People used to close business deals with a handshake. They looked one another in the eye. Today, more and more transactions are electronic, anonymous and, in too many cases, fraudulent. Any organization that stores or moves important information on an electronic network is putting its information at risk. A criminal on the other side of the world or an apparently loyal employee may have the ability to wreak havoc by stealing, deleting or exposing confidential information.

The Computer Crime and Security Survey, conducted by the Computer Security Institute and the Federal Bureau of Investigation, indicates that almost two-thirds of the large corporations and government agencies it surveyed lost money when their computer security broke down.

The survey noted that 9 out of 10 respondents had computer security breaches during the previous 12 months. Proprietary information worth $170.8 million was stolen from 41 respondents. Fraud cost 40 respondents $115.8 million.

When only 45 per cent of executives in North America said they conduct security audits on their e-commerce systems (around the world, fewer than 35 per cent had conducted security audits), it becomes obvious that organizations must improve their defenses quickly.

The first step in protecting information assets is a Threat and Risk Assessment (TRA). Without the information it provides, organizations are in danger of fixing only what is broken and ignoring potential hazards. While the specifics of a TRA will be unique at each organization, a common methodology provides a starting point.

The first step is a risk assessment, to identify the most important assets and information: threats and vulnerabilities are identified; solutions are proposed and refined; corporate policies are tightened up; roles and responsibilities are assigned; standards and training are developed.

The next step is the creation of a security plan, with its own procedures, budget and implementation timetable. Once those steps are complete, any new architecture can be rolled out and new procedures put in place. At this point, the new system should be tested from the outside for any remaining weak points.

Finally, to maintain system security, security should be audited on a regular basis to keep pace with both internal changes and evolving external threats. The TRA provides the map, but organizations must make the journey. Consulting companies have identified factors that contribute to the success or failure of an IT security project. Senior managers have to support the project and demonstrate their involvement. Otherwise, their staffs will place a higher priority on other activities.

Business and technical experts should both be involved, because solutions that overburden the enterprise are not acceptable. Individual business units should be responsible for their own TRA to prevent foot-dragging during implementation and finger-pointing later. Interestingly, one consultant recommended conducting assessments on a department-by-department basis rather than all at once. The reasoning is that valuable resources can be narrowly focused, and lessons learned can be carried over to subsequent assessments.

The Threat and Risk Assessment is an important tool. Recent reports show not enough organizations are using it.
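The TRA steps described above (rank the important assets against their threats and vulnerabilities, propose safeguards, assign responsibility, then audit what remains) can be kept in a small risk register. The following is an added example, not code from the article or any TRA standard it cites; the numeric scoring (asset value, threat likelihood and vulnerability severity each on an assumed 1 to 5 scale, multiplied together) and the sample assets, threats and safeguards are all constructed for illustration. The article prescribes no scoring model, so treat the scale as one reasonable choice among many.

```python
"""Minimal Threat and Risk Assessment (TRA) register.

Added example, not from the original article. The scoring scheme
(asset value x threat likelihood x vulnerability severity, each 1..5)
is an assumption chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Asset:
    name: str
    value: int  # 1 (low) .. 5 (critical); assumed scale


@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: int  # 1..5, how likely the threat is to act; assumed scale
    vulnerability: str
    severity: int  # 1..5, how badly the weakness exposes the asset; assumed scale
    safeguard: Optional[str] = None  # proposed solution, if any
    owner: Optional[str] = None  # role responsible for the safeguard
    reduction: int = 0  # severity points the safeguard removes once in place

    def inherent_score(self) -> int:
        """Risk before any safeguard is applied."""
        return self.asset.value * self.likelihood * self.severity

    def residual_score(self) -> int:
        """Risk after the safeguard; severity never drops below 1."""
        return self.asset.value * self.likelihood * max(1, self.severity - self.reduction)


def build_register() -> List[Risk]:
    """Constructed sample data for a small organization (not from the article)."""
    customer_db = Asset("customer database", value=5)
    payroll = Asset("payroll file", value=4)
    website = Asset("public website", value=2)
    return [
        Risk(customer_db, "external intruder", 3, "unpatched web server", 4),
        Risk(payroll, "disgruntled employee", 2, "shared administrator password", 5),
        Risk(website, "defacement", 3, "weak CMS credentials", 3),
    ]


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Assessment step: order risks so the most important assets come first."""
    return sorted(risks, key=lambda r: r.inherent_score(), reverse=True)


def assign_safeguard(risk: Risk, safeguard: str, owner: str, reduction: int) -> None:
    """Solution and responsibility step: record what will be done and by whom."""
    risk.safeguard = safeguard
    risk.owner = owner
    risk.reduction = reduction


def unowned_risks(risks: List[Risk], threshold: int) -> List[Risk]:
    """Roles check: risks still at or above the threshold with nobody responsible."""
    return [r for r in risks if r.residual_score() >= threshold and r.owner is None]


def audit(risks: List[Risk], threshold: int) -> Dict[str, int]:
    """Periodic audit step: summarise what remains above the acceptable threshold."""
    above = [r for r in risks if r.residual_score() >= threshold]
    return {
        "total": len(risks),
        "above_threshold": len(above),
        "unowned_above_threshold": len(unowned_risks(risks, threshold)),
    }


def run_assessment(threshold: int = 16) -> Dict[str, int]:
    """Walk the register through the steps and return the audit summary."""
    risks = build_register()
    ranked = rank_risks(risks)
    # Safeguards and owners are constructed for the two highest-ranked risks;
    # the third is deliberately left unassigned so the audit has something to flag.
    assign_safeguard(ranked[0], "monthly patch cycle for internet-facing hosts", "IT operations", 3)
    assign_safeguard(ranked[1], "individual admin accounts with MFA", "HR systems lead", 3)
    return audit(risks, threshold)


if __name__ == "__main__":
    for r in rank_risks(build_register()):
        print(f"{r.asset.name:20} {r.threat:22} inherent={r.inherent_score()}")
    print(run_assessment())
```

The audit summary is the part worth keeping: the count of unowned risks above the threshold is exactly the "roles and responsibilities" gap the article warns about, and re-running `audit` after each internal change or new external threat is the regular review it recommends.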