
"Information Risk": A New Approach to Information Technology Security

For Corporate Executives and Directors

Understanding the potential benefits and risks of information technology (IT) - particularly information security - has become a mission-critical imperative for today's business leaders. Cyber-attacks, computer abuse, privacy issues, identity theft, and fraud have not only raised the level of corporate awareness, but also ushered in a new wave of regulatory requirements. Cyber-threats and new regulations can both lead to serious consequences for the company and its leadership.

Company executives need to recognize that threats are not simply a technology issue, but have become a serious concern for the enterprise. Addressing information risk and security at an enterprise level requires an approach that cuts across people, processes, and technology. Many companies have invested heavily in security technology solutions, but have not made similar levels of investment in the supporting processes and human resources. Of course, technology is a critical element of an effective security program, but it is not a panacea, as several high-profile breaches have shown.

On August 11, 2003, for example, the "Blaster" computer virus invaded Microsoft, flooding its product support Web site with millions of requests for software updates. The virus created havoc on the Internet, eventually costing businesses and governments upwards of $10 billion. Although serious, an external cyber-attack is only one type of threat - just as critical are internal breaches affecting the confidentiality and integrity of information.

Corporate executives need to take a much more supportive role in IT security to enable the protection of their networks and data. Information risk and security needs to be defined within the organization as a critical function in order to make optimal investments to protect the critical assets.

Sarbanes-Oxley and Other IT Security Wake-Up Calls
Traditionally, information risk and security issues have been relegated to the IT department, but this scenario is changing for a number of reasons. Companies have developed a significant operational dependency upon the use of IT and networks, and to some extent this has raised the level of organizational awareness. The business disruptions caused by external threats - such as malicious code and viruses - have also elevated the issue of managing information risks. Identity theft is one of the fastest growing areas of cyber-crime and many companies - particularly e-commerce firms - are extremely concerned. California law SB1386, a consumer privacy protection act, mandates that companies publicly post any potential breaches of consumer identity or privacy.

A recent survey sponsored by BNX Systems and Institutional Investor found that 25% of CIOs plan to implement identity management software this year. In another survey, the top IT security-related concerns were preventing the identity theft of customers and preserving intellectual property (IP).

One of the most compelling reasons for executive-level attention to information risk is the 2002 enactment of the Sarbanes-Oxley legislation. Section 404 of Sarbanes-Oxley mandates that public company CEOs and CFOs personally vouch for a company's internal control structure, and that board members monitor this process.

One of the primary internal controls of any company is IT security, and companies are making heavy investments in projects related to security controls for compliance with Sarbanes-Oxley. Under Sarbanes-Oxley, executives and board members who knowingly approve nonexistent or ineffective internal controls may face significant penalties, including criminal prosecution. Given these consequences, it is not surprising that the law is driving tremendous interest among management teams and boards of directors in formulating a more comprehensive, organization-wide approach to IT security.

Companies are primarily guarding against worst-case scenarios: a debilitating cyber-attack, noncompliance with Sarbanes-Oxley or other regulations, customer litigation over identity theft, and theft of intellectual property. However, there are positive consequences as well: by conducting risk assessments aligned to the core business processes, companies are also able to develop a business case for investing in information security.

Step 1: Remove IT Security from the IT "Silo"
It was Charles De Gaulle who once said, "I have come to the conclusion that politics is too serious a matter to be left to politicians." In much the same sense, the first step towards an enterprise-wide approach to managing information risk and security is to elevate it beyond the IT department. As a respected member of the executive management team, the chief information officer (CIO) needs to carry the message across the organization.

In general, IT organizations do a reasonably effective job of protecting their infrastructure and information technology assets, but may not be fully aligned with the company's business community. Often, the IT department is asked to manage initiatives that require the support, involvement, or sponsorship of the business, but does not get the business commitment needed to succeed. For example, Role Based Access Control (RBAC) can be a very effective tool for protecting information assets from both internal and external threats. There are certainly technology aspects to implementing RBAC, but to fully achieve the goals the business must be involved. Defining the user roles and making decisions about which systems individuals will be allowed to access is a dangerous role for IT to assume.

To be effective, today's CIO must be a good communicator and advisor, providing information risk and security knowledge to the other executives throughout the organization. In addition to the primary role of providing cost-effective, reliable information services, the CIO needs to also provide advice and the business case for protecting the critical information assets.

Not only will risks be far better understood when IT security is emphasized at the higher levels of the organization, but better investment decisions can be made. For example, spending on big IT projects (including IT security) is finally on the upswing among Fortune 1000 companies. In the past, many large IT projects did not achieve the benefits promised at the start of the project. When strong trusted-advisor relationships are forged between the CIO and the business executives, this is much less likely to occur.

Step 2: Develop an Understanding of the Risk Landscape
Effective IT security is difficult to achieve without first understanding the threats to the information environment and the associated risks. Often, companies make inaccurate assumptions about the threats and risk impacts or do not align them to the critical business processes. For example, software companies, during a busy season, often hire fleets of part-time programmers to write software code on-site at the company. This can create a variety of new risks for the company, but without a thorough risk assessment and analysis process the potential risks may be missed until an incident actually occurs.

An information risk assessment process needs to be integrated into the overall business strategy, and conducted in a continuous and validated manner. When properly designed, the risk assessment process can be performed quickly with a minimum of disruption to the organization. IT risk workshops can be an excellent tool for initializing a comprehensive risk assessment process, and can help develop awareness and buy-in for the process. The overall information risk assessment process needs to provide useful, relevant information and take the organization beyond a "check-box" mentality.

Another concept that has started to gain traction is the regular participation of IT leadership at the board-of-director level. With the members acutely aware of their Sarbanes-Oxley-related liabilities, there is no better time to propose this idea. If the board understands information risk and the company's ability to handle it, then better decisions can be made. For example, many companies defer investments in emerging technologies because they do not understand the risks or how to manage them.

The accounting scandals of 2001 and 2002 ultimately led to the creation of new regulations that required more accounting representation on boards, specifically for audit committee members. Hopefully, it won't take a debilitating IT security disaster to convince more companies that IT knowledge on the board is as crucial as financial or business knowledge.

Step 3: Integrate IT Security with Business Continuity Planning
Most companies today have a business continuity plan, but few have incorporated an information risk and security strategy within it. Given the business dependency that most companies have on information technology, it is nearly impossible to have effective business continuity capabilities without an equally effective IT security framework.

Clearly, e-commerce businesses and financial services firms have the most significant need to align security and continuity. But companies across all industry sectors have similar issues to varying degrees. For example, the supply chain is a critical business process in most manufacturing companies, and nearly all modern supply chain processes are highly dependent on software and networks to function. If the main supply chain information systems were compromised due to a cyber-attack, the ability to manage the flow of goods and services would be severely hampered. A well-publicized example occurred in 2002 at a major rail transportation company, when a computer virus shut down the central control center. This left the company highly exposed, with no way to track the location of its trains and with crossing signals shut down in 23 states.

Technology risks affect other areas as well. For instance, much of the physical plant today is highly dependent on technology to operate, e.g., HVAC, elevator service, water controls, automated door access systems, and fire alarms and sprinklers. In the event of a technology failure these types of process and safety systems might not function, unless they were included in the overall business continuity plan.

Step 4: Periodic Assessments for Vulnerabilities
Given the ever-increasing threat environment and the expanding role of networks and technology, it is imperative that the company continuously perform vulnerability assessments. Such assessments should not be limited to network or system vulnerabilities to external attacks, but should also cover weaknesses in the processes, policies, and internal access.

Business changes occur for a number of reasons - e.g., mergers, acquisitions, new customers, regulations - and the information risk and security posture needs to be reassessed in line with the changes. For example, employee access rights to systems need to be monitored and changed if business needs require it. If an employee is terminated, his/her access to systems should be turned off immediately.

A recent example points out the importance of managing this process. A terminated employee planted a logic bomb in the main computer, which, after he left, deleted 10 billion files. This incident was the result of vulnerability within the internal access policies and processes.
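The access-control points made above, reassessing entitlements when the business changes, disabling a terminated employee's access immediately, and (from Step 1) letting the business rather than IT define which roles a department may hold, can be turned into a repeatable review. The following is an added example written for this page; it is not code from the article or from the author's practice. The HR roster, the account list, the department-to-role map, and the "as of" date are constructed placeholders standing in for exports from the HR system of record and from each application or directory.

```python
"""Periodic access review: reconcile system accounts against the HR roster.

All sample data below is constructed for illustration. In practice the roster
comes from the HR system of record and the account list from each application
or directory being reviewed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set

# Roles each department is allowed to hold, as decided by the business owners
# of those systems (hypothetical mapping, constructed for this example).
ALLOWED_ROLES: Dict[str, Set[str]] = {
    "finance": {"gl_read", "gl_post"},
    "engineering": {"repo_read", "repo_write"},
    "it": {"repo_read", "sysadmin"},
}

# Findings are reported most urgent first.
SEVERITY = {
    "terminated_still_enabled": 0,   # leaver still has live access
    "orphan_account": 1,             # enabled account with no HR owner
    "role_outside_department": 2,    # entitlement the business did not approve
}


@dataclass(frozen=True)
class Employee:
    employee_id: str
    department: str
    status: str                      # "active" or "terminated"
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]       # None when no owner is recorded
    enabled: bool
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Finding:
    kind: str
    username: str
    detail: str


def review_access(roster: List[Employee], accounts: List[Account],
                  as_of: date) -> List[Finding]:
    """Compare each account with its HR record and return ordered findings."""
    by_id = {e.employee_id: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        emp = by_id.get(acct.employee_id) if acct.employee_id else None
        if emp is None:
            # Disabled orphans are noise; enabled ones need an owner or removal.
            if acct.enabled:
                findings.append(Finding("orphan_account", acct.username,
                                        "enabled account with no owner in HR roster"))
            continue
        if emp.status == "terminated":
            if acct.enabled:
                if emp.terminated_on is None:
                    when = "date unknown"
                else:
                    when = f"{(as_of - emp.terminated_on).days} day(s) ago"
                findings.append(Finding("terminated_still_enabled", acct.username,
                                        f"owner terminated {when}; disable immediately"))
            continue
        # Active owner: check the roles against what the business approved.
        excess = sorted(acct.roles - ALLOWED_ROLES.get(emp.department, set()))
        if excess:
            findings.append(Finding("role_outside_department", acct.username,
                                    f"{emp.department} account holds {', '.join(excess)}"))
    return sorted(findings, key=lambda f: (SEVERITY[f.kind], f.username))


# Constructed sample roster and account export.
SAMPLE_ROSTER = [
    Employee("E100", "finance", "active"),
    Employee("E200", "engineering", "terminated", date(2004, 9, 1)),
    Employee("E300", "it", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("afinance", "E100", True, frozenset({"gl_read", "gl_post"})),  # clean
    Account("bdev", "E200", True, frozenset({"repo_write"})),               # leaver, still live
    Account("cadmin", "E300", True, frozenset({"sysadmin", "gl_post"})),   # IT holding a finance role
    Account("svc_backup", None, True, frozenset({"sysadmin"})),            # no HR owner recorded
    Account("olduser", "E999", False, frozenset()),                         # disabled orphan: ignored
]
AS_OF = date(2004, 9, 30)

if __name__ == "__main__":
    for f in review_access(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, AS_OF):
        print(f"{f.kind:26} {f.username:12} {f.detail}")
```

Run against the sample data, the review flags the terminated engineer's live account first, then the ownerless backup account, then the IT account holding a finance posting role. Scheduling this reconciliation after every HR change, rather than once a year, is what turns the "turn access off immediately" requirement into something that can be evidenced to an auditor.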

In other cases, companies have found that lapses in external network security have allowed their proprietary product information to wind up in the hands of foreign manufacturers who are illegally producing their product. In one instance, a not-for-profit institution did a vulnerability assessment and found that hackers were using its servers as a platform to attack other companies. Regular assessments of security across people, processes, and technology will detect these types of incidents and, if done properly, reduce the number of incidents in the future.

By adopting an organizational view of information risk, companies can begin to design an improved information security architecture that encompasses policies, technologies, and people. Senior management awareness and support of the information technology security function needs to become a reality, if the appropriate investments are to be made for protecting the critical information assets.


  • "Teenager Arrested in 'Blaster' Internet Attack." September 27, 2003.
  • Business Wire. "BNX Survey Finds Asset Managers Plan Rapid Deployment of Identity Management Solutions to Strengthen Security." August 8, 2004.
  • Business Wire. "Survey of CFOs Finds Value of Information Technology Goes Well Beyond Regulatory Compliance." September 29, 2004.
  • American Banker. "Tech Execs Discuss What Is And Isn't Driving Spending." September 23, 2004.

    Troy D. Smith is senior vice president and national leader of the Marsh U.S. Information Risk and Security Consulting practice. He is responsible for developing and deploying solutions to help organizations secure their information technology and data, mitigate corporate and personal liability, and minimize abuse of computing resources. He has over 20 years of experience in technology services and management consulting and has worked in numerous industries including insurance, consumer products, aerospace, health care, manufacturing, and transportation. Troy holds an undergraduate degree from Purdue University and an MBA from Loyola University of Chicago. He has completed the MIT Executive Program for Technology as well as the SANS Institute for Information Security program.
