Module 9: IS operational and security issues


file:///f /Courses/ /CGA/MS2/06course/m09intro.htm

Overview

Firms that make extensive use of information systems must contend with a number of ongoing challenges. Planning for systems, then building and implementing them, accounts for only about 20% of an IS department's budget. Maintaining systems and dealing with ongoing operations reflect the largest expenses of the IS department.

There are many IS operations issues. Strategic planning, data quality, and the management of IS personnel, which relate to ongoing operations, were covered in Module 2. This module focuses on some other important operational and security issues, which can be categorized into three classes:

- structuring of the IS function, particularly the ownership of IS resources
- protecting IS resources from accidental or intentional threats
- addressing ethical challenges associated with IS operations

Topic 9.1 deals with the ownership of resources. Decisions about what functions to outsource, what functions to own, and what kinds of providers to work with when outsourcing are critical to the structuring of the IS function. Not all resources have to be owned by the firm, and making these choices is an important general management role. Topics 9.2 to 9.4 address IS security issues, and Topic 9.5 provides an overview of the issues surrounding the ethics of IS.

This module will help you develop the following professional competencies:

- Advise on the development of IT strategy.
- Prepare and advise on contract structure and enforcement.
- Advise on the financial implications of IT acquisitions and vendor selection, in this case, outsourcing.
- Identify and analyze risk factors.
- Implement and advise on measures to mitigate risk.
- Make recommendations to safeguard IT assets so as to ensure organizational ability to meet business objectives.
- Advise on the development of business continuity planning.
- Make recommendations and develop an IT disaster recovery plan.
- Evaluate and consult on the organization's assurance needs.
- Apply professional ethical standards.
- Assess and advise on the organization's policy of privacy of personal and corporate information.

- 9.1 Outsourcing and outsourcing models
- 9.2 IS security: Threats and vulnerability
- 9.3 Dealing with security issues
- 9.4 Role of auditing in IS security
- 9.5 Ethical issues


file:///f /Courses/ /CGA/MS2/06course/m09t01.htm

9.1 Outsourcing and outsourcing models

Learning objectives

- Evaluate the advantages and disadvantages of outsourcing information systems, and assess different outsourcing models. (Level 1)
- Evaluate the key factors to address when considering an outsourcing arrangement. (Level 1)

Required reading

- Chapter 11, Section 11.4, Technology Issues and Opportunities for Global Value Chains
- Review Chapter 9, Section 9.3, Alternative Systems Development Approaches

LEVEL 1

The text provides a brief overview of the advantages and disadvantages of outsourcing in the context of alternative systems development approaches. Outsourcing is an effective way to provide a portion of a firm's information systems services. Outsourcing can result in lower costs and better performance, if managed well. But managing outsourcing arrangements is complex. It depends more on partnership management than on control, and there are many risks to be considered. Smart planning for outsourcing deals is an important way to improve the chances of productive and profitable relationships.

Activity 9.1-1: Financial systems outsourcing

CGAs with IS expertise have many opportunities in financial systems outsourcing projects. In this episode of Living It, you'll be introduced to a successful CGA practitioner who has made this his focus. (This presentation is approximately eight minutes long.)

What is outsourcing?

Outsourcing is defined as "the practice of contracting computer centre operations, telecommunications networks, or applications development to external vendors." [1] Two aspects of this definition of outsourcing need further explanation.

First, many texts describe outsourcing as an alternative to traditional systems development methods. Yet, to think about outsourcing as a systems development approach puts a great deal of emphasis on applications development while ignoring computer centre operations and telecommunications. Outsourcing is at least as much about the management of the function and dealing with operational issues as it is about systems development.

Second, the definition does not explicitly acknowledge that outsourcing involves contracting for all or part of the functions described. Too many managers think about outsourcing as being about turning over the entire IS function, or at least the vast majority of it, to an external provider. Yet recent research suggests that there are only a handful of total outsourcing deals around the world. The most common paradigm for outsourcing is selective outsourcing.

Outsourcing history

Outsourcing has its historical roots in the timesharing systems of the late 1960s and early 1970s. In the earliest days of corporate computing, hardware was extremely expensive and there were relatively few specialists capable of designing and building systems. Most of the applications were highly structured (for example, payroll and general ledger), and it was common to purchase access to systems through a timesharing firm. For many firms, this was the only way they could ensure reliable processing of business data.

As computer prices dropped dramatically (especially with the development of the minicomputer and then the PC), the financial incentive to pursue timesharing became less potent. Moreover, specialists became more common as educational institutions designed programs to teach them. At the same time, companies began to recognize that there were other things they could do with the information in their systems, things that might be best handled in proprietary ways to provide strategic advantage. The majority of companies began to build their own internal systems, own their own hardware, and control all (or nearly all) aspects of their IS operations.

By the mid-1980s, IS costs were spiralling out of control (according to many senior managers), and it was not clear what benefits were being achieved. A few notable firms (for example, Eastman Kodak and First Fidelity Bancorporation) started to pursue outsourcing of their systems, a new take on timesharing with new partners. One key difference was that the systems being outsourced were not generic applications but those that had previously been considered "strategic" by the firms. The accepted wisdom that you had to own resources that were considered strategic began to be questioned.

Outsourcing models

The following are different models and variations of outsourcing.

The outsourcing market is worth more than $150B annually, with 7% annual growth expected through ... The top three players are still IBM Global Services, HP Enterprise Services, and Accenture, but India-based firms like Infosys Technologies, Tata Consulting and Wipro Technologies are growing at a faster pace and may soon challenge for the top spots.

Traditional outsourcing model

The traditional outsourcing model involves an outsourcing provider who runs custom-designed applications for a firm. The outsourcing provider may maintain specific hardware for that firm or may have multiple firms using the same hardware (for example, a large mainframe running applications for three different firms). Telecommunications connections often include dedicated leased lines to ensure high performance through the network. The outsourcing provider adds value through its expertise, its ability to attract skilled professionals, and the economies of scale that accrue from combining applications on single hardware platforms.

ASP model

Today, outsourcing includes both traditional outsourcing and new models. The application service provider (ASP) model has had a rocky start, but appears to be emerging as a viable option for many firms. In the ASP approach, the provider runs relatively generic applications accessed through the Internet. Firms contracting with ASPs get very little choice in their application design, but can get very low rates for monthly access.

ASP services were initially provided by third-party companies. These organizations would purchase applications from software companies and then offer to own and run them for clients. Many of these early firms struggled financially, and now the ASP market is dominated by software companies who seek alternative ways of marketing their products (such as leasing rather than licensing).

Shared service facilities

Other variations on the outsourcing model are common in web operations. Shared service facilities, where a provider and its customers work as a team in maintaining and operating systems, are used in both traditional data processing and e-commerce.

Because of security concerns, many companies (correctly) want to run their website off computers separate from their in-house production systems. Limiting the points of connectivity between these systems limits the risk of outsiders gaining access to those internal systems. Also, when web operations were first becoming popular, many firms lacked the expertise in developing and managing websites. For both of these reasons, web hosting, which is contracting a company to design and/or operate a website, became a common practice.

Various kinds of hosting facilities exist, ranging from those that only provide a place to store and operate hardware and a connection to the Internet (co-location facilities) to those that provide sophisticated development, implementation, and operational assistance, including performance monitoring, security, and disaster recovery services (shared and dedicated hosting facilities). The difference between shared and dedicated hosting facilities is whether your organization's applications are on a separate server from the other customers of the provider.

Outsourcing in a global marketplace

In the last ten years or so, new competitors in the outsourcing arena have emerged in the developing economies. India represents a key location of outsourcing suppliers, with clients based around the world. Historically, the motivation for offshore outsourcing has been largely financial. Estimates of the wage differential between North America and India suggest it might be five times cheaper to locate IS tasks in India. Even factoring in the so-called "hidden costs" of offshore outsourcing (higher costs of negotiating and monitoring contracts, challenges in dealing with language, and so on), the savings can still be significant.

In a global marketplace, however, chasing the lowest wage rate to gain high savings is ultimately a losing game. As Indian firms have become more globally competitive, their volume of work has increased and their staff needs have increased to the point where there is competition for key talent. As a result, salaries in the sector have increased, and new offshore destinations such as China and Korea have started to develop. Theoretically, over a long period of time, wage rates around the world will even out until there is little wage-rate benefit to any particular location. Indian software firms understand this challenge and have expended significant resources to become more than just a low-cost player. The investment by Indian firms in developing capability maturity model (CMM) certification is one of the means by which they attempt to distinguish themselves as suppliers of choice.

Not all IS jobs are amenable to offshore outsourcing; programming work is easily sent overseas since it can be done reasonably independently from the work of the organization (assuming good specifications are written). But some IS work is tightly coupled with the business processes it supports. The work of business analysts, for example, depends on regular interaction with users. While it is theoretically possible to do this work at a distance using technology-mediated communications, it is practically quite difficult. Interestingly, in some of these areas that are closer to the user, Canada has become an offshore destination for U.S. companies. The practice is referred to as near-shoring. The financial savings are not as great as they would be with offshoring to an emerging economy, but there are benefits in terms of cultural similarity and ease of communication (for example, less significant time zone differences, and more potential for occasional face-to-face interaction).

Outsourcing advantages and disadvantages

Outsourcing offers many advantages to firms that pursue it as an IS management approach. Many risks and limitations are also associated with the approach. These pros and cons must be evaluated for each firm and each task that is considered a candidate for outsourcing.

Advantages

The key advantages of outsourcing can be summarized as follows:

- cost savings through economies of scale and scope
- infusion of cash through liquidation of computer assets
- facilitation of the transition of the data centre from cost centre to profit/loss centre
- ability to rapidly introduce new technology and access IS talent
- focus on core competencies

Cost savings

Cost savings accrue from economies of scale (sharing a large mainframe computer across multiple different clients) and economies of scope (working across a larger range of projects and processes and allowing fixed-cost resources to be spread over more kinds of work). The ability to save costs is a key management motivator for outsourcing and can be a very real benefit. Forrester estimates that firms can save between 12 and 17% of their current IT spending by effectively outsourcing some elements. [2]

Infusion of cash

The infusion of cash that often occurs at the start of an outsourcing deal, when assets are liquidated (often they are sold to the outsourcing provider), is a short-term benefit. On its own, it is a poor reason to pursue a long-term business arrangement such as outsourcing, but it can have a nice effect on the cash balance in the year in which the outsourcing deal is completed.

Cost centre operation

IS departments in organizations tend to operate as cost centres rather than as profit centres (in other words, because they are support services for the organization and do not generate revenue, they are evaluated based on their ability to control costs rather than based on profits). This is fine in principle, but there is a danger that costs will not be managed well enough because there is no revenue or "benefit" figure against which to compare them. Outsourcing arrangements, on the other hand, require an explicit comparison between revenues and costs and can thus result in more efficient operations within the IS function. This seems to be especially true with respect to data centre operations.

Access to new technology and IS talent

The next two benefits of outsourcing come from the expertise developed by the outsourcer. Because these firms are in the business of providing effective and efficient IS services to clients, it is in their business interest to develop deep expertise in technology and its application. An outsourcer may be able to more rapidly develop and implement a new technology. Moreover, outsourcers have better access to new technology and new IS talent because of their focus on IS.

Focus on core competencies

Finally, outsourcing arrangements, by turning over the IS operations to a firm that specializes in those tasks, allow the organization to focus its internal resources on its own core competencies. For most firms, IS is not a core competency. Working in partnership with a firm for whom it is a core competency frees up management attention to focus on other priorities.

Risks and limitations

The critical risks and limitations of outsourcing include:

- loss of direct managerial control
- potential for lock-in (difficulty in reversing the decision)
- dependence on the outsourcer's viability (financial strength, responsiveness, service, and so on)
- diluted strength of in-house staff
- lack of knowledge of the business by the vendor (outsourcer)
- lack of flexibility
- untenable long-term contracts; fixed price versus service trade-off
- requirement for skills in partnership management
- strategic factors

Loss of direct management control

The loss of direct management control concerns many managers. While control does not necessarily result in higher performance (especially when the outsourcer has better expertise and can take advantage of scale or scope economies), the loss of control does necessitate a new way of thinking about how to manage the function.

Potential for lock-in and vendor dependence

Outsourcing arrangements can be difficult to undo once they are started. IT assets have been liquidated, staff have gone to work at the outsourcer or have left altogether, and there is no easy way to get out of the arrangement if things aren't going well. As a result, there is a tendency towards creeping lock-in and dependence on the vendor. The organization's vulnerability increases over time as the arrangement continues, and its bargaining position worsens as its dependence increases.

Viability of the outsourcer

Dependency on the outsourcer plays a role in the ability to negotiate contracts, but it also exposes the organization to the business risks of the outsourcer. What happens if the outsourcer goes bankrupt, as happened to several ASPs in 2001? How will you deal with issues of data and resource ownership and ensure that your systems keep operating? What happens if the outsourcer decides to change its market focus? The outsourcer may continue to provide service, but the expertise you have come to rely on may not be maintained as other options are pursued. Understanding the viability and strategy of your outsourcing partner is a critical element of developing this kind of partnership.

Dilution of in-house IT staff

One of the reasons dependency increases is that the strength of your in-house IS staff is diluted over time. If data centre operations are outsourced, for example, most of your staff in this function will leave. They will either be "acquired" by the outsourcer along with your hardware and software, or they will leave the firm to work elsewhere, voluntarily or not. This is a necessary part of the outsourcing arrangement if cost savings are to be achieved. A small staff may be kept to act as relationship managers with the outsourcer, but the skills required of these employees will be different from those required in the past. As a result, much of your internal technical expertise will vanish. Not only does this decrease your ability to walk away from the arrangement, but it also makes it more difficult to manage the outsourcer, as it now has more expertise than you.

Lack of knowledge of your business

While a key advantage of outsourcing arrangements is the expertise that the outsourcer has in the management of IS, these firms lack detailed knowledge of your business. Because success in IS comes from matching IT opportunities with firm needs, understanding both the technology and the business is necessary. This relates back to the strategic focus of the outsourcer. Companies that specialize in providing services in your industry or related industries likely have a better sense of the issues you will face. Without this expertise, there will be a greater education and communication requirement between the two firms to ensure that needs are understood and met.

Reduced flexibility

If economies of scale and scope are key reasons why outsourcers are able to charge lower prices for the same services, it stands to reason that they will try to limit the options for any one firm to increase similarity across organizations. The result is reduced flexibility in how applications are operated. Flexibility may also be lost in the provision of support services (for example, your help desk operations are merged with the outsourcer's central help desk), the handling of maintenance processes, and in other aspects of IS operations. The importance of this flexibility to the firm must be critically examined to determine whether it is worth the added cost that it usually involves.

Risks of a fixed-price contract

A related issue is the trade-off between fixed-price contracts and fee-for-service contracts, especially when the contracts are long-term. Deciding how to price an outsourcing contract is complex. The organization buying the contract would, ideally, like to have a known price that cannot be easily changed, to protect it from the dependencies described earlier. Many outsourcing contracts are like this. However, if the costs of providing the service turn out to be substantially higher than expected, the outsourcer faced with a fixed-price contract will have little choice but to reduce service levels as much as possible. If such situations are not handled well, there is a risk that the IS operations will not provide adequate support to the business.

Skills in partnership management

Many of these factors point to the need for skills in partnership management in order to make outsourcing work successfully. Dealing with contract issues requires the development of a trusting relationship and a set of mechanisms for determining when the conditions of the contract have changed sufficiently to warrant renegotiation. Dealing with management of the outsourcer, when the resources are outside of your direct control, also requires partnership management skills. This is not really a limitation of outsourcing, but you should realize its importance in dealing with many of the limitations presented.

Strategic factors

A final concern with outsourcing relates to "strategic factors." This broad category refers to the idea that applications and processes that are core to the company may not be best handled by an outsourcer. This is not a simple decision. It may still be that outsourcing is the best approach, even for strategic applications such as supply chain and customer relationship management. The question is whether the way the processes are handled is sufficiently novel to warrant keeping direct control.

ASP advantages and disadvantages

The ASP approach to outsourcing is slightly different from the traditional approach. Along with the general advantages and disadvantages of outsourcing that have already been covered, there are some specific benefits and limitations relevant to the ASP approach.

Advantages of ASP

With the ASP approach, you access applications and data through any web browser worldwide, using a low-cost connection through the Internet. This results in simpler access, which may be particularly valuable to small firms who cannot afford the infrastructure to maintain their own communications platform and to firms with a high number of mobile workers.

The ASP approach is a pay-as-you-use pricing model. Applications are leased rather than licensed. Like traditional outsourcing, this turns capital costs into operating costs. But ASP contracts tend to be much more usage-based than traditional outsourcing contracts. This is valuable to organizations that are growing rapidly, because they often need to buy services now that can be scaled up as additional capacity is needed.

Finally, the ASP approach, relying on relatively more generic implementations of software applications, can result in a much faster implementation time.

Limitations of ASP

The primary limitation of the ASP approach is that the applications tend to be generic because they service so many clients. In fact, the value proposition of the ASP is access to generic applications at a very low cost. However, this limits the flexibility of the firm even more than a traditional outsourcing arrangement and may be unacceptable for organizations with more complex processes.

Performance of an ASP application depends on Internet loading and outages, as well as on the transaction loads of other ASP clients. Finally, ASP applications are susceptible to Internet hackers worldwide. Security challenges must be carefully dealt with.

Negotiating outsourcing contracts

Most of the downsides of outsourcing relate to risk. There is the risk that you will become dependent on an outsourcer who will then take advantage of you, or that you will partner with a company that will subsequently go out of business. You must create an arrangement (that is, select a partner and negotiate a contract) to try to minimize these risks, and thereby maximize the likelihood that the advantages will be obtained. A number of factors have been shown to lead to more successful outsourcing contracts, measured by the degree to which cost savings are realized.

Selective outsourcing arrangements

More successful experiences tend to happen with selective, rather than total, outsourcing arrangements. Selective outsourcing arrangements allow a firm to make function-by-function decisions about which functions to keep in the firm and which to outsource. They also minimize the risks of dependence and staff dilution by keeping a significant amount of functionality in-house.

Involving IS and senior management

Joint decision making by IS management and senior executives about how to implement outsourcing is also important to success, as is the consideration of formal internal and external bids. For many senior managers, outsourcing seems like an easy way to deal with the "problem" that they perceive IS to be. They see spending they don't understand, they hear from a vendor that it can be reduced by 20% or more, and they are tempted to leap at the opportunity to get rid of a headache. Because they think IS will resist, they may not involve senior IS management in the decision making, and they will not allow the internal group to make a competitive bid for services along with outside providers. This lack of trust results in decision making that may ignore critical variables that drive costs and may miss the opportunities to provide performance improvements in other ways. Astute IS managers will not resist selective outsourcing. They will understand it as a viable option for providing some services that can enhance their overall performance and value to the firm.

Contract length

The earliest outsourcing deals were 12 to 15 years in length. It was thought that such long deals were important to ensure that this valuable infrastructure was protected, and not subject to frequent changes. Moreover, longer deals would keep vendors from raising prices as soon as the deal was settled. Today, however, shorter-term contracts (such as seven years) are becoming more common. There is a recognition that too many business variables change over time to make it sensible for either the vendor or the adopter to commit to such a long-term arrangement.

Fee-for-service contracts

Contracts should be detailed fee-for-service contracts as opposed to standard or "loose" contracts. Even though outsourcing involves the creation of a partnership, there must be sufficient detail in the contracts for both parties to feel comfortable with their protections and the inability of their partners to abuse them. Fee-for-service contracts are preferred to fixed-price contracts because they allow changes in service levels (either up or down) to be reflected in the costs. Standard contracts rarely contain sufficient information to handle dispute resolution, and loose contracts leave too much room for interpretation.

Some outsourcers offer value-pricing models. That is, they ask to be compensated based on specifics of performance improvements, in order to create aligned incentives with their clients. This can be a good form of arrangement, but it depends on having good baseline measurements against which to compare future performance.

Details to include in an outsourcing contract

Among the details that should be included in any outsourcing contract are:

- service levels
- data protection and ownership
- change control mechanisms
- dispute resolution
- termination
- transition, including data migration, changing software licenses, testing, training, and providing specifications

Clear statements about service levels make it apparent what exactly is being promised and paid for. Rules about data protection and ownership are essential to minimize the vulnerability associated with providing a third party with direct access to valuable corporate information. Change control and dispute resolution mechanisms are important to specify in advance, in recognition of the fact that over the course of a multi-year contract, things are going to change for both parties. Knowing in advance what things will cause the contract to be renegotiated and what procedures are in place to protect both parties can prevent a lot of problems later.

Finally, it is critical to specify in advance the processes by which the contract can be terminated and the arrangements that are in place to ensure continuity of service during any transition to a new provider. If you make an outsourcing deal without such provisions and later decide not to renew the contract with a vendor, you want to know that you have already worked through how your systems will be operated during that changeover period. Expecting a partner you have just terminated to be responsive to a request for additional services beyond what was planned for is unrealistic.

Example 9.1-1: The ASP model in a company

An example of a large software company attempting to align some of its software offerings to an ASP model is Oracle. The company is perhaps best known for its enterprise-class database management systems (DBMS). Implementing an Oracle DBMS is normally associated with large organizations and relatively large IS budgets. Later, the company became involved with a venture called Oracle Small Business Suite, which is directed to growing and medium-sized businesses. The target market is those companies who are interested in Oracle software to help manage their businesses but cannot afford or don't need a large-scale, in-house implementation. Note that Oracle only licenses its name as part of the venture, and the actual service provider is NetLedger, Inc. For more details, go to the Oracle website. The extent to which services such as these will be accepted is, as yet, uncertain.

[1] Kenneth C. Laudon, Jane P. Laudon, and Mary Elizabeth Brabston, Management Information Systems: Managing the Digital Firm, Second Canadian Edition, 2002, page ...

[2] Roehrig, P., Ferrusi Ross, C., and Thresher, A. (2007). Outsourcing Clients Can Expect 12% To 17% Savings, 30. Forrester Research Report, August.

9.2 IS security: Threats and vulnerability

Learning objective

Assess the different threats to information systems security, including physical and electronic threats and intentional and unintentional threats. (Level 1)

Required reading

Chapter 8, Sections 8.1, "System Vulnerability and Abuse," and 8.2, "Business Value of Security and Control"

LEVEL 1

Your textbook provides a brief overview of the vulnerabilities of firms to security failures and the sources of those problems. Exhibit 9.2-1 describes and categorizes the various risks to computer systems.

Exhibit 9.2-1: Threats to security from deliberate and inadvertent actions (matrix with physical versus electronic threats in the columns and intentional versus unintentional threats in the rows)

The columns separate physical from electronic threats. Not all security failings involve accessing files electronically. Breaking in to computing facilities to steal equipment or destroy sensitive information is as much a threat as is hacking into the data centre. A security plan must consider both kinds of risks. The rows in the matrix reflect the fact that risks to the security of information systems can be both intentional and unintentional. It is tempting to equate IT security with computer crime, but in reality, it involves all threats, including those that result from accidents.

IS security is defined in the IBM Dictionary of Computing¹ (McDaniel, 1994) as "Concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use." This is very close to the definition in the text, except that it explicitly recognizes the risk from both deliberate and inadvertent actions.

In Exhibit 9.2-1, you can see that human error plays a big role in threats to security. The biggest single security vulnerability in most firms is, in fact, the users. Even beyond the explicit categories labeled human error, user mistakes account for many other security vulnerabilities. System errors caused by bugs are ultimately a form of human error on the part of the programmer.

Social engineering is also a threat to IS security. This would include situations where a computer criminal tries to convince a system user to provide him or her with access to either facilities or systems. For example, if you wanted to gain access to sensitive systems in an organization, you might call employees and tell them you work for their IS department, are doing some routine maintenance, and require their password to check the status of their account. Or you might phone the help desk and impersonate the employee, asking for help with a password that cannot be remembered. In either case, if sensitive information is revealed, there is error on the part of the employee. Passwords should not be divulged to anyone for any reason. A critical element of any organizational security plan must be employee education (see Topic 9.3).

Computer crime

Computer crime is the most sensational aspect, though not necessarily the biggest risk, of computer security. Stories of denial of service (DoS) attacks and viruses are regular fodder for news outlets.
Less common are reports of fraud perpetrated on companies through their information systems, though these themes are common in Hollywood movies (for example, "Firewall," "Entrapment," and "Minority Report"). The statistics on computer crime give some clue as to the magnitude of the problem and the challenges in understanding it.

Example 9.2-1: Computer crime and security survey

Read about the latest CSI computer crime and security survey at the Computer Security Institute. Review the types and costs of security threats, and the methods used to combat them.

The lack of reporting of computer crime makes it more difficult to deal with the problem, but it is understandable. After all, if you just found out that your corporate systems were vulnerable to attack (because you had been attacked), would you want to announce this fact to the world and potentially expose the organization to further attacks? What would happen to consumer confidence? Investor confidence? It is easy to see why many attacks go unreported.

Manager's role in IS security

As a manager, you must recognize the wide variety of threats to information systems security. It is easy to overlook things like human error in designing a security policy, even though human errors are by far the most common threat to security. It is also easy to think of security as dealing with "high tech" electronic threats and overlook vulnerabilities in physical facilities. Security measures should be determined by business need and should be designed to protect key business processes. As a manager, you must realize that your data is at risk. You should be involved in ensuring that it is protected from the various risks that have been identified. A well-designed security policy will address all of these risks.

¹ George McDaniel, IBM Dictionary of Computing, ISBN , The McGraw-Hill Companies Inc., copyright

9.3 Dealing with security threats

Learning objectives

Assess an organization's IS risks using the risk assessment framework. (Level 1)
Formulate the critical elements of an organization's security plan. (Level 1)
Explain the purpose and scope of a disaster recovery plan. (Level 1)

Required reading

Chapter 8, Sections 8.3, "Establishing a Framework for Security and Control," and 8.4, "Technologies and Tools for Security"

LEVEL 1

Dealing with security threats requires establishing detailed plans and procedures to both minimize the risks and deal with problems when they occur. Security policies have technological and human aspects. Training and education about the role of security and the ways of protecting vital resources are necessary because even the most secure systems can be defeated by users who do not adhere to the policies designed to protect them. Plans must also be updated constantly to deal with changing threats and emerging technologies, and rehearsed in order to identify weaknesses and prepare people for crisis situations.

As more organizations conduct business over telecommunications networks and the Internet, their vulnerability to both intentional and accidental security breaches increases. The consequences of a possible attack also increase because the company is increasingly dependent on IS for carrying out business procedures. (If you have doubts, try going to a bank or grocery store when their computer systems are down!) What can you do about it? Abandoning computer-based information systems or refusing to allow access to the Internet are extreme solutions and probably not workable for most companies. What is needed is a sensible approach to IS security.

Exhibit 9.3-1: "8 Keys to a Sane Security Strategy"

Steve Andriole (2001) developed the following 8 Keys to a Sane Security Strategy:

1. Linking the [security] strategy to the organization's business strategy
2. Creating a clear written policy that covers access to data, applications and networks, software, privacy, recovery, and systems development
3. Establishing procedures for user authentication, such as password schemes
4. Establishing clear user authorizations to define which users can access which resources
5. Monitoring usage (errors, violations, activity reporting) on an ongoing basis to enforce the security policies
6. Maintaining a disaster recovery plan and running simulations to test it out on a regular basis
7. Ensuring that security personnel have broad and deep skills, outsourcing where necessary to provide those skills
8. Monitoring developments in security technology, such as firewalls, anti-virus, certificate authority, biometrics, encryption, and privacy

Andriole's approach shows a nice balance of technological and human elements, which is important because technology cannot solve all of the security challenges. It is also clearly tied to the business importance of security, which ensures that security decisions are made based on organizational realities. One area where it is lacking is in the process of setting security policy. It offers little guidance on who should be involved, what policies and procedures could be implemented, and how they should be determined.

Do you agree with Andriole's eight elements of a successful security strategy? The following sections deal with each element in Andriole's approach in more detail, complementing the material in the text.

Linking to the organization's business strategy

As with all IS decisions, the determination of an appropriate security strategy demands consideration of business strategy and business issues. Faced with the security risks and consequences described above, it is tempting for managers to want to apply lots of security (the highest level available) to organizational processes, but this can be unnecessarily costly and can get in the way of doing work. Each security measure you put in place requires system users to add a step in their daily work. Each step may be small, but when you put them all together, security can seem like so much "red tape." It also encourages users to circumvent security policies, thus defeating their purpose. Security policies should be matched to the critical nature of the business processes being supported. Is it worth it to spend thousands of dollars on biometric identification for a small professional services firm? Not likely. But it probably is worthwhile in a high security weapons facility.

Risk assessment

The text describes risk assessment as a critical part of determining the costs and benefits of IT security. Risk assessment involves identifying possible threats, then evaluating both the probability of each occurring and its consequence or impact should it occur. Exhibit 9.3-2 shows a simplified version of how this might work.

Exhibit 9.3-2: Simplified risk assessment (probability of each threat set against its impact)

In practice, you may want to evaluate risks more finely (low, medium, and high, or on a scale of 1 to 5). It is also valuable to assess your certainty about your judgments. If you think something is unlikely to happen (low probability) but have little to base that on, you may want to adjust your scoring.
Common ways of obtaining guidance about relevant risks and their probabilities include referencing technical publications and government statistics, reviewing historical information from your own organization and industry, and consulting security specialists.
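A worked version of the risk assessment just described, added here as an illustration; it is not drawn from the course materials or the textbook. It assumes that low, medium and high map onto 1, 3 and 5 (one way of using the 1-to-5 scale mentioned above), uses a constructed threat register, and applies the suggestion that a weakly founded "low" probability be scored more cautiously.

```python
"""Risk assessment worked example: probability x impact, with a confidence adjustment.

Added illustration; the threats, the 1/3/5 scale and the adjustment rule are assumptions.
"""
from dataclasses import dataclass

# Assumption: low/medium/high mapped onto the 1-to-5 scale mentioned in the text.
LEVELS = {"low": 1, "medium": 3, "high": 5}
ORDER = ["low", "medium", "high"]


@dataclass
class Threat:
    name: str
    probability: str  # "low", "medium" or "high"
    impact: str       # "low", "medium" or "high"
    confidence: str   # how well founded the probability judgement is


def risk_score(probability: str, impact: str) -> int:
    """Raw risk = probability x impact, from 1 (low/low) to 25 (high/high)."""
    return LEVELS[probability] * LEVELS[impact]


def adjusted_probability(threat: Threat) -> str:
    """Move a weakly founded 'low' or 'medium' probability one step up.

    This is the text's 'adjust your scoring' advice applied mechanically:
    a low-confidence judgement that something is unlikely is not taken at face value.
    """
    if threat.confidence == "low" and threat.probability != "high":
        return ORDER[ORDER.index(threat.probability) + 1]
    return threat.probability


def adjusted_score(threat: Threat) -> int:
    """Risk score after the confidence adjustment has been applied."""
    return risk_score(adjusted_probability(threat), threat.impact)


def prioritize(threats):
    """Return (name, adjusted score) pairs, highest risk first, ties broken by name."""
    scored = [(t.name, adjusted_score(t)) for t in threats]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample register for a small firm (illustrative values only).
SAMPLE_REGISTER = [
    Threat("Data entry error on an order", "high", "low", "high"),
    Threat("Fire in the server room", "low", "high", "low"),  # weakly founded -> treated as medium
    Threat("Laptop with client data stolen", "medium", "medium", "high"),
    Threat("Denial of service against the website", "medium", "high", "medium"),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_REGISTER):
        print(f"{score:>3}  {name}")
```

The ordering is the point: the server-room fire, which the register rates as unlikely, ends up level with the denial of service attack once the weak basis for that "unlikely" is taken into account, which is exactly the sort of item that otherwise gets left off the plan.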

Clear written policy

Thinking in general terms about security as you make decisions is good, but it is not a substitute for having a clear written policy. The policy should cover each of the areas from this topic, as well as rules about software (controls), privacy (covered in Module 10), and systems development. The text describes software controls (Section 8.4) and the link between systems development practices and security (Section 8.3). You should review these sections to understand their role in ensuring the security of organizational information systems.

A written policy forces you to think through the issues fully and makes it more difficult to gloss over important factors. It forces you to assign responsibilities for various factors to people or roles so that it will be clear to all how security is being maintained. Finally, it gives a greater weight to the decisions that have been made. People respond more seriously to a written document than to a lot of talk because the documentation demonstrates the value management places on the topic.

Given the range of security threats discussed in Topic 9.2, it is important to remember that the written policy needs to cover not just high technology controls, but also controls on paper-based materials (what types of documents can go in a recycling bin and what types need to be shredded) and other low technology controls (security guards, training, and so on). In larger organizations, the written security policies are likely to be contained in a separate, specific document, whereas smaller organizations may incorporate security components within their standard policies and procedures manuals. Whatever the form, security policies are meant to be taken seriously and should be presented as such.

Procedures for user authentication

Procedures for user authentication are one of the most important aspects of security.
When someone tries to log on to a network, it is important to be able to determine

- if the person is allowed to log on (authorization through a recognized username)
- if they are who they purport to be (authentication by providing the password associated with the given username; the username is a form of identification)

Bruce Schneier (Secrets & Lies: Digital Security in a Networked World, 2000, page 136) states: "Authentication is determined through a challenge to one, or a combination, of three factors, something you know (for example, a password or passphrase), something you have (for example, an access card or key), or something you are (for example, a physical characteristic)."

Something you know

Passwords

Passwords are the most common security mechanism for user authentication. You probably know the basic rules of secure passwords:

- They should include both upper and lower case letters, numbers, and symbols in seemingly random patterns. Longer passwords are also more secure.
- They should be changed frequently (every 30 days or so), and repetition of recently used passwords should not be allowed.
- They should not be words found in the dictionary because one password cracking technique is simply to try every word in the dictionary.
- They should not be names or other things that are easily guessed (important dates, phone numbers, and so on).

Of course, all of these rules amount to passwords that are difficult for users to remember. Many people write down their passwords so that they're accessible, which defeats the purpose of passwords. There is a trade-off between the theoretical level of security enforced on passwords and their usability and security in practice.
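The password rules above, turned into a checking routine. This is an added example, not code from the course or from any vendor; the 12-character minimum, the five-password history and the small word list are assumptions, since the text itself gives only the 30-day change interval.

```python
"""Password policy checker for the rules listed above (added example).

Thresholds other than the 30-day interval, and the word list, are assumptions.
"""
import re
import string
from datetime import date

MIN_LENGTH = 12        # assumption: the text says only that longer is better
MAX_AGE_DAYS = 30      # "changed frequently (every 30 days or so)"
HISTORY_DEPTH = 5      # assumption: how many recent passwords may not be reused

# Constructed stand-in for a real dictionary / common-password list.
DICTIONARY = {"password", "welcome", "letmein", "summer", "dragon", "monkey", "qwerty"}


def password_violations(candidate: str, recent=(), min_length: int = MIN_LENGTH):
    """Return the list of rules the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbol")
    # Strip digits and symbols so that "Welcome2024!" is still caught as the word "welcome".
    letters_only = re.sub(r"[^a-z]", "", candidate.lower())
    if letters_only in DICTIONARY:
        problems.append("dictionary word")
    # Digits separated only by date/phone punctuation look like a date or phone number.
    if re.fullmatch(r"[\d\-/.() ]+", candidate):
        problems.append("looks like a date or phone number")
    if candidate in list(recent)[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


def password_is_expired(set_on: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password has been in use for max_age_days or longer."""
    return (today - set_on).days >= max_age_days


if __name__ == "__main__":
    for pw in ["password", "Welcome2024!", "Climb5.10safe!"]:
        print(pw, "->", password_violations(pw, recent=["Welcome2024!"]) or "ok")
```

Note that the checker reports every rule broken rather than stopping at the first, which is what a user needs in order to fix a rejected password in one attempt; the dictionary check deliberately ignores the digits and symbols a user has bolted onto a common word.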

Passphrases

Another alternative is the use of passphrases. These are short phrases of normal words that are assembled in a seemingly nonsensical way, such as "sheclimbed5.ten." The advantage of these passphrases is that they can be easier to remember than a completely random string of characters and symbols, but they are still difficult to crack (the example passphrase would be meaningful to rock climbers: 5.10 is a difficulty rating, and the capitalized letters spell HELMET). Notice that the passphrase example here still complies with the basic rules.

Single sign-on

A goal in many organizations, and a worthwhile one, is single sign-on. When an organization has several different systems, each with its own security, users may be required to sign on to each system as they enter it. This, however, creates red tape for the user and frustrates them with the security requirements of the organization. Single sign-on involves creating programs that can pass sign-on information from one system to the next so that once a user is authenticated on the network, their access privileges and password information can be automatically given to the other systems they access. There are a number of challenges with this type of approach. First, a single point of attack may give an outsider access to multiple systems. Second, building single sign-on capability into unintegrated legacy systems can be an enormous programming challenge. Finally, implementing single sign-on often requires authorization information to be stored on the client PC, which is a security risk itself.

Something you have

Access cards can also be an important tool for security. Access cards can be required to access places, providing for physical security, but they can also be used with systems. Users have to insert a card into a reader and then give a password to access the system.
This means that even if a password is guessed, it is unusable without the access card, or if an access card is lost, it is unusable without the password. Such overlapping schemes enhance the security of authentication tools.

Something you are

While authentication establishes "you are who you say you are," most security measures focus on "something you know and something you have." These are really indirect measures of who you are and can be circumvented. Biometric identification techniques are becoming more popular and less expensive, focusing more directly on authentication based on something you are. Because they measure physical characteristics (for example, fingerprints, hand scans, retinal scans, and handwriting), biometric identification techniques tend to be more secure. The disadvantages of biometrics include

- sometimes using intrusive measurement techniques (for example, retinal scans)
- concerns about data privacy (for example, storage of highly personal user data that is itself subject to access)
- the relative permanence of biometric data (for example, you only have two retinas; if their characteristics are digitally copied, they can no longer reliably be used for authentication)

Biometric measures are still more costly than other authentication techniques, such as password schemes, and must be more closely evaluated from a risk management perspective. A useful website to learn more about biometrics is the United States government's Biometric Consortium.

User authorizations

Authentication procedures are used to allow access to resources (such as data, applications, and networks) that users need to perform their jobs, even though not all users need the same level of access. The concept of having different levels of access to resources depending on user requirements is called authorization.
For example, although most users should probably have access to the office telephone numbers of their colleagues, they should not have access to their home telephone numbers or their salaries. Thus, different users require different levels of data access. Similarly, not all users would need access to an order entry system because not all users would be expected to process customer orders. They require different levels of application access. Finally, on a LAN, users should have access to

their own files, but not to those of other users unless the files are intended to be shared. This requires different network access. All these levels of access must be formally defined by the organization.

Designing access rules is part of the systems development process (systems design). You should start by considering organizational roles and the functionality needs driven by those roles. There are two basic ways to approach this sort of access identification: inclusion and exclusion. Inclusion is the more secure approach. You begin with zero access for every user and then add access as needed to specific data, applications, or networks. The danger with this approach is that if it is not done well, users will be frustrated in their attempts to work on systems to which they have not been granted required access, and calls to the IS group to change access rules will increase. Exclusion involves starting with access to everything and then excluding things that are not needed. It is easier to implement (less danger of forgetting to give users access to something they need) but far less secure. It is too easy to forget something that the user has no need for but that compromises security. As a result, security specialists recommend the inclusion approach, even though it may take more adjusting to ensure it is complete.

Monitoring usage

Having a security plan is not sufficient. Knowing that certain users are only allowed to access certain functions and that the system has been designed to accomplish this is great, but monitoring the network to ensure that it is working as intended is essential. The text describes intrusion detection systems that can be used to monitor unexpected network traffic. Network logging software can also be used to monitor who is logged on at any given time, what processes (applications) they are using, and what changes they are making.
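An added example, not part of the course materials, that puts the inclusion approach to authorization beside the exclusion approach the text warns against, with every decision written to an audit log that a simple monitor then checks for repeated violations. The roles, users, resources and the log line format are constructed for the illustration.

```python
"""Inclusion (default-deny) authorization, an audit log, and a violation monitor.

Added example; the roles, users, resources and log format are constructed.
"""
import re
from collections import Counter

# Inclusion approach: every user starts with nothing; access is listed explicitly per role.
ROLE_PERMISSIONS = {
    "clerk":   {("orders", "read"), ("orders", "write"), ("phone_directory", "read")},
    "manager": {("orders", "read"), ("phone_directory", "read"), ("salaries", "read")},
    "hr":      {("phone_directory", "read"), ("home_phones", "read"),
                ("salaries", "read"), ("salaries", "write")},
}

# Exclusion approach, for contrast: a role may do everything except what is listed here.
ROLE_EXCLUSIONS = {
    "clerk":   {("salaries", "read"), ("salaries", "write"), ("home_phones", "read")},
    "manager": {("salaries", "write"), ("home_phones", "read")},
    "hr":      set(),
}

USER_ROLES = {"alice": "clerk", "bob": "manager", "carol": "hr"}

AUDIT_LOG = []  # one line per access decision, in the format the monitor below parses


def is_authorized(user, resource, action):
    """Inclusion: allow only if (resource, action) is granted to the user's role; log every decision."""
    role = USER_ROLES.get(user)
    allowed = (resource, action) in ROLE_PERMISSIONS.get(role, set())  # unknown role -> nothing
    AUDIT_LOG.append(f"AUDIT user={user} role={role} resource={resource} "
                     f"action={action} result={'ALLOW' if allowed else 'DENY'}")
    return allowed


def is_authorized_exclusion(user, resource, action):
    """Exclusion: allow unless explicitly excluded. A resource nobody remembered to exclude is open."""
    role = USER_ROLES.get(user)
    if role is None:
        return False
    return (resource, action) not in ROLE_EXCLUSIONS[role]


LINE = re.compile(r"AUDIT user=(\S+) role=(\S+) resource=(\S+) action=(\S+) result=(ALLOW|DENY)")


def deny_counts(log_lines):
    """Count DENY decisions per user from audit log lines."""
    counts = Counter()
    for line in log_lines:
        m = LINE.match(line)
        if m and m.group(5) == "DENY":
            counts[m.group(1)] += 1
    return dict(counts)


def users_to_follow_up(log_lines, threshold=3):
    """Users with at least `threshold` denials: they either need access added or are probing."""
    return sorted(u for u, n in deny_counts(log_lines).items() if n >= threshold)


def run_sample_day():
    """Replay a constructed set of access attempts and return the resulting audit log."""
    AUDIT_LOG.clear()
    attempts = [
        ("alice", "orders", "read"), ("alice", "salaries", "read"),
        ("alice", "home_phones", "read"), ("alice", "salaries", "write"),
        ("bob", "salaries", "read"), ("bob", "salaries", "write"),
        ("carol", "home_phones", "read"), ("dave", "orders", "read"),  # dave has no role
    ]
    for user, resource, action in attempts:
        is_authorized(user, resource, action)
    return list(AUDIT_LOG)


if __name__ == "__main__":
    log = run_sample_day()
    print("\n".join(log))
    print("follow up:", users_to_follow_up(log))
```

Two things are worth noticing when running it. Under exclusion, a newly added resource such as a payroll export that nobody thought to exclude is readable by a clerk, while under inclusion it is denied until someone grants it; and the monitor cannot tell a user who simply lacks an entitlement from one who is probing, which is why the text says violations must be followed up rather than merely counted.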
This log should be monitored to ensure security policies are being followed and violations are followed up.

One technique for monitoring hackers is the creation of a honey pot. A honey pot is a dummy network set up to attract and monitor hackers. To improve defences on their production systems, organizations implement, maintain, and monitor these systems to track common intrusion techniques, popular service and port targets, trojans delivered, intruder source IP addresses, and so on. Honey pots are subjected to somewhat less security than production networks, but enough to make them credible to would-be intruders. However, their monitoring facilities are very sophisticated in order to track intrusions as they occur. Because monitoring takes system resources, it might not be practical to implement the same degree of monitoring on a production system as it might compromise overall performance. But on the honey pot, there is not the same volume of transaction processing, so the high level of monitoring is feasible. Of course, if implemented poorly, a honey pot could actually compromise security by providing an easy target and point of entry into corporate systems. In addition, the cost of creating and maintaining such a system makes it an impractical approach for small businesses.

Business continuity planning

Planning to minimize the likelihood of security failures is essential. Authentication and authorization procedures, as well as the controls described in the text, are all designed to minimize the probability that something will go wrong. But probability is only one aspect of risk; impact is the other crucial factor. Business continuity planning (or disaster recovery planning) deals with what happens when things do go wrong. Even a low probability event can sometimes occur. So what do you do when it does happen? For example, what do you do if your website is subject to a denial of service attack? Who is notified of the problem?
What steps do they take, in what order, to end the attack, resume services when it is ended, and identify the source of the attack to undertake legal action? As another example, what do you do when a tornado or earthquake takes out your data centre? Your response may be that an organization should not put its data centre in a high tornado or earthquake activity location, but these things don't just happen where they are likely. Once it has happened, what are your policies for getting things back up and running?

Backup data centres

Most companies that rely heavily on information systems for business operations maintain backup data centres. This may be done internally within the firm in situations where processing is regionally separated. In such a case, the Manitoba data centre, for example, may be able to take on processing for the Nova Scotia data centre in the event of a catastrophic loss. Alternatively, firms may contract with outside providers for access to either a hot site (a site with office equipment and

hardware already installed, set up and running a recent backup of applications that can be ready in a matter of hours) or a cold site (a facility that is available but will require more setup, likely days). The choice of a hot or cold site depends on the degree to which immediate recovery is necessary. Hot sites are significantly more expensive to maintain and should only be considered in cases where the business losses associated with an outage would be very high.

Regular data backups

Data backup and recovery procedures are also an important element of a disaster recovery plan. Regular backups are necessary, daily for user files and in real-time for transaction data. Backups should be periodically tested to ensure that they are correct. More than one organization has found out only after a data loss that their backup processes did not work correctly.

Test the plan

Testing business continuity plans through simulations is also essential. Having the plan written down is only half the battle. Acting it out periodically ensures that people understand their responsibilities and can react effectively in times of crisis.

Security personnel

Security is a complex, highly specialized area of IS. It requires an in-depth understanding of hardware, software, and networks, and a strong analytical ability. Not all IS personnel are suited to working in this area. An organization should ensure that it has access to the right kind of person. This is harder for small organizations that require people to fulfill multiple roles. Outsourcing some parts of security planning and management is a realistic option if the right capabilities are not present in the organization or the cost of employing someone full-time is not justified based on the security risks. For smaller organizations, outsourcing of security planning and management is likely to be the preferred option.
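An added example, not from the course materials, of the backup test recommended under "Regular data backups" above: a file-copy backup that records a SHA-256 manifest, and a verification pass that re-hashes the copies so that a damaged or incomplete backup is discovered before it is needed. The sample files are constructed; a real scheme would add encryption and off-site copies, which this example does not attempt.

```python
"""Backup with a SHA-256 manifest, plus the verification the text says is so often skipped.

Added example with constructed sample files.
"""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"


def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, backup_dir):
    """Copy every file under source_dir and record the hash of the ORIGINAL in a manifest."""
    manifest = {}
    os.makedirs(backup_dir, exist_ok=True)
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source_dir).replace(os.sep, "/")
            dst = os.path.join(backup_dir, *rel.split("/"))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = sha256_of(src)  # hashing the source means the copy is checked against it
    with open(os.path.join(backup_dir, MANIFEST), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_backup(backup_dir):
    """Re-hash every file named in the manifest. Returns (ok, list of problems)."""
    with open(os.path.join(backup_dir, MANIFEST)) as fh:
        manifest = json.load(fh)
    problems = []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(backup_dir, *rel.split("/"))
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_of(path) != expected:
            problems.append(f"corrupt: {rel}")
    return (not problems, problems)


def demo():
    """Back up two constructed files, verify, damage the copies, verify again."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "source")
        backup = os.path.join(work, "backup")
        os.makedirs(os.path.join(source, "reports"))
        with open(os.path.join(source, "reports", "q1.txt"), "w") as fh:
            fh.write("constructed sample: Q1 sales figures\n")
        with open(os.path.join(source, "customers.csv"), "w") as fh:
            fh.write("id,name\n1,Example Co\n")
        make_backup(source, backup)
        before = verify_backup(backup)
        # Simulate a failing backup medium: one copy truncated, one lost entirely.
        with open(os.path.join(backup, "reports", "q1.txt"), "w") as fh:
            fh.write("")
        os.remove(os.path.join(backup, "customers.csv"))
        after = verify_backup(backup)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest is written from the source files rather than the copies, so a copy that was silently truncated at backup time fails verification immediately instead of being discovered, as the text puts it, only after a data loss.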
Monitoring developments in security technology

Security technology and security risks change relatively quickly. Computer criminals seem to have an insatiable need to find new ways to circumvent systems, and keeping up with their attacks requires changes in the means of protecting resources. Once established, security procedures need to be regularly revisited to account for new developments. This is part of the responsibility of security personnel, either internal or external.

9.4 Role of auditing in IS security

Learning objective

Evaluate the role of auditing in a security plan. (Level 2)

Required reading

Review Chapter 8, Section 8.3 (subsection on "The Role of Auditing")

LEVEL 2

The techniques for dealing with security threats all require an understanding of the current levels of security risk in organizational systems and ongoing monitoring of those risks against the security plan. IT changes too quickly to expect risks and plans to be stable. Monitoring organizational risk levels is the role of the IT/IS audit function. IS audit is a highly specialized function, often provided by public accounting firms and specialty consulting firms, but it is also not uncommon for internal audit departments to perform this function. As in all audits, it is important that the auditor be independent of the systems being audited.

Security audits

Security audits involve identifying every organizational process and the systems that support them, then tracking the security of those systems. Not all processes can be audited every year, so schedules based on criticality of processes are made to ensure a reasonable timeframe for dealing with all of an organization's processes. Regular audits of security processes are essential to ensure the correct procedures exist and that they are being implemented as intended. Auditing looks at computer facilities, such as data centres, and applications. It assesses employee understanding of security, as well as the technology in place. It involves using computer-based tools to test for security weaknesses (for example, ethical hacking or penetration testing), as well as simple non-technological tests (such as social engineering). For example, an external auditor may test for physical security procedures by trying to walk into a secure area and sitting down to use a computer without authorization.
In a hospital years ago, the auditor was able to access the system without anyone in the facility recognizing her as an "intruder." She looked official, carrying a clipboard and acting as if she belonged, and no one wanted to challenge her.

Once problems are identified, and they likely will be, a plan for addressing them needs to be constructed. The auditor makes recommendations about what is to be done and the urgency with which the problems need to be addressed, and sets some kind of process to ensure that it is undertaken; perhaps certain functions will be added back into next year's audit to ensure that they are addressed. There is no sense in using resources to identify vulnerabilities if a plan and subsequent action is not undertaken to address deficiencies.

9.5 Ethical issues

Learning objectives

Describe the five key ethical challenges related to information technology and interpret different ethical principles, including the CGA-Canada Code of Ethical Principles and Rules of Conduct, in guiding decision making about these challenges. (Level 1)
Assess the importance of stakeholder analysis and involvement in ethical decision making. (Level 1)

Required reading

Chapter 4, Social, Legal and Ethical Issues in the Digital Firm
Review Ethics Readings Handbook, Section A and Units C1, C2, C3, and C11
(For all ethics-related readings in this course, it is assumed that you are already familiar with Section A and Units C1, C2, C3, C4, and C6 of Section C of the Ethics Readings Handbook. ERH readings are provided electronically.)

Notes on the textbook: Chapter 4, page 116

The last paragraph on page 116 of the textbook states: "The only province with a privacy law governing the private sector is Quebec. It is also the only province that meets European Union private-sector privacy law standards." Both of these statements are out of date. BC, Alberta, and Quebec all have private sector legislation and all of Canada meets the European Union privacy law standards. For more current information, see the following websites:

- Office of the Privacy Commissioner of Canada
- European Commission

LEVEL 1

Information technology, through its unique characteristics and applications, has demonstrated the power to radically reshape the social world. Coupled with other forces, IT has resulted in significant changes in the structuring of organizations, the patterns of employment throughout society, and the commercial and social relationships of millions of people. No change of this size can occur without creating difficult ethical or moral issues. The text provides an excellent overview of the challenges in IS ethics. This topic highlights and extends the text coverage.
Ethics in context

Ethical and moral choices are always defined within the context of a political and social environment. For example, in Victorian England, it was considered appropriate to lock up the mentally ill in asylums where they were treated like animals. In early Mayan civilizations, human sacrifice was considered not only moral, but a religious duty. From a contemporary perspective, both of these look like terribly one-sided codes of ethics that ignored the perspectives of those confined to asylums or offered as human sacrifices. As we look back on these historical periods, we cannot help but apply the frameworks of our own social and political environments to these situations and question the correctness of those choices. It is much harder, however, to look beyond our current environment. When large-scale change occurs, our social and political imperatives do not provide sufficient guidance on how to behave. For example, in the past, organizations did not have the capability to profile customers to determine shopping and product preferences. The technology simply did not exist to create the kinds of large databases that are becoming increasingly common.

More information

CYBERSECURITY POLICY

CYBERSECURITY POLICY * CYBERSECURITY POLICY THE CYBERSECURITY POLICY DEFINES THE DUTIES EMPLOYEES AND CONTRACTORS OF CU*ANSWERS MUST FULFILL IN SECURING SENSITIVE INFORMATION. THE CYBERSECURITY POLICY IS PART OF AND INCORPORATED

More information

STRONGER ONLINE SECURITY

STRONGER ONLINE SECURITY STRONGER ONLINE SECURITY Enhanced online banking without compromise Manage your business banking efficiently and securely Internet banking has given business leaders and treasurers greater control of financial

More information