Financial Daily from THE HINDU group of publications
Monday, Sep 27, 2004



Talk about business value of security

D. Murali

Security makes business sense. So, get your tech experts to do the right kind of talking - not too secretive about security but not giving away secrets either.

BULLETPROOF your systems before you are hacked! That's the simple message of Roberta Bragg's Hardening Windows Systems, from Tata McGraw-Hill Publishing Co Ltd (www.tatamcgrawhill.com). So, "mount your hardening, securing campaign in at least two directions," says chapter 1, titled 'an immediate call to action'. One, the big picture, and two, the intimate reality of day-to-day work.

Hardening takes time, and cultural change in organisations is slow. For this, you would need "evangelists and disciples, leaders and doers, talkers and strong, silent types". Yet you can effect significant changes in the security posture and actual security status of your networks right now by doing things that are under your control, goads Bragg.

Among the tips is this: keep secrets. "Learn to shut your mouth. It's not rude, but a good practice, to refuse to talk about those things that might compromise security." That doesn't mean you turn non-communicative because: "It's one thing to share a security-hardening tip, or to alert someone to a bad practice that can be corrected. It's another thing to reveal your own system's security weaknesses by talking about them to others."

If there are high-risk systems in your organisation, requiring extra physical security, you may consider the following at workstation level: "a BIOS password; a required syskey Windows boot password; a smart-card, token, and/or biometric for administrator logon; removal of floppy, CD-ROM, or other removable drives; disabling of USB, serial, and other communications ports in the BIOS; hardware locks on cables and drives; physical locks that prevent theft of the workstation; and alarms that warn of computer movement."

'Harden WetWare' says the last chapter. WetWare? That's "the people part of an information system," explains the author. An important lesson for techies is to learn to speak business, because "management is not going to learn to speak geek." So, express security concerns in the context of business value, advises Bragg. "If you have trouble thinking what the business value is, just think money."

Ignorance of the law is no excuse, and there are laws beyond Moore's and Murphy's. In the US context, there is the Gramm-Leach-Bliley Act, which requires financial institutions to implement a security programme that safeguards customer information. HIPAA, or the Health Insurance Portability and Accountability Act, requires the protection of health-related personal information that is maintained electronically. The Sarbanes-Oxley Act, or SOX, emphasises internal controls. The Computer Fraud and Abuse Act "seeks to punish people whose unauthorised access to computer causes harm." Likewise, there are laws on wiretapping, economic espionage, and electronic communications privacy.

It's hard to think of hardening if you trust too much in the goodness of the world. So, first harden your heart before bulletproofing your systems, because there are those with guns outside!

SOX is something you can't shoo away

YES, we're talking about the Sarbanes-Oxley Act, which was born when the match between good and evil in the US was going in favour of the latter! To help you take SOX in your stride, Mohan R. Lavi has written A Practice Manual, published by Snow White (www.swpindia.com). The book includes the IT Control Objectives issued by the IT Governance Institute. The author draws attention to the fact that the US Public Company Accounting Oversight Board (PCAOB) emphasises IT controls as having a pervasive effect on the achievement of many control objectives.

Thus, in drawing the IT Control Objectives, two things have been done: One, the IT controls from Control Objectives for Information and Related Technology (COBIT) were linked to the IT general control categories identified in the PCAOB standard; and two, control objectives were linked to the COSO (short for Committee of the Sponsoring Organisations of the Treadway Commission) internal control framework. It would be interesting to know that COSO was born in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, and the sponsoring organisations included the American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Financial Executives International (FEI), Institute of Internal Auditors (IIA) and Institute of Management Accountants (IMA).

There is a snatch about multi-location assessment considerations, describing three situations. One, "where the financial business units within a territory are not significant individually, but if IT processing occurs in a central location, then the IT business unit may be significant." The example given here is of "a US multinational's British financial business units that are not individually significant and most financial reporting IT processing is performed by a single IT business unit." Two, "where the financial business unit is not significant in a particular territory, but the local IT business unit is responsible for regional IT processing." The example: "an IT business unit in Singapore that is responsible for IT processing throughout Asia-pacific." And three, "where there is no financial business unit in a particular territory, but US-based IT responsibilities have been outsourced to that territory." Well, that seems to come closer home, and so the example is: "a US insurance company that outsources IT processing and maintenance to an IT business unit based in India."

Is it time to see SOX in the eye?

Ambient computers, interactive design

THIS is an unusual book from the Massachusetts Institute of Technology's stable: Digital Ground, by Malcolm McCullough (http://mitpress.mit.edu). The author is Associate Professor of Architecture and Design at the University of Michigan and the current work is "an architect's response to the design challenge posed by pervasive computing". You may wonder what the connection is if not familiar with the technology getting embedded in everyday things.

Interactivity has become ambient, pronounces the blurb, and the author argues that ubiquitous technology does not obviate the human need for place. "An invitation to share in the author's inquiry," says McCullough in his preface. "Interaction design is poised to become one of the main liberal arts of the twenty-first century." Don't turn your backs on computers 'saturating' our lives, exhorts the intro. Accept them, instead, as a design challenge. "Unlike cyberspace, which was conceived as a tabula rasa, pervasive computing has to be inscribed into the social and environmental complexity of the existing physical environment." (For starters, tabula rasa is no dish on the table but 'blank slate' in Latin; meaning that individual human beings are born with no built-in mental content, and that identity gets defined by events after birth.)

Chapter 1, `Interactive Futures', indicates the need for a range of disciplines when IT becomes part of social infrastructure. "Social, psychological, aesthetic, and functional factors all must play a role in the design," because "appropriateness surpasses performance."

Human sustainability depends on the appropriateness of technology adaptation, McCullough says. "Technologies of world making become dangerous unless they are complemented by technologies of world knowing." As the British did in nineteenth-century India, 'going native' would help, after all. Let artifice, therefore, copy the resilience and wastelessness of nature, is the wish that the book wraps up with.

Interesting philosophy for those who consider IT as their religion.

Tailpiece

"Crossword clue says, 'One K in money (6)'."

"Kilobyte?"

"No, that's 8. I guess it must be monkey!"

Books2Byte@TheHindu.co.in
