security procedures. Coordination of the development, distribution, and review of security standards allows organizations to maintain high quality.

A coordinating body should be formed and charged with overseeing security. It should collect and maintain a data base of security information and investigate and recommend security equipment to all sites. Centralized purchasing also lets the company obtain volume discounts.

The coordinating body should not only be concerned with equipment but also with data security. It is of critical importance in a DISE. Moving sensitive data safely within an organization and storing it securely is a central requirement of IS security.

Products designed for DISE configurations are now being marketed. They are not yet perfect, but these systems will become more effective over the next few years. In the meantime, strong manual procedures must compensate for weaknesses in the access control systems.

A good IS security plan also looks at the big picture. Recovery from a computer fraud or a security breach is difficult and expensive no matter how well prepared a company is. Without a structured disaster recovery plan that includes action plans, written procedures, and assigned responsibilities, companies risk chaos, ineffective recovery, loss of funds, and irreparable damage to business.

A coordinated and integrated recovery plan for all segments of business should be formulated. This makes it possible for a company to resume operations after a disaster.

Planning is one of the keys to success, but effective security is only possible when people are aware of the risks. Employees must be trained in security awareness so that they do not overlook or ignore risk situations.

Several companies have established a formal system for collecting comments and suggestions from staff. Particularly valuable are suggestions from nonexpert staff and non-IS security management.

These people have to live with the rules that the IS security people develop. They can help create workable security initiatives that are cost- and staff effective and not disruptive to the daily work flow.

Responses from employees allow the company to gauge whether its awareness measures work. Promoting security awareness requires using all available media. It is not enough to send an occasional memo to staff telling them to comply with security regulations. Security lessons need to be repeated to keep the staff aware; this applies to IS security as well.

WHAT DOES THE FUTURE HOLD FOR A DISE? One safe prediction is that PCs will continue to develop. Work on the human/machine interface did not end with the windows/mouse idea. Current research includes object-oriented design. This is still a new approach to the design and construction of computer systems. It is gaining acceptance, however, as the most logical approach for windowed applications.

One of the developmental trends is learning programs. These are applications that include elements of self-programming so the programs can adapt their operations in response to input.

Also, the field of virtual reality (VR) will probably start influencing DISE. VR is a technique of projecting a computer-generated landscape via specially designed goggles. The operators of the system feel they are in another world. They can walk around a projected landscape as if it were real.

Besides wearing goggles, each operator of a system also wears special gloves with built-in sensors; the computer detects the operator's hand movements and creates a real-time image of a hand. This image then interacts with the generated scene.

At present, this technique requires enormous computer power and speed. But VR will have a major impact on IS in the next few years. As processor development continues, VR applications will achieve the necessary speed and flexibility for widespread acceptance in the industry.

Many data analysts are studying ways of representing large quantities of data visually. It is no use displaying millions of similar numbers on a spreadsheet. The human brain is not capable of seeing trends or drawing conclusions from bare figures alone; it is, however, good at detecting variations in a pattern.

Normal graphs are not always effective for representing complex data. Other methods, such as three-dimensional modeling, varying sound according to data values, and other techniques are being examined. These techniques take advantage of the eye's ability to detect small irregularities in a surface and the ear's ability to detect small changes in a sound.

Security facilities may begin to include photographs of staff and voice prints. Retinal scanning may also be widely used, as well as a data base of past incidents. The PC will allow access to and monitoring of all this information. The security system will analyze the data on the data base and predict likely areas of attack and suggest countermeasures.

DISEs will spread to include public data bases, service organizations, and trading markets. In this way all DISEs will eventually interconnect. This web of connections represents the largest future risk for DISEs.

Considerable resources must be used to develop the necessary security systems. These systems may have to be integrated with learning programs that will reprogram themselves to meet external attacks.

In the end, effective security in a DISE, or any environment, relies on the quality of the staff. It relies on their commitment to security and their awareness of security requirements.

Sohail A. Syed is an independent consultant in London and Mark S. Totton is information technology security advisor for KPMG Peat Marwick in Oslo, Norway.
COPYRIGHT 1992 American Society for Industrial Security

Article Details
Title Annotation:distributed information system environment
Author:Syed, Sohail A.; Totton, Mark S.
Publication:Security Management
Date:Sep 1, 1992