Enterprise Security Management
Security and Ethics at Cincom Systems
Cincom Systems is a global leader in the development, implementation and service of enterprise software that is specifically designed for the needs of complex manufacturers. Its security and ethics policies reflect the company's long-standing customer relationships with defense contractors both in the U.S. and in the United Kingdom, France and Australia. Each of these nations uses Cincom's software to manage its complex defense systems.
As a result of these long-standing and trust-based relationships, Cincom must adhere to very stringent requirements for data and information security. The intent of this analysis is to explain how Cincom Systems uses the Confidentiality, Integrity and Availability (CIA) triad to manage its security requirements, and to define the formal and informal security policies the company has in place.
Much of the information shared in this paper comes from my experience as an intern for the company over two years, specifically during summer and winter breaks. The main information security threats, how information security is managed, and how Cincom monitors computer and online usage are also discussed. Restrictions on access to company data are also described in this analysis.
Cincom's Adoption of the Confidentiality, Integrity and Availability (CIA) Triad
The Cincom security platform is predicated on the security requirements triad of Confidentiality, Integrity and Availability (CIA), and there are formal, audit-based procedures in place for gaining access to specific information assets based on this model. As a former intern in the company's IT and marketing services organization over the span of two years, I saw many of these aspects of the security strategy first-hand.
The CIA triad model is supported through a series of role-based user and data taxonomies that define the specific data sets and fields each role may access and, in the case of transaction systems, the specific records and customer data (Bertino, Sandhu, 2005). The CIA model is also used for managing the reporting analytics and metrics that drive the overall security strategy; these are provided to the U.S. Department of Defense as part of its yearly audits, in addition to defense audits from the UK, France and Australia.
The audits completed to ensure Department of Defense (DoD) compliance also require that the servers for DoD projects be physically located in a completely separate section of the computer room, with different security processes and procedures to gain access. Consistent with its use of the CIA model, Cincom has also aligned its CIA framework to the strategic IT plan and to the overall strategic plan of the entire enterprise.
One of the most challenging aspects of using the CIA triad is ensuring enough agility in the business model to attain strategic plans while also having enough of the security infrastructure and frameworks in place to protect information assets and access (Knapp, Marshall, Rainer, Ford, 2006). Cincom has adopted the CIA triad in conjunction with the role-based access control (RBAC) model (Bertino, Sandhu, 2005), because the audit and security requirements of the U.S. Department of Defense and of foreign ministries of defense demand this level of auditability, visibility and verifiability of activity within each database and across the company's entire complex of IT systems. Cincom adopted the RBAC model specifically to allow for greater agility in its global software development, testing and selling efforts while also ensuring a hardened and secure IT infrastructure. The CIA triad is specifically designed to give enterprises the flexibility to attain these strategic objectives (Knapp, Marshall, Rainer, Ford, 2006).
Cincom has designed its compliance program around its IT strategic plan, with a specific focus on attaining the shared objectives of confidentiality, integrity and availability of data while also ensuring its authenticity, which is verified every six months or more often by the government agencies whose projects Cincom completes. The formal and informal security policies in place within Cincom vary significantly across the divisions of the company. For those divisions actively involved in projects and programs with the U.S. Department of Defense and related ministries, the requirements are very stringent down to the server level. There is a much larger amount of auditing and monitoring of the network connections, which cannot be used in VPN configurations and have no Web access. Web server software, for example, is prohibited on servers running any kind of government project.
Analysis of Threats to Cincom's Systems
The main threats the company faces include competitors attempting to bypass the firewall and reach the contract management system, phishing attacks on executives to gain access to the corporate bank accounts, and pervasive impersonation of Virtual Private Network (VPN) sessions. The majority of these threats are relatively easily stopped.
A more sophisticated approach by India-based competitors, who emulated the entire Cincom Intranet and had executives log in to initiate wire transfers, was exceptional in the depth of its emulation of internal processes. The goal of this attack was to get executives to log into the Cintranet portal from their remote offices so that bank routing numbers and passwords could be captured and bank transfers between Cincom's global subsidiaries and the home office intercepted.
This was discovered within the control center in Cincinnati, where the Hewlett-Packard application from Mercury Interactive evaluates risks and monitors overall traffic flows. An entire series of bank transfer requests emanating from Australia was hijacked in less than a second to India, where the attackers attempted to decode the packets and keep the transaction going while redirecting the funds and access to a small Indian bank in Mumbai.
The Mercury Interactive application captured the entire scheme down to the IP address and probable physical location, in addition to freezing all accounts in real time. This happened at 2 a.m. on a Sunday morning, Cincinnati time. After an intensive investigation it was found that a former general manager of Cincom India had perpetrated the entire scheme and had hired a team of programmers to create the shadow Cintranet site so that the Australian executives would not suspect anything.
Information Security Management and Network Monitoring at Cincom Systems
Information security is managed at Cincom through a variety of techniques, including hardware- and software-based firewalls. Network monitoring is based on an aggregated measure of overall load times by system and network connection, and on availability.