Handle Corporate Security As Single Entity, Users Say

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,80069,00.html

By JAIKUMAR VIJAYAN 
APRIL 07, 2003
Computerworld 

Chicago - Companies can improve their ability to detect and respond to
both cyber and physical threats by tying their IT security to other
aspects of corporate security.

But the cultural and business-process changes involved in implementing
such a holistic view of security can be daunting for most
corporations, users said here last week at a conference organized by
ASIS International, an Alexandria, Va.-based organization of security
professionals.

"The benefits of integrating corporate security with IT security can
be tremendous," said Lew Wagner, chief information security officer at
the MD Anderson Cancer Center at the University of Texas in Houston.

Coordinating IT security functions with areas such as physical
protection, facilities management, human resources and legal and audit
functions has helped enhance overall threat-detection and
incident-response capabilities at the hospital, Wagner said.

"It streamlines corporate investigations. Whenever somebody runs afoul
of the policies of the institution, you don't have a bunch of people
doing stovepipe things," he said.

A holistic view of enterprise security can help plug gaps that might
otherwise be missed, said James Litchko, president of Litchko &
Associates Inc., a security consultancy in Kensington, Md.


Outside Factors

For instance, the majority of IT-related security threats still stem
from procedural and process flaws - such as failure to secure access
to crucial systems, inadequate backups and lack of auditing - rather
than from technology glitches, Litchko said. Consequently, it's
important to factor in physical and personnel security when
implementing IT security, he added.

"To some degree, this is happening naturally as IT becomes intertwined
in almost all aspects of corporate life," said David Rymal, director
of technology at Everett, Wash.-based Providence Health System.

"Even physical security is tied to IT, as all of our electronic access
controls feed databases," Rymal said.

In the case of the health care industry, regulations such as the
Health Insurance Portability and Accountability Act are driving such
collaboration further in order to protect patients' privacy, Rymal
said.

As more computing devices become mobile, "we must guard against not
only theft of the devices but [also] protection of the data on those
devices," he said.

Integration of security functions can also lead to better operational
efficiency, said Steve Hunt, an analyst at Forrester Research Inc. in
Cambridge, Mass.

"The greatest sin of all for a CEO is to have different business units
with the same mission so everyone is feeling some pressure to justify
what they are doing," Hunt said.

Even so, few corporations are embarking on such a venture, he said.  
That's because implementing an enterprisewide security and risk
management program can be a cultural and business-process challenge,
given the silos that security-related functions are relegated to
within many corporations, users said.

For instance, IT functions may report to a CIO, while facilities
management is handled by finance and risk management and business
continuity are handled by yet another group.

Connecting these silos can lead to "better identification and
mitigation" of risks, said Robert Gerden, director of corporate and
systems security at Brampton, Ontario-based Nortel Networks Ltd.  
during a presentation at the conference.

But it can be "very hard to quantify the ROI" on the benefits gained
from such integration, Gerden said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.