Implementing an Enterprise-Wide Security Program
- Published on November 15, 2007
The focus of this article is to cause you to think the unthinkable about your enterprise and its computing environment, and to prompt consideration and decision-making that will lead to a reduction of risks. Doing so may mean suspending disbelief that your organization has adequately planned for the unknown and that all is therefore very well where you live at work. You will then be more attune to considering the unthinkable so you are more prepared should it occur. The adage from Louis Pasteur says it most appropriately — Chance favors only the prepared mind.
What follows will be a small sample of actual or coming events where pre-planning will make a difference, and some suggestions to hopefully help secure the way your business operates and how information is produced, processed and maintained. Let’s first consider potential threats.
Threats come in all sizes, shape, duration, and forewarning. They can be categorized within three categories and three levels. International, national, and regional threats that are either natural or those that are intentionally or unintentionally caused. Everyone can think of a myriad of threats they feel most probable due to their proximity and unique business environment, and agree that they have heard of threats where they learned about business risks they had not considered before. An example of this might be the impact of businesses located in the evidence zone around the J.P. Murrah building in Oklahoma that sustained devastating damage.
While most businesses in this four-block radius were not damaged, no one was permitted to return to their building to conduct business or even pick up the materials they needed to conduct business elsewhere. The tragedy of the horrible explosion was multiplied as many organizations went out of business as they were unable to resume business. Many were prompted as a result of this event to begin to consider business implications if something happened to someone down the street or to a sole sourced supplier.
Regrettably, daily news stories describing an incident that will have a direct or indirect effect on others appear to be increasing. Those of us who are in the Business Continuity Planning business are powerless to not also consider, when reading or listening to the news, the unspoken implications of natural catastrophes and other misfortunes that touch lives and disrupt normal business. The question is silently asked whether a succession plan had been developed and how much it would help those dealing with the business implications of the tragic shooting of Versace. Such a fate also befell organizations who lost one or more of their senior executives in the fateful airplane crash that took the life of the Secretary of Commerce, Ron Brown. This and reported events such as the recent UPS contract talks and concerns about how El Ni�o will affect weather around the world are examples of threats that have an effect on business.
Businesses will be far ahead of most, if not all of their competition, if they implement a project to assess and plan for potential risks to their organization. This is a good time to think the unthinkable so many of the non-traditional types of threats are also considered. Implementing safeguards to reduce the likelihood or frequency of a risk and reduce the level of damage that could be sustained is prudent. Not doing so is foolhardy! Reviewing security relative to an organization’s geographic location and proximity to other sensitive businesses or locations will help identify potential threats not previously considered. Including an assessment of physical and logical security that also addresses safety and other relevant areas within your specialized environment will highlight where existing controls and procedures may not be followed or areas where controls are needed.
An assessment of risks and potential vulnerabilities for your organization will be more cost-effective than correcting damage. It is a tragic truth that even simple and inexpensive fixes are often overlooked or considered unimportant, such as a proactive annual review of basement sump pumps. The recent flooding in the US resulted in needless damage of equipment and materials because installed basement sump pumps were not in working order. One company experienced disruption to their customer call center by water damage to computer equipment stored on the first floor of the building when their sump pumps failed to respond. While this event is a regional example since many businesses do not have basements, it illustrates how a small and inexpensive fix can pay huge dividends. Organizations are advised to perform regular and periodic risk reviews to ensure established controls are operational and to address new threats that may be introduced with anticipated changes in business and technology.
Data Centers, long considered the bastion for automated processing, are typically also the most secured of computing environments. This is particularly the case when we compare the inherent safeguards applied for most Data Centers with what generally exists within departmental LAN environments. The Data Center stronghold that may contain big iron mainframes with built-in controls or servers and workstations is often also buttressed by software, monitoring and procedural safeguards applied and managed by well-trained and skilled personnel.
What could go wrong in this locked and secured room regardless of the platforms they store? The answer is, Plenty! Without careful planning, even the most secured Data Center operated by the most competent staff will be at risk. If this is so with the mighty Data Center, how much greater is the risk to ancillary and core processing environments that exist in other unprotected areas within the organization?
A risk review conducted by an organization should always focus on inherent risks to equipment and data. Things to consider include the physical and logical controls supporting the computing area. How vulnerable is the equipment, communication and data? Is the computer equipment vulnerable to fire or water damage? What is the potential for intentional and unintentional damage? Are people without a need to be in the area able to easily walk in and out of the computing environment? What paper documentation and vital records should be stored offsite? Is critical data backed up and stored offsite? What would happen if you were unable to return to the building? Has a Business Continuity Plan been developed that identifies key roles, responsibilities, vendors, important contact information, and procedures to follow in the event of a significant disruption? In short, could you resume essential applications and services at another location?
Kudos if you have already considered and planned for these potential issues for the Data Center and double-kudos if this type of critical risk analysis is extended across the enterprise. The question that naturally follows, however, is when is the last time these plans and strategies were reviewed, tested or exercised? It is important to regularly validate procedures, plans and assumptions related to recoverability. Particularly with the influx of technological and business changes that occur in most organizations today. An organization that conducts regular and periodic risk analyses will experience greater assurance about its ability to mitigate security and contingency risks. Identifying vulnerabilities will afford an opportunity to plan and implement appropriate procedures and controls so that risks and the effects of risk are minimized.
Everyone is talking about the Year 2000 but what about the Year 1999? Do you know if the advent of January 1, 1999 could affect the way your business processes financial information? The start of 1999 marks the beginning of the scheduled third stage of the Maastricht Treaty, signed in 1991 at a meeting of European Union countries in Maastricht, Netherlands. The treaty, an outcome of agreements formed earlier at an inter-government conference in Bretton Woods, New Hampshire on July 1, 1944, was developed to foster greater European economic and monetary cooperation that includes the introduction of a single currency known as the eurodollar.
European countries planning to join the European Money Union (EMU) and those who do not should be assessing and planning how they will handle and automatically process transactions. It may not affect your business but it is worth analysis, especially if you represent a multi-national organization. Euro and national currency banknotes and coins are slated to move into circulation beginning January 1, 1999 through 2002 when the euro’s implementation for EMU countries is complete.
Business leaders are urged to begin considering potential technology, business and legal implications that may exist within their unique business environment. Affected IT applications can include those designed to process payroll, accounting, price control and stocks. Addressing duality in these systems may be an approach some organizations must take. It is wise to consider its potential impact on your organization, what your customers will be expecting, any planning your suppliers will or should be doing, and how your competitors are dealing with the issue related to dual currency during this time.
A working group of the European Commission is working to establish a definition of what constitutes adequate protection. The results provided under the European Union’s Data Privacy Directive have consequences that address how information is transmitted and used throughout the world. A business located in the US or Italy that maintained information specifically governed by Germany’s data privacy ruling would need to similarly protect the data even if that country’s ruling differed. While the jury is still out on how countries will address the issue of data privacy, it is clear to all that this is a key topic as we move further along the technological path. The location of where information is created, obtained, stored, and used is more ambiguous as we are able to work, bank, buy, and sell wherever our established links and data paths virtually send us across the globe.
Data Center personnel are familiar with increased maintenance and potential risks as a result of our network revolution. Now, the focus is on other risks such as the threat to an organization’s intellectual property and how secure the data is we are sending across our networks. A formalization of data privacy standards that are expected to differ between countries will place a greater burden on the controls and procedures used to process information so that privacy of data is assured wherever it exists across the world.
Much has already been written about the implications of the upcoming millennium and the importance of ensuring that hardware and software will accommodate this important milestone. As a result, the focus for this topic is directed toward a somewhat more obscure area worth considering when engaged in Year 2000 planning. The key benefit of thinking the unthinkable is that angles not previously considered are brought into scrutiny so that ample time is available to plan for risks not previously known.
One such example involves individuals addressing Year 2000 computer changes for a large financial institution. They wondered whether embedded chips would also be affected by the millennium’s approach. Good thing they stopped to consider other non-traditional implications of the Year 2000. They discovered that the locking mechanism situated inside their primary safe would not allow access on January 1, 2000. Had they failed to evaluate other effects of the Year 2000 date change, they would have needed to break into their own safe.
One can only imagine the headlines and embarrassment that would likely have occurred had they not considered alternative date change within their unique environment. There is so much discussed in the media about this topic that it is unlikely businesses have failed to plan for this event. If they have, they do so at their own peril because it will affect all of us. Particularly businesses that utilize electronic information that they or others have produced.
How many organizations continue to rely upon outdated technology where obtaining parts is a difficult and time-consuming process? Often, organizations have no choice and must make do with what they have. If this is your organization, you should be doubly certain you are equipped to handle unplanned part requirements.
One organization that provides computing capabilities to outside clients felt assured of recovery capabilities as they had taken the time to develop a Business Continuity Plan. Unfortunately their risk analysis or contingency approach had not addressed how they could minimize risks as a result of their outdated and non-standard technology. They identified this gap when a $30 part nearly caused them to activate their disaster recovery plan. A plan that would have required the recovery team to fly to an out-of-the-way hot-site suitable for their particularly unique computing needs. The cost for airfare alone would have been nearly $26,000.
The necessary part was fortunately tracked down before this desperate step was necessary. There was some apologizing to clients unhappy with the two-day down time by senior management but the organization learned about a significant risk they had not been aware of previously. Organizations often find it far more beneficial and less expensive to upgrade their computing infrastructure. The benefits include the ability to comparison shop hot-site providers based on cost, service and proximity, easy access of equipment parts and maintenance expertise, in addition to increased equipment reliability.
News reports abound these days about how warmer waters in the Pacific Ocean have begun to affect weather in patterns not seen since 1982-1983. The Pacific warming indicator of this unusual weather occurs every three to seven years and is referred to as the El Ni�o. This phenomenon is the harbinger of a drier and wetter climates throughout the world. Scientists are making predictions as to the strength and likely targets of El Ni�o. Predictions so far are that there is a potential of more than normal hurricanes in the central Pacific, heavier than average rainfalls and snows throughout the US, and increased dryness in other parts of the world.
It is imperative that individuals and businesses prepare for this event. Governmental agencies are already doing so by repairing damaged levees, cleaning brush and debris from dry water ways to reduce flooding when the rains come, conducting training classes, and basically working to mitigate risks and developing plans for how they will deal with the effects of risks they believe can occur with anticipated weather trends.
Organizations are urged to begin developing their own process to mitigate risks wherever possible and to establish safety procedures and contingency plans that are communicated throughout the enterprise. While it is not possible or even appropriate to develop a contingency plan that resumes all organization services immediately after an outage, it is wise to identify and prioritize those business and technology processes that are crucial to sustaining the organization. Long, medium, and short-term plans should be developed that identify how individuals and those with a recovery role are to react during and after an unplanned disruption.
There are a number of resources available from Federal Emergency Management Association (FEMA) and the American Red Cross that will help you assess particular weather risks for your geographic location in addition to material related to how you can initiate mitigation and contingency planning so you are able to better plan for anticipated emergency and evacuation situations. External consulting firms also provide business services to facilitate the development of a Business Continuity Plan. However, implementing a review program is a good start to addressing and planning for business continuity.
Organizations, particularly those exposed to greater threats as a result of their operational environment and proximity, should embark on a process to conduct site reviews and develop a Business Continuity Plan. One benefit of Site Reviews is that potential risks will be minimized. Whereas, a Business Continuity Plan will then outline the organization’s approach and procedures to safeguard lives, protect assets and resume operations following a disaster or significant service interruption. The key goal of continuity planning is to make the critical decisions that will affect the survivability of staff and the business before a crisis occurs.
Moving forward to identify and eradicate risks wherever possible through out-of-the-box thinking and careful planning takes senior management support and coordination throughout the organization. What follows is a three-step program that can be used as a basis for establishing a review program to minimize interruptions and prevent potential disasters from affecting your organization on an ongoing basis.
1.Develop and receive adoption of a comprehensive and complete corporate policy that sanctions the efforts of the Site Review process as part of Information Systems Security activities.
2. Establish an interdepartmental team of subject matter experts to develop detailed site review methods and procedures relative to implementing the Site Review Program.
3. Schedule and perform a site review of each processing center.
Step 1 — Policy
A comprehensive policy will help ensure buy-in from all corporate departments expected to either provide input into the process or to abide by the findings and procedures established as a result. Without a formal policy statement from on high, the program faces inattention, low priority and possible non-conformance. External consulting support with experience in Information Systems Security and Business Continuity Planning may also be obtained at this stage to provide needed organization and direction if this resource is not available internally or if adjunct support is needed to facilitate the process.
Step 2 — Team
A core team of individuals with specific qualifications and knowledge will be needed to develop detailed procedures and standards for the Site Review Program. Subject matter experts from key departments such as Information Technology, Security, Data Processing Operations, Building Operations and Management, Physical Security, Finance, and other user organizations will form the initial team. Procedures developed by this team will include components and related key elements identified below:
Step 3 — Review
It will be necessary to also establish a review schedule with identified time intervals between reviews of given sites. Intervals between reviews for selected sites should not be longer than 12 to 24 months so that organizational and technological changes that often introduce new risks are quickly addressed. One national organization with five major processing sites elected to schedule a site review each quarter. This resulted in a site review for every processing center every 15 to 18 months.
The review team for this organization visited the site and with the assistance of local personnel performed the review using the Site Review Checklist to annotate each checklist item and document findings on the Findings Report. The findings were then shared with local management for concurrence at the end of the review.
Recurring site visits will be necessary to effectively address findings noted from previous site reviews to ensure risks are properly resolved and to confirm the resolution status of open or new issues is documented accordingly. Recurring site visits will also emphasize the importance of the program to local site personnel.
The development of universal reporting forms makes it far easier to document, summarize and track each site review within the program. It is also advised that you consider assigning specific management personnel to participate in a Steering Committee that will meet periodically to review and sanction Site Review Program activities.
Team member responsibilities will include support of the on-site review process, documentation of findings, development of corrective action plans that present the business case and financial statement development, and presenting the results at the Steering Committee meeting. The team is usually chaired by the Information Technology departmental representative.
Executive status reporting provided to Senior Management will be needed on an as-needed basis to indicate the progress on corrections to findings, explain potential operational impacts of findings, and provide general overall information relative to the process. The typical senior management reporting schedule will be a quarterly written report that is followed by a year-end summary presentation to the Board of Directors and officers.
The Site Review Program can provide an organization with a formal process to address routine and preventive issues that otherwise may not be addressed. The benefits of such a process where participants are open to consider potential threats to business will accrue in the form of smoother business operations. Other benefits include the consistent availability of essential business services at lower resource costs and the deployment of a well run and controlled environment.
Kathleen Tudor, CBCP, is a manager in the Information Risk Management Practice of KPMG Peat Marwick LLP.