
Insider Weekly

Policies provide framework to secure 400

By Sarah Kimmel
Monday, August 5, 2002

Think your data is secure as it passes through the lines, over the Web and from employee to employee? Maybe not.

“Most people don’t understand that they need a security policy,” says Patrick Botz, iSeries security architect, IBM, Rochester, MN.

In reality, without a firm security policy in place there is no way to know and control what is happening to your data. The policy is a way of thinking about security in your shop, rather than the actual steps to achieving that security.

“A security policy is making decisions about if and how data will be available to others. You can’t take steps to enhance security if you don’t know where you want to be,” says Botz.

While the iSeries has a stellar reputation for its security architecture, every shop needs an individualized framework to define who can have access to data and, sometimes, what can be done with it.

“Defining who is allowed to get at what data, and then what they are allowed to do with it, is a big portion of a security policy,” says Botz.

Regardless of whether a shop is participating in B2B or B2C, any data that is transacted should be considered in planning. (For questions to ask when creating a security policy, see the box below.)

Security: Questions to ask

Here are some questions to ask about your shop’s security:

  • What kinds of applications do users need to access for day-to-day business?
  • What users, or groups of users, need access to what information?
  • What is the sensitivity of that data and how can I protect it from corruption?
  • Do I have a legal responsibility to secure my data (or certain types of data)?
  • Where are my users: within the walls of the building, or remote?
  • How are remote users connecting in and do I need to protect these connections?
  • What is the impact on my business if the data is stolen, unavailable to me, or the integrity has become suspect?

Abiding by security laws

Even shops without industry-specific security mandates should learn how privacy legislation could affect their current policy.

“There is legislation making its way through the United States that talks about privacy for information about the individual, regardless of industry,” says Jim Raisio, senior product manager, NetManage, Kirkland, WA.

The European Union has already passed such laws, including the Safe Harbor Act, which states that companies outside the EU that want to do business within the EU must also comply with these security mandates.

Currently in the U.S., there are industry-specific security mandates, such as the Health Insurance Portability and Accountability Act (HIPAA). While these are concerned with distinct areas of business, their framework is a guide for future privacy and security laws.

“HIPAA regulations are, in part, concerned with what people can do with data once it is accessed. Tools that help with implementing HIPAA will help define any policy of what people can do with data,” says Botz.

From the heightened privacy requirements of Acts such as HIPAA, to simply a way to protect customer data, shops need to think about a structured policy defining security rules.

“Any security policy is better than no security policy,” says Botz.

IBM offers a starting point with an on-line security planner that gives recommendations. See www.ibm.com/security.

Copyright 2000 ucg. All rights reserved. Do not duplicate or redistribute in any form. The 400 Group is available for internal use only by authorized users. The 400 Group, 11300 Rockville Pike, Suite 1100, Rockville, MD 20852.
phone: 301/287-2700 fax: 301/816-8945