June 2005
Sponsored by
Best Practices in Security: Information and Access
Executive Summary
All print and electronic rights are the property of AberdeenGroup 2005.
AberdeenGroup i
The ability to maintain auditable control and security for these networks and systems is
becoming more difficult and more important as external auditors expand the purview of
their testing and are increasingly using automated test tools to root out problems.
It's no small wonder that Aberdeen's research shows that best practices for security in an environment involving less direct control mean firms are having to dramatically improve procedures to verify the sanctity of the interconnected networks, systems, applications and underlying data throughout their value chains to operate their missions and business functions. Enterprises are struggling to balance flexibility and agility with managing the risk that comes with unfettered access to information among employees, customers, business partners, and suppliers. Further, government regulations covering financial data and customer information are complicating this balance between business agility and business risk. Without the correct balance, Aberdeen conservatively estimates that industries are missing the mark on customer loyalty, repeat orders, top-line revenue, cost savings, and profits each year through inefficient alignment and automation of information access for core business operations.
This report, one in a series of three, looks at the pressures, challenges, and responses of
six best practice firms in improving security information and access. The other reports
examine the practices that are making a difference in network and infrastructure security,
and practices making a difference in security governance.
The firms profiled in this report are listed with their solution providers in Table 1. All prefer to remain anonymous. A reality of information security is that many firms don't want to paint red targets on their backs by divulging their practices, out of fear that any additional information made available to hackers and thieves will negatively impact the organizations. While preserving anonymity, Aberdeen is committed to improving the results that other organizations not operating at best-in-class levels can achieve.
Aberdeen was also able to qualify two solution providers as having best-in-class security operations and whose results place them in the winner's circle as well. One is IBM, the other is McAfee. Information on IBM is in the governance edition of the report, while information on McAfee is provided in the network and infrastructure edition.
All companies selected for this report use multiple automation tools to assist their security programs. This multiplicity of use shows up in all domains, including network, infrastructure, information, access, and governance. Most share this sentiment expressed by one respondent: "There is no such thing as a silver bullet or a single source for security, and there never will be." But most organizations automate when speed, business cycles, or business seasonality force them. Many of the firms humbly admit their security programs still have a long way to go before reaching their full promise.
Despite the differences among the firms in this series, they share a few key metrics, including large populations of users (employees, sites, locations, customers, suppliers and business partners) that must be serviced, seasonal business cycles that demand extraordinary capabilities at peak times, low security incident rates, and a laser focus on segmenting and limiting access to sensitive customer and corporate information.
Table of Contents
Executive Summary ..... i
Key Business Value Findings ..... i
Recommendations for Action ..... iii
Chapter Four: Recommendations for Action ..... 24
Health Benefits Organization's Full-Disk Encryption Boosts Business, Data Protection, Compliance ..... 25
Information Access for Diverse Global Operations Drives Security at Major Automotive Firm ..... 27
Turning Traditional Security Model Inside-Out Pays Big Dividends for Financial Services Firm ..... 29
Accelerating Information Access: a Key to Regional Bank's Growth and Compliance Strategy ..... 32
Internet Information Access Controls, Better Desktop Security Improve Results for Ad Company ..... 34
Financial Services Company Restricts Outbound Information Flow, Minimizes Business Harm ..... 36
Access Controls for Internet Information Content and Flow Improve Results for Insurance Company ..... 38
Secure E-Mail Helps Health Care Organization Accelerate Patient Care and Comply with HIPAA ..... 40
Health Care Organization Improves Information Access while Complying with HIPAA Mandates ..... 42
Automating Access Helps Pharmaceutical Company with Business and Compliance ..... 44
Featured Sponsors ..... 46
Figures
Tables
Table 1: Best Practice Winners and Solution Providers........................................ ii
Chapter One:
Issue at Hand
Key Takeaways
Best practices for information and access are a poorly managed category at most companies.
Effective security programs require holistic and integrated approaches that reach throughout the organization and across all disciplines.
Avoiding fallout from customer and corporate data leakages, sustaining regulatory audit, and maintaining agility in a rapidly changing global economy are making best security practices a major improvement initiative for senior executives.
PACE Key
For a more detailed description, see Appendix A.
Aberdeen applies a methodology to benchmark research that evaluates the business pressures, actions, capabilities, and enablers (PACE) that indicate corporate behavior in specific business processes. These terms are defined as follows:
Pressures: external forces that impact an organization's market position, competitiveness, or business operations.
Actions: the strategic approaches that an organization takes in response to industry pressures.
Capabilities: the business process competencies required to execute corporate strategy.
Enablers: the key functionality of technology solutions required to support the organization's enabling business practices.

The swing from no classification to classifying users and resources is a huge turnabout in such a short period of time. Unfortunately, there's a little issue yet to be resolved: few firms are actually placing controls on data, a common practice among the military and intelligence services. The classification of data has seen ebb and flow even among these adherents. At a minimum, the firms in this report classify data by two, three, or even four levels.

For some, the classification schema goes deeper and broader. Despite the lack of universal data tagging associated with company classification schema, one firm in the report has already implemented a data-tagging system and is about to finish tagging all its historical data. Another is testing its own data tagging program in production, and several others are test-piloting data-tagging systems to ensure alignment with company policies and business usage needs.
Almost all respondents interviewed for this report say security automation technologies are perhaps the easiest part of the job. But these observations come from industry veterans who have been running security programs for many years. These same people readily admit that ongoing tutoring, training and mentoring of less-skilled practitioners is a requirement, especially for younger people with less knowledge and experience.
The difficult part about security is making sure it's aligned with the organization's needs, business missions, and external regulatory pressures. To perform this balancing act, practitioners are active members of the IT steering committees, made up of senior members of the organization, including legal, finance, IT, business lines, sales, customer service, manufacturing, logistics, and distribution.
In addition, these managers have dotted-line interactions with internal audit and controls, while managing people who are most often not part of security teams. As a formal procedure, some organizations have installed security teams into new application development projects to bake security into all new business procedures. Other organizations are improving security by aligning team members with internal controls and Six Sigma black belts as part of the remediation process for rectifying Sarbanes-Oxley deficiencies and improving inefficient business procedures.
In short, companies implementing best practices for information and access are more successful in dealing with the business pressures impacting their organizations and in overcoming the challenges they face.
As the data in Table 2 shows, security for information and access is seen as something
that will assist directly in relieving the most important business pressures.
Chapter Two:
Key Business Value Findings
Key Takeaways
Focus on major business processes that drive the need for accelerated access to information.
Establish measurable performance objectives that tie back to the major business processes.
Remember, best practices for information and access are the nexus of business results, people, procedures, practices, and policies.
Information is the business, now that companies are operating on global scales to manage their supply chains to meet local market demand. In fact, two of the biggest changes over the past five years are what organizations are doing with their information and the value of security automation tools.
The Internet has become the network of choice for interconnecting business operations. The old private networks have largely been replaced with virtual private networks operating over the Internet. In addition, regional data centers have been largely consolidated into one corporate data center. Five years ago, 50% of all firms employed multi-data-center approaches, involving two, three, and sometimes four centers around the world. Mostly based on a hub-and-spoke system, regional data centers were the workhorses employed to serve local markets and manage local supply chains.
Today, only 17% of firms are employing the hub-and-spoke approach involving one or more regional data centers in addition to the data center at corporate headquarters. An overwhelming 83% use one data center at headquarters. This has resulted in managing a global supply chain from corporate headquarters, complemented by Internet interconnections to local sales and customer service operations.
The corporation's customers are the key constituency being provided with access to automated information. This makes sense. After all, employees should interact with customers to improve financial results (Figure 3).
The number of companies automating access to information for customers is almost the same as the number that focuses on automating access for employees. This shouldn't be surprising given the strong linkage between customer sales and service, and the business imperative to increase customer retention and improve top-line growth.
And, despite its third-place showing, automating information for business partners and
suppliers is a focal point for more than half of all firms. The motivation for including all
three constituent groups is intertwined with the desire to increase revenues, decrease
costs, and increase profits.
The primary benefit of accelerating the flow of information between supply sources, distribution networks, and customer networks is reductions in the business cycle.
The next most common benefit cited is improvements to profit margins due to top-line sales growth and product cost reductions. The last area most respondents cited was a reduction in internal costs (Table 3).
Information and access are considered key contributing factors to the improvements, not the sole reasons. One respondent stated, "(Information and access are) important but we've had a hard time splitting hairs because there are so many factors at play (contributing to the improvement)." Most of the companies listed in this report consider information and access critical to their businesses.
For some, there is wide agreement that spending additional time and money to automate more information security is contributing to bottom-line improvements across all financial metrics listed in Table 3. For others, the financial benefits have been measured in only one or two of the metrics.
What's interesting to note is that all companies in this report are realizing the benefits security is providing business operations, especially lower costs in support and IT operations from their information security practices. Further, almost all the companies rate protection, segmentation, and monitoring of customer and corporate data among the most important criteria for their security programs.
Chapter Three:
Implications & Analysis
information.
Best-performing firms are automating inbound and outbound information flow based on business use, role, and major job functions.
Industry leaders are using a variety of automation tools to manage inbound and outbound information flow.

As the global economy continues to spread, best-in-class companies see effective information and access programs as an opportunity to improve results from business operations, while reducing risk associated with accelerating access to information.
Because of the benefits best-in-class performers are realizing, both from accelerating access for business purposes and from minimizing the downside risk of that accelerated access, security best practices focused on information and access are an area of business process automation drawing these firms' increased attention.
Perhaps the most important finding from Aberdeen's research is the influence different maturity capabilities have on information and access performance and the scope of maturity of these companies, which include ad-hoc, defined systems and procedures, managed, and optimized systems and procedures.
Aberdeen's research clearly indicates that it's nearly impossible for an organization to leap from operating at an ad-hoc maturity level to the characteristics of firms operating at managed and optimized levels. Nevertheless, the journey toward well managed optimization through security best practices starts with taking steps toward these best practices.
The practices being implemented for procedures, data and knowledge, the organizational structure, and enabling technologies are very different for best-in-class companies than for firms operating as industry laggards, where most are implementing ad-hoc systems and procedures (Figure 4).
When companies implement best practices for information and access, they yield value by delivering an appropriate balance between access to information for business and organizational missions and managing the risks involved in operating information systems to compete in the global economy. What's interesting to note is that all people interviewed for this research indicate that improvements being made to their information and access programs are helping with regulatory audits.
Lastly, companies operating as industry laggards often depend on one or two key technology providers for network and infrastructure, might be using automation technologies for information and access, and rarely consider the influence governance plays in their performance outcomes.
ees, the HR database acts as the authoritative source of record (ASOR). For new customer access, the master sales order database acts as the ASOR; for new suppliers, it's the ERP purchasing system's master database.
Using directory-enabled linkages between these sources and multiple sales channel sources of record, these firms are automating most of the common business workflows and leaving the task of customer service to lower-priced and outsourced IT help desk functions.
Unlike network and infrastructure security, which is implemented on the backs of the
network, systems and network administrators, the workload for information and access is
actually being reduced, and, in some situations, removed from IT.
One of the notable practices the firms in this report engage in is a continual polling and
analysis of performance results that are being experienced by customers, sales, suppliers,
employees and business partners. Much of the polling is centered on adequate service
levels, satisfaction levels and improvements that would make a difference.
What's interesting to note is that users are not being asked to weigh in on difficulties. According to most respondents, negative feedback happens immediately when information is not available, applications are not accessible, and changes have taken place. For this reason, most organizations employ the IT help desk to field the majority of problem calls, including those related to information access.
Once the options were prioritized, the interdisciplinary teams were asked to map the business processes for each of the top 10 ranked priorities that would deliver the most significant reductions in costs and the business cycle. These process mappings were reviewed and actually simulated to determine the impact a change would have on both the business cycle and costs.
After making adjustments, the project plans were defined. Where project dependencies existed, these plans were aligned against changes to existing business processes and costs for training, along with project management charts to track progress.
Once completed, it took this company about a year to start realizing significant savings in parts procurement costs. Business cycle reductions, although not final, are now measurable.
When it comes to protecting information that should not be disseminated, the picture is a bit different. Although the security frameworks provide guidance, very few are specific enough to tell the winners what to do and how to do it. As a result, many of the firms grew through trial and error as they discovered the best practice steps to balance information being freely available against information being unavailable. The steps include:
Classify data, people, business procedures and information flows;
Employ a variety of automation tools to manage inbound and outbound information flow;
Change business procedures with caution;
Harden the IT databases;
Monitor access to information;
Protect data on laptops;
Limit the flow of information;
Prevent the flow of information;
Harden information in transit and in storage;
Document and audit sensitive data disclosure; and
Obtain signed release forms from participants.
In addition to sensitive customer and corporate data, there's another form of data running through the enterprise network, most of which has negative consequences. Taking the form of pornography, religious jokes, ethnic jokes, spyware, trojan horses, and automated scripts embedded into PowerPoint decks and Excel spreadsheets, these forms represent the dark side of opening access to the Internet and increasing information flow between the enterprise, its customers, suppliers and business partners.
For example, one of the scripts found in an Excel spreadsheet was actually copying all
data in memory on the CFOs laptop and sending it back out through the Internet to some
rogue sites.
Another case involved a loss of revenue in a quarter because employee jokes about religion offended resellers the company depended on for business on another continent.
The downside of information acceleration is being met more straightforwardly with technology and service alternatives, without the need to conduct business impact analysis and stage the introduction of changes to accomplish objectives. In the case of the winner listed, it was simply a matter of flipping the switch to a service and connecting to the supplier. Once turned on, the bad stuff went away forever. The only procedures that survive today are minor processes involved with reporting, updates, and selection criteria to accommodate different filtering requirements for people with different job functions.
Figure 5 shows four rings. This is not the most common implementation of this approach.
In fact, some firms implement only two layers of information: public and private. For
private information, everyone on the inside ring is provided access, largely based on rules
employed in Microsoft AD.
Multi-layered approaches tend to also be sites that integrate business partners, suppliers and customers into the information-acceleration activities to reduce business cycles, increase customer orders, and better retain customers.
Despite the widespread use of directories, there's a "trust but verify" philosophy among these sites, taking the form of vulnerability management tools to verify the integrity of websites, application servers, e-mail portals, and critical information databases. For some sites, these tools are continuously monitored.
In addition, some of these sites employ a combination of virtual private networks and encrypted e-mail services and products to ensure information in transit is protected between the enterprise and its customers, partners and suppliers.
Further, some of these organizations are taking information content analysis to the next level by using products and services that are able to inspect the content of the message traffic to trap and eliminate all problems, including pornography, spyware, viruses, worms, and information that flows to competitors.
Lastly, most of these sites are using role-based access controls to segment access to information and information access resources (applications, network software services, directories, etc.). For some organizations, this has included the use of automated user provisioning, single sign-on, and password management systems to tie the use of access to information and IT resources to the organization's policies and procedures. Acting across e-mail, directories, web portals, virtual private networks, and other information access services (e.g., FTP, Telnet, instant messaging, Wi-Fi access, and remote access), these systems make it much easier for the organizations to further automate provisioning and access to information and applications, while restraining access to information resources.
The other benefits these organizations achieve through the use of role-based access controls (e.g., automated provisioning and access systems) are built-in controls and audit logs that are used to provide assurance with compliance programs, including Sarbanes-Oxley, European data privacy laws, and Gramm-Leach-Bliley, among other mandated regulatory initiatives.
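The authoritative-source-of-record paragraph earlier (HR, sales order and ERP purchasing databases) and this paragraph on role-based access with built-in audit logs describe one mechanism, shown here as an added example; it is not code from the report or from any profiled firm. The subject identifiers, role names, the four classification levels and their ordering, and the resource inventory are all constructed for illustration.

```python
"""Toy identity reconciliation plus role-based access check with an audit trail.

Constructed example: three authoritative sources of record (ASORs) feed one
access layer. An account with no backing ASOR record is an orphan and must be
disabled; an access request by an orphan fails closed and is still logged.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Classification rings, lowest to highest. Names follow the "keep it simple"
# scheme in the case study; the ordering is an assumption of this example.
LEVELS = ["public", "company unclassified", "company confidential", "company private"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Role -> highest classification that role may read. Constructed policy.
ROLE_CLEARANCE = {
    "employee": "company confidential",
    "finance": "company private",
    "customer": "company unclassified",
    "supplier": "company unclassified",
}

# Resource -> classification. Constructed sample inventory.
RESOURCES = {
    "product-catalog": "public",
    "order-status-portal": "company unclassified",
    "design-drawings": "company confidential",
    "payroll-db": "company private",
}


@dataclass
class Subject:
    uid: str
    roles: Set[str] = field(default_factory=set)


def load_sources() -> Dict[str, Subject]:
    """Union of the ASORs. Constructed records: HR is the only source for
    employees, the sales order DB for customers, ERP purchasing for suppliers."""
    hr = {"e100": {"employee"}, "e101": {"employee", "finance"}}
    sales_orders = {"c500": {"customer"}}
    erp_purchasing = {"s900": {"supplier"}}
    subjects: Dict[str, Subject] = {}
    for source in (hr, sales_orders, erp_purchasing):
        for uid, roles in source.items():
            subjects.setdefault(uid, Subject(uid)).roles |= roles
    return subjects


def reconcile(existing_accounts, subjects) -> Tuple[List[str], List[str]]:
    """Compare provisioned accounts with the ASORs.
    Returns (to_create, to_disable): subjects lacking an account, and
    accounts that no authoritative source still vouches for."""
    known, have = set(subjects), set(existing_accounts)
    return sorted(known - have), sorted(have - known)


def clearance(subject: Subject) -> int:
    """Highest ring any of the subject's roles may read; -1 if none apply."""
    return max((RANK[ROLE_CLEARANCE[r]] for r in subject.roles
                if r in ROLE_CLEARANCE), default=-1)


def authorize(uid: str, resource: str, subjects, audit: List[dict]) -> bool:
    """Allow only when the subject exists in an ASOR and its clearance reaches
    the resource's classification. Every decision is appended to the audit log."""
    classification = RESOURCES[resource]
    subject = subjects.get(uid)
    if subject is None:
        allowed, reason = False, "no authoritative record"
    else:
        allowed = clearance(subject) >= RANK[classification]
        reason = "clearance ok" if allowed else "clearance below classification"
    audit.append({"uid": uid, "resource": resource, "classification": classification,
                  "decision": "allow" if allowed else "deny", "reason": reason})
    return allowed


if __name__ == "__main__":
    subs = load_sources()
    create, disable = reconcile(["e042", "e100", "c500", "s900"], subs)
    print("provision:", create, "disable:", disable)
    log: List[dict] = []
    for who, what in [("e101", "payroll-db"), ("e100", "payroll-db"),
                      ("c500", "order-status-portal"), ("e042", "product-catalog")]:
        authorize(who, what, subs, log)
    for entry in log:
        print(entry)
```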
training for employees, business partners, suppliers, and customers. By leveraging more
eyes and ears, these firms encourage everyone who interacts with the organization to
think security as a part of his or her job.
Chapter Four:
Recommendations for Action
Detailed Aberdeen research, covering more than 70 information and programs, has identified
Key Takeaways
Strategy (summary): Avoid any sensitive-data leakage, even from data downloaded to PC laptops.
Value Achieved: Data leakage via laptops avoided and eliminated; HIPAA compliance made easier.

Strategy
To improve sales, customer service, and benefits administration, the company worked to make information access via the web ubiquitous to people across its delivery network. It also had to adhere to rigorous regulations and mandates governing access to, and protection of, patient data.
The organization has already invested in its security governance programs by broadening its coverage, using frameworks such as ISO 17999, employing multi-layered defensive systems for its IT infrastructure, and relying on best-practice solutions to accelerate the flow of critical business information to authorized personnel. The company is also using data classification, segregation of duties based on job function, and need-to-know access control principles.
Adjusting to changing business requirements, the organization allows access to, and storage of, critical business data on portable PC laptops. To address the vulnerabilities associated with portable laptop systems (e.g., theft of the systems, loss of sensitive business information, and loss of personally identifiable data) the company evaluated
Deployment Experience
The solutions were deployed in 2001 and 2002, long before the trade press began reporting the current wave of security breaches or hacking of confidential customer data plaguing many industries. The firm found the PC Guardian solution set easy to use and largely free of the problems associated with user errors and overrides. Moreover, it came with FIPS and DoD approvals that assured safety and security compliance throughout implementation.
Results
This company has significantly diminished the risk associated with sensitive data being
downloaded or acquired through secure communication methods and stored on portable
PC laptops. This problem has been mitigated. Now, all new laptops are outfitted with the
encryption/decryption package and tested before being issued.
Lessons Learned
Technology deployments can be simple and effective. PC Guardian is one example of an effective, easy-to-use, and worry-free solution. Other lessons learned include:
Some security controls and mechanisms need to be as transparent as possible so as not to hinder daily business operations;
All threat vulnerabilities require formal risk assessment, executive-level awareness, and remediation by senior executives, business operations, and IT security;
Governing policies and standards must be as clear and concise as possible, including consideration of the interactions between physical and electronic security;
Keep data classification simple (e.g., company confidential, company private, company unclassified); and
Deliver user and awareness training regularly.
Future Outlook
This company plans to separate its standards and compliance function from its security implementation and operations in the near future. The objective is to place the development and maintenance of standards, along with testing and audit, as an oversight function to work alongside internal controls. The company also plans to integrate wireless technology while locking down all devices that attach to the network.
Aberdeen Conclusions
This is a site with a very mature security program, a seasoned management team, and stellar performance results. It has been in the forefront of security for years and continues to demonstrate excellence and commitment to security for its own business as well as its customers, suppliers, and business partners.
Results
To date, about 300,000 users are enrolled in the program, with at least another 100,000 to come. This project-funded program, which the operating business divisions have identified as a critical need, enables design teams from around the world to complete work more rapidly and deliver information to advanced manufacturing centers, which can fast-track concepts into the company's mainstream product rollout procedures.
Reflecting a need-to-know bias, the role-based, job-function access to information has made it easier for the appropriate people to acquire needed information while protecting information assets.
Lessons Learned
The senior manager on this project advises to not underestimate the time it takes to bring people on board with changes to business and information access procedures. Build additional time into projects to handle human factors, and involve all constituents at the front end. Expect people to forget and have to be reminded several times before new behavior patterns take over from older, more comfortable patterns.
Also, the manager advises, don't invest in firewalls at the periphery; there is no periphery anymore, especially for companies operating globally and acting locally. Firewalls are necessary, but firms must take their security programs up to the level of information content and access to content that flows through the firewalls.
Future Outlook
This company plans to use a common identity and access management framework for use
with its partner, sales, and dealer networks, as well as within its own operations. As part
of this activity, the company plans to classify roles, business functions, and relationships
to ensure access to information follows policies and standards.
Aberdeen Conclusions
This automotive company, a leader in information and access, is on the brink of automating its security governance programs for itself and its business partners. The company has learned, through its own efforts, the fine balance that's needed to optimize the relationship between access to information for business operations versus ratcheting down too much on access to information, systems and networks. The results: reduced business cycles, lowered risk levels, and greater alignment across its value chain.
mate security scanning, vulnerability assessment, and remediation for where most core
data resided: in databases.
Results
The use of the IPLocks solutions has enabled this firm to harden its databases and avoid privilege-race conditions that tend to lead to fraud and theft, while avoiding any undue performance loads that would be noticeable to business operations. The solutions are being used at granular levels that make a difference, including database queries, database builds, database patches, privileged operations accessible to database administrators, database schemas, and database metadata.
In addition, the company's risk-based approach to security, utilizing the OCTAVE methodology from Carnegie Mellon University, has enabled it to evangelize the value of information security risk management throughout the organization because it bridges the gaps between the business lines, the finance organization and the technology controls.
Lessons Learned
In this day and age of data privacy, publicity about data-leakages and corporate value, one of the primary lessons this company learned is that it was correct to undertake two fundamental changes in the way it approached security: (1) Start where the valuable data is, and (2) Make security usable to the business by managing it as a risk underwriting and transfer activity focused on the core data assets of the organization. In addition, the company learned that security awareness is critical to results: once everyone understands his or her role, it turns in performance results much more rapidly.
Future Outlook
This company is well on its way to security governance now that it has all the pieces in place to balance the acceleration of access to information and the inherent risks that accelerating access poses to the organization. Instead of focusing on what the security frameworks say, this company is focusing on how to achieve results.
Aberdeen Conclusions
Despite the large foray into network security that grips most firms, this company is proof that, after network and infrastructure security, the next rung up the security value ladder is information and access. While it's focused on information and access, this firm is also accelerating quickly into security governance to achieve its business objectives.
databases, application systems, customers, employees and business partners. For this reason the bank selected solutions from Hewlett-Packard (HP) out of a range of finalists.
Results
The first phase of the project has been a success. All components are working as expected, and the solution will continue to make a significant difference to infrastructure operations, customer service, and the product lines as additional phases are rolled out.
According to the bank, the relationship with HP has made it much easier for it to acquire pre-integration software solutions from third-party solution providers, including its monitoring, console dashboards, and compliance needs. Principals at the bank say user training and awareness are essential for these programs to succeed. Moreover, audit requirements imposed by the OCC are far more stringent than other audits the firm faces.
Lessons Learned
One senior manager warned to not underestimate the time it takes to bring people on board with changes to business and information access procedures. Also, build in additional time to handle human factors, and involve all stakeholders and constituents at the front end.
Future Outlook
This company is facing additional regulatory controls in the form of Basel and is planning how it will accommodate its procedures to conform to the operational risk requirements of this mandate. This company also recommends using data and knowledge about information flow as it relates to business processes to stay ahead of the curve, especially when measuring and tracking performance against plan.
Aberdeen Conclusions
With its very advanced technology focus, this bank is planning to stir up competition across the banking industry. Its metrics and performance results certainly qualify it for selection as a winner and its practices, especially those for its information risk management program, elevate the bank to a level that would be compelling for some of the largest and most pervasive financial service providers.
Deployment Experience
The St. Bernard solutions block employees from restricted websites. In addition, new
capabilities are being employed to keep employees from visiting sites that are known
perpetrators of spyware, Trojan horses, and security exploit scripts.
The solution has been used on several occasions to shut down Internet access during emergencies. Monthly reports are circulated to management to show how much time employees spend on the Internet and websites that, though not banned, may be reason for management concern.
The Microsoft XP migration was smooth and resulted in marked improvements to desktop security. Although the administrator at this company does not like having to update desktops with every Microsoft patch release, the company would rather deal with this expense than the expense involved in recovering systems and data.
Results
Not only was network bandwidth restored, but employee productivity increased following deployment of the St. Bernard solutions. One IT administrator also mentioned that the XP desktops are working well, especially compared to what the company had.
Lessons Learned
Changing behavior and improving results could not have been achieved manually, and
the IT security organization did not want to become online babysitters. By documenting
the procedures and reports, this firm has improved workforce productivity, its networks,
and overall business information flow.
Future Outlook
Security performance metrics drive results for this company's program. More are being added during the coming year. In addition to the solutions already mentioned, the company uses a third-party e-mail filtering service to achieve similar results with external e-mail. To date, it has been able to filter 45% of the junk mail, quarantine the other 45%, and deal with the 10% that might be at risk. The company plans to ratchet up its capabilities in this area to close the gap and edge closer to 100%.
Aberdeen Conclusions
The performance results, practices, procedures, enabling technologies, and standards this company employs qualify it to be among the best practice profiles. This company is employing a formal risk assessment and management program to track performance metrics and operate based on thresholds, all to better manage performance results.
of the problem in the test area revealed, the company decided to scale the inspection of
outbound flow of sensitive data to other business areas, as well.
Results
Managing an extensive amount of sensitive data on employees, customers, and its own
mergers and acquisitions, the company sought to reduce misappropriated information
flow (through omission or commission) by its employees and business partners.
The Vontu solutions have reduced the amount of outbound flow of sensitive data to a trickle, while identifying new problems. It used the Vontu solution to: (1) advise management about which sensitive information is flowing out of the organization; (2) run training and awareness programs for employees; (3) notify line managers and human resources about problem situations; (4) stop sensitive data from flowing outbound to unauthorized people and locations; and (5) increase SOX compliance.
Despite an initial learning period, the solution has worked better than anticipated.
Lessons Learned
The company has learned that security maturity and performance results are mostly about people. Although the technology side can be vexing, it's not as unpredictable as people. As a result, the decision-maker advises that focusing on the people part of security will probably pay bigger dividends than focusing exclusively on the technology will.
Another important lesson this firm learned is to sweep everything: devices, networks, systems, applications, information, people, behavior, and usage spikes, as well as all detailed inner workings. Without such a comprehensive approach, it's impossible to know where the performance of security programs has been, or could be, compromised.
Future Outlook
This organization has rolled out its controls to monitor compliance down to the technology platforms and networks that enable its business operations. It anticipates spending additional time on the people part of SOX compliance and plans to continue looking at additional information flow monitoring.
Aberdeen Conclusions
This company has one of the top-tier security programs in the industry, thanks to the senior staff and veteran managers operating and managing it. The security initiatives and performance results registered to date set this company apart and ahead of the curve, particularly when compared with most other companies.
A number of years ago the company realized that to optimize its use of network services, including servicing its sales channels and managing its partner relationships, it would need to monitor and assess Internet usage associated with business processes. The goal was to determine what portion of bandwidth was allocated to business versus personal use. Some of the usage problems were corrected by management actions. To re-dedicate its resources to business use and keep employees from introducing additional business risk, the firm opted to deploy solutions from Websense.
Deployment Experience
The Websense solutions are blocking employees from restricted websites. In addition,
recent capabilities are being employed to keep employees from visiting sites known to be
perpetrators of spyware, Trojan horses, and security exploit scripts.
The solution has been used on several occasions to shut down Internet access in emergencies. Featuring Internet access tracking by employee, monthly management reports show how much time employees are spending on the Internet and visiting sites that, although not banned, may be reason for management concern.
Results
Network bandwidth was restored, and employee productivity increased as a result of deploying Websense solutions.
Lessons Learned
Changing behavior and improving results could not have been achieved manually, and the IT security organization did not want to become online babysitters. By documenting new procedures and the usage tracking reports, this firm has improved workforce productivity, its networks, and its business information flow.
More importantly, security capabilities have enabled the firm to avoid having its PCs and databases infected, information and systems hijacked, and its core data transferred to unauthorized parts of the world without its knowledge.
Future Outlook
Metrics drive the performance results for this company and more are being added during the coming year. In addition, its risk management systems will leverage an existing integration between business and technology with regulatory and governance risk assessment and analysis.
Aberdeen Conclusions
The insurance company is one of the top-tier players in its space. Beyond the security solution itself, its success can be attributed in large part to a seasoned security management team and executive management. Advocacy and ongoing support for security as fundamentally good for the business are making a difference, not only for measuring results, but also for teaching employees to be more effective and productive.
Deployment Experience
The CertifiedMail solution is being used to protect patient information and records transmitted by e-mail. In addition, it covers billing and invoicing. Further, the organization is using CertifiedMail solutions to transmit what it considers sensitive non-patient data via e-mail.
Results
The CertifiedMail deployment has gone smoothly. The only areas that required a little additional work were employee training and awareness covering sensitive data and use of the solution. The results have improved patient care delivery services and billing, and have delivered the necessary documentation for HIPAA audits.
Lessons Learned
The technology involved in security is the easy part. The difficult part is anticipating the range of behavior to design and deliver employee training and awareness programs. This site recommends keeping training programs simple, with as many analogues to everyday life experiences as possible. It also recommends focusing risk analysis on the business impact, especially the specific business risks the organization faces. Further, the site recommends staying ahead of the curve on knowledge and data, including new security threats, new techniques, and new methods of governance for the security program.
Future Outlook
This site is using performance metrics to drive improved security results, and plans to
add metrics during the coming year that would cover business processes and performance
results. It also plans to improve some risk management methodologies to ensure a clear
linkage between business and technology risk.
Aberdeen Conclusions
The performance results of this company qualify it to be in our list of best practice organizations. For example, over a five-year span, there was only one significant security incident that caused a reduction in business operations. This was caused by an Internet worm that a portable device introduced to the internal network. Fortunately, this incident was quickly contained before becoming widespread due to a quick reaction from the IT staff and some enterprise network controls. The use of secure e-mail, although a small contribution to the overall security program, has resulted in large business and compliance improvements.
been rolled out and covers the entire organization, from patient delivery to non-patient delivery functions such as finance, purchasing, and human resources.
Integrated with Active Directory, the combination has made it possible for this organization to automate access to applications, information, and other IT resources while granting particular access by job functions and in compliance with HIPAA mandates.
Results
To date, the organization has experienced three major benefits from this deployment: (1)
reduced health-care delivery costs, (2) improved access to information and data, and (3)
improved security controls that also comply with HIPAA mandates.
The integration with Active Directory has enabled this organization to make access to
information more seamless, making the job of health care delivery easier.
Lessons Learned
One of the lessons the organization learned is to not underestimate user training requirements. Despite delivering training, notifications, and more training, the IT organization still finds itself in the business of holding hands for people who are being forced to change old habits regarding how they interact with computer systems. The problem that must be factored in, according to these IT decision-makers: human nature. And the recommendation: Plan to deal with it.
The biggest problem this organization ran into was inadequate testing of older applications that would not run on the latest version of Windows XP. Despite XP's compatibility mode capabilities, some of the older programs wrote directly to memory locations and drivers that, for reliability and security reasons, are no longer supported in the newer Windows XP environment. The incompatible software caused delays in schedules until the organization received replacement software. Although this delayed project schedules, the improved stability and security of XP were the reasons the organization made the transition. As with many IT projects, this organization learned that unexpected problems can, and do, impact project schedules.
Future Outlook
This organization is rolling out additional capabilities from Avatier, including single sign-on, user provisioning and de-provisioning, and user administration capabilities to improve customer service through access to information.
Aberdeen Conclusions
This organization is converting lessons from Six Sigma to the delivery of health care services because access to information is critical to improving patient results while reducing delivery costs. As a result, the organization is dramatically altering its security approach to service the needs of organizational missions while meeting and exceeding regulatory mandates.
Deployment Experience
The company deployed the Avatier solution to improve user access to information while reducing the costs of delivering the required support services. In addition, the company decided to employ the solution to authenticate end users to help desk personnel who deliver support services. Access to the company's SAP systems with the use of Active Directory and the Avatier solutions have been complemented with password management features that allow users to self-subscribe, enroll, and change their profiles within constraints mapped to authoritative data governing employees' job functions.
Results
The company has seen an increase in self-service password resets being performed by users while the number of calls to the help desk has dropped. The drop in call volume has enabled help desk personnel to focus on more pressing service level delivery issues. Although the company has seen a strong correlation between higher service delivery times before using the Avatier solution and lower service delivery times after deploying it, these have not yet been quantified.
The company believes there is better information access to decision-making employees in the operating divisions where the solutions have been deployed, better management of supply sources, and shorter development and manufacturing cycles, thus reducing business cycle times. Also, the company has been able to demonstrate improved security in self-service password changes, which aids regulatory compliance audits.
Lessons Learned
Some of this firm's IT resources and functions are outsourced, prompting a need to resolve complications between the kind of data available to these external providers, access privileges these suppliers need to do their work, and a careful review of the company's standards and regulatory requirements. In addition, the company has learned that solid procedures are critical to security performance results. Although procedures are more than adequate in the manufacturing divisions, they're less so in other parts of the company. As part of further improvement efforts, the company is realigning technology staff in other business divisions to approximate the performance results being achieved in the divisions that have deployed the Avatier solutions.
Future Outlook
The firm plans to complete the global rollout of the Avatier solution to drive further improvement. However, a short-term decision to outsource solution support to an outsourced help desk might result in longer project schedules unless the company is careful to institute formal reporting metrics from its outsourcing partner, and train appropriate staff in using them.
Aberdeen Conclusions
This is one of the top-tier companies in the pharmaceuticals industry, and its use of the Avatier solution demonstrates the business value of accelerating information flow, improving security, and demonstrating audit compliance in a highly regulated business environment.
Featured Sponsors
IP Locks, Inc. protects business continuity, safeguards company brand reputation and eases the pain of corporate governance by securing critical information assets from negligent and malicious acts. The IP Locks Information Risk Management Platform alerts management to information risks from security and business policy violations, attacks on data, compromised structural integrity and information theft, which other security solutions fail to detect. IP Locks secures business-critical data for financial services, telecommunications, media services, health care, public utilities, and other industries. Founded in 2002, IP Locks is a privately held global corporation with customers throughout North America, Asia Pacific, South America, and Europe.
Sponsor Directory
IPLocks, Inc.
441-A West Trimble Road
San Jose, CA 95131
USA
408-383-1037
www.iplocks.com
info@iplocks.com
Author Profile
Appendix A:
Research Methodology
PACE Key
Aberdeen applies a methodology to benchmark research that evaluates the business pressures, actions, capabilities, and enablers (PACE) that indicate corporate behavior in specific business processes. These terms are defined as follows:
• Pressures: external forces that impact an organization's market position, competitiveness, or business operations (e.g., economic, political and regulatory, technology, changing customer preferences, competitive)
• Actions: the strategic approaches that an organization takes in response to industry pressures (e.g., align the corporate business model to leverage industry opportunities, such as product/service strategy, target markets, financial strategy, go-to-market, and sales strategy)
• Capabilities: the business process competencies required to execute corporate strategy (e.g., skilled people, brand, market positioning, viable products/services, ecosystem partners, financing)
• Enablers: the key functionality of technology solutions required to support the organization's enabling business practices (e.g., development platform, applications, network connectivity, user interface, training and support, partner interfaces, data cleansing, and management)
Appendix B:
Related Aberdeen Research & Tools
Some of the related Aberdeen research that forms a companion or reference to this report includes:
• SOX Compliance and Automation Benchmark (March 2005)
• Security Spend Management Benchmark (December 2004)
• Automating Information Access Benchmark (September 2004)
• The Value of User Provisioning for SOX Compliance (February 2005)
• Actions for Improving Security (February 2005)
• Choosing Business Information Performance Objectives Carefully (November 2004)
Information on these and other Aberdeen publications can be found at
www.aberdeen.com.
About AberdeenGroup
Our Mission
To be the trusted advisor and business value research destination of choice for the Global
Business Executive.
Our Approach
Aberdeen delivers unbiased, primary research that helps enterprises derive tangible business value from technology-enabled solutions. Through continuous benchmarking and analysis of value chain practices, Aberdeen offers a unique mix of research, tools, and services to help Global Business Executives accomplish the following:
• IMPROVE the financial and competitive position of their business now
• PRIORITIZE operational improvement areas to drive immediate, tangible value to their business
• LEVERAGE information technology for tangible business value.
Aberdeen also offers selected solution providers fact-based tools and services to empower and equip them to accomplish the following:
• CREATE DEMAND, by reaching the right level of executives in companies where their solutions can deliver differentiated results
• ACCELERATE SALES, by accessing executive decision-makers who need a solution and arming the sales team with fact-based differentiation around business impact
• EXPAND CUSTOMERS, by fortifying their value proposition with independent fact-based research and demonstrating installed base proof points
This publication is protected by United States copyright laws and international treaties. Unless otherwise noted in the Purchase Agreement, the entire contents of this publication are copyrighted by Aberdeen Group, Inc., and may not be reproduced, stored in another retrieval system, posted on a Web site, or transmitted in any form or by any means without prior written consent of the publisher. Unauthorized reproduction or distribution of this publication, or any portion of it, may result in severe civil and criminal penalties, and will be prosecuted to the maximum extent necessary to protect the rights of the publisher.
The trademarks and registered trademarks of the corporations mentioned in this publication are the property of their respective holders.
All information contained in this report is current as of publication date. Information contained in this publication has been obtained from sources Aberdeen believes to be reliable, but is not warranted by the publisher. Opinions reflect judgment at the time of publication and are subject to change without notice.