Volume 3, Issue 3 - July 2007



Welcome to Common Sense: IT Procurement News

Common Sense is a newsletter focused on helping you, the IT procurement/purchasing professional, access the information you need to:

  • understand the value you are receiving from Compuware products
  • identify opportunities to cut costs.

We hope you find Common Sense both helpful and interesting. It is our goal to provide useful information to help you build a compelling business case you can convey with confidence, guarding against the squandering of hard-earned IT budget money.

This quarter’s issue of Common Sense is the first in a two-part series examining how to minimize the risks associated with unauthorized exposure of your company’s business-critical applications and data.

Application Privacy Risks, Part I: Application Auditing—Protect Your Company From "Inside Jobs"

Because of the onslaught of media attention exposing privacy breaches, you know you need to secure your mainframe data. Chances are, your company has taken steps to do so by installing a host of anti-intrusion technologies that keep unauthorized parties— both internal and external—from accessing your critical data.

But that’s not enough any more. Businesses also need to protect against data breaches caused by trusted insiders who have authorized access.

Study after study reveals that the biggest security threat organizations face is internal. Industry analysts indicate an overwhelming majority of security incidents incurring actual losses are inside jobs. According to Gartner¹, most attacks on legacy applications come from inside the enterprise, committed by its own employees.

Impact on the Corporate Stake

"Attacks on IT systems are a fact and will remain a fact of IT. They are inherent risks that any modern organization faces in the course of operations²," warned Martin Carmichael, Chief Security Officer at McAfee, in an article published this past February for CSOonline.com.

This reality—coupled with the heavy pressure to develop, test and deploy aggressively—is changing attitudes from "That will never happen to us" to "We’ll try to prevent it, but if it happens, we’d better be ready!"

According to a 2006 Ponemon Institute study³, the price paid due to these attacks on customer information directly relates to three core cost burdens:

  • Direct incremental costs—Direct expenses to accomplish specific activities
  • Indirect productivity costs—Time, effort and other organizational productivity
  • Customer opportunity costs—Lost customers and brand damage

This cost liability derives from the necessary processes companies must follow to effectively locate, analyze, contain and report when compromised. The cost progression entails:

  • discovery and escalation
  • customer notification
  • post-notification response
  • lost business or customer turnover.

It is evident from this study that a proactive policy is still the best policy. Expenditures incurred in lost business translate to 10 times the dollars needed for detection and escalation. [See Figure #1]


¹"Implementing Security for Mainframe Legacy Applications Worth the Investment," Joseph Feiman, Gartner, Inc. —September 2006
²"Managing Reputation," Martin Carmichael, Chief Security Officer, McAfee, for CSOonline.com — February 2007
³"2006 Annual Study:  Cost of a Data Breach" — Ponemon Institute, LLC & PGP


Figure 1

The most acute and public aftereffect resulting from a data compromise is loss of business, or what the Ponemon Institute calls "customer turnover." Consumers not only stop dealing with businesses burned by a security breach, they also take their fight to their representatives in government. An increasing number of laws in the United States, United Kingdom, Europe, Asia and Australia require notification of customers after a breach has taken place, so companies now have a legal obligation along with a bottom-line need to lessen the likelihood and contain the impact of data breaches. Surprisingly, even though organizations are faced with these new regulations, legal ramifications and possible damage to their corporate reputations, the Ponemon study reports, "… most companies have not yet put such protections in place."


Take Steps to Minimize and Prevent Damage

Thankfully, harmful notoriety and financial setbacks can be minimized if your company’s IT and Security professionals have the ability to both deter malicious activity and, if necessary, pinpoint the damage. Knowing specifically how the damage was caused, who caused it and which customers were exposed allows you to advise only those affected and avoid the costly task of contacting all customers.

Again, Martin Carmichael advises, "They (attacks on IT systems) are inherent risks that any modern organization faces in the course of operations. However, like the risks that stem from operating in any market, they can be understood and acted upon. This is the message that savvy CSOs are conveying to their colleagues and board members. They build their reputation within the business and protect it against unwelcome events by exercising a portfolio of skills. They must understand the nature and extent of the risks themselves, devise ways of communicating those risks to others, gather demonstrable evidence that risks are being met, and manage the contingencies that are necessary as and when breaches occur."

To ensure your company is doing all it can to prevent unauthorized access to business-critical applications and data, it is important to have:

  • a written corporate security policy
  • a policy compliant with your industry’s standards
  • the capability to quickly determine the scope of an application or data security breach
  • the ability to prove breach scope and due diligence to auditors
  • the technology to reproduce evidence on demand for forensic investigations
  • the skills and tools to secure and protect all data—whether used in test and/or derived from production (this topic will be covered in more detail in Part II of this series in next quarter’s Common Sense).


Use the Tools You May Already Own

Your company has the power to prevent and/or minimize the damage to your corporate purse and reputation due to a security breach—possibly by using tools you may already own.

Application Auditing Through Compuware Hiperstation—This solution builds on Compuware's application security leadership and award-winning products by enabling IT organizations to proactively address the enterprise application security challenge.

Compuware’s Application Auditing solution:

  • serves as a deterrent to inappropriate activities
  • contains—and lessens the impact of—a breach if one occurs
  • lowers cost of regulatory compliance
  • reduces risk and liability associated with production security and data privacy
  • improves rapid response for auditing infractions and application problems.

To learn more about how to protect your critical applications, download the Compuware white paper, "Application Auditing: Guidelines for Investigating Internal Data Breaches." Also view the on-demand webcast, "Take IT Security One Step Further—Investigating Internal Data Breaches."


Next Issue - Sneak Peek

Next quarter, Common Sense will again focus on helping your company negate the threat to its business applications in Part II of this series: Data Privacy.

Data Privacy Through Compuware File-AID, File-AID/RDX, and File-AID/Data Solutions—Our data privacy workbench enables you to scramble, translate, generate, age, analyze and validate test data. If you need additional help, we have people with the knowledge and experience to manage the process.




If you or someone in your IT organization would like to learn more about Compuware’s solutions, or
if you would like to tell us your story on how Compuware products saved your company money,
please send an e-mail message to: vomail@compuware.com

All Compuware products and services listed within are trademarks or registered trademarks of
Compuware Corporation.