| People used to close business deals with a handshake. | | | | The first step is risk assessment, to identify the most |
| They looked one another in the eye. Today, more and | | | | important assets and information: threats and |
| more transactions are electronic, anonymous and, in | | | | vulnerabilities are identified; solutions are proposed and |
| too many cases, fraudulent. Any organization that | | | | refined; corporate policies are tightened up; roles and |
| stores or moves important information on an electronic | | | | responsibilities are assigned; standards and training are |
| network is putting its information at risk. A criminal on | | | | developed. |
| the other side of the world or an apparently loyal | | | | The next step is the creation of a security plan, with its |
| employee may have the ability to wreak havoc, by | | | | own procedures, budget and implementation timetable. |
| stealing, deleting or exposing confidential information. | | | | Once those steps are complete, any new architecture |
| The Computer Crime and Security Survey, conducted | | | | can be rolled out and new procedures put in place. At |
| by the Computer Security Institute and the Federal | | | | this point, the new system should be tested from the |
| Bureau of Investigation, indicates almost two-thirds of | | | | outside for any remaining weak points. |
| the large corporations and government agencies it | | | | Finally, to maintain system security, security should be |
| surveyed lost money when their computer security | | | | audited on a regular basis to keep pace with both |
| broke down. | | | | internal changes and evolving external threats. The |
| The survey noted that 9 out of 10 respondents had | | | | TRA provides the map, but organizations must make |
| computer security breaches during the previous 12 | | | | the journey. Consulting companies have identified |
| months. Proprietary information worth $170.8 million | | | | factors that contribute to the success or failure of an |
| was stolen from 41 respondents. Fraud cost 40 | | | | IT security project. Senior managers have to support |
| respondents $115.8 million. | | | | the project and demonstrate their involvement. |
| When only 45 per cent of executives in North | | | | Otherwise, their staffs will place a higher priority on |
| America said they conduct security audits on their | | | | other activities. |
| e-commerce systems, (around the world, fewer than | | | | Business and technical experts should both be involved |
| 35 per cent had conducted security audits) it becomes | | | | because solutions that overburden the enterprise are |
| obvious that organizations must improve their | | | | not acceptable. Individual business units should be |
| defenses quickly. | | | | responsible for their own TRA to prevent |
| The first step in protecting information assets is a | | | | foot-dragging during implementation and finger-pointing |
| Threat and Risk Assessment (TRA). Without the | | | | later. Interestingly, one consultant recommended |
| information it provides, organizations are in danger of | | | | conducting assessments on a |
| fixing only what is broken and ignoring potential | | | | department-by-department basis, rather than all at |
| hazards. While the specifics of a TRA will be unique at | | | | once. The reasoning is that valuable resources can be |
| each organization, a common methodology provides a | | | | narrowly focused, and lessons learned can be carried |
| starting point. | | | | over to subsequent assessments. |