People used to close business deals with a handshake. They looked one another in the eye. Today, more and more transactions are electronic, anonymous and, in too many cases, fraudulent. Any organization that stores or moves important information on an electronic network is putting its information at risk. A criminal on the other side of the world or an apparently loyal employee may have the ability to wreak havoc by stealing, deleting or exposing confidential information.

The Computer Crime and Security Survey, conducted by the Computer Security Institute and the Federal Bureau of Investigation, indicates that almost two-thirds of the large corporations and government agencies it surveyed lost money when their computer security broke down.

The survey noted that 9 out of 10 respondents had computer security breaches during the previous 12 months. Proprietary information worth $170.8 million was stolen from 41 respondents. Fraud cost 40 respondents $115.8 million.

When only 45 per cent of executives in North America said they conduct security audits on their e-commerce systems (around the world, fewer than 35 per cent had conducted security audits), it becomes obvious that organizations must improve their defenses quickly.

The first step in protecting information assets is a Threat and Risk Assessment (TRA). Without the information it provides, organizations are in danger of fixing only what is broken and ignoring potential hazards. While the specifics of a TRA will be unique at each organization, a common methodology provides a starting point.

The first step is risk assessment, to identify the most important assets and information: threats and vulnerabilities are identified; solutions are proposed and refined; corporate policies are tightened up; roles and responsibilities are assigned; standards and training are developed.

The next step is the creation of a security plan, with its own procedures, budget and implementation timetable. Once those steps are complete, any new architecture can be rolled out and new procedures put in place. At this point, the new system should be tested from the outside for any remaining weak points. Finally, to maintain system security, security should be audited on a regular basis to keep pace with both internal changes and evolving external threats.

The TRA provides the map, but organizations must make the journey.

Consulting companies have identified factors that contribute to the success or failure of an IT security project. Senior managers have to support the project and demonstrate their involvement. Otherwise, their staffs will place a higher priority on other activities.

Business and technical experts should both be involved, because solutions that overburden the enterprise are not acceptable. Individual business units should be responsible for their own TRA to prevent foot-dragging during implementation and finger-pointing later. Interestingly, one consultant recommended conducting assessments on a department-by-department basis rather than all at once. The reasoning is that valuable resources can be narrowly focused, and lessons learned can be carried over to subsequent assessments.

The Threat and Risk Assessment is an important tool. Recent reports show not enough organizations are using it.