Information Technology Security & Privacy Through the Eyes of:
Presented By:
Jim Beecher
Kadambari Goel
Wilfrid Hutagalung
Liang Liu
Jon Riek
8 December 2005
Professor Lacity
IS 6800
Executive Summary______
IT security and privacy have become ever more important recently. According to an MIS Quarterly survey, security ranked #1 in CIO’s list of concerns. Research has found that 5 to 10% of IT budgets are spent on security. On average, companies’ annual IT budgets represent about 5% of revenues. Every year, companies suffer losses caused by security breaches. The top three causes in 2005 were: viruses, unauthorized access, and theft of proprietary information. Financial loss caused by those security-related incidents is $130.1 million in 2005, and this figure comes just from 639 respondents surveyed by CSI/FBI Computer Crime and Security Survey. A more comprehensive survey from the Association of Certified Fraud Examiners (ACFE) “estimates that that the typical U.S. organization loses 6% of its annual revenues to fraud. When placed in context with the U.S. Gross Domestic Product for 2003, this amounts to roughly $660 billion in total losses.”
IT security and privacy goes way beyond just password and firewall protections. Companies need to develop a process-oriented portfolio strategy to protect their information assets. Federal and state laws and regulations also mandate governance of customer information and sensitive data. But still many companies are not in compliance with the laws and regulations that they must comply with.
In this paper, we are trying to identify the best practices of IT security and privacy that we have learned from three case studies, as well as additional resources. The three companies that were interviewed were: Fleishman-Hillard - a global communications firm, First Data - a financial transactions company and AT&T - a telecommunications company. The information from the three case studies came from personal interviews, websites and other publicly available sources.
Each company studied had strong information that lent better to particular area from the Functional Inventory Chart provided from Unisys. By comparing the information, we broke our study into three sections, and used one case study to illustrate each section. The first section was Threat and Vulnerability Assessment, which Fleishman-Hillard was able to cover well. The CIO that was interviewed was able to provide great insight on how and why they chose particular areas within IT security to focus their attention. The information from AT&T provided a tremendous amount of information on how secure networks should be designed and structured, so we used AT&T to highlight the Architecture and Designsection. The interview with First Data was with a “front line” employee, and provided a large amount of data on what a company needs to do on a day-to-day basis to be proactive while maintaining reactive capabilities. Thus we chose First Data to illustrate Threat and Vulnerability Management.
In our case studies, we found that they are all trying to be more proactive in protecting IT security and privacy. To better illustrate the best practices, we used the IT security program Functional Inventory developed by Unisys.
The functional inventory is broken into two parts: functional elements and organizational interactions. Due to the enormous amount of information that would take to cover all of the elements we have decided to cover only some of them to do them justice. Listed below are all of the elements on the Functional Inventory.The ones in bold are the ones that will be covered in the paper.
CISO
Threat and vulnerability assessment
Vulnerability management and incident response
Legal and regulatory
Strategy
Policies, procedures, principles and standards
Business continuance and disaster recovery
Educations and communications
Program governance
Architecture and design
Technology capability and evaluation
Key performance analysis and effectiveness
Information security oversight board
Legal (office of general council)
Vender and partner management
Privacy (Chief Privacy Officer and/or Privacy Office)
Business Units
Operations linage (IT, General Operations)
Audit and global compliance
Human resources
Change management
Physical security
At the end of this paper, we also mapped best practices from the three companies’ with ISO 17799, which is an internationally recognized standard in the field of information security management that is widely used for drafting security policies.
What is IT Security and Privacy? ______
IT Security is to provide protection of information systems against unauthorized access to or modification of information, whether in storage, processing or in transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.[i]
Privacy has been in place for much longer time than IT security. The earliest definition is from the 1890’s – it was defined as the right “to be left alone”. [ii]A more current definition is “informational self-determination” – a person gets to decide how their private information is going to be used.
Privacy is interlinked with freedom and property. It can also be defined in part as “the freedom to do things away from the eyes and ears of others”. Privacy is invaded when “individuals are unable to control their interactions with the social and physical environment”.[iii]
Why are they important?______
Security has become more and more important in the IT industry. The survey on CIO’s concerns has shown that in 2003 and 2004, security has ranked number 3 on the management side and in 2004 for the first time, security was included in the survey on the application side and ranked number 1. When you ask a CIO the question “what keeps you up at night”, the most common answer is security.[iv] So why are security and privacy so important in IT?
- Building Customer Trust
With more and more transactions being conducted without face to face, customer trust is a must. In some business models like e-commerce, “security and privacy” are vital. It is easy to understand if you know your business counterpart is going to use your private information without proper governance, you will not give them your private information and you will simply not do business with them at all.
- It is the Law
The federal and state laws require governance of customer information and sensitive data. Organizations are liable for security/privacy breaches. The two major laws are Gramm-Leach-Bliley Act and Sarbanes-Oxley Act.
- Security - Part of IT Infrastructure
Looking at almost any IT system, we can easily see security has been built in. Most systems cannot run without security. In the study of this course, we have learned that ABZ Insurance had seven weeks of outage due to the subcontracting issue between Siennax and BlueX on Verisign. What is Verisign? It is a digital signature. For ABZ Insurance, everything else was fine, but lack of security could not let the system run.
- Privacy – Invaded by IT-empowered Data Collection
IT did not change the way that personal data is collected, processed and exchanged. But it fundamentally changed the speed and scope in which it can be done. With more than ever personal information collected and so little control that individuals have over their own data, IT has made it possible to use available data to affect people’s lives deeply. An example is that generic data can be used to analyze one’s health risk and how it can affect that person’s health insurance and employment. That’s part of the reason why suddenly privacy has become such a big deal and why the European Union, made it a fundamental human right (European Union 200, Article 7). [v]
- Cost Issue
Whenever something costs a lot for an organization, or something has the potential to cost a lot, it is worth management’s time and energy. IT security and privacy are costly, but it is worth the cost, which can be seen in the following survey.
In August 2005, Computer Security Institute (CSI) conducted a Computer Crime and Security Survey, in participation with the FBI San Francisco Computer Intrusion Squad.[vi] The survey is in its 10th year. This year’s survey results are based on the responses of 700 computer security companies in U.S. Corporations, Government Agencies, Financial Institutions, Medical Institutions and Universities. The sizes of the responders vary from small to large. The following is the percentages of responders by number of employees: (1-99: 20%), (100-499: 14%), (500-1,499: 15%), (1,500-9,999: 23%), (10,000-49,999: 16%), (50,000 or more: 11%).[vii] To illustrate how much IT security can cost, we are going to use three charts from the survey. The three charts are:
- Dollar Amount Losses by Type
- Percentage of IT budget Spent on Security
- Average Computer Security Expenditure per Employee
Top 3 loss causes – different from 2004
Figure one shows that the top three loss causes in 2005 were: viruses, unauthorized access, and theft of proprietary information. Denial of service was no 2 in 2004 and now is replaced by unauthorized access.
Percentage of IT Budget on Security:
Figure 2 shows the percentage of IT budget spent on security. We want to say two things on this issue: one, there is essentially no change in percentage of IT budget allocated to security in 2005 comparing to 2004. Two, average security spending is about 5 to 10 percent. We got 14 percent from another source: CIO magazine. We intend to believe 5 to 10 percent is safer to say.
Security Expenditure – bigger organizations spend less per employee?
Figure 3 shows the average security expenditure per employee broken down by organization revenue. As you can see, the expenditure goes down when the size goes up and then beyond some point the economies of scale caused by fixed portion of computer security expenditures diminishes. So it is not always true that the bigger the organization the less they spend on security per employee. This actually makes perfect economic sense.
Beyond these three charts, we also want to point out that the sector with the highest security expenditure per employee was state government, whereas federal government was one of the sectors with the lowest number.
The Relationship between Security and Privacy______
IT security and privacy are two separate things. After we defined what they are and illustrated why they are important, let’s take a look at how they are related to each other.
- Complementary and Contradictory
They are complementary because we need security to protect our privacy. To understand the contradictory relationship, we have to note that security requires openness, clarity and accountability, whereas privacy often means the opposite.[viii]
- Privacy – matter of sacrifice to security
What is more important: privacy or security? Organizations typically care more about security. Since organizations have more power on the systems, privacy sometimes becomes matter of sacrifice to security.
- Avoid two extremes
- Complete Lack of Security usually means system failure.
- Complete Privacy: results in not letting any information out.
Functional Inventory for Security Program______
Below is everything a company needs in a comprehensive Security Management Program. This inventory chart comes from a Unisys presentation[ix] and includes both the Functional Elements and the Organization Interaction essential in the total security of a Corporate. You'll notice this includes many activities beyond firewalls and passwords and extends its limit to Structure, Strategy and Design, role of Human Resources, Education and Communication and Physical Security. In the rest of this paper, we are going to cover the blocks in yellow with the help of case studies and present Proactive & Reactive Practices associated with security assessment, design and management. Due to the overwhelming amount of information, we addressed only a few of the blocks in order to properly explain them in this paper.
9
CISO (Chief Information Security Officer)
More Jobs for CISO candidates
- In 2004 31% of companies hired CISO’s and in 2005 the percentage went up to 50%.
CISO is NOT just for IT – CISO need to protect all of the businesses information assets.
- CISO should implement a Process-Oriented Portfolio Strategy when dealing with security and privacy.
Major Federal and State Laws
- Gramm-Leach-Bliley Act (The Financial Modernization Act of 1999 or GLB)
- Sarbanes-Oxley Act (2002)
- Patriot Act (2001 after 9/11)
- HIPAA – Health Insurance Portability & Accountability Act (1996)
- California’s SB 1386 (July, 2003)
After the 9/11 attacks, government has tightened security. The Patriot Act requires all financial institutions to collect personal identification information to help government fight terrorism and money laundering. GLB, Sarbanes-Oxley Act and HIPAA combine to require governance of customer information and sensitive data.
Among those federal laws, Sarbanes-Oxley Act is the most recent. To demonstrate the effect caused by this law, let’s go back to the CSI/FBI Computer Crime and Security Survey and use one of their findings: in 2005, the respondents in eight out of 14 sector categories (i.e., utility, high-tech, manufacturing, medical, telecommunications, educational, financial and other) believe the Sarbanes-Oxley Act is having an impact on their organizations’ information security. In contrast, 2004 survey showed an impact in only five of the 14 sector categories. Due to the phased-in nature of the act, perhaps an even greater impact of the Sarbanes-Oxley Act on information security will be seen in future years.
CIO Magazine Survey[x]shows that not all companies are in compliance with the law. In addition the percentages below are not based on all companies, but only on the companies that must comply.
- 38% Companies not in compliance with Sarbanes-Oxley
- 23% Companies not in compliance with HIPAA
- 15% Companies not in compliance with California’s SB 1386
As seen in the Functional Inventory Chart from Unisys there are many elements that comprise Information Technology Security. The following three case studies will touch upon some of those elements. Fleishman-Hillard will touch upon one of the elements, Threat and Vulnerability Assessment, and will focus on the Reactive nature of IT security. In the second case study of AT&T focus is on Architecture and Design as well as the Proactive side of Threat and Vulnerability Assessment. In third case study First Data will touch upon Threat and Vulnerability Management.
Fleishman-Hillard______
The roots of Fleishman-Hillard go back to pre-World War II St. Louis, where Alfred Fleishman, then chief deputy circuit clerk for the city of St. Louis, met a reporter who was covering the courts for the St. Louis Star-Times. The reporter was Bob Hillard, and the two became good friends. After a wartime hitch at the Pentagon as chief information officer for the Air Force Rehabilitation Division, Fleishman decided to make public relations his postwar career. He invited Hillard to join him and, in 1946, the two rented three rooms above a Woolworth's Five and Dime store in midtown St. Louis. They sent out an announcement stating their aim "to achieve better understanding and good will among employees, customers, stockholders, plant-city townspeople, and all other "publics." Over 57 years later, Fleishman-Hillard has become a leader in global communications consulting, largely by adhering to those simple and enduring principles. For the next twenty-some years, the firm served a mainly regional client base, until 1974 when John Graham was named president. Under his leadership, Fleishman-Hillard has undergone the most dynamic period of domestic and international expansion. Fleishman-Hillard grew from two offices in St. Louis and Kansas City, to over 80 offices located throughout the world, which has enabled Fleishman-Hillard to experience a 25 percent compounding growth rate over the past 20 years.[xi]
Fleishman-Hillard consistently has been ranked one of the best public relations firms in the world. In the most recent Thomas L. Harris/Impulse Survey of PR agencies, Fleishman-Hillard led all national agencies in quality reputation among its clients and non-clients nationwide, as it has in all 12 years the survey has been conducted. Fleishman-Hillard is the only agency ever to finish first in the survey's two major categories — Quality Reputation and Brand Awareness — in the same year.[xii]
Fleishman-Hillard is organized into 19 different practice areas that include: Business-to-business marketing,business-to-consumer marketing, corporate/reputation management, energy, FH out front, financial communications, food and agribusiness, healthcare and biotechnology, homeland security, innovation, interactive, internal communications, litigation support, multicultural, public affairs, social impact marketing, technology, transportation, andtravel and tourism.[xiii]
Fleishman-Hillard’s goal is "To make ourselves as valuable to our clients as they are to us" which, grew from years of partnership with a number of excellent companies including Procter & Gamble, Dell Computer, Nortel, Wal-Mart and SBC Communications. Companies like these have not only set the standard in their respective industries for quality products and services; they also actively manage their reputations among employees, customers, shareholders, governments, and the communities in which they operate.[xiv]
Through its vast international network, Fleishman-Hillard offers global capabilities tailored to the needs of regional markets. Each FH office has access to the resources of the global network. At the same time, a local practitioner who understands regional business, government issues, regulations, marketing strategies, and social customs manages each office. With years of experience in national communications, their managers ensure that the clients' international programs are designed and implemented in the most effective and appropriate way. All FH offices provide full-scale communications services. Through one source, their clients receive maximum effectiveness in meeting their international public relations and communications needs and maximum convenience in managing international affairs.[xv]