Excerpt from Research Paper:
The reality, however, is that legacy systems pose the greatest potential risk to any enterprise, as these platforms are anachronistic in terms of security support, lack many common safeguards, and don't have the necessary Application Programmer Interfaces (APIs) to scale globally as a secured platform (Gupta, Roth, 2007). Legacy systems were designed in an era when a single authentication for an entire enterprise system was sufficient, and role-based access and computing was not considered a core requirement. Architects of these systems could not anticipate the breadth, depth and sophistication of attacks being carried out today against enterprise systems, websites, EDI links and every other potentially vulnerable entry point to a system. Enterprise software vendors including Oracle, SAP, Infor and others have opted to port or migrate their legacy ERP systems to Enterprise Application Integration (EAI)-based platforms to increase their security while retaining compatibility with legacy databases and programs (Harney, 2006).
Legacy systems are the single greatest threat to any enterprise today (Talbot, 2006). This is because their initial architecture, design and implementation did not take into account the breadth, depth and sophistication of today's attacks, which could not have been anticipated or forecast decades previously. Retrofitting legacy applications is a formidable task, with the cost for an ERP system running well over $16M for a typical distributed order management system, for example (Talbot, 2006). Given the high cost of transforming legacy and home-grown ERP and enterprise systems into secured, scalable and role-based platforms, it is understandable why many companies today are looking at how their investments in compliance requirements can also attain a high level of risk mitigation and management. The following section illustrates how enterprises are pursuing compliance with government reporting requirements while working to quantify the financial value of their security management strategies.
Assessing the financial impact of enterprise security management strategies on an enterprise needs to capture the business improvements made possible by role-based access to data and information, while taking into account the measurable gains in performance due to reduced risk and increased reporting accuracy. Measuring the financial impact of risk management needs to take a causal approach to best capture the return on investment (ROI) possible from greater security, risk mitigation and preventative security initiatives. These investments at the strategic level drive greater business improvements, supported by highly scalable compliance platforms capable of supporting cost reductions while ensuring highly efficient use of assets. The relationships among these factors, shown in Figure 2, are used by enterprises to create unified, enterprise-wide strategies for security management that can have measurable, significant financial results over time. Figure 2, Causality of Security Management Strategies to Shareholder Value, shows how compliance initiatives, security, and compliance platforms, when coordinated, can deliver significant shareholder value over time.
Figure 2: Causality of Security Management Strategies to Shareholder Value
Source: (Nagaratnam, et.al, 2005)
The continual pursuit of security's contribution to shareholder value shown in Figure 2 is managed as an iterative workflow, with continual improvements made over time to system processes, procedures and integration points throughout enterprises. This iterative approach to continually strengthening and focusing enterprise security management investments to gain the greatest impact on financial performance has shown potential in reducing operating costs by reducing cost-based leakage, supply chain errors, and losses from pilferage and data loss including theft (Nagaratnam, Nadalin, Hondo, McIntosh, Austel, 2005). This model also illustrates how closely aligned enterprise risk management strategies are to the financial performance of the enterprises that rely on them (Garbani, 2005). Each enterprise needs to take into account its specific strategic plans, the IT integration points for its core strategies, and its ability to quantify how risk management contributes to greater financial performance. While the value of averting an attack that decimates information assets can't be calculated, when the performance of these systems is taken into account from a process improvement standpoint as part of a risk management strategy, their contributions can be clearly tracked (Nagaratnam, et.al, 2005). More efficient and highly targeted security management strategies can help an enterprise be more efficient in meeting the three requirements of the triad mentioned earlier in this analysis. Quantifying the value of risk management has the greatest impact in streamlining how IT resources are used in the attainment of long-term strategic plans and initiatives.
Too often organizations rely on a tactical, short-term orientation for solving strategic, complex and intricate security problems. This leads many enterprises to continually churn through risk management programs and initiatives, burning thousands of hours and millions of dollars in the process (Kangasharju, Lindholm, Tarkoma, 2008). Enterprise security management is more than just migrating legacy applications from outmoded operating systems. It involves the development of an entirely new platform for security management across the entire enterprise. While enterprise software companies have much to gain in terms of incremental sales by positioning role-based add-on applications, including entire Enterprise Application Integration (EAI) layers, the best practices in this area center on those enterprises that are taking the extra step of aligning risk and security management to their strategic plans (Kangasharju, Lindholm, Tarkoma, 2008).
Making the causal link between investments in security management, risk management, compliance, and the analytics that enable more accurate financial reporting can form a powerful catalyst for enterprise security management (ESM) frameworks for the future. By integrating compliance and financial reporting, enterprises have the ability to quantify the contributions of risk management over time (Ma, Orgun, 2008). Taking into account the triad of factors that research in this area has shown to be significant, and mapping how they are integrated, leads to the development of a model that accounts for each factor. Figure 3, Proposed Enterprise Security Management Model, shows how the triad of factors can be integrated with one another, creating an effective framework for enterprises to plan, implement, evaluate, monitor and change their risk and security management strategies over time. Transparency and information velocity form the balancing element of the model, linking COBIT (and SOX) compliance initiatives and strategies to the evaluation and certification processes across companies. These two areas rely on the enterprise information security policy and strategies to define how risk and security management initiatives and investments will be made over time. Balancing all of these factors are two objectives: minimizing risk at the department and divisional level on the one hand, and defining cost controls and quantifying revenue opportunities over the long term on the other. These two aspects of the model are embedded within the process workflows of the Enterprise Risk Management (ERM) module of the system. Also included in this area of the model is support for continual updating of business processes, and business process re-engineering (BPR) specifically.
The baseline component for ERM will also need to include support for Business Process Execution Language (BPEL) functionality to support continually improving business processes based on risk analysis and mitigation.
Figure 3: Proposed Enterprise Security Management Model
Summary and Conclusion
Securing an enterprise at the most basic level involves hardening each potential entry point to its systems and ensuring network-based security is in place to protect information assets. The problem is that many enterprises have legacy and home-grown systems that are decades old. The stop-gap measure that many companies rely on is Enterprise Application Integration (EAI)-based security management. This approach does help to alleviate problems, yet it can potentially slow down the integration of enterprise systems corporate-wide, crippling productivity for the sake of security. This is especially true of legacy systems that lack the necessary APIs and coding platforms to ensure security across all systems while also enabling security management down to the application level. One strategy companies have relied on over time to alleviate this problem is to acquire, install and continually customize role-based applications in which authentication can be defined down to the user level. Role-based authentication and security management have also proven highly effective in mitigating security threats, minimizing losses from inconsistent security across enterprise systems, and improving the traceability of performance attained. These three areas of an enterprise system, role-based access, compliance with government reporting and auditing, and quantifying the financial value of systems, when combined form an effective framework for the enterprise security management model that this paper has proposed. The greater the level of synchronization of these elements, the greater the overall progress an enterprise makes toward its strategic plans and goals.
Cuppens, F., and N. Cuppens-Boulahia. 2008. Modeling contextual security policies. International Journal of Information Security 7, no. 4 (August 1): 285-305.
Das, Samar, Raj Echambadi, Michael McCardle, and Michael Luckett. 2003. The Effect of Interpersonal Trust, Need for Cognition, and Social Loneliness on Shopping, Information Seeking and Surfing on the Web. Marketing Letters 14, no. 3 (October 1): 185-202.
Gupta, Sushil, and Aleda V. Roth. 2007. Martin K. Starr: A Visionary Proponent for System Integration, Modular Production, and Catastrophe Avoidance.…
"Security Management Defining An Effective" (2011, August 11) Retrieved December 9, 2016, from http://www.paperdue.com/essay/security-management-defining-an-effective-43903