Lecture 21

Enterprise Security

Enterprise security
Putting Security on the Strategy Agenda

John Hartwright

Introduction
- What is your idea of security?
  - Traditional view
  - It's all about access control

Introduction
- What is your idea of security?
  - New technology view
  - It's the job of the IT people

Does this have anything to do with strategy?


- Strategy concerns
  - objectives at a high level
  - large numbers of variables
  - tend to be long term
  - be applicable across an organisation
  - tend towards generality

Computer security
- Often summed up by the acronym CIA
  - Confidentiality
  - Integrity
  - Availability
- Balance needed between all three aspects

Technical fixes
- Anti-virus software
- Encryption
- Passwords and biometrics
- Firewalls

Weakness of technical fixes


- Hoax viruses
- Social engineering
- Users
- Black box fixes

Human fixes
- Hard to define what you are securing
- Changes in location of data
- Changes in nature of viruses and malware
- Increasing use of email
- Increasing need to use e-commerce

Physical security
- Alarm systems
- CCTV
- Security tagging
- Panic alarms/screens
- Guards

What do you need to secure?

[Diagram labels: Details of planned takeover; Order for paperclips; Crucial; Trivial]

Disaster planning
- What will we do if we can't use the computer?
- Backup systems
  - e.g. hot sites, cold sites, mobile solutions
- Backup data
  - e.g. tape drives
  - need secure accessible storage

Business Continuity Planning


- What destroys the computer may destroy the office
- Need to consider
  - IT
  - Personnel
  - Office space
  - Communications links
  - Public relations

Business Continuity Planning


- It's about business survival
- It won't mean the business is unaffected
- It does need testing
- Cannot predict all eventualities but the plan is improved by testing

Employee security
- IT may check for viruses on email but
  - who checks the post for anthrax?
  - who knows what to do when they take a phone call and it's a bomb threat?
  - who checks that the windows are designed to cope with a car bomb?
  - who knows if the Chairman's chauffeur understands how to avoid a hijack?

Forgotten dimensions
- Public relations
  - turning adversity into positive news
  - who is talking to the media?
- Stress
  - what support is available to staff?

Structured security
- "The security department is the protector or guardian of the company's property, product or merchandise, assets, equipment, reputation and employees" (Sennewald, 1998)
- May also need to consider non-employees such as visitors and customers

Bringing it together
- Increasing recognition that organisations need a coherent and cohesive strategy
  - It will be expensive
  - It will affect the whole organisation
  - It will change the way we organise and do business

Key issues
- Mail handling
- Travel
- Employee protection
- Risk assessment
- Infrastructure protection
- Office and plant protection
- Employee morale

None of these are traditional issues for a security department

Final thought
- "There is no end to the imagination of the terrorist so we should not be surprised when what they do surprises us."
  Yonah Alexander, Potomac Institute for Policy Studies
