Handbook of Information Security Management:Policy, Standards, and Organization

Rapid Evolution of Business Technologies

The past decade has seen a precipitous decline in the significance of mainframe-based processing in many organizations and a concomitant increase in importance of client server and LAN-WAN-based computing infrastructures. Although no one expects all mainframe systems to disappear in the near term, the “Centralized Systems” model for operations and, therefore, protection has fallen from favor at present. This means the IPS organization must now find ways to effectively protect the critical informational content of hundreds or thousands of servers and perhaps tens of thousands of end-user workstations/personal computers. Any of these systems may in fact provide a point of access to critical information stored locally or accessed through networks.

The evolution and implementation of the “networked computing paradigm” has been accompanied by the rise of distributed systems and client/server-based applications. Sun Microsystems has popularized the slogan “The network IS the computer”. If this is true, then IPS has a responsibility to help the organization determine where and what gets protected, and most importantly, by whom.

The increasing prevalence of client/server applications further challenges and blurs classical accountability. Typical lifecycle-based development checkpoints for information systems auditors and security staff are often overlooked by the line IS groups in their rush to meet required delivery dates to support business unit priorities. The absence of rigorous systems development standards is often compounded by a lack of robust tools for ensuring that baseline security measures are implemented. Audit trails and change controls are often limited or lacking and easily bypassed at the server’s operating system level, and access controls are often limited to little more than fixed passwords. Data warehouses and high-value databases are often married to internal Web servers in the push to deploy a corporate “intranet” to facilitate easy access to information by authorized users. However, little or no effort is invested to prevent or detect unauthorized access to sensitive information by the users, who may operate worldwide.

Access to corporate information has been dramatically increased via the rapid deployment of microcomputers, LANs, WANs, and soon by the next generation of “personal digital assistants”. Most medium and large organizations are rapidly moving to a distributed information systems environment where critical information pulses through the global network on a 24-hour basis and is accessible by a wide array of devices, which may be linked through the Internet or via remote dial-up connections, or may employ wireless cellular technologies. The combination of these advanced devices promises to provide access to information unlimited by time, location, or distance. Structuring a program for identifying and safeguarding essential information against the wide array of threats at this level of complexity is substantially more difficult than protecting information kept safely inside a fixed location.

Globalization of operations further compounds the information protection challenge. As business organizations face increased competition from both domestic and foreign rivals, the organization often responds by increasing its own foreign operations. Many medium-size organizations now have a presence in many nations — something that in the past was the privilege of the large and sophisticated multinational organizations. Lacking a deep bench of international business experience to draw on, managers of such organizations may make poor decisions which will increase risks to systems and information.

“Business: Anywhere, Anytime, Anyway” seems to be the implicit mission of many organizations. The most important fact to emphasize in considering the new risks arising from global operations and the associated global network and information systems infrastructure is that the organization truly is “only as strong as the weakest link”, whether that is an unlocked file cabinet in Cairo, an unsecured desktop workstation logged on to a corporate system in Munich, or a laptop computer forgotten at an airport.

IPS managers now must deal with unique cultural aspects of many other nations. This can complicate the already daunting task of fashioning a corporate protection program, as missteps can diminish or destroy fragile support for the corporate “head office” program by the local management and staff. Typical areas that can lead to breakdowns include:

  Motives — For each operational region it’s important to understand what causes people to commit unauthorized, possibly illegal activities, as well as what motivates them to comply with management-directed protection methods.
  Misunderstandings — It’s very easy for both language and cultural nuances to adversely impact the effectiveness of the protection measures.
  Management Consistency — It is essential to ensure that a minimum baseline of protection is applied worldwide, but this is very difficult to achieve. The wide range of management styles makes it hard to confirm that baseline measures are actually in place, which complicates efforts to ensure that none of the remote or foreign office locations becomes the weakest link. Every major continent contains a wide array of cultural management styles which affect willingness to deal with forms, procedures, and incidents.

The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version is covering; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.