Data Security Management in Tomorrow’s Context
With the evolution of the World Wide Web came a corresponding growth in cyber and online threats to information systems security, which can no longer be addressed with traditional methods. The increase in sophisticated viruses, worms, and hackers has changed and challenged the perspective of how the cyber landscape should be governed. This was the message put across by Oracle when it held its security symposium in July of 2008. During the symposium, keynote speakers challenged the audience on traditional thinking about information management and, especially, protection.
The results of a 2007 survey by PricewaterhouseCoopers showed that in Singapore alone, a considerable part of data security threats originated from insiders, financial fraud, and third-party security issues. In terms of third-party security, as few as 15 percent of respondents to the survey said that they were confident about it.
The Developing Threat Environment
It has long been a common supposition that the internet is secure, especially since online criminals do not know passwords and other private information. However, according to Wong Loke Yeow, the Regional Director of Asia-Pacific Technology Solutions (Security) at Oracle, this assumption no longer applies.
As threats to information security have developed since 1996, so has the sophistication of online attackers, states Wong. Cybercrime has developed into more organized forms that are used by fortune seekers who mainly aim at financial fraud. Identity theft is becoming more rampant and often causes great damage to victims and companies.
However, security solutions have also improved alongside the evolving threats. Wong describes firewalls and intrusion detection systems as first generation solutions that address external threats to a company. There are also second generation solutions, such as patch management, which respond more quickly than the first generation solutions.
Wong also warns that, as threats continue to evolve, the rate of improvement in protecting information systems still lags behind. He is counting on the development of third generation solutions to address internal threats in more practical ways, to offer uninterrupted security, and to utilize accessible resources most effectively.
Gone are the days when only the IT staff of a company or organization were responsible for the security of information on computer systems. Now everyone at every level should be involved in information security. Standards, policies, and procedures are worthless if people are not there to enforce them.
Reacting to Weaknesses
Larry Lam, the president of the Information Systems Audit and Control Association based in Singapore, explains that recent advancements in the internet environment have increased apprehension about information security.
For instance, in early 2008, Dan Kaminsky, the director of penetration testing for IOActive, discovered a weakness in the Domain Name System. Specialists now foresee a possible situation in which a cybercriminal uses this fault in the system to attack internet service providers. This would allow the attacker to change whole websites and, worse, replace them with malicious content.
With this information, Dan Kaminsky went to Sun, Cisco, and Microsoft and encouraged them to secretly develop patches to prevent such future scenarios. As a result, many of these major vendors released and circulated these patches in early July of 2008.
Lam reflects that as the threats evolve, the management and governance of information security, and the associated policies and regulations, may turn into more prescriptive measures. But there is a danger that security issues will continue if organizations follow them too closely without asking themselves whether these decisions are really the best solutions for their business objectives.
Enhancing Governance in IT
Ramesh Moosa, director of advisory services at PricewaterhouseCoopers (Singapore), states that the governance of information technology is a structure and aptitude for making decisions and implementing them, with the inherent requirement of managing, controlling and monitoring the IT of an organization.
Moosa emphasizes that IT is a competitive tool, and that investing in or leveraging leading, reliable, competent, and mature technologies should be the IT governance philosophy that companies aim to adhere to. There is no ‘best’ IT model to follow, since these models need to be flexible and able to change according to business needs, strategies, and environment.
There are many ways, however, in which information technology governance may be improved, he says. First, IT managers should view IT as a critical factor in the success of their organization, and then recognize the organization’s requirements in culture and change to accommodate that.
Finally, they should position themselves to achieve tangible and realistic expectations and targets when connecting IT governance to the needs of their organization. It is also critical to identify the maturity levels of their enterprise to ensure a smooth transition and a better fit.