Security Monitoring Strategies Creating a Unified, Enterprise-Wide
For an enterprise-wide security management strategy to be successful, the monitoring systems and processes must seek to accomplish three key strategic tasks. These tasks include improving situational awareness, proactive risk management and robust crisis and security incident management (Gellis, 2004). With these three objectives as the basis of the security monitoring strategies and recommended courses of action, an organization will be able to withstand security threats and interruptions while attaining its objectives.
Beginning with the internal systems including Accounts Payable, Accounts Receivable, Inventory, General Ledger, and Human Resources, monitoring needs to be designed to capture strategic threats at the operating system and application level to be effective (Nagaratnam, Nadalin, Hondo, McIntosh, Austel, 2005). Each of the applications in these areas of enterprise software is designed to be used in the context of user's roles and information needs. Restricting access to sensitive information by role as defined in these applications is critical to the monitoring of resources and their effectiveness in delivering value to the organization (Gordon, Loeb, Tseng, 2009). Creating a governance framework hat can provide for enough role-based flexibility while monitoring overall performance is critical for an organization to keep accomplishing its goals while also staying secure (Khoo, Harris, Hartman, 2010).
Often the many internal systems of a business are integrated into a common enterprise-wide information platform. Many organizations use Enterprise Resource Planning (ERP) system to unify these many systems into a single system of record to make security management and monitoring more cost-effective (Gellis, 2004). For the many internal IT systems that require IT monitoring, integrating them into a common system of record is also critical as it allows for auditing of cross-system and intra-system transactions. Too often organizations fail in their security monitoring strategies by allowing silos of systems to dominate their overall IT architecture (Nagaratnam, Nadalin, Hondo, McIntosh, Austel, 2005). By applying security monitoring at both the strategic IT level including the system of record and at the role-based access level of each application, organizations can attain a 360-degree level of system monitoring compliance and threat assessment.
Having an integrated system security structure also allows for more effective risk management strategies including the ability to isolate and act on security incidents more effectively than siloed systems allow for. Each of the mission-critical systems within a business, encompassing Accounts Payable, Accounts Receivable, Inventory, General Ledger, and Human Resources rely on integration with systems and processes external to the company as well. Integrating to systems outside the organization also present risks to the entire organization as well. These external integration links, whether automated through the use of advanced system technologies or defined through the use of logins and passwords, must be monitoring and audited as well (Gellis, 2004).
The risks and need for security are amplified by the use of Internet-based marketing, sales and e-commerce systems (Kesh, Ramanujan, Nerur, 2002). Monitoring of these applications is more challenging as they are open to the public. The first area of monitoring is on security authentication and attempts to break into sales, marketing and e-commerce systems through the use of password generation or cross-scripting attacks (Thompson, 2004). E-Commerce systems are increasingly relying on mobile platforms and support for smartphones running the Apple iOS and Google Android operating systems, both of which can be successfully broken into by hackers (Ghosh, Swaminatha, 2001). The monitoring of Internet-based customer facing systems including e-commerce need to be tracked at the transaction, application, and customer profile privacy levels to be effective (Desai, Richards, Desai, 2003). All of these factors need to be taken into account within a broader network monitoring strategy of inbound Internet traffic in an attempt to find patterns of intrusions that are most likely to occur (Hong, Park, Young-Min, Park, 2001)
Problem Solving Case Study Merging Information Technology
Both Compaq and DEC need to find a unified strategy direction to pursue, not keep fighting to see which programs or software platforms by business unit will survive or not. The case study is a classic example of what happens when IT infrastructure becomes more important than the strategic growth of a merged organization. The case also illustrates how powerful IT infrastructure and information flows are in creating an effective culture or not as well. If the management team had focused =more on IT initiatives that would unify and capture the best of both companies, there is a good chance they would still be independent today.
Second, the lack of strategic vision and insight into just how profitable the B2O and mass customization strategies could have been is remarkable. Compaq and Dell could have integrated their supply chain, sourcing, manufacturing, product planning, product management and services strategies under a consolidated ERP system and attained higher growth that the fractionalized, disconnected organization they grew into did. The fact it took nearly 20 days to complete even a basic quote for enterprise systems within Compaq during this time period shows just how disconnected, disparate the IT architectures had become (Columbus, 2003). Compaq and DEC needed to use IT architectures to create a unified corporate culture supporting by strongly integrating product, marketing, service and long-term customer relationship strategies.