<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Sitrof Technologies &#187; Enterprise Risk Management</title>
	<atom:link href="http://sitrof.com/tag/enterprise-risk-management/feed/" rel="self" type="application/rss+xml" />
	<link>http://sitrof.com</link>
	<description></description>
	<lastBuildDate>Thu, 02 Feb 2012 13:19:00 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>WikiLeaks &#8211; Data Encryption to prevent the Sneaker-net threat</title>
		<link>http://sitrof.com/resources/insights/wikileaks-data-encryption-to-prevent-the-sneaker-net-threat/</link>
		<comments>http://sitrof.com/resources/insights/wikileaks-data-encryption-to-prevent-the-sneaker-net-threat/#comments</comments>
		<pubDate>Fri, 10 Dec 2010 21:48:21 +0000</pubDate>
		<dc:creator>Sitrof</dc:creator>
				<category><![CDATA[Insights]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Enterprise Rights Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>

		<guid isPermaLink="false">http://sitrof.com/?p=2359</guid>
		<description><![CDATA[It's all over the news - WikiLeaks.  It may be hard to believe, but we have been deploying technology that would have prevented the misuse of these top-secret government cables for years. It is vital for all organizations (government and industry) to recognize that the most leak-proof firewall in the world would not have prevented [...]]]></description>
			<content:encoded><![CDATA[<h3>It's all over the news - WikiLeaks.  It may be hard to believe, but we have been deploying technology that would have prevented the misuse of these top-secret government cables for years.</h3>
<p>It is vital for all organizations (government and industry) to recognize that the most leak-proof firewall in the world would not have prevented the recent top-secret government cables from walking out the door on a CD. The biggest security threats to your organization are internal. Proper data protection, meaning encryption at the file level, is the only way to prevent the "sneaker-net" threat.</p>
<p>Recently a top research scientist with a US pharmaceutical company walked out the door with all of his company confidential research on a flash drive and moved to China to produce the drug. I am sure he made himself a pretty penny.  Again, the tightest firewall could not have prevented this corporate espionage.</p>
<blockquote><p>The US Chamber of Commerce estimates the cost to organizations of the negative consequences of security breaches or intellectual property loss at $250 billion per year.</p>
</blockquote>
<p><a href="http://sitrof.com/solutions/data-protection/enterprise-rights-management/" target="_self">Enterprise Rights Management (ERM)</a> enables organizations to manage, monitor, and enforce policies governing the access and use of data at rest, in motion, and in use. Security policies for access and use are embedded directly into the information itself, providing companies with the security they need and where they need it. According to CIO/Insight, no legacy solutions have been able to address the ‘unstructured data’ security dilemma like enterprise rights management.  <a href="http://sitrof.com/resources/security-getting-data-protection-right/" target="_self">Click here to read more on Getting Data Protection Right.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://sitrof.com/resources/insights/wikileaks-data-encryption-to-prevent-the-sneaker-net-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Material Safety Data Sheets (MSDS) System</title>
		<link>http://sitrof.com/resources/material-safety-data-sheets-msds-system/</link>
		<comments>http://sitrof.com/resources/material-safety-data-sheets-msds-system/#comments</comments>
		<pubDate>Mon, 22 Mar 2010 17:12:07 +0000</pubDate>
		<dc:creator>Sitrof</dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Resources]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[ECM]]></category>
		<category><![CDATA[Enterprise Content Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>

		<guid isPermaLink="false">http://sitrof.com/?p=291</guid>
		<description><![CDATA[Fortune 200 Consumer Products Company Background Our client is a major international consumer products company. They worked with an Application Service Provider (ASP) who contracted with them to hold and supply all of their MSDS documents. Due to poor service from the ASP they wanted to create a custom system allowing them to manage their [...]]]></description>
			<content:encoded><![CDATA[<h3>Fortune 200 Consumer Products Company</h3>
<p><strong>Background</strong></p>
<p>Our client is a major international consumer products company. They worked with an Application Service Provider (ASP) who contracted with them to hold and supply all of their MSDS documents. Due to poor service from the ASP, they wanted to create a custom system allowing them to manage their own access to the MSDS documents.</p>
<p><strong>Business Challenge</strong></p>
<p>Our client wanted to leverage their existing Documentum repository where the MSDS documents already existed. In addition, they wanted to create a Web-Based application for their users to access the documents. The site needed to be able to print, fax, or email large amounts of documents as well as track each request.</p>
<p><strong>Objectives</strong></p>
<ul>
<li>Deploy application in Piscataway, New Jersey for use by the Consumer Affairs division located in New York City, New York.</li>
<li>Leverage the existing Documentum DocBase located in Piscataway, New Jersey.</li>
<li>Build a Web-Based Architecture with a consistent user interface across all desktops.</li>
</ul>
<p><strong>Technical Solutions</strong></p>
<p>Sitrof Technologies, Inc. was able to build a system that met all of the user requirements. The system consisted of an ASP/COM+ architecture with an HTML/JavaScript user interface. The application connected to, and retrieved the documents from, their existing Documentum DocBase and handled all of the reporting requirements.</p>
<p><strong>Results</strong></p>
<p>Our client is now able to access the MSDS documents on time and without problems. What used to take minutes or hours now takes seconds. They are now confident that all the documents are sent to their customers, and if any problems do arise, they can respond in minutes as opposed to hours and days. The project was completed on time and within budget. In addition, the project won a company award for the Best Managed Project of the Year.</p>
]]></content:encoded>
			<wfw:commentRss>http://sitrof.com/resources/material-safety-data-sheets-msds-system/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information Security and Enterprise Risk Management</title>
		<link>http://sitrof.com/resources/insights/information-security-and-enterprise-risk-management/</link>
		<comments>http://sitrof.com/resources/insights/information-security-and-enterprise-risk-management/#comments</comments>
		<pubDate>Mon, 18 Jan 2010 13:31:46 +0000</pubDate>
		<dc:creator>Sitrof</dc:creator>
				<category><![CDATA[Insights]]></category>
		<category><![CDATA[Enterprise Rights Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[Risk]]></category>

		<guid isPermaLink="false">http://sitrof.com/?p=210</guid>
		<description><![CDATA[Security of information is critical to all corporations and is one of the many areas of competency established with Enterprise Risk Management. The weakness of traditional risk management is the focus on historical precedence rather than a forward-looking investigative approach.]]></description>
			<content:encoded><![CDATA[<p>By Steven Minsky (eBiz: The Insider's Guide to Business and IT Agility)</p>
<p>Security of information is critical to all corporations and is one of the many areas of competency established with Enterprise Risk Management. The weakness of traditional risk management is the focus on historical precedence rather than a forward-looking investigative approach. For example, the number of cases reported historically leads corporate IT to the usual suspects such as external hackers. This leads to heavy investments in systems infrastructure and many times overly burdensome security restrictions that interfere with daily business activities. Unlike traditional risk management, Enterprise Risk Management avoids this silo mentality by using a root cause approach to take a comprehensive view of risk. The root cause method looks at risks, such as information security, from all angles including processes and relationships as well as people, systems and external sources. Enterprise Risk Management recognizes that the chain is only as strong as the weakest link. Overinvestment in one area without the others is understood as not a good use of resources.</p>
<p>Leading corporations are quickly adopting Enterprise Risk Management for this reason. However, some corporations are slow to adopt Enterprise Risk Management best practices and extend their programs to line management. According to a recent survey, although 70 percent of corporations say they intend to adopt Enterprise Risk Management in the next few years, many organizations have not met their Enterprise Risk Management goals. The following true story highlights the peril of not putting urgency behind rolling out an Enterprise Risk Management program to operational areas across the enterprise.</p>
<p>ChoicePoint is the largest data broker that assembles personal information records on all of us. ChoicePoint, like so many corporations, makes assurances on data security. They probably truly believe that they are aware of all risks facing them as they claim and also believe that their organizations are effectively addressing those risks as needed. Certainty of conviction should not be mistaken for investigative knowledge, especially if that investigation may rely on a flawed process. According to a recent New York Times article, “Keeping Your Enemies Close,” for years, ChoicePoint’s top management had assured the world that it carefully protected its databases from intruders: “Our systems are bulletproof. Intruder-proof. Believe us.”</p>
<p>However, in February 2005, according to the New York Times, ChoicePoint had to acknowledge that it had focused so intently on preventing hackers from gaining access to its computers through digital back doors that it had simply overlooked real-world con artists entering unnoticed through the front door. This year, the Federal Trade Commission hit ChoicePoint with a $10 million fine, the largest civil penalty in the agency's history, for security and record-handling procedures that violated the rights of consumers. The ChoicePoint operations process for approving business partners was vulnerable. Fraudsters were officially becoming business partners by exploiting ChoicePoint's business process and practices. That kind of vulnerability can best be uncovered by using risk assessments conducted by the operations team, which is typical of an Enterprise Risk Management approach. The more rigorous the Enterprise Risk Management framework used to conduct this assessment, the more effective and valuable the results will be. Process-driven software with embedded frameworks can help create a repeatable and sustainable process.</p>
<p>Lessons learned from this story:</p>
<p>1) Roll out your Enterprise Risk Management charter to your line managers</p>
<p>2) Use root cause as part of self-assessments to understand the source of risk</p>
<p>3) Use best practice risk indicators that are forward looking in nature to uncover risks</p>
<p>4) Develop clear measures of the penetration of your Enterprise Risk Management program</p>
<p>5) Measure the progress of your Enterprise Risk Management program roll-out and don’t allow the timetable to slip.</p>
<p>Review lesson number one or your successor may be doing that for you.</p>
]]></content:encoded>
			<wfw:commentRss>http://sitrof.com/resources/insights/information-security-and-enterprise-risk-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

