Monday, October 27, 2008

Securing Information Systems

What Executives Should Know and Do.

As technology becomes more and more prevalent in today's society, businesses are looking for more ways to secure account information, which might include home addresses, telephone numbers, birthdays, and Social Security numbers. This information must be protected from people who might want to access it for unauthorized use, including identity thieves. If account and personal information is stolen from consumers, your company might face serious consequences from the federal government, and you could lose the support of the very consumers you depend on.
Todd Fitzgerald of National Government Services outlined 13 questions that the Chief Information Officer must ask of the Chief Executive Officer to ensure that all accounts, personal information, and company knowledge are kept secure. The questions are listed below. Fitzgerald examines how the changing workplace is affecting security at companies. Companies are having to evaluate how much money they need to spend on securing information without hurting the company's bottom line. He argues that an employee's access to certain types of information should depend on their position in the company: "Attention to security should be on a risk adjusted basis, with the higher priority projects receiving increased, formalized attention, while the smaller efforts could be accomplished by the development team through the use of internal peer reviews of the security requirements" (Fitzgerald 4). He goes on to point out that a CIO's responsibility does not end there. CIOs are responsible for making sure that servers are protected and code is secure, and for ensuring that high standards are met by performing internal and external audits.


1. What is the minimum necessary effort required to produce code that is secure?
2. What do we need to do to avoid audit issues in the application development process without adding significant expense or delays to our projects?
3. Do you see your role as an after-the-fact reviewer of security controls or engaged in the implementation of the controls?
4. What technologies are available to reduce the labor intensive process of keeping up with the latest patches, system vulnerabilities, configuration management and compliance monitoring?
5. Can you provide information on the “real risks” that are present in our specific industry and the appropriate implementation alternatives that companies use to mitigate these risks?
6. How can we ensure that we have reduced our exposure to an acceptable risk?
7. What tangible benefit will we receive from the security investments that will enable the business?
8. Which internal/external audit issues will these investments eliminate?
9. What other information technology resources are required, in addition to systems security staff, to implement the security solution presented? What support is required from the business?
10. How do the security requirements integrate with the systems development life cycle? Are we performing these tasks already?
11. Do we have the necessary experience in-house to implement these solutions? Should we consider outsourcing some of the functions?
12. What are the critical success factors for achieving success in our security efforts? How much security is "enough"?
13. How can you help reduce the time I spend on compliance-related efforts in gathering documentation?

4 comments:

Daniel Fuller said...

Yeah, I know that a lot of companies have spent tons of hours and lots of money trying to meet HIPAA privacy regulations. Technology is great, but it gives criminals even more ways to steal.

Debbie P said...

Pulaski County, Arkansas has a web site, like most counties do, and for a while it provided access to the real estate records of its residents. The address is pulaskiclerk.com. I visited the site when it first opened earlier this year and I, of course, searched under my name first. My address, SS#, loan papers, finance papers, etc., were all displayed for public viewing. Even my application to become a Notary Public was available. Of course my name was linked to my ex-husband because we once owned property together. I was able to find out his new wife's name, their address, and I was able to view all their finance and refinance papers on the various properties they own, etc. Pulaski County has since blocked access to this area of their web site because I am sure they received an enormous number of complaints. What I wonder is, with the world being the way it is today, especially with regard to identity theft, and just as this blog suggests, most every business out there is trying to find ways to keep its information safe and secure and to not go broke doing it, why do you think Pulaski County would feel it is okay to make available via a web site the most personal of information concerning its residents?

Anonymous said...

This aspect of technology is the most scary part. Of course we see all the great benefits, but we often forget about all the bad things that can happen until it actually happens to us.

And I'm sure we've all encountered someone who has either had a problem with public information or known someone who had. It's awful, but isn't it the price we pay in order to reap all of the benefits? Or if you don't want to pay the price, then you must take all the extra steps in order to protect yourself. No one is going to do it for you.

Andy Arnold said...

At my place of employment, there are high-security walls that do not allow a large influx of incoming emails, and even outgoing emails to certain addresses. The security system also has set permissions that prevent users from downloading any kind of software, accessing gaming sites, deleting certain files, and even browsing through Windows Explorer. I would say the system is quite secure, but the tightness of the system creates havoc for the three field employees throughout the organization of over 20,000 workers. Some of the simple problems could be worked through via a help-desk "walk-thru"; however, security in this case has more weight than productivity.