
Risk Management

Today’s Internet economy has forever changed the way the world conducts business. At no other time in history has technology opened the doors to new markets at a faster pace. While e-Commerce presents tremendous opportunities, it also introduces an enormous amount of risk. After all, the same technology that connects companies to the global marketplace also makes their systems vulnerable to attack.

As organizations leverage computer networks and the Internet to scale their businesses and be more competitive, directors and managers must understand the new risks introduced and the responsibilities assumed by opening their critical business systems and data to a public network. Regulations, guidelines, and standards are emerging to help companies define and implement appropriate security and privacy practices. However, without a reliable mechanism for frequently assessing and improving compliance with these standards, there is no prudent way to strike the appropriate balance between the risks assumed and the additional opportunity realized through e-Business initiatives.

Security can only be evaluated by better understanding the tools and processes that dynamically interact to protect the computing environment. This interaction should occur in a way that is appropriate for the sensitivity of the environment’s data or the function it provides. Preventive controls stop inappropriate activity before it occurs. Detective controls track security events after they occur and provide information for investigations when an incident is noticed or data is missing or corrupted. Assessment controls identify weaknesses in the environment by evaluating system configurations, security settings, access control lists, and other security elements of a particular system or layer. Corrective controls are measures that strengthen a computer resource or environment. Enhancement controls are structures and frameworks that are put into place to assist in managing a computing environment.

Government (local, national, and international) attempts at establishing or influencing these requirements are prevalent in today’s security environment. HIPAA, Gramm-Leach-Bliley, and various Executive Orders are government-mandated security and privacy requirements for the healthcare, financial services, and government sectors, respectively. For example, every department and agency within the federal government has been mandated, by Executive Order, to develop, monitor, and manage an information security program. Such a mandate requires implementing a security policy and a process for certifying and accrediting that systems and networks comply with that policy. This typically manual and arduous certification and accreditation (C&A) process must be completed every three years or after each major system change.

In the absence of specific regulations, organizations in many nonregulated industries are now reviewing international standards as a starting point for defining appropriate security and privacy practices. International security compliance standards such as BS 7799 and ISO 17799 are being proposed as candidate standards for security compliance. In addition, de facto standards bodies such as VISA are starting to publish security guidelines; merchants that do not implement them risk losing use of the VISA logo. The implication is that companies may now have to review compliance with multiple, potentially conflicting mandates; maintain a policy for deciding which standard to follow; analyze the cost of compliance, and of noncompliance, with government standards in each country where they do business; and evaluate the trade-offs of complying with these standards.
