Canadian Underwriter
Feature

IT SECURITY, an executive function


November 1, 2000   by Ron Lepofsky, president of PTI Technologies Inc., and Tom Adler,



Technology shopping lists and three-page security policies are no longer an adequate network security planning method for an insurance company. It used to be that information technology (IT) management would seek funding approval for firewalls, anti-virus tools, and the computers to run them on. This budget would determine the investment in security technology, with no formal means of cost justification. It was also up to the IT group to select and implement the technology applications.

Unfortunately, most IT people are not security specialists and only have a cursory understanding of how to properly secure a company’s assets from the perspective of employee procedures, legislative issues, and matters of corporate liability. Executives, including board members, really only approved dollars, and did not get involved with security any further.

Basically, this model has become outdated. Executives must take an active, ongoing role in the security process within their company for several reasons.

Avoiding revenue losses. When bad news about a company hits the media or their clients, it is always the senior executives, and not the IT people, who are held accountable. Bad news often results in sharp revenue losses. The four top examples of security breaches are:

Custodial responsibility for confidential client information is breached and client information is made public;

R&D is stolen or placed in the public domain such as on Internet bulletin boards;

The corporate business plan with details of upcoming key competitive endeavors is made available to competition or is announced publicly; and

Personal information about executives and personnel information in general is made available to all other employees or into the public domain.

These breaches are serious, especially given the new legal obligations brought forward with the passing of Bill C-6, the Personal Information Protection and Electronic Documents Act.

Mainstream business process. Executives can identify key corporate information assets and processes, since they are the ones who understand the dollars behind them. Executives determine which assets are the most important to protect, allocate dollar values to their potential loss, create a budget for protecting these assets and processes, and then enforce the process. The process is composed of four major components, the network security audit, the policy, the employee procedures plan and the security technology plan.

Ideally, executives originate the ideas set forth in the security policy. The policy is executed in the form of the procedures and technology plans, by the IT and network security group in conjunction with directors of human resources, legal, and R&D. Most Canadian insurance corporations, however, do not have a network security group. Thus this work falls to the IT department, or to a third party network security firm.

Once the plans have been created and are being implemented, executives need to remain involved on a regular basis to ensure they are being correctly executed. It is ultimately executives who must make the hard decisions and budget allocations constantly required to keep the security process healthy and alive.

Due diligence. Several of PTI Technologies’ clients have recently requested that the company assist in the creation of network security audits, policies, and procedures documents as a result of their own clients asking to see the same. Those clients are realistically concerned that the network security of their suppliers, who are also custodians of some of their confidential information, meets industry-accepted standards.

Some clients need to start from square-one and create security policies and plans. Others need to completely revamp working documents that are several years out of date. In every instance, there is the need for companies to be able to document that their networks will adequately safeguard their clients’ valuable information.

It is clear that executives can no longer take a back seat in the creation and execution of their corporation’s network security process. They understand their involvement in the liability and financial consequences of a security breach, and they are gaining an understanding of security being an ongoing process, which they must mandate, manage, and enforce.

The Wired World welcomes your feedback. Contact us via e-mail at vspencer@corporate.southam.ca

