
Understanding the Impact and Solutions of Computer and Network Security - Conclusion

Article by Steve Mallard
Published on Aug 22, 2008

Conclusion - Part Twelve

Summary, Recommendations and Conclusions

Introduction

To support the Conclusion and Recommendations, it is important to understand and to restate the problems of Infrastructure Security. “Companies must put all means of security in place both internally and externally”. This chapter will discuss whether this study supports the problem statement and it will provide a conclusion concerning what companies need to do in order to protect their assets. It will also provide additional recommendations related to the research findings.

Conclusions and Recommendations

“Companies must put all means of security in place both internally and externally”

The research has been abundantly clear that the initial requirements to meet standards set by the industry should include policy and procedures and guidelines to effectively protect internal assets as well as ecommerce assets from companies or individuals doing business.

With the FBI’s cyber report on crime and related organizations producing reports on cyber related security, businesses should keep a parallel focus on security as well as staying on focus with their main product(s).

“Companies will have to stay ahead of the game and should not question or waver away from protecting their internal assets.”

With guidance and support of peer companies, companies should network with software and hardware vendors, other non-competitive companies and with organizations that specialize in security. Past examples of hackers and thieves on the internet should awaken sleeping companies. In answering “why security is needed and how to implement security”, companies should look at past examples and the ever increasing number of companies who have had security violations throughout their infrastructure. This provides a learning basis for all companies. This is one area companies do not want to lead by example.

The problem statement components of “when security is needed, and how to implement it” are answered as follows:

- Industry-wide compliance with recommendations by industry-leading experts.

Key elements restated from previous chapters include:

- Employ a trustworthy Information Technology workforce to protect assets from within the companies as though the assets were their own.
- Focus on industry statistics and separate fact from fiction for the best protection of the security infrastructure.
- Utilize all means of security, including beta-based security tools and physical tools, and update policies and procedures as necessary. Document all deficiencies and follow through with any and all shortcomings to ensure the best and most adequate protection from thieves, whether internal or external.
- Ongoing communications between all levels of employees, from help desk to the CIO (Chief Information Officer).
- CIOs cannot lose touch with the reality of the “real” world of security.
- A quality control program should be put into place to maintain site-wide integrity.
- Policy and procedures must be reviewed.
- Internet usage policies should exist and all employees should review and sign acceptance letters.
- Email usage policies should exist and all employees should review and sign acceptance letters.
- Systems must be tested in order to ensure quality.
- Ongoing training must be put into place for IT professionals and accurate records must be maintained in order to verify training and training needs.

“Companies must provide high level training to meet the needs of industry growth while maintaining a balanced budget and customer security”.

In the early stages of security and ecommerce, the selected companies and corporations had to have the foresight to look at the “What ifs” of protection and hold onto paranoia for the “just in case” scenarios that crop up with business forecast and predictions. These companies in the early years of ecommerce were beginning to provide SSL (Secure Socket Layer) protection of their websites along with early Cisco firewalls and web servers. The Allen, Neill, Taylor Companies and a higher education facility all provided above average protection for their clients and the exchange of data along their local area connections and their extranets. This protection provided customer reassurance and customer growth that in turn provided growth for the revenue of the company.

With this electronic protection in place, the Allen, Neill and Taylor companies along with a higher education facility all provide digital certificates and SSL encryption for their clients or consumers. This extra protection allows for the companies to exchange critical demographic and financial data including credit card numbers and personal account information.

Each of the above listed companies uses web databases that “dump” the client information to a printer and purge any critical data. This practice is becoming a trend for companies. By purging data, the database is empty and in the event a breach is successful by a hacker, no data will be lost.

During a recent event, a local technical college in Middle Tennessee accepted over 200 credit card orders for a regional conference and the data was accepted, purged to a printer and the database emptied for security reasons.

This type of transaction allows for the security of the corporate infrastructure to remain intact even in the event of an ecommerce breach.

Although many companies use databases on the web, the above practice is new in the industry and allows the company to reenter the data into an internal server that has been NATed behind a firewall, thus adding an extra layer of security.

This practice requires more work on the company side of taking and automating orders but helps keep hackers at bay. An empty database discourages these individuals from returning to an empty nest.
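The export-then-purge flow described above, sketched as an added example (not code from the article or from the companies it studied). The `orders` table, the `sink` callback standing in for the printer hand-off, and the sample card values are assumptions constructed for illustration; the sketch also zeroes deleted cells and rebuilds the file so purged values do not linger inside the database file.

```python
import os
import sqlite3
import tempfile

# Constructed sample orders; the card values are test numbers, not real data.
SAMPLE_ORDERS = [
    ("A. Example", "4111111111111111"),
    ("B. Example", "5555555555554444"),
]

def open_store(path):
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = ON")  # overwrite deleted cells with zeros
    conn.execute("CREATE TABLE IF NOT EXISTS orders ("
                 "id INTEGER PRIMARY KEY, name TEXT, card TEXT)")
    return conn

def export_and_purge(conn, sink):
    """Hand pending orders to sink(rows), then delete exactly those rows.

    If the sink raises (printer offline, disk full), nothing is deleted.
    Returns the number of rows purged."""
    rows = conn.execute("SELECT id, name, card FROM orders ORDER BY id").fetchall()
    if not rows:
        return 0
    sink(rows)                      # hand-off must succeed before any delete
    with conn:                      # one transaction: all exported rows or none
        conn.executemany("DELETE FROM orders WHERE id = ?",
                         [(r[0],) for r in rows])
    conn.execute("VACUUM")          # rebuild the file so free pages are dropped
    return len(rows)

def run_demo():
    """Returns (purged, rows_left, card_bytes_still_in_file)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "web_orders.db")
        conn = open_store(path)
        with conn:
            conn.executemany("INSERT INTO orders (name, card) VALUES (?, ?)",
                             SAMPLE_ORDERS)
        printed = []                # stands in for the printer hand-off
        purged = export_and_purge(conn, printed.extend)
        left = conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
        conn.close()
        with open(path, "rb") as fh:
            raw = fh.read()
        residue = any(card.encode() in raw for _, card in SAMPLE_ORDERS)
        return purged, left, residue
```

Deleting by the exported ids, rather than emptying the table, keeps any order that arrives between the export and the delete for the next run.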

Since the Internal Company Security and Auditing Controls of security infrastructure throughout the companies under consideration were compliant with industry standards, the impact on the companies’ operations was minimal. The operations and organization of the companies’ functionality prove to be industry leaders in setting industry examples. With the ever changing world of security, and with ecommerce and the precarious balancing of performance of business, these companies along with other companies have to look at performance and new technologies to protect their business without sacrificing customer demands from their business. Budget constraints within the economy of 2004 cannot sacrifice the cost of loss due to neglecting the protection of customers and internal assets. The companies used in this study have to balance the monies available for security while looking at the cost of losing customers due to possible security breaches.

In conclusion, the emphasis on strong Internal Company Security and Auditing Controls within the area of security for companies is vital. These controls should be dynamically flexible throughout the company, from the help desk employee to the Chief Information Officer. These controls extend from the overall operations of the Information Systems department throughout the entire organizational structure and should be in place to help companies stay on the leading edge in protection of their assets.

The recommendations from this study are as follows:

• Companies should do extensive background checks on their Information Technology employees. Checks should include financial, criminal and past employment checks.

• Companies should put Policy and Procedures into place to make sure that all aspects of disaster recovery and planning are covered including hardware failure, software failure, network setup, personnel hierarchy, team responsibilities, deployment of all software and appropriate licensing and other mission critical objectives.

• Companies should have a consistent audit practice in place for server logs, firewall logs, patches, service packs and updates.

• The network infrastructure for companies needs a consistent quarterly overview committee to look at security needs and challenges. This would provide quarterly updates of mission statements and policies as needed.

• Companies need training programs in place for Junior as well as Senior level analysts to understand the challenging environment of security. These training programs need to include industry leaders and seminars from software vendors.

• Companies need consistent and open forums within their infrastructure for communication of daily changes affecting the security environment.

• The hierarchal level of the internal department of Information Systems/Technology needs to be dynamically flexible to meet the needs and challenges facing the ever changing world of information technology security in the workplace.

• Small Ecommerce servers should “dump” data to a printer and be reentered as a precautionary measure in case of a breach on an internal file server.

• Large ecommerce servers should have multileveled security in place and should require re-registration in the event a consumer does not frequent the site. Records should be archived off of the server for non-returning or one time customers.

