Enterprise Security Policies: Protecting Corporate Systems And Proprietary Data Assets

Contributor: Rucci, Burnham, Carta & Edelberg, LLP
United States Media, Telecoms, IT, Entertainment

Are your corporate networks, intranets, extranets and e-commerce transactions secure from attack? Increased use of the Internet, networking capabilities and e-commerce transactions by organizations has tremendously increased the potential losses from inadequate security. A recent survey of management at several top public and private sector organizations in the United Kingdom, commissioned by Dimension Data, showed that fifty-four percent of information technology managers admitted their organizations did not have a security plan in place or were not sure one existed. These statistics are not surprising considering recent security breaches at companies such as Yahoo and Microsoft. In the case of Microsoft, a teenage hacker may have accessed proprietary source code for a significant period of time. The Computer Security Institute also announced that of respondents to their recent survey, primarily large corporations and government agencies, ninety percent reported cyber attacks in 2000 resulting in more than $275 million in financial losses.

Inadequate security can cause short-term losses to an organization including website damage, viruses, system downtime, fraud, theft or access to proprietary data and the cost of repair and recovery. Long-term, these damages may result in loss of business and revenue as well as bad publicity to the benefit of competitors. Worse yet, these threats more likely originate from within an organization than from outside. These perpetrators are often employees who have access and codes to penetrate corporate systems. Every organization needs an enterprise security policy to protect corporate data and technology assets. An effective security policy is a continuous process developed and implemented by management, affecting all aspects of corporate data assets, fundamental business processes and functions throughout an organization.

Development of an enterprise security policy begins with a technology assessment measuring the vulnerability of existing systems and the potential for loss, and a risk assessment identifying and valuing data assets to determine an acceptable level of risk. These preliminary assessments result in short- and long-term goals and parameters of an enterprise security policy. With these assessments, appropriate controls can be implemented to effectuate the goals of the enterprise security plan.

The enterprise security policy, the reasons for it and related controls must then be communicated to employees, continually reinforced, maintained, updated and supported by management. Lack of support and reinforcement by management can lead to circumvention of controls and decreased productivity of employees. Statistically the number one security risk in an organization is an unhappy employee or former employee, which is amplified by today’s high turnover rate.

Technology Assessment

An organization must consider its particular business objectives and technology needs in developing an enterprise security policy. The development process should begin with assessment of the security of existing systems. Technology assessments can be conducted in-house or by numerous companies that provide total system assessments to detect vulnerabilities and security threats to corporate systems. This assessment will provide an overall picture of enterprise security and will suggest means for upgrading and improvement from a technology and management standpoint. Technology assessments, whether in-house or by third parties, should be performed on a regular basis as part of ongoing maintenance. Frequent third party assessments may allow for an objective nonpolitical assessment of the effectiveness of an enterprise security policy.

Short-term, a technology assessment will result in undertaking preliminary security measures that can be implemented quickly and inexpensively until a comprehensive security policy is developed. Some preliminary measures include non-technology-based security measures such as securing employee workstations, desks, offices, disks, and physical access to sensitive data generally. Failure to implement short-term measures against known vulnerabilities may be considered negligent when there is an obligation or duty on the part of management, an employee, or the organization to protect proprietary data assets.

Risk Assessment

The next step in the development process is undertaking a risk assessment. This step requires that management identify and value the data assets of an organization. The function of a risk assessment is to identify what data assets need protection and what level of protection is required, and to develop appropriate controls without losing sight of business goals and objectives. From this assessment management must determine appropriate controls and the level of acceptable risk for the organization. Organizations must be clear and establish the levels of risk they are willing to accept in developing controls. Only comprehensive technology and risk assessments will yield accurate measurements of enterprise security and enable management to set parameters for development of a successful enterprise security policy.

In selecting appropriate controls an organization should consider new and pending legislation as well as regulations governing its business. Management must decide how to address unacceptable risks. An organization’s security controls should generally address access, acceptable use, enforcement, and maintenance of security measures and policies.

Implementation of an enterprise security policy and procedures can affect the culture, productivity and innovation of an organization. Generally, the more difficult issues to address with regard to implementation of a security policy are organizational and strategic rather than technical. The benefit of an enterprise security policy and controls must therefore be tailored and balanced against its potential burden on operations and productivity. After all, absolute security will lead to zero productivity. Once appropriate controls are developed they must be implemented throughout the organization. In order to effectively implement security controls employees must be provided with guidelines and training on proper use and compliance. Lack of training and understanding can lead to resistance and undermining of the goals and effectiveness of the security policy.

Access

A basic control of an enterprise security policy is governance of access. Who maintains the integrity of an organization’s hardware systems, software systems, and system security? Who authorizes and issues access accounts, passwords, and remote access?

The force behind a strong security policy is in centralized access. Some of the basic weaknesses in systems and networks are inadequate or ineffective access control. Users having multiple passwords and/or remote access can willingly or unwillingly permit unauthorized access to corporate systems or networks by writing down or sharing passwords. In addition, permitting employees to access systems remotely can lead to intrusions by hackers or even worse, employees themselves. Having controls in place governing access by employees, as well as partners or vendors, can reduce an organization’s vulnerability.

Compartmentalizing data access and securing data can also bolster security efforts. Compartmentalizing data access means that access to corporate systems is given only to those parts of the corporate system required for each particular employee to perform his or her job function. Sensitive data such as salary information, and proprietary data such as customer lists and trade secrets, may require extra security to protect them and in some cases to prevent loss of their legal proprietary status. These measures may include physically securing servers upon which sensitive data is stored, implementing multiple levels of file protection, tracking user access, installing firewalls, restricting access and data encryption. The methods for implementing these security measures should be tailored to each particular organization and are generally a product of a technology assessment. Insurance coverage is also available to protect from loss of data assets. However, security measures need to be implemented and maintained in order to qualify for such coverage.

Partners, Vendors, ISPs, and ASPs

In today’s economy, partnerships, strategic alliances and mobility are essential to doing business. Use of capabilities such as intranets and extranets has allowed for increased collaboration and mobility; however, these efforts can lead to long-term disadvantages if not properly implemented and controlled.

Implementation of these capabilities generally provides an organization with minimal control over end-user information flow. Once data has arrived at a partner or remote user, there is little to prevent them from transferring it. Once access is granted and data obtained, there is no way to take it back. These types of relationships also lend themselves to long-term aggregation of strategic information. Over time partners may be able to aggregate enough data to produce a competitive product on their own or with a new partner. In order to minimize such risk an organization should consider all partners as competitors and grant access to data prudently. Data must be protected, controlled and valued as any physical asset of an organization. Exposure can be significant if extranets are large, e.g. including numerous sales reps, distributors, and resellers, making protection and data control very difficult. In addition, such partners may possibly deal with your competitors. Controls governing access should address partners or vendors with remote access and any data made available to them.

As a partner accessing data from another organization, such a relationship can have significant legal implications. Under the Economic Espionage Act of 1996 (EEA) organizations can face fines up to $5,000,000 and imprisonment up to 10 years for the domestic theft of trade secrets. Given the extent of potential penalties under the EEA, organizations should conduct thorough and periodic legal, technical and management assessments of trade secret protection measures and employment practices with regard to their data assets. Such assessments and diligent record keeping can substantially decrease the potential liability under the EEA. Understanding the legal issues involved in an enterprise security policy and its related controls is paramount to its success and in the best interests of the organization.

Enterprise security may also be affected by an organization’s relationships with Internet Service Providers and Application Service Providers (ISPs and ASPs). According to a recent report by IDC, the number one criterion for selecting an ISP, among IT executives, is the strength of their security measures. As with partners and vendors, developing relationships with ISPs and ASPs should be carefully controlled so as to not undermine enterprise security or create vulnerability. In addition, technology developments such as e-signatures, smart cards and wireless accessibility may also affect the strength of an enterprise security policy long-term. Enterprise security must be considered in the process of entering such relationships or adding new technology to corporate systems.

Acceptable Use

Once access controls have been implemented, employees must be provided with guidelines and training on proper use and compliance. Lack of training and understanding can lead to resistance by employees, undermining the goals of the security policy. Management often fails to take the time and spend the money to train people about protecting its data assets. A security policy establishes an organization’s attitude toward data and announces that data, like any tangible asset, is property of the organization to be protected from unauthorized access, modification, disclosure or destruction. An organization should respond promptly and swiftly to any violation of its security policy to reinforce the importance of protecting data assets.

Maintenance

One of the primary concerns and security mistakes cited by technology professionals and management across industries is a lack of adequate procedures and policies to maintain existing security systems. Continuing assessment, training, upgrades and monitoring are essential to the long-term success of an enterprise security policy. Enterprise security must always be considered in the evolution of an organization, the process of entering new relationships with partners and vendors and when adding new technology to corporate systems.

Conclusion

Data security is crucial in today’s business environment. A comprehensive enterprise security policy is the proper way to protect an organization’s valuable data assets. An effective enterprise security policy begins with a Technology Assessment to uncover vulnerabilities of existing corporate systems. Preliminary security measures should be implemented as a result of the Technology Assessment to minimize short-term risk. Next, a Risk Assessment is performed to identify and value the data assets of an organization and determine an acceptable level of risk. These preliminary assessments result in goals and parameters for developing a comprehensive enterprise security policy. Once goals and parameters are developed, appropriate technology and management controls can be implemented and employees trained in proper use and the importance of compliance with the security policy. In developing appropriate controls an organization must consider the people that enable it to do business such as ISPs, ASPs, vendors, partners, and most importantly employees. In order to be successful and effective, management must balance the business objectives of an organization with the goals of its security policy and the productivity of its employees. The ultimate success of an enterprise security policy will depend on reinforcement and support by management and ongoing, continuous maintenance including training, adapting to new technology and new business objectives.

All rights reserved.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
