[ISN] Handle Corporate Security As Single Entity, Users Say

From: InfoSec News (isnat_private)
Date: Tue Apr 08 2003 - 04:15:17 PDT

  • Next message: InfoSec News: "[ISN] Samba flaw threatens Linux file servers"

    http://www.computerworld.com/securitytopics/security/story/0,10801,80069,00.html
    
    By JAIKUMAR VIJAYAN 
    APRIL 07, 2003
    Computerworld 
    
    Chicago - Companies can improve their ability to detect and respond to
    both cyber and physical threats by tying their IT security to other
    aspects of corporate security.
    
    But the cultural and business-process changes involved in implementing
    such a holistic view of security can be daunting for most
    corporations, users said here last week at a conference organized by
    ASIS International, an Alexandria, Va.-based organization of security
    professionals.
    
    "The benefits of integrating corporate security with IT security can
    be tremendous," said Lew Wagner, chief information security officer at
    the MD Anderson Cancer Center at the University of Texas in Houston.
    
    Coordinating IT security functions with areas such as physical
    protection, facilities management, human resources and legal and audit
    functions has helped enhance overall threat-detection and
    incident-response capabilities at the hospital, Wagner said.
    
    "It streamlines corporate investigations. Whenever somebody runs afoul
    of the policies of the institution, you don't have a bunch of people
    doing stovepipe things," he said.
    
    A holistic view of enterprise security can help plug gaps that might
    otherwise be missed, said James Litchko, president of Litchko &
    Associates Inc., a security consultancy in Kensington, Md.
    
    
    Outside Factors
    
    For instance, the majority of IT-related security threats still stem
    from procedural and process flaws - such as failure to secure access
    to crucial systems, inadequate backups and lack of auditing - rather
    than from technology glitches, Litchko said. Consequently, it's
    important to factor in physical and personnel security when
    implementing IT security, he added.
    
    "To some degree, this is happening naturally as IT becomes intertwined
    in almost all aspects of corporate life," said David Rymal, director
    of technology at Everett, Wash.-based Providence Health System.
    
    "Even physical security is tied to IT, as all of our electronic access
    controls feed databases," Rymal said.
    
    In the case of the health care industry, regulations such as the
    Health Insurance Portability and Accountability Act are driving such
    collaboration further in order to protect patients' privacy, Rymal
    said.
    
    As more computing devices become mobile, "we must guard against not
    only theft of the devices but [also] protection of the data on those
    devices," he said.
    
    Integration of security functions can also lead to better operational
    efficiency, said Steve Hunt, an analyst at Forrester Research Inc. in
    Cambridge, Mass.
    
    "The greatest sin of all for a CEO is to have different business units
    with the same mission so everyone is feeling some pressure to justify
    what they are doing," Hunt said.
    
    Even so, few corporations are embarking on such a venture, he said.  
    That's because implementing an enterprisewide security and risk
    management program can be a cultural and business-process challenge,
    given the silos that security-related functions are relegated to
    within many corporations, users said.
    
    For instance, IT functions may report to a CIO, while facilities
    management is handled by finance and risk management and business
    continuity are handled by yet another group.
    
    Connecting these silos can lead to "better identification and
    mitigation" of risks, said Robert Gerden, director of corporate and
    systems security at Brampton, Ontario-based Nortel Networks Ltd.  
    during a presentation at the conference.
    
    But it can be "very hard to quantify the ROI" on the benefits gained
    from such integration, Gerden said.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Apr 08 2003 - 07:22:10 PDT