The interconnectedness of our increasingly electronic economy poses business and security risks that together mandate new consciousness for responsible computing, asserts the Cutter Consortium Business Technology Council.
In the latest Cutter Consortium Business Technology Trends and Impacts Opinion, Cutter Consortium Fellows Lynne Ellyn, Ken Orr, Tim Lister, Peter O’Farrell, and Senior Consultant William Zucker discuss strategies for more responsible computing.
According to the Council, today’s hyperconnected world, cyberterror threats, fears of fostering a hostile work environment, and the growing presence of children in the cyberworld are defining “responsible computing.” Companies must understand that the corporate perimeter dissolved with the very first Internet connection. Lynne Ellyn>TextAccording to Lynne Ellyn, the lead author of the Opinion, “Companies must understand that the corporate perimeter dissolved with the very first Internet connection. Every business-to-business supply chain connection, every Internet storefront, every reverse auction that a company puts into operation opens the corporation’s virtual doors. Once connected to the World Wide Web or the Internet, a company actively occupies a virtual space that is peopled with competitors, terrorists, children, environmentalists, lawyers — every segment of society — or, actually, every segment of nearly every society on earth.
“Responsible computing strategies account for intended and unintended interactions with such communities. Responsible computing anticipates the potential for corporate computing assets to inflict harm on other companies or individuals. Responsible computing strategies create the framework for security policies and the definition of security architecture and set forth the corporate intention of a responsible computing culture.”
The Cutter Consortium Trends Council suggests some actions to consider as part of a responsible computing strategy:
Establish strong identity management for access to the network. The best identity management includes three things: (1) something you know(passwords); (2) something you have (smart cards); and (3) something you are (biometrics). At a minimum, you should require at least two of these things.
Password management and administration must be strictly controlled. Outsource this to a foreign country or an outside entity, at your peril.
Manage security patching aggressively.
Strive for a process that allows all desktops to be patched in two days or less.
Divide your network into subnets with firewalls in between.
Carefully control traffic through the firewalls.
Don’t rely on firewalls as the primary protection. They are necessary but insufficient as a means of protecting your company.
Manage all outbound traffic as aggressively as you manage all inbound traffic.
Conduct regular network vulnerability assessments with appropriate security companies.
Eliminate modems.
Secure all wireless networks.
Deploy intrusion protection devices and methods.
Deploy thin-client devices wherever possible; they aren’t vulnerable to infections.
Carefully manage all interfaces between your company and others. Protect yourself and your partners. Every contract should specify mutual security practices. Allow no connections to companies with sloppy security practices.
Inspect the software development practices of software vendors to determine their methods to control the insertion of back doors in their products.
Require the disclosure of all known back doors.
Develop a comprehensive, responsible computing policy and communicate this policy to every employee. Develop methods to enforce the policy.
Regularly review security scenarios and establish an emergency response plan.