Making sensible investments in security.

Author: Gossels, Jonathan
Position: Special section

It's three o'clock in the morning, and your phone rings. A hacker has compromised your company's computers. Not only are your operations shut down, but confidential financial information about your firm and your customers has been disclosed. Immediately, you wonder, "What did we do wrong?"

That scenario is one of every executive's worst nightmares. Unfortunately, it is a recurring nightmare, because most business leaders don't know enough about computer and network security to understand what level of expenditure they need to make and what security programs and practices they have to implement to appropriately protect their business. Consequently, security efforts are often unfocused and under-funded.

Effective security is driven by business needs, so it is more important to think clearly about security from a business perspective than from a technical perspective. Start by understanding what you need to protect: it is usually a very short list. For example, a hedge fund company might determine that the three most important things it needs to protect are its analytics, its positions and investor information. With those clear goals in mind, it is straightforward to develop measures and control processes that will genuinely protect the business. Let's look at the key elements of a security program.

The Key Principles

Practical security rests on three key principles and a simple corollary. The key principles are authentication, authorization and auditing.

Authentication addresses the need to verify the identity of users and software processes. In its simplest form, this is usually accomplished with a user name and password (something you know). Applications handling highly sensitive data often require a higher level of identity verification. Sometimes hardware tokens or biometrics are used for this purpose (something you have, plus something you know). To verify the identity of servers, for example to make sure your systems are interacting with legitimate business partners, software mechanisms like digital certificates are often used.

Authorization addresses the need to manage access to resources. This principle applies at all levels in an IT environment, ranging from administrator access to devices like routers and computers to role-based access to particular applications. For example, a banking application may allow a teller to cash a check for up to $5,000, but requires a branch manager to perform withdrawals above that limit.
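The teller/branch-manager rule above, written out as a deny-by-default authorization check that also records every decision, as an added illustration rather than code from the article. The role names, the `authenticated` flag on the principal and the audit-log shape are assumptions chosen for the example; the $5,000 teller limit is the article's own.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Role-based withdrawal limits in dollars (constructed sample policy).
# A role that is not listed here has no withdrawal authority at all.
ROLE_LIMITS = {
    "teller": 5_000,
    "branch_manager": None,   # None means no amount ceiling
}


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    authenticated: bool       # outcome of the authentication step (assumed flag)


def authorize_withdrawal(principal, amount, audit_log):
    """Return True if `principal` may perform a withdrawal of `amount`.

    Deny by default: any failed check produces a denial, and every decision,
    allow or deny, is appended to `audit_log`, so the three principles
    (authentication, authorization, auditing) are applied together.
    """
    reason = None
    if not principal.authenticated:
        reason = "not authenticated"
    elif amount <= 0:
        reason = "invalid amount"
    elif principal.role not in ROLE_LIMITS:
        reason = f"role '{principal.role}' has no withdrawal authority"
    else:
        limit = ROLE_LIMITS[principal.role]
        if limit is not None and amount > limit:
            reason = f"amount {amount} exceeds {principal.role} limit of {limit}"

    allowed = reason is None
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": principal.user,
        "role": principal.role,
        "amount": amount,
        "decision": "allow" if allowed else "deny",
        "reason": reason or "within policy",
    })
    return allowed
```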

Auditing...
