
AberdeenGroup

Best Practices in Security


Information and Access

June 2005

Sponsored by
Best Practices in Security: Information and Access

Executive Summary

Key Business Value Findings


Six primary business pressures drive electronic security today. The first three - external
pressures - are intimately linked to market performance and valuation. The last three are
IT security and external audits that rely increasingly on more sophisticated automation
tools to ferret out security and compliance gaps.
The pressures are:
1) Agile access to information to support global trade;
2) Leakage of customer and confidential data;
3) Financial and operational losses from compromised and disrupted business
operations;
4) Sharpened regulatory oversight and increasingly automated regulatory audits;
5) Risk posed by privileged access to information not available otherwise; and
6) Risk posed by security incidents, hackers, and compromised networks and
systems.
Information access, one of the core issues most organizations face, has been largely
ignored until recently, and the performance results validate the lack of attention to this
issue. About 40% of all firms are performing at sub-par levels; another 40% are performing
at an industry norm.
However, these performance results are for a very low benchmark of 40% of business
functions that have automated access to core business information. If the performance bar
were higher, say 60%, most firms would find their organizations to be performing at
sub-par levels.
On the one hand, the networks, devices, computing platforms, data storage systems,
e-mail, web and information that are employed to enable business operations must be
available, often 24/7. However, not all enterprise IT resources are under enterprise
control.
Currently, more than 80% of organizations outsource one or more administrative
functions involving network, data, and systems or applications, including such functions as
payroll and employee benefits administration.
Firms are also outsourcing operational aspects of their businesses to partners along their
value chains, from design and manufacture, to sourcing, distribution, logistics, and
customer service. Each partnership, outsourced business arrangement and reverse business
function is placing additional strain on the ability to verify and preserve the sanctity of
the underlying networks and computing infrastructures that are employed to operate the
enterprise's missions and business functions.

All print and electronic rights are the property of AberdeenGroup 2005.

The ability to maintain auditable control and security for these networks and systems is
becoming more difficult and more important as external auditors expand the purview of
their testing and are increasingly using automated test tools to root out problems.
It's no small wonder that Aberdeen's research shows that best practices for security in an
environment involving less direct control means firms are having to dramatically improve
procedures to verify the sanctity of the interconnected networks, systems, applications
and underlying data throughout their value chains to operate their missions and
business functions. Enterprises are struggling with trying to balance flexibility and agility
with managing the risk that comes with unfettered access to information among employees,
customers, business partners, and suppliers. Further, government regulations covering
financial data and customer information are complicating this balance between business
agility and business risk. Without the correct balance, Aberdeen conservatively estimates
that industries are missing the mark on customer loyalty, repeat orders, top-line
revenue, cost savings, and profits each year through inefficient alignment and automation
of information access for core business operations.
This report, one in a series of three, looks at the pressures, challenges, and responses of
six best practice firms in improving security information and access. The other reports
examine the practices that are making a difference in network and infrastructure security,
and practices making a difference in security governance.
The firms profiled in this report are listed with their solution providers in Table 1. All
prefer to remain anonymous. A reality of information security is that many firms don't
want to paint red targets on their backs by divulging their practices, out of fear that any
additional information made available to hackers and thieves will negatively impact the
organizations. While preserving anonymity, Aberdeen is committed to improving the
results that other organizations not operating at best-in-class levels can achieve.

Table 1: Best Practice Winners and Solution Providers


Enterprise Winners | Solution Providers Used
Automotive company | BMC (Best in Study)
Bank | Hewlett Packard
Health insurance and benefits company | PC Guardian
Insurance company | Vontu
Financial services company | IPLocks
Insurance company | Websense
Health care organization | CertifiedMail
Advertising agency | St. Bernard
Health care organization | Avatier, Microsoft
Pharmaceutical company | Avatier
Source: AberdeenGroup, June 2005


Aberdeen was also able to qualify two solution providers as having best-in-class security
operations and whose results place them in the winner's circle as well. One is IBM, the
other is McAfee. Information on IBM is in the governance edition of the report, while
information on McAfee is provided in the network and infrastructure edition.
All companies selected for this report use multiple automation tools to assist their
security programs. This multiplicity of use shows up in all domains, including network,
infrastructure, information, access, and governance. Most share this sentiment expressed by
one respondent: "There is no such thing as a silver bullet or a single-source for security,
and there never will be." But most organizations automate when speed, business cycles,
or business seasonality force them. Many of the firms humbly admit their security
programs still have a long way to go before reaching their full promise.
Despite the differences among the firms in this series, they share a few key metrics,
including large populations of users, which include employees, sites, locations, customers,
suppliers and business partners that must be serviced, seasonal business cycles that
demand extraordinary capabilities at peak times, low security incident rates, and a laser
focus on segmenting and limiting access to sensitive customer and corporate information.

Recommendations for Action


Aberdeen recommends that organizations take the following actions to improve security
for information and access:
- Link business drivers and pressures with automating information access;
- Appropriate, business-focused performance metrics to drive results faster than
  traditional IT-selected security performance metrics will;
- Map business performance metrics with those that can be monitored;
- Foster a corporate culture and business processes oriented around the end user;
- Consider implementing the practices of the profile organizations; and
- Build a leadership council that includes business leaders.


Table of Contents
Executive Summary
    Key Business Value Findings
    Recommendations for Action

Chapter One: Issue at Hand
    What Are Security Best Practices?
    Why Embrace Security Best Practices?
    Pressures and Challenges
    Responding to Pressure and Overcoming Challenges

Chapter Two: Key Business Value Findings
    Automating Business Processes and Information Access
    People: The Core Vector for Automating Information Access
    The Benefits of Information and Access Security

Chapter Three: Implications & Analysis
    The Influence of Enabling Information and Access Technologies
    Best Practice Framework: Organizational Structure and Strategy
    Best Practice Framework: Processes
    Best Practice Framework: Data and Knowledge
    Best Practice Framework: Technology
    Best Practice Framework: Performance and Metrics
    Aberdeen Group Recommendations
        Structure a layered information and access posture
        Segment access to information
        Detect, then prevent
        Take inventory and monitor continuously
        Consolidate security into 'black belt' and 'green belt' teams
        Keep to the standards
        Yield to executive sponsorship
        Automation: business pressures, scope, scale, and speed
        Strategically reevaluate service levels against third-party sources
        Classify, reclassify, and involve everyone
        Focus on managing risk while delivering operational agility
        Don't assume; determine and verify the facts
        Measure twice, cut once
        Be careful about segregation

Chapter Four: Recommendations for Action
    Health Benefits Organization's Full-Disk Encryption Boosts Business, Data Protection, Compliance
    Information Access for Diverse Global Operations Drives Security at Major Automotive Firm
    Turning Traditional Security Model Inside-Out Pays Big Dividends for Financial Services Firm
    Accelerating Information Access: a Key to Regional Bank's Growth and Compliance Strategy
    Internet Information Access Controls, Better Desktop Security Improve Results for Ad Company
    Financial Services Company Restricts Outbound Information Flow, Minimizes Business Harm
    Access Controls for Internet Information Content and Flow Improve Results for Insurance Company
    Secure E-Mail Helps Health Care Organization Accelerate Patient Care and Comply with HIPAA
    Health Care Organization Improves Information Access while Complying with HIPAA Mandates
    Automating Access Helps Pharmaceutical Company with Business and Compliance

Featured Sponsors

Sponsor Directory

Author Profile

Appendix A: Research Methodology

Appendix B: Related Aberdeen Research & Tools

About AberdeenGroup


Figures

Figure 1: Framework for Best Practices in Security
Figure 2: Business Pressures Facing Companies
Figure 3: Focus of Business Improvements: Automate Information, Access
Figure 4: Maturity and Security Best Practices
Figure 5: Best Practices, Enabling Technologies

Tables

Table 1: Best Practice Winners and Solution Providers
Table 2: Primary Pressures, Challenges and Responses: All Companies
Table 3: Benefits of Information and Access Security
Table 4: Best Practices in Security: Competitive Matrix
Table 5: PACE Framework
Table 6: PACE and Competitive Framework Interaction


Chapter One:
Issue at Hand

Key Takeaways

- Best practices for information and access is a poorly managed category at most
  companies.
- Effective security programs require holistic and integrated approaches that reach
  throughout the organization and across all disciplines.
- Avoiding fallout from customer and corporate data leakages, sustaining regulatory audit,
  and maintaining agility in a rapidly changing global economy are making best security
  practices a major improvement initiative for senior executives.

The economy is improving, but global competition, regulatory oversight, and
embarrassing publicity over data leaks are keeping companies focused on improving
the performance of their electronic security programs.
Firms operating at best-in-class levels are lowering financial losses to less than 1% of
revenue, whereas other organizations are experiencing loss rates that exceed 5%. In
addition, these organizations are delivering unique Zen-like capabilities for their
information and access programs: Information is available to meet business needs and is
being protected from negative consequences. Despite having their best practices
highlighted, these sites say there is always another security wrinkle that comes to light.
The latest involves the increased public embarrassment over sensitive customer data
being lost, stolen, or otherwise mishandled.
In an age of increased electronic access to information and offsite storage, even the firms
in this report are scrambling to re-evaluate how they handle sensitive customer data,
especially in light of extraordinary data-leakage incidents that have been publicized over
the past nine months.

Competitive Framework Key
The Aberdeen Competitive Framework defines enterprises as falling into one of the three
following levels of practices and performance:
- Laggard (40%): practices that are significantly behind the industry average
- Industry norm (40%): practices that represent the average or norm
- Best in class (20%): practices that are the best and significantly superior to the
  industry norm

Organizations operating at best-in-class levels for security focus on more than
technology. According to many respondents, 50% of the job is about managing people. One
stated: "Seventy-five percent of the reason for success is that people know what to expect
from (themselves) and how they fit into the security effort." Further, many of the
companies selected for this series state: "It's all about information flow, in and out (of the
organization) and what kind of information."
About five years ago, senior IT security managers regularly scoffed when they were asked if
their firms classified data. Not only did they not, but they often said they couldn't afford
to do so. All firms in this report not only classify data; they classify it into multiple levels
of sensitivity.


The classification of data is accompanied by classification of employees, business
partners, suppliers, and even customers, by what they can access and how. For example,
directories, different levels of authentication, user provisioning, and applications are now
forming part of the classification by business unit, role and function. This is accompanied
by software controls.
The swing from no classification to classifying users and resources is a huge turnabout
in such a short period of time. Unfortunately, there's a little issue yet to be resolved: Few
firms are actually placing controls on data, a common practice among the military and
intelligence services. The classification of data has seen ebb and flow even among these
adherents. At a minimum, the firms in this report classify data by two, three, or even four
levels.
For some, the classification schema goes deeper and broader. Despite the lack of
universal data tagging associated with company classification schema, one firm in the report
has already implemented a data-tagging system and is about to finish tagging all its
historical data. Another is testing its own data tagging program in production, and several
others are test-piloting data-tagging systems to ensure alignment with company policies
and business usage needs.

PACE Key (for more detailed description, see Appendix A)
Aberdeen applies a methodology to benchmark research that evaluates the business
pressures, actions, capabilities, and enablers (PACE) that indicate corporate behavior in
specific business processes. These terms are defined as follows:
- Pressures: external forces that impact an organization's market position,
  competitiveness, or business operations
- Actions: the strategic approaches that an organization takes in response to industry
  pressures
- Capabilities: the business process competencies required to execute corporate strategy
- Enablers: the key functionality of technology solutions required to support the
  organization's enabling business practices

Almost all respondents interviewed for this report say security automation technologies
are perhaps the easiest part of the job. But these observations come from industry
veterans who have been running security programs for many years. These same people readily
admit that ongoing tutoring, training and mentoring of less-skilled practitioners is a
requirement, especially for younger people with less knowledge and experience.
The difficult part about security is making sure it's aligned with the organization's needs,
business missions, and external regulatory pressures. To perform this balancing act,
practitioners are active members of the IT steering committees, made up of senior members
of the organization, including legal, finance, IT, business lines, sales, customer service,
manufacturing, logistics, and distribution.
In addition, these managers have dotted-line interactions with internal audit and controls,
while managing people who are most often not part of security teams. As a formal
procedure, some organizations have installed security teams into new application development
projects to bake security into all new business procedures. Other organizations are
improving security by aligning team members with internal controls and Six Sigma black
belts as part of the remediation process for rectifying Sarbanes-Oxley deficiencies and
improving inefficient business procedures.


What Are Security Best Practices?


Best practices for governing security span a wide range, from board involvement to what
happens daily within the enabling technologies that support an organization's missions.
In between, security is fundamentally about how people interact with information
systems.
More specifically, Aberdeen research shows that firms operating at best-in-class levels
emphasize repeatable procedures, effective management of data and knowledge, an
efficient and transparent organizational structure and strategy, and enabling automation
technologies that assist with responses to business pressures.
Furthermore, best-in-class firms place a strong emphasis on standards and policies to
ensure everyone in the organization understands what's expected, and the role everyone
plays in improving security performance.
Moreover, firms performing at best-in-class levels for governing security define their
performance objectives and measurement metrics, continually measure themselves
against these objectives, and update performance objectives to keep pace with changing
business pressures.
Best practices for security cover far more than the technology. Based on Aberdeen's
ongoing research, the fundamental balancing issue for most security programs is how much
unfettered access will be provided to resources for delivering business results against
business risks and regulatory audit requirements. To achieve optimization, best-in-class
firms are placing more emphasis on governance (Figure 1).
It is nearly impossible for a firm that operates its security program on an ad-hoc basis to
achieve this balance between unfettered access and appropriate access. Rather, almost all
such firms are operating as industry laggards, with financial loss rates 8 to 12 times that
of organizations with best-in-class security programs. Moreover, the business pressures
and strategic actions laggard firms are taking to relieve these pressures differ markedly
from the best in class.

Why Embrace Security Best Practices?


Best practices are also enabling best-in-class firms to reduce business cycles, respond to
local market conditions more aggressively and timely, and manage their supply chains
more efficiently.
These practices are also resulting in lower financial losses in operations, and little, if any,
visible publicity that can harm an organization. The best practices are also making it
relatively easy for an organization to sail through regulatory audits.
Secondly, the fruit of security best practices for these firms is improvement in operational
efficiency, increased customer loyalty and retention, and decreases in product costs and
time-to-market.
Lastly, companies implementing security best practices are more successful in dealing
with changes in company structure, including mergers, divestitures, and new legal
entities. These firms are also leveraging information and access best practices to reduce costs
for plant, equipment, and labor. Further, these companies are laser-focused on increasing
customer self-service sales and higher retention rates for existing customers.


In short, companies implementing best practices for information and access are more
successful in dealing with the business pressures impacting their organizations and in
overcoming the challenges they face.

Figure 1: Framework for Best Practices in Security

Source: AberdeenGroup, June 2005

Pressures and Challenges


Organizations face unique pressures when it comes to access to information. They
include operational efficiency in customer sales and service operations, retention of
customer loyalty and repeat business, and reduction of product costs and time to market. To
relieve these pressures, many organizations go through initial manual efforts to document
business rules, roles, processes and workflow before trying to automate information flow,
while avoiding data leakage. The primary challenges to cope with these pressures
include a need to show business benefits and results, worries about performance and
scalability to support business needs, and the impact the changes may have on regulatory
audit performance (Table 2).

Responding to Pressure and Overcoming Challenges


Overcoming challenges is most successful at companies that are initiating their
information and access efforts with smaller pilot projects before making a commitment to
enterprise deployments involving new procedures, new systems, and new technologies. In
addition, organizations standardizing on policies, procedures, and computing platforms
are those with the best performance when it comes to security results. Lastly, firms that
are evaluating third-party options, including service provider offerings, to supplement
security for information flow across large regions and diverse continents to accelerate
information flow between supply chains and local markets, are among the best
performers (Table 2).

Table 2: Primary Pressures, Challenges and Responses: All Companies

Business Pressure | % of All Companies Citing | Business Challenge | % of All Companies Citing | Business Response | % of All Companies Citing
Improve operational efficiency, especially in customer sales and service | 74.2 | Overcome performance and scalability issues | 74.2 | Standardize on procedures, IT platforms, and software | 60.1
Retain existing customers and repeat orders | 61.3 | Demonstrate business results | 70.2 | Start with small pilot programs | 60.1
Reduce product costs and time to market | 58.1 | Conform with regulatory audit requirements | 57.5 | Evaluate third-party and managed service alternatives and costs | 54

Source: AberdeenGroup, June 2005

As the data in Table 2 shows, security for information and access is seen as something
that will assist directly in relieving the most important business pressures.


Chapter Two:
Key Business Value Findings

Key Takeaways

- Focus on major business processes that drive the need for accelerated access to
  information.
- Establish measurable performance objectives that tie back to the major business
  processes.
- Remember, best practices for information and access are the nexus of business results,
  people, procedures, practices, and policies.

Information is the business, now that companies are operating on global scales to
manage their supply chains to meet local market demand. In fact, two of the biggest
changes over the past five years are what organizations are doing with their
information and the value of security automation tools.
The Internet has become the network of choice for interconnecting business operations.
The old private networks have largely been replaced with virtual private networks
operating over the Internet. In addition, regional data centers have been largely consolidated
into one corporate data center. Five years ago, 50% of all firms employed
multi-data-center approaches, involving two, three, and sometimes four centers around the world.
Mostly based on a hub-and-spoke system, regional data centers were the workhorses
employed to serve local markets and manage local supply chains.
Today, only 17% of firms are employing the hub-and-spoke approach involving one or
more regional data centers in addition to the data center at corporate headquarters. An
overwhelming 83% use one data center at headquarters. This has resulted in managing a
global supply chain from corporate headquarters, complemented by Internet
interconnections to local sales and customer service operations.

Automating Business Processes and Information Access


Core business functions provide arguably the clearest example of improvements to
automating information access. Improving information access for customer sales and service
is the primary area of focus for more than half of all firms Aberdeen surveyed (Figure 2).
Customer retention and repeat business, combined with operational improvements, form
the nexus for many improvements firms are expecting will yield better top-line growth by
automating access to information.

People: The Core Vector for Automating Information Access


Information is useless unless it's made available to the right people at the right time.
Although employees are still the major focus in automating access to information, our 2004
benchmark study clearly shows that people not employed by the corporation are also
being provided with access to corporate information.


Figure 2: Business Pressures Facing Companies

Source: AberdeenGroup, June 2005

The corporation's customers are the key constituency being provided with access to
automated information. This makes sense. After all, employees should interact with
customers to improve financial results (Figure 3).
The number of companies automating access to information for customers is almost the
same as the number that focuses on automating access for employees. This shouldn't be
surprising given the strong linkage between customer sales and service, and the business
imperative to increase customer retention and improve top-line growth.


Figure 3: Focus of Business Improvements: Automate Information, Access

Source: AberdeenGroup, June 2005

And, despite its third-place showing, automating information for business partners and
suppliers is a focal point for more than half of all firms. The motivation for including all
three constituent groups is intertwined with the desire to increase revenues, decrease
costs, and increase profits.

The Benefits of Information and Access Security


In addition to the business benefits, many firms cite regulatory audit pressures for
moving ahead with greater controls over access to information. The inverse of accelerated
sharing of information, the security controls imposed on who can access what
information, under what circumstances, and when, depend on the nature of three critical inputs:
1) The organization's policies and standards;
2) The need to keep the firm's name out of the media by avoiding mishandling of
customer data; and
3) The need to pass a number of different audits.
As a result, information and access controls are seen as a combination of an accelerator
and brake pedal; one is being pushed down to accelerate the flow of information through
the value chain, while the other is being pressed to brake the flow of information to avoid
potential mishaps.


The primary benefit of accelerating the flow of information between supply sources, distribution networks, and customer networks is reductions in the business cycle.
The next most common benefit cited is improvements to profit margins due to top-line sales growth and product cost reductions. The last area most respondents cited was a reduction in internal costs (Table 3).
Information and access are considered key contributing factors to the improvements, not the sole reasons. One respondent stated, "(Information and access are) important but we've had a hard time splitting hairs because there are so many factors at play (contributing to the improvement)." Most of the companies listed in this report consider information and access critical to their businesses.
For some, there is wide agreement that spending additional time and money to automate more information security is contributing to bottom-line improvements across all financial metrics listed in Table 3. For others, the financial benefits have been measured in only one or two of the metrics.
What's interesting to note is that all companies in this report are realizing the benefits security is providing business operations, especially lower costs in support and IT operations from their information security practices. Further, almost all the companies rate protection, segmentation, and monitoring of customer and corporate data among the most important criteria for their security programs.


Table 3: Benefits of Information and Access Security


| Area of Impact | Improvement Objective | Without Automation | Measured Results with Automation |
|---|---|---|---|
| Profit margin improvement from acceleration of information for sales and customer retention | Up to 5% | Flat and declining profits | Most common measure is customer accounts. The most common ranges cited: 2% to 3%. |
| Product cost and distribution reductions from information to support more efficient global supply chains | 15% to 50%, depending on sourcing locations, methods of distributions, tariffs, etc. | Flat or increasing costs | Measured for cost reductions. The most common range for direct contribution is 5% to 10%. |
| Internal cost and expense reductions from more effective information and workflows | Up to 5% | No improvements | Well documented. The common range is 2% to 4%. |
| Business cycle reductions | 10% to 50% of pre-existing cycle time | No improvements | Ranges from 15% to 25%, but results depend on industry, length of business cycle, etc. |
| Audit improvements | Identification and decrease in audit deficiencies | Negligible to marginal improvement | Deficiencies reduced significantly. Ranges from 20% to 45% of all deficiencies. |
| Information vulnerability | Identification, remediation, privilege controls, and avoidance | No improvement | Hundreds of vulnerabilities discovered, remediated, and remaining compliance gaps plugged. |
| Information leakage | Identification, remediation, privilege controls, and avoidance | No improvement | Sensitive customer and corporate data leakage, legal costs, lost business cycles, etc. |
Source: AberdeenGroup, June 2005


Chapter Three:
Implications & Analysis

Key Takeaways

• Best-performing organizations classify data, people, business procedures, and information.
• Best-performing firms are automating inbound and outbound information flow based on business use, role, and major job functions.
• Industry leaders are using a variety of automation tools to manage inbound and outbound information flow.

As the global economy continues to spread, best-in-class companies see effective information and access programs as an opportunity to improve results from business operations, while reducing risk associated with accelerating access to information.
Because of the benefits best-in-class performers are realizing (accelerating access for business purposes and minimizing downside risk from the accelerated access), security best practices focused on information and access is an area of business process automation drawing these firms' increased attention.
Perhaps the most important finding from Aberdeen's research is the influence different maturity capabilities have on information and access performance and the scope of maturity of these companies, which include ad-hoc, defined systems and procedures, managed, and optimized systems and procedures.
Aberdeen's research clearly indicates that it's nearly impossible for an organization to leap from operating at an ad-hoc maturity level to the characteristics of firms operating at managed and optimized levels. Nevertheless, the journey toward well managed optimization through security best practices starts with taking steps toward these best practices.
The practices being implemented for procedures, data and knowledge, the organizational
structure, and enabling technologies are very different for best-in-class companies than
for firms operating as industry laggards, where most are implementing ad-hoc systems
and procedures (Figure 4).
When companies implement best practices for information and access, they yield value by delivering an appropriate balance between access to information for business and organizational missions with managing the risks involved in operating information systems to compete in the global economy. What's interesting to note is that all people interviewed for this research indicate that improvements being made to their information and access programs are helping with regulatory audits.


Figure 4: Maturity and Security Best Practices

Source: AberdeenGroup, June 2005

The Influence of Enabling Information and Access Technologies


Although much of this report focuses on security best practices, security technologies are said to be an absolute requirement when it comes to safely accelerating access to information in the global economy. Involving everything from customers to suppliers, companies operating at best-in-class levels state that automated security technologies are necessary tools that must be placed in the context of best practices to yield fruit.
Information and access technology solutions are also responsible for enabling business agility by ensuring that the information needed to fulfill company missions is available at the right time and for the right people. Unfortunately, there are more than 500 suppliers fielding security solutions and a lot of noise.
Aberdeen's research clearly shows that firms operating at best-in-class levels are deploying and relying on more than one solution supplier and more than one enabling technology solution in each of the three main areas: network security and infrastructure, information and access, and governance.
By contrast, the research reveals that firms operating at industry norm are typically operating at managed to defined levels, and relying on at least one solution in the information and access category and multiple solutions in the network and infrastructure segment.


Lastly, companies operating as industry laggards often depend on one or two key technology providers for network and infrastructure, might be using automation technologies for information and access, and rarely consider the influence governance plays in their performance outcomes.

Best Practice Framework: Organizational Structure and Strategy


For information and access, the best-in-class companies in this report share these traits:
• Large populations of users (500 and up) that must be serviced on a continuous basis;
• Large numbers of sites (15 and more) that must be serviced continuously;
• Seasonality changes in the business cycle that demand methodical approaches;
• Global supply chains that require consistent servicing;
• Lots of different local markets in regional centers and around the world;
• Highly automated audit testing applied to information assets;
• A laser focus on classifying and limiting access to customer and corporate data;
• A laser focus on preventing sensitive customer and corporate data from leaving the enterprise, against policy;
• A need to pass and sustain audit review; and
• More mature processes, organizational structure, management of data and knowledge, and technology usage.
As a result, best-in-class firms are operating at a competitive advantage because they are leveraging their security programs for two distinct purposes: enabling business operations to function at full throttle while limiting and mitigating business risk. This competitive advantage is the result of the practices and management oversight being dedicated to security (Table 4).
Management of the security function at most of the firms covered in this report is based on the ISO 17799 Code of Practice for Information Security Management. In addition, European firms covered in this report adopted the earlier version of this framework, the BS 7799 standard. Despite some minor differences in these frameworks, all firms in this report look at these frameworks for guidance and customize the implementation of their security programs to meet the business needs of their organizations. The firms also credit sources that include FISMA, Cobit, NIST, NSA, and the Common Criteria as important framework contributions.
For government organizations in the U.S., the standard framework for security management is dictated by FISMA. Like their commercial counterparts, the management teams at government sites use FISMA as a framework for guidance and implement the intent of the framework, which is usually above the minimum requirements mentioned in the framework and the guidelines.
For day-to-day operations, most information and access operations are relegated to the IT help desk. The other key practice best-in-class organizations demonstrate is the inclusion of other parts of the organization. For example, for provisioning and de-provisioning of employees, the HR database acts as the authoritative source of record (ASOR). For new customer access, the master sales order database acts as the ASOR; for new suppliers, it's the ERP purchasing system's master database.
Using directory-enabled linkages between these sources and multiple sales channel
sources of record, these firms are automating most of the common business workflows
and leaving the task of customer service to lower-priced and outsourced IT help desk
functions.
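One way to check the ASOR linkage described above is a periodic reconciliation of directory accounts against each constituency's source of record. The sketch below is an added example, not code from the report or from any firm it covers; the record layout, field names, role names, and sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SourceRecord:
    record_id: str
    active: bool
    role: str          # role the source of record says this party should hold


@dataclass(frozen=True)
class Account:
    login: str
    constituency: Optional[str]   # "employee", "customer", "supplier", or None
    record_id: Optional[str]      # key into that constituency's ASOR
    role: str
    enabled: bool = True


def reconcile(asor: Dict[str, Dict[str, SourceRecord]],
              accounts: List[Account]) -> Dict[str, List[str]]:
    """Compare directory accounts with the authoritative sources of record."""
    plan: Dict[str, List[str]] = {
        "provision": [], "deprovision": [], "fix_role": [], "review": []}
    covered = set()
    for acct in accounts:
        source = asor.get(acct.constituency or "")
        if source is None or acct.record_id is None:
            # No linkage to any source of record: cannot be audited, so a
            # person has to decide (shared, service, or global IDs land here).
            plan["review"].append(acct.login)
            continue
        record = source.get(acct.record_id)
        if record is None or not record.active:
            if acct.enabled:
                plan["deprovision"].append(acct.login)
            continue
        if acct.enabled:
            covered.add((acct.constituency, acct.record_id))
            if acct.role != record.role:
                plan["fix_role"].append(acct.login)
    for constituency, records in asor.items():
        for record_id, record in records.items():
            if record.active and (constituency, record_id) not in covered:
                plan["provision"].append(f"{constituency}:{record_id}")
    return {action: sorted(items) for action, items in plan.items()}


# Constructed sample data: HR database, master sales order database,
# and ERP purchasing master database, one dictionary each.
ASOR = {
    "employee": {
        "E100": SourceRecord("E100", True, "sales"),
        "E101": SourceRecord("E101", False, "finance"),   # terminated
        "E102": SourceRecord("E102", True, "finance"),    # new hire
    },
    "customer": {"C200": SourceRecord("C200", True, "self-service")},
    "supplier": {
        "S300": SourceRecord("S300", True, "supplier-portal"),
        "S301": SourceRecord("S301", False, "supplier-portal"),
    },
}

ACCOUNTS = [
    Account("asmith", "employee", "E100", "sales"),
    Account("bjones", "employee", "E101", "finance"),
    Account("ghost", "employee", "E999", "sales"),          # no HR record
    Account("acme-buyer", "customer", "C200", "self-service"),
    Account("widgetco", "supplier", "S300", "purchasing-admin"),
    Account("oldparts", "supplier", "S301", "supplier-portal"),
    Account("batchadmin", None, None, "admin"),             # unlinked ID
]

if __name__ == "__main__":
    for action, items in reconcile(ASOR, ACCOUNTS).items():
        print(f"{action:12} {items}")
```
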
Unlike network and infrastructure security, which is implemented on the backs of the
network, systems and network administrators, the workload for information and access is
actually being reduced, and, in some situations, removed from IT.
One of the notable practices the firms in this report engage in is a continual polling and
analysis of performance results that are being experienced by customers, sales, suppliers,
employees and business partners. Much of the polling is centered on adequate service
levels, satisfaction levels and improvements that would make a difference.
What's interesting to note is that users are not being asked to weigh in on difficulties. According to most respondents, negative feedback happens immediately when information is not available, applications are not accessible, and changes have taken place. For this reason, most organizations employ the IT help desk to field the majority of problem calls, including those related to information access.

Best Practice Framework: Processes


Most processes implemented by the companies in this report revolve around ISO 17799, which has become the de-facto standard framework among these firms for implementing their own information security management programs.
Unfortunately, ISO 17799 and other resources do not provide a good template for accelerating information flow, although there is some coverage for protecting information assets. As a result, most best-in-class firms have made significant strides because they instituted cross-functional teams between the IT and business units. It's what the cross-functional teams are doing, not some security framework, that's making the difference.
For example, at one site, management identified the pressing business functions that
needed further automation to reduce business cycles among thousands of suppliers, more
than 25 manufacturing sites, and hundreds of sales networks.
After rank ordering the importance of the objectives, cost reductions and business cycles were considered paramount. As a result, teams of IT-business leads were sent to interview managers at these different operations to obtain feedback on prioritizing different options.


Table 4: Best Practices in Security: Competitive Matrix


| | Industry Average | Best in Class |
|---|---|---|
| Organizational structure and strategy | Organizational structure and funding are either ad-hoc or loosely undefined at best. Often, the responsibility moves from one group of people to another, defeating the experience, data, and knowledge that are critical to performance results. | Formal organizational structure, funding and ongoing risk assessments, complemented by managed and optimization. Organizational responsibility reaches across HR, sales order management, purchasing, credit approval, IT, and internal controls. |
| Processes | Processes are only loosely defined and standards do not exist. | Processes are aligned by business and missions, workflows, business procedures, company standards, policies, and procedures. Formalized user training and education programs are complemented by ease-of-use provisioning, awareness training, and help desk remediation activities. Hot lines are added for emergencies. Information risk identification, remediation, data classification, limits, and protections are implemented to minimize risk from data leakage. Automated protection for the transmission of sensitive data, via e-mail, is natively deployed by specific job functions. |
| Data and Knowledge | Knowledge depends on whatever local systems administrators bring to the task and is often performed on an as-needed basis. | Information flow rates are tracked and evaluated, as are operational performance metrics for customer retention experiences, self-service, self-sales, and supplier self-management activities. Information risk metrics, including leakage of sensitive data, are tracked and scored by business risk. |
| Technology | Directory technology is employed without connecting the applications and business uses of information through the directories. | Many directories form the basis for internal alignment by job function and cross company communications. Application linkages with the directories include e-mail, database, web applications, sales systems, ERP systems, customer service systems, etc. Specific solution for database vulnerability management and information risk management are deployed. Specific solutions for protecting data on a wide variety of devices and media are employed. |
| Performance and metrics | Very few metrics are tracked on a consistent basis. The result: no way to measure the relationship between business results and the practices and technologies being employed to accelerate and protect information. | Most aspects of information flow and protection are tracked. Key metrics include customer sales, customer retention, service latency, on-board and off-board cycle times, information and search latency. |
Source: AberdeenGroup, June 2005

Once the options were prioritized, the interdisciplinary teams were asked to map the business processes for each of the top 10 ranked priorities that would deliver the most significant reductions in costs and the business cycle. These process mappings were reviewed and actually simulated to determine the impact a change would have on both the business cycle and costs.
After making adjustments, the project plans were defined. Where project dependencies existed, these plans were aligned against changes to existing business processes and costs for training, along with project management charts to track progress.
Once completed, it took this company about a year to start realizing significant savings in parts procurement costs. Business cycle reductions, although not final, are now measurable.
When it comes to protecting information that should not be disseminated, the picture is a bit different. Although the security frameworks provide guidance, very few are specific enough to tell the winners what to do and how to do it. As a result, many of the firms grew through trial and error as they discovered the best practice steps to balance information being freely available against information being unavailable. The steps include:
• Classify data, people, business procedures and information flows;
• Employ a variety of automation tools to manage inbound and outbound information flow;
• Change business procedures with caution;
• Harden the IT databases;
• Monitor access to information;
• Protect data on laptops;
• Limit the flow of information;
• Prevent the flow of information;
• Harden information in transit and in storage;
• Document and audit sensitive data disclosure; and
• Obtain signed release forms from participants.
In addition to sensitive customer and corporate data, there's another form of data running through the enterprise network, most of which has negative consequences. Taking the form of pornography, religious jokes, ethnic jokes, spyware, trojan horses, and automated scripts embedded into PowerPoint decks and Excel spreadsheets, these forms represent the dark side of opening access to the Internet and increasing information flow between the enterprise, its customers, suppliers and business partners.
For example, one of the scripts found in an Excel spreadsheet was actually copying all data in memory on the CFO's laptop and sending it back out through the Internet to some rogue sites.
Another case involved a loss of revenue in a quarter because employee jokes about religion offended resellers the company depended on for business on another continent.
The downside of information acceleration is being met more straightforwardly with technology and service alternatives, without the need to conduct business impact analysis and stage the introduction of changes to accomplish objectives. In the case of the winner listed, it was simply a matter of flipping the switch to a service and connecting to the supplier. Once turned on, bad stuff went away forever. The only procedures that survive today are minor processes involved with reporting, updates, and selection criteria to accommodate different filtering requirements for people with different job functions.

Best Practice Framework: Data and Knowledge


All respondents cite data and knowledge as their most critical tools for improving the performance of their security programs. The stance these sites take: "What you don't know is much more important than what you do know." The most oft-cited practices for managing data and knowledge include:
• Measure and map bandwidth usage against business and organizational information contexts;
• Free up bandwidth for time-critical business functions;
• Stop unauthorized and out-of-policy uses of IT resources;
• Map expected against actual information flows to discover more efficiencies;
• Automate access to information by business use, role, and major job functions;
• Authorization granularity should range from least to most as information sensitivity grows from least to greatest;
• For the most sensitive information and business procedures, look for and eliminate user and global IDs that cannot be audited across application boundaries;
• Make sure application, transaction and security logs are preserved and remain intact;
• Make sure high spikes in resources usage are planned for, accounted for, and that automation technologies can implement customer requirements;
• Leverage HR, legal, and the IT help desk as much as possible;
• Test and verify memory-flushing for sensitive business applications and identification information;
• Test and validate application and configuration vulnerabilities in major business applications and databases;
• Focus management reports on business impact in two dimensions: increase in customer measurement metrics and decrease in business risk metrics; and
• Review ongoing progress with the business and IT leadership council.
In addition, some of these sites track and aggregate data from their information and access procedures into real-time risk management dashboards. Additional information on this is covered in the Governance edition of this research series.

Best Practice Framework: Technology


Nearly every site covered in this report is implementing directories throughout their organization to accelerate information flow. In fact, directories appear to be the backbone that is making it possible to share information and have access to information, applications, and IT resources.
As another form of a layered defense model, no one directory fits all needs. For example, Microsoft Active Directory (AD) is widely deployed within and across departments. It's also used for access to major application systems from departmental roles.
In addition, some firms are implementing a wide range of other directories, most notably, versions of the Lightweight Directory Access Protocol (LDAP). Unlike the Microsoft AD, LDAP-based directories are being implemented outside the organization, with suppliers, business partners, and major customers. In fact, unlike the more homogeneous Microsoft AD that's being used to aggregate user access to internal resources for employees, the LDAP-based directories are being deployed for external access to information and applications. Moreover, rather than use a homogeneous directory, many sites are implementing separate LDAP directories by business process and application resources.
Mirroring the use of virtual LAN (VLAN) rings that deal with separating access to resources at layers 1 through 3 of the network stack, directories are being used to accelerate access to information and resources while limiting access to information at layers 4 through 7 of the standard ISO stack. And, much like VLANs, the directory can simulate rings of access that are structured similarly to the VLANs, where the most sensitive data is in the center of the ring structure and the least sensitive is further from the center.
The primary determinant of the use of directories for implementing an information ring structure is focused on placing core customer and sensitive corporate data onto isolated inner rings of the defense, and placing less sensitive public information in the outer rings. In between, business partners and suppliers are being provided with access to some corporate information not available to the public that's accessible at intermediate rings (Figure 5).


Figure 5: Best Practices, Enabling Technologies

Source: AberdeenGroup, June 2005

Figure 5 shows four rings. This is not the most common implementation of this approach.
In fact, some firms implement only two layers of information: public and private. For
private information, everyone on the inside ring is provided access, largely based on rules
employed in Microsoft AD.
Sites with multi-layered approaches also tend to be those that integrate business partners, suppliers and customers into the information-acceleration activities to reduce business cycles, increase customer orders, and better retain customers.
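The ring structure described above can be modeled as an access decision in two steps: ring containment first, then a role match inside the rings that require one. The sketch below is an added example, not taken from the report or from any directory product; the ring names and numbering, role names, sample resources, and the simplification that a two-layer site enforces no role check inside the private ring are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# Ring numbering is an assumption of this sketch: 0 is the innermost ring.
CORE, INTERNAL, PARTNER, PUBLIC = 0, 1, 2, 3


@dataclass(frozen=True)
class Principal:
    name: str
    ring: int                      # innermost ring this principal is cleared for
    roles: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Resource:
    name: str
    ring: int
    allowed_roles: FrozenSet[str] = frozenset()


class RingPolicy:
    """Ring containment first, then a role match in rings that require one."""

    def __init__(self, role_rings: FrozenSet[int],
                 remap: Callable[[int], int] = lambda r: r):
        self.role_rings = role_rings   # rings where a role match is mandatory
        self.remap = remap             # lets a site collapse rings together
        self.audit_log: List[Tuple[str, str, bool, str]] = []

    def check(self, who: Principal, what: Resource) -> bool:
        p_ring, r_ring = self.remap(who.ring), self.remap(what.ring)
        if p_ring > r_ring:
            allowed, reason = False, "outside-ring"
        elif r_ring in self.role_rings and not (who.roles & what.allowed_roles):
            # Fails closed: a resource with no allowed roles is unreachable.
            allowed, reason = False, "no-role"
        else:
            allowed, reason = True, "ok"
        self.audit_log.append((who.name, what.name, allowed, reason))
        return allowed

    def reachable(self, who: Principal, resources: List[Resource]) -> List[str]:
        return sorted(r.name for r in resources if self.check(who, r))


# Four rings with role checks everywhere except the public ring.
FOUR_RING = RingPolicy(role_rings=frozenset({CORE, INTERNAL, PARTNER}))
# Two layers (public / private) with no role check inside the private ring.
TWO_RING = RingPolicy(role_rings=frozenset(),
                      remap=lambda r: PUBLIC if r == PUBLIC else CORE)

# Constructed sample resources and principals.
RESOURCES = [
    Resource("product_catalog", PUBLIC),
    Resource("supplier_forecast", PARTNER, frozenset({"supplier"})),
    Resource("hr_handbook", INTERNAL, frozenset({"employee"})),
    Resource("customer_master", CORE,
             frozenset({"credit-approval", "customer-service"})),
    Resource("unowned_export", CORE),          # nobody assigned: deny all
]
PRINCIPALS = {
    "visitor": Principal("visitor", PUBLIC),
    "supplier_user": Principal("supplier_user", PARTNER, frozenset({"supplier"})),
    "sales_rep": Principal("sales_rep", INTERNAL, frozenset({"employee"})),
    "credit_analyst": Principal("credit_analyst", CORE,
                                frozenset({"employee", "credit-approval"})),
}


def extra_exposure(who: Principal) -> List[str]:
    """Resources the two-layer model opens that the four-ring model denies."""
    wide = set(TWO_RING.reachable(who, RESOURCES))
    narrow = set(FOUR_RING.reachable(who, RESOURCES))
    return sorted(wide - narrow)


if __name__ == "__main__":
    for name, who in PRINCIPALS.items():
        print(name, FOUR_RING.reachable(who, RESOURCES), extra_exposure(who))
```
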
Despite the widespread use of directories, there's a "trust but verify" philosophy among these sites, taking the form of vulnerability management tools to verify the integrity of websites, application servers, e-mail portals, and critical information databases. For some sites, these tools are continuously monitored.
In addition, some of these sites employ a combination of virtual private networks and encrypted e-mail services and products to ensure information in transit is protected between the enterprise and its customers, partners and suppliers.
Further, some of these organizations are taking information content analysis to the next level by using products and services that are able to inspect the content of the message traffic to trap and eliminate all problems, including pornography, spyware, viruses, worms, and information that flows to competitors.


Lastly, most of these sites are using role-based access controls to segment access to information and information access resources (applications, network software services, directories, etc.). For some organizations, this has included the use of automated user provisioning, single sign on, and password management systems to tie the use of access to information and IT resources to the organization's policies and procedures. Acting across e-mail, directories, web portals, virtual private networks, and other information access services (e.g., FTP, Telnet, instant messaging, Wi-Fi access, and remote access), these systems make it much easier for the organizations to further automate provisioning and access to information and applications, while restraining access to information resources.
The other benefits these organizations achieve through the use of role-based access controls (e.g., automated provisioning and access systems) are built-in controls and audit logs that are used to provide assurance with compliance programs, including Sarbanes-Oxley, European data privacy laws, and Gramm-Leach-Bliley, among other mandated regulatory initiatives.

Best Practice Framework: Performance and Metrics


Performance metrics for network and infrastructure security cover a wide range. The most important and most consistently tracked by these firms in this report include:
• Customer sales,
• Customer retention rates,
• Users added and subtracted,
• Mean time between service levels,
• Number of vulnerabilities,
• Number of sensitive information leaks,
• Number of sensitive e-mails,
• Resources added and subtracted, and
• Number of incidents avoided.
In addition to these metrics, the organizations track their performance against the following metrics: increased access to information, costs saved on customer self-service, expenses reduced on user self-service, and expenses saved from supplier self-service.
Some of the sites have automated the tracking of performance metrics and thresholds into real-time risk management dashboards. Additional information on this is covered in the Governance edition of this research series.

Aberdeen Group Recommendations


Aberdeen views a holistic approach to SCSM as entailing five key process steps:
1. Objectives, which establish the organization's objectives, standards, procedures, structure, and knowledge;
2. Measurements, which identify profiles and gaps from business procedures to enabling technologies;
3. Analysis, which is aggregated to financial and public-image impact by business operations, lines, and divisions;
4. Education, which makes a security program effective to fulfill business and organizational missions; and
5. Refinement, which recalibrates objectives, measurements, analysis, spending, processes, organizational structure, and knowledge management.
With this background, here are 14 recommendations based on this fact-based research:

Structure a layered information and access posture


Whether they're described as rings or directories, the purpose behind the concept of the layered, multiple access environments is to take the frontal assaults from the Internet where they will cause the least damage. Not discussed, but important, is the use of information access honey-pots, the faux view hackers and privileged insiders see, that are being placed in all of the rings. Structure the rings to protect from least to most valuable.

Segment access to information


Lessons from the masters include: segment access to information by the combination of
network and software services, along with directory- and role-based access controls.

Detect, then prevent


Most of the companies selected for this research utilize tools that inspect information content flow. There are two approaches: the first includes inspection of incoming flow to identify and, in some cases, remove information content not allowed by policy (e.g., pornography) as well as hidden scripts and capabilities hackers exploit to gain footholds. The second includes identifying sensitive information that should either not flow out of the organization or to specific destinations.

Take inventory and monitor continuously


The best advice from the best-practice firms: Take a daily inventory of the information flow. Devote special attention to the top 50 lists of inbound information exploits and of sensitive outbound information blocks.

Consolidate security into 'black belt' and 'green belt' teams


Similar to the terminology used in the world of Six Sigma improvements, practitioners should find and keep their best possible master black belts to form the basis of their team. After this, farm out repetitive processes for information flow, user registrations, and information resource access by using as much automation as possible and lower-skilled, less expensive resources. These best-practice firms also recommend establishing authoritative sources of record by function. For example, the combination of the purchasing department and internal controls should be looked to as the authoritative source for role-based access data to support accelerating information flow for the supply chain. Similarly, the sales order database, credit, and internal controls database should serve as the authoritative source for customer self-service initiatives. HR and business line managers should serve as the authoritative source for role-based employee authorizations.


Keep to the standards


The surest path to failure, according to all, is to waver on or modify company policies and standards in the face of negative reaction from within. The standards may have to be updated, but if they're properly informed and arrived at with input and review from the steering committee, there's no reason to quickly change them.

Yield to executive sponsorship


At this stage, in the era of Sarbanes-Oxley and increasing regulatory and audit review,
finding and retaining executive sponsorship among the best-in-class practitioners is not
an issue. However, if your company is not operating at best-in-class levels, the practitioners
recommend starting here, and making sure an executive-level steering committee meets
regularly. It's important to recognize when to compromise and at least make the risks known,
rather than take an adversarial position without reasoning and facts to back up the
expected results of decisions that are likely to increase risk.

Automation: business pressures, scope, scale, and speed


Almost all respondents agree that network and infrastructure security is a necessary pre-
cursor from which to implement defenses to protect the organization from nasty inbound
threats.
However, the respondents in this report believe information flow, both inbound and out-
bound, is necessary to speed up business cycles, increase revenue, and reduce costs. Fur-
ther, the respondents say automating access, both inbound and outbound, must take into
account the role of the people involved. As such, information and access is seen not as
plumbing and wiring, but intimately linked with business procedures and results.

Strategically reevaluate service levels against third-party sources


Almost all respondents stated there are plenty of opportunities to lower costs and deliver
higher service levels by reevaluating which aspects can and should be farmed out. For
example, one firm outsourced identification and authorization for new customer orders below
credit-approval levels to increase business from high-volume, low-ticket-price orders.
This firm was able to leverage third-party services to increase revenue from new business
while focusing credit review practices on lower-volume, higher-ticket orders.

Classify, reclassify, and involve everyone


A major reason the best in class are performing as well as they are is their focus on clas-
sification, including that of data, information, applications, business partners, suppliers,
and even customers.
The classification exercise dovetails with major business procedures, business process
flows, information flows needed to support operations, and a continual reevaluation of
them to keep pace with changing business conditions.
Moreover, the success of these organizations is due largely to the fact that every stakeholder
is asked to participate and help with the program's success. Outside IT, this includes human
resources, legal, finance, business unit managers, internal audit and controls, public relations,
local and federal law enforcement, and the peer network. Lastly and perhaps most
importantly, all these firms routinely operate and deliver information security awareness
training for employees, business partners, suppliers, and customers. By leveraging more
eyes and ears, these firms encourage everyone who interacts with the organization to
think of security as a part of his or her job.

Focus on managing risk while delivering operational agility


Best-in-class organizations focus on quantifying and qualifying risk that, if not mitigated,
will result in loss of business agility or other negative consequences. The ideal position,
according to the best-practice companies: improvements to business agility with an opti-
mization of managed risk.

Don't assume; determine and verify the facts


The advent of fact-based investigation, analysis, and quantification is a hallmark of all
the sites profiled in this report. None assumes its skills and knowledge are better, faster,
and more powerful than mistakes, omissions, carelessness, and wily hackers.

Measure twice, cut once


All of the selected firms recommend employing a "measure twice, cut once" philosophy.
Measuring twice covers all technical and business issues involved. Cutting once may in-
volve notifications to line managers, internal controls, legal, and human resources de-
pending on company standards and the nature of information flow.

Be careful about segregation


The audit world is aglow and focused on segregation of duties, and for good reason.
Moreover, many executives Aberdeen has interviewed over the years have stated that
when it comes to security, they're as afraid of what the experts operating internally could
do as what they could not do. For these reasons and others, it's proper to place controls
that will segregate duties and roles.
However, too much segregation will result in negative consequences. If the controls
make it impossible to respond to seasonal business changes, sudden spikes in trading
volumes, and access to historical business information, the organization will be defeating
its objectives and abilities to execute.
Therefore, before introducing any controls in the environment that segregate, evaluate the
business impact of the controls for worst-case boundary conditions.

Chapter Four:
Recommendations for Action

Key Takeaways

Detailed Aberdeen research, covering more than 70 information and programs, has identified
the following enterprises as demonstrating best practices:


An automotive company
A bank
A health insurance and benefits company
An insurance company
A financial services company
An insurance company
A health-care organization
An advertising agency
A health care organization
A pharmaceutical company

Case studies for these enterprises follow in this chapter.

Health Benefits Organization's Full-Disk Encryption Boosts Business, Data Protection, Compliance

Company Name: Health insurance and benefits company
Solution Providers: PC Guardian
Business Challenges: Accommodating rapid change in its industry while dealing with rapid
turnover in technology. Accelerating the flow of information for its business, while
protecting it. Complying with regulated mandates, especially HIPAA.
Strategy: Avoid any sensitive-data leakage, even from data downloaded to PC laptops.
Value Achieved: Data leakage via laptops avoided and eliminated; HIPAA compliance made easier

Business Challenge
This for-profit health benefits company offers health insurance products and benefits
administration services to a wide range of constituents, including employers, government
agencies, consumers, health maintenance organizations, and preferred provider networks.
The pressures facing this organization include rapid industry consolidation through
mergers and acquisitions, expansion of health-care regulations, especially HIPAA,
and the business impact of rapidly changing technologies.
Leveraging the Internet as much as possible, the company is lowering its costs and
delivering much faster response to its customers while enabling them to manage aspects
of their health plan online.

Strategy
To improve sales, customer service, and benefits administration, the company
worked to make information access via the web ubiquitous to people across its delivery
network. It also had to adhere to rigorous regulations and mandates governing access
to, and protection of, patient data.
The organization has already invested in its
security governance programs by broaden-
ing its coverage, using frameworks such as ISO 17999, employing multi-layered defen-
sive systems for its IT infrastructure, and relying on best-practice solutions to accelerate
the flow of critical business information to authorized personnel. The company is also
using data classification, segregation of duties based on job function, and need-to-know
access control principles.
Adjusting to changing business requirements, the organization allows access to, and storage
of, critical business data on portable PC laptops. To address the vulnerabilities associated
with portable laptop systems (e.g., theft of the systems, loss of sensitive business
information, and loss of personally identifiable data) the company evaluated
alternative approaches to protecting information on portable laptops, and chose full-disk
encryption to protect all system information, opting for PC Guardian solutions.

Deployment Experience
The solutions were deployed in 2001 and 2002, long before the trade press began report-
ing the current wave of security breaches or hacking of confidential customer data plagu-
ing many industries. The firm found the PC Guardian solution set easy to use and largely
free of the problems associated with user errors and overrides. Moreover, it came with
FIPS and DoD approvals that assured safety and security compliance throughout imple-
mentation.

Results
This company has significantly diminished the risk associated with sensitive data being
downloaded or acquired through secure communication methods and stored on portable
PC laptops. This problem has been mitigated. Now, all new laptops are outfitted with the
encryption/decryption package and tested before being issued.

Lessons Learned
Technology deployments can be simple and effective. PC Guardian is one example of an
effective, easy-to-use, and worry-free solution. Other lessons learned include:
Some security controls and mechanisms need to be as transparent as possible to not hinder daily business operations;
All threat vulnerabilities require formal risk assessment, executive-level awareness, and remediation by senior executives, business operations, and IT security;
Governing policies and standards must be as clear and concise as possible, including consideration of the interactions between physical and electronic security;
Keep data classification simple (e.g., company confidential, company private, company unclassified); and
Deliver user and awareness training regularly.

Future Outlook
This company plans to separate its standards and compliance function from its security
implementation and operations in the near future. The objective is to place the develop-
ment and maintenance of standards, along with testing and audit, as an oversight function
to work alongside internal controls. The company also plans to integrate wireless technology
while locking down all devices that attach to the network.

Aberdeen Conclusions
This is a site with a very mature security program, a seasoned management team, and
stellar performance results. It has been in the forefront of security for years and contin-
ues to demonstrate excellence and commitment to security for its own business as well as
its customers, suppliers, and business partners.

Information Access for Diverse Global Operations Drives Security at Major Automotive Firm

Company Name: Automotive company
Solution Provider: BMC
Business Challenge: Accelerate information access to reduce business cycles; Manage security
across more than 200 companies
Strategy: Employ role-based access controls to supply access to information based on job
function; Establish security governance program to manage results across 200+ companies
Values Achieved: No shutdowns in manufacturing operations; Business-cycle reductions are
being realized, with more to come; Common understanding across more than 200 companies
for security objectives with decreasing operational risks

Business Challenge
Operating globally, this automotive firm is under increasing pressure to compete by
decreasing its business cycles, especially for new product concepts that will continue
to increase revenue and market share.
Operating with more than 100,000 users, more than 200 different companies, design
and manufacturing centers around the world, and several third parties, this firm
must accelerate access to information to bring products to market sooner than
competitors can.
While doing this, the company must carefully guard its core data, its customer data,
and the data of its business partners and suppliers.
In addition, the company must protect manufacturing operations from Internet-borne,
and non-Internet-borne software viruses, Trojan horses, and spyware. The reason: An
infection of automated manufacturing systems using Windows software would
result in huge negative financial consequences from manufacturing lines that
would have to be shuttered until the automated machines and networks can safely
return to productive manufacturing.

Strategy
Utilizing BS 7999 (versions 1 and 2) as the framework for much of its security management
programs, the company invested major resources and effort in tightening network security
operations to avoid downtime in manufacturing operations. After being assured that
performance metrics for its network and infrastructure security programs were on target,
the company turned its attention to two thorny problems: limiting access to customer and
corporate data on a role or job-function basis, and obtaining consent from more than 200
other companies to buy into a common security program.

Solution Deployment Experience


Using solutions from Siemens, BMC and IBM, the automotive company is about two-thirds
through its full deployment to centralize user management and user provisioning.
Using human resources databases as its authoritative source for employees, the company
relies on 200-plus business partners to manage their own employees to standards. The
decision-maker at this company said the technology complexity in deploying the BMC
solutions represented only about 20% of its problems, with the biggest headaches mostly
related to human factors, especially in how people acquire access to information and
when they don't have access to information to which they previously had access.

Results
To date, about 300,000 users are enrolled in the program, with at least another 100,000 to
come. This project-funded program, which the operating business divisions have identified
as a critical need, enables design teams from around the world to complete work
more rapidly and deliver information to advanced manufacturing centers, which can fast-track
concepts into the company's mainstream product rollout procedures.
Reflecting a need-to-know bias, the role-based, job-function access to information has
made it easier for the appropriate people to acquire needed information while protecting
information assets.

Lessons Learned
The senior manager on this project advises not to underestimate the time it takes to bring
people on board with changes to business and information access procedures. Build additional
time into projects to handle human factors, and involve all constituents at the front
end. Expect people to forget and have to be reminded several times before new behavior
patterns take over from older, more comfortable patterns.
Also, the manager advises, don't invest in firewalls at the periphery; there is no periphery
anymore, especially for companies operating globally and acting locally. Firewalls are
necessary, but firms must take their security programs up to the level of information content
and access to content that flows through the firewalls.

Future Outlook
This company plans to use a common identity and access management framework for use
with its partner, sales, and dealer networks, as well as within its own operations. As part
of this activity, the company plans to classify roles, business functions, and relationships
to ensure access to information follows policies and standards.

Aberdeen Conclusions
This automotive company, a leader in information and access, is on the brink of automating
its security governance programs for itself and its business partners. The company
has learned, through its own efforts, the fine balance that's needed to optimize the relationship
between access to information for business operations versus ratcheting down
too much on access to information, systems and networks. The results: reduced business
cycles, lowered risk levels, and greater alignment across its value chain.

Turning Traditional Security Model Inside-Out Pays Big Dividends for Financial Services Firm

Company Name: Financial services company
Solution Provider: IPLocks
Business Challenge: Maintain customer faith that data is protected and safe; Manage
regulatory audits
Strategy: Turn security inside-out by focusing on the core data; Overhaul the security
function and focus it on managing risk at the business unit level
Values Achieved: Reassured customers that their data is safe; No shutdowns to data flows;
Vulnerabilities and risk-behaviors curtailed; Highly unlikely to become a poster child for
data leakage reported in the media

Business Challenge
With more than $24 billion in assets under management and more than 1,000 business
customers, this financial services firm delivers a wide range of services, including
electronic processing, investment services, electronic payment processing, credit
services, funds transfers, and settlement services.
Operating as one of the largest service providers in its sector of the financial services
industry, this company is under intense pressure to deliver assurances to customers
that their data and the company's corporate data and processes surrounding the safety
of this data remain sacrosanct.

Strategy
The company overhauled its approach to security several years ago by turning the
traditional security model inside-out. Instead of implementing security solely from
the periphery and working inward, this company decided to focus on data and its
business value and work outward. This allowed the company to focus its information
security risk management efforts on the most critical assets and allocate the most
appropriate resources and technology.
As part of this effort, the company decided to tackle its biggest challenge of all:
identifying where its critical data resides, the value of the data to the business and its
customers, the workflows that operate on the data, and the behavior associated with
access to the data.
The company integrated the security function into the business units to improve results
faster, overhauled its metrics for IT security, and focused its security programs on managing
risk across its business operations and enabling technologies. During the evolution
of its security program, the company deployed a wide range of vulnerability assessment
technologies to identify weaknesses. As part of this evolution, the firm decided to automate
security scanning, vulnerability assessment, and remediation for where most core
data resided: in databases.

Solution Deployment Experience


Using solutions from IPLocks, the company has been able to verify the locations of core
data, the vulnerabilities in its databases and their underlying operating systems, and the
changes to data. The company is using alerts for conditions that exceed its risk thresholds,
while ensuring that configuration mistakes and security vulnerabilities in the databases
are fixed. In addition, the company has been able to identify and eliminate inappropriate
privilege conditions, authorized and unauthorized access to data, and suspicious
behavior regarding its most valuable IT assets: its data and customers' data.

Results
The use of the IPLocks solutions has enabled this firm to harden its databases and avoid
privilege-race conditions that tend to lead to fraud and theft, while avoiding any undue
performance loads that would be noticeable to business operations. The solutions are being
used at granular levels that make a difference, including database queries, database
builds, database patches, privileged operations accessible to database administrators,
database schemas, and database metadata.
In addition, the company's risk-based approach to security, utilizing the OCTAVE methodology
from Carnegie Mellon University, has enabled it to evangelize the value of information
security risk management throughout the organization because it bridges the
gaps between the business lines, the finance organization and the technology controls.

Lessons Learned
In this day and age of data privacy, publicity about data leakages, and corporate value,
one of the primary lessons this company learned is that it was correct to undertake two
fundamental changes in the way it approached security: (1) Start where the valuable data
is, and (2) Make security usable to the business by managing it as a risk underwriting and
transfer activity focused on the core data assets of the organization. In addition, the company
learned that security awareness is critical to results: once everyone understands his
or her role, the organization turns in performance results much more rapidly.

Future Outlook
This company is well on its way to security governance now that it has all the pieces in
place to balance the acceleration of access to information and the inherent risks that ac-
celerating access poses to the organization. Instead of focusing on what the security
frameworks say, this company is focusing on how to achieve results.

Aberdeen Conclusions
Despite the large foray into network security that grips most firms, this company is proof
that, after network and infrastructure security, the next rung up the security value ladder
is information and access. While it's focused on information and access, this firm is also
accelerating quickly into security governance to achieve its business objectives.

Accelerating Information Access: a Key to Regional Bank's Growth and Compliance Strategy

Company Name: Bank
Solution Provider: Hewlett-Packard
Business Challenge: Fast growth, cutting technology and a highly competitive industry
complemented by superior customer service. In addition, the bank is under sharp pressure
to conform with various regulatory mandates and audits.
Strategy: Accelerate information access for customers, business partners, and employees
while retaining control over the information and who has access to it. In addition, ensure
the company executes against the procedures, data, and records for audit compliance.
Values Achieved: Increase usage of online banking services by existing customers; New
customer accounts; Prepared for compliance audits

Business Challenge
One large regional, independent bank operating in the U.S. offers a wide range of services
to consumers and businesses. Its growth strategy includes offering easy access to
branches, commercial, private, retail and mortgage banking services.
To achieve this growth, the company has leveraged the Internet for consumer, online
business banking services, treasury management services, wealth management,
investments, and mortgage services.
Delivering its services requires that the bank accelerate information access, and
with due care to protect its brand. Also, it must reinforce its value proposition to its
customers and meet financial, legal, and regulatory compliance requirements that
include Sarbanes-Oxley and Gramm-Leach-Bliley.

Strategy
According to the principals, this bank can be viewed as a technology company that
just happens to offer banking and financial services, especially given its focus on
leveraging technology.
As part of its efforts, the company has kept security at the forefront of all business
segments and technology operations, especially as new business and applications are
considered and long before the technology is deployed.
Security policy and deployment largely incorporates an information risk-management
approach. Considering the network and infrastructure, the bank also takes into account
the value of information, performance metrics, and security governance.
Despite the company's "at the front of the cycle" approach, it decided that it had to go
beyond directories to actually touch and control the information flow between its
databases, application systems, customers, employees and business partners. For this
reason the bank selected solutions from Hewlett-Packard (HP) out of a range of finalists.

Solution Deployment Experience


The HP solutions include software that assists in the management of information flow
and what can be done with the information even after it has been distributed to desktops
over the network. However, the heart of the system comprises the Identity Select, Identity,
and Access solutions that deliver user provisioning, application, and information
access. These solutions are being employed to enforce procedures needed to comply with
the bank's own standards and regulatory audit requirements. In addition, the solutions
will provide single sign-on for Web access to applications and information.

Results
The first phase of the project has been a success. All components are working as ex-
pected, and the solution will continue to make a significant difference to infrastructure
operations, customer service, and the product lines as additional phases are rolled out.
According to the bank, the relationship with HP has made it much easier for it to acquire
pre-integration software solutions from third-party solution providers, including its moni-
toring, console dashboards, and compliance needs. Principals at the bank say user train-
ing and awareness are essential for these programs to succeed. Moreover, audit require-
ments imposed by the OCC are far more stringent than other audits the firm faces.

Lessons Learned
One senior manager warned not to underestimate the time it takes to bring people on
board with changes to business and information access procedures. Also, build in additional
time to handle human factors, and involve all stakeholders and constituents at the
front end.

Future Outlook
This company is facing additional regulatory controls in the form of Basel and is plan-
ning how it will accommodate its procedures to conform to the operational risk require-
ments of this mandate. This company also recommends using data and knowledge about
information flow as it relates to business processes to stay ahead of the curve, especially
when measuring and tracking performance against plan.

Aberdeen Conclusions
With its very advanced technology focus, this bank is planning to stir up competition
across the banking industry. Its metrics and performance results certainly qualify it for
selection as a winner and its practices, especially those for its information risk manage-
ment program, elevate the bank to a level that would be compelling for some of the larg-
est and most pervasive financial service providers.

Internet Information Access Controls, Better Desktop Security Improve Results for Ad Company

Company Name: Advertising and branding
Solution Providers: St. Bernard, Microsoft
Business Challenge: Accelerate access to online information to service clients, manage
suppliers, reduce costs, and better meet client deadlines.
Strategy: Provide Internet access, including e-mail and web access, to employees to drive
new business, increase customer retention, manage suppliers, and reduce costs.
Value Achieved: Improved sales results from information flow; Reduced risk from litigation
and compliance snafus; Prepared for integrated risk and exception management

Business Challenge
A subsidiary of a much larger branding company with more than 5,000 clients in
more than 100 countries, this firm operates globally. The company delivers a wide
range of services, including marketing promotions, advertising, media buys,
events, public relations, and account planning.
As part of its operations, the company interacts with clients from around the world,
manages suppliers globally, and delivers services directly and indirectly.
Dependent on the Internet for accelerating business results, this company has found it
must monitor Internet use for a number of reasons, including efficient servicing of
clients, better managing suppliers, reducing costs, and meeting client deadlines.

Strategy
This company decided to deliver Internet access to its employees, including e-mail
and Web access. However, it found the business benefits that come with Internet
access arrive with some drawbacks, including network loading that can and did get in
the way of legitimate business purposes, potential liability due to inappropriate sites
and content being accessed by employees, and larger infection rates due to spyware
and viruses being inadvertently brought into the company by unknowing employees.
Although the company invested in employee training and awareness programs, these ef-
forts did not produce the desired effects. As a result, it shopped for a solution that could
monitor Internet information and inbound content flow, as well as the sites that employ-
ees were visiting. For this purpose, this company selected solutions from St. Bernard.
In addition, the company decided to upgrade all its desktop systems to Microsoft XP. The
goal was two-fold: Take advantage of improved security capabilities and avoid the infec-
tion problems and associated cleanup expenses it had been incurring.

Deployment Experience
The St. Bernard solutions block employees from restricted websites. In addition, new
capabilities are being employed to keep employees from visiting sites that are known
perpetrators of spyware, Trojan horses, and security exploit scripts.
The solution has been used on several occasions to shut down Internet access during
emergencies. Monthly reports are circulated to management to show how much time em-
ployees spend on the Internet and websites that, though not banned, may be reason for
management concern.
The Microsoft XP migration was smooth and resulted in marked improvements to desk-
top security. Although the administrator at this company does not like having to update
desktops with every Microsoft patch release, the company would rather deal with this
expense than the expense involved in recovering systems and data.

Results
Not only was network bandwidth restored, but employee productivity increased follow-
ing deployment of the St. Bernard solutions. One IT administrator also mentioned that
the XP desktops are working well, especially compared to what the company had.

Lessons Learned
Changing behavior and improving results could not have been achieved manually, and
the IT security organization did not want to become online babysitters. By documenting
the procedures and reports, this firm has improved workforce productivity, its networks,
and overall business information flow.

Future Outlook
Security performance metrics drive results for this company's program. More are being
added during the coming year. In addition to the solutions already mentioned, the company
uses a third-party e-mail filtering service to achieve similar results with external
e-mail. To date, it has been able to filter 45% of the junk mail, quarantine the other 45%,
and deal with the 10% that might be at risk. The company plans to ratchet up its
capabilities in this area to close the gap and edge closer to 100%.

Aberdeen Conclusions
The performance results, practices, procedures, enabling technologies, and standards this
company employs qualify it to be among the best practice profiles. This company is
employing a formal risk assessment and management program to track performance metrics
and operate based on thresholds, all to better manage performance results.

Financial Services Company Restricts Outbound Information Flow, Minimizes Business Harm

Company Name: Financial services company
Solution Provider: Vontu
Business Challenge: Accelerating information flow for the business, regulatory mandates,
mergers and acquisitions, divestitures, outsourced third-party business partners and vendors
Strategy: Enable information access for business purposes, protect sensitive information
in-transit, and be able to track and prevent sensitive data from flowing to unauthorized
locations
Values Achieved:
Authorized distribution of sensitive information protected in-transit
Reduction in personal information distributed to unauthorized locations
Reduction in company data distributed to unauthorized sites
Reduction in sensitive company data distributed to unauthorized parties

Business Challenge
This financial services company operates in a highly competitive market for insurance,
investment, and real estate products, among others. Under pressure to grow, the company
actively looks for the correct acquisitions while cutting business lines that no
longer meet portfolio requirements.
With operations that extend around the world, the business challenges include accelerating
information flow to service customers while ensuring information distribution doesn't
run afoul of regulatory requirements, snarl planned mergers, acquisitions, and
divestitures, and is consistent with standards for its outsourced business partners
and suppliers.
In addition, the company must also comply with the regulatory mandates of Sarbanes-Oxley,
Gramm Leach Bliley, and the laws for all countries in which it operates.

Strategy
At the time of deployment, this organization was employing a mature security team
and program, incorporating some of the most rigorous network and infrastructure
security in the business. In addition, it placed great emphasis on ensuring that
information needed for business operations was available, accessible, accurate, and
tamper-free. However, the company suspected that some of its sensitive data, covering
customers, employees, and its own operations, was leaking out. As a result, this company
conducted a bake off involving a number of competitive solutions to identify the extent
of the problem and identify requisite action. Ultimately the company turned to Vontu.

Solution Deployment Experience
The company first set the Vontu solution to gauge the extent of its data-leakage problem
and completed the assessment involving a small segment of the company. With the extent
of the problem in the test area revealed, the company decided to scale the inspection of
outbound flow of sensitive data to other business areas, as well.

Results
Managing an extensive amount of sensitive data on employees, customers, and its own
mergers and acquisitions, the company sought to reduce misappropriated information
flow (through omission or commission) by its employees and business partners.
The Vontu solutions have reduced the amount of outbound flow of sensitive data to a
trickle, while identifying new problems. It used the Vontu solution to: (1) advise
management about which sensitive information is flowing out of the organization; (2) run
training and awareness programs for employees; (3) notify line managers and human
resources about problem situations; (4) stop sensitive data from flowing outbound to
unauthorized people and locations; and (5) increase SOX compliance.
Despite an initial learning period, the solution has worked better than anticipated.

Lessons Learned
The company has learned that security maturity and performance results are mostly about
people. Although the technology side can be vexing, it's not as unpredictable as people.
As a result, the decision-maker advises that focusing on the people part of security will
probably pay bigger dividends than focusing exclusively on the technology will.
Another important lesson this firm learned is to sweep everything - devices, networks,
systems, applications, information, people, behavior, and usage spikes, as well as all
detailed inner workings. Without such a comprehensive approach, it's impossible to know
where the performance of security programs has been, or could be, compromised.

Future Outlook
This organization has rolled out its controls to monitor compliance down to the technology
platforms and networks that enable its business operations. It anticipates spending
additional time on the people part of SOX compliance and plans to continue looking at
additional information flow monitoring.

Aberdeen Conclusions
This company has one of the top-tier security programs in the industry, thanks to the
senior staff and veteran managers operating and managing it. The security initiatives and
performance results registered to date set this company apart and ahead of the curve,
particularly when compared with most other companies.

Access Controls for Internet Information Content and Flow Improve Results for Insurance Company

Company Name: Insurance company
Solution Provider: Websense
Business Challenges & Goals:
Accelerate information flow
Keep constituents and data separated where required
Avoid litigation
Manage both business and technology risk in this highly competitive industry.
Strategy: Employ three-layered approach across a defense-in-depth multi-tiered environment
while moving to risk and exception-based management.
Value Achieved:
Improved sales results from information flow
Reduced risk from litigation and compliance snafus
Prepared for integrated risk and exception management

Business Challenge
With more than $1 billion in assets under management, this insurance firm delivers
property and casualty insurance products through more than 700 independent sales
agencies. Information and networks are central to the company's business success
as it operates across several states through its sales channels and with many business
partners.
The company operates in regulated markets and is constrained by regulatory mandates
that include Sarbanes-Oxley, Gramm Leach Bliley, and HIPAA. As a result, the company
must carefully control access to its information and customer data, while assuring
its independent agents and business partners that its security performance results
are among the best in the industry.

Strategy
The company's security strategy is based on a defense-in-depth approach that utilizes
multiple layers, rings, and controls within each. In addition, the company employs
monitoring and alerting capabilities for conditions that exceed pre-established
thresholds to manage security events by exception. The firm emphasizes network
segmentation, role-based access controls, and different layers of security controls. It
approaches security equally across all three legs on which this best practices report is
organized by edition: network and infrastructure, information and access; and governance.
The company employs multiple sources as references for its policies and standards,
including ISO 17999, NIST, COSO and Cobit, NSA, and its own. Developed over years by
a veteran team, this organization has implemented specific standards from its policies that
extend into logical to physical controls. In addition, the firm tracks formal performance
metrics that are keyed to a formal risk assessment and management framework.

A number of years ago the company realized that to optimize its use of network services
- including servicing its sales channels and managing its partner relationships - it
would need to monitor and assess Internet usage associated with business processes. The
goal was to determine what portion of bandwidth was allocated to business versus personal
use. Some of the usage problems were corrected by management actions. To re-dedicate
its resources to business use and keep employees from introducing additional
business risk, the firm opted to deploy solutions from Websense.

Deployment Experience
The Websense solutions are blocking employees from restricted websites. In addition,
recent capabilities are being employed to keep employees from visiting sites known to be
perpetrators of spyware, Trojan horses, and security exploit scripts.
The solution has been used on several occasions to shut down Internet access in
emergencies. Featuring Internet access tracking by employee, monthly management reports
show how much time employees are spending on the Internet and visiting sites that,
although not banned, may be reason for management concern.

Results
Network bandwidth was restored, and employee productivity increased as a result of
deploying Websense solutions.

Lessons Learned
Changing behavior and improving results could not have been achieved manually, and
the IT security organization did not want to become online babysitters. By documenting
new procedures and the usage tracking reports, this firm has improved workforce
productivity, its networks, and its business information flow.
More importantly, security capabilities have enabled the firm to avoid having its PCs and
databases infected, information and systems hijacked, and its core data transferred to
unauthorized parts of the world without its knowledge.

Future Outlook
Metrics drive the performance results for this company and more are being added during
the coming year. In addition, its risk management systems will leverage an existing
integration between business and technology with regulatory and governance risk assessment
and analysis.

Aberdeen Conclusions
The insurance company is one of the top-tier players in its space. Beyond the security
solution itself, its success can be attributed in large part to a seasoned security
management team and executive management. Advocacy and ongoing support for security as
fundamentally good for the business are making a difference, not only for measuring
results, but also for teaching employees to be more effective and productive.

Secure E-Mail Helps Health Care Organization Accelerate Patient Care and Comply with HIPAA

Company Name: Health care organization
Solution Providers: CertifiedMail
Business Challenge: Accelerate access to sensitive information via e-mail to improve
patient care while complying with standards and regulatory requirements.
Strategy: Adopt e-mail as the vehicle for sharing sensitive data, and employ a security
e-mail solution to achieve objectives.
Value Achieved:
Patient care and billing both improved
Sensitive data now protected
Regulatory documentation and procedures in place for audits

Business Challenge
With more than 2,600 employees and almost 400 practicing physicians, this organization,
a non-profit, multi-network health care system with several hospitals, medical
centers, and clinics, must provide patient care information at any time and at almost
any location, without infringing patient privacy regulations. It must also pass audits
that monitor compliance with the Health Insurance Portability and Accountability
Act (HIPAA).

Strategy
One of the key strategies this organization employed was making access to information
via e-mail ubiquitous across its delivery network to improve patient care. However,
it also had to adhere to HIPAA's regulations and mandates governing access
to patient data.
The organization had already invested in a multi-ringed, zoned defensive system for its
networks. Now, it's implementing role-based access controls to assist with its efforts
at making information more accessible according to job function.
To accommodate information access from any location, the company decided to use
e-mail. The controls required for HIPAA compliance, as applied to e-mail, meant the
organization had to make improvements to protect patient data.
As part of this effort, the organization had to develop data classification standards that
included data covered by the HIPAA regulations and data the organization considered
sensitive. In addition, the organization implemented a formal review process to manage
business, regulatory, and technology risks. To protect sensitive data, the organization
selected solutions from CertifiedMail to implement secure e-mail to protect patient data
and internal data, improve patient care delivery, and comply with HIPAA.

Deployment Experience
The CertifiedMail solution is being used to protect patient information and records
transmitted by e-mail. In addition, it covers billing and invoicing. Further, the
organization is using CertifiedMail solutions to transmit what it considers sensitive
non-patient data via e-mail.

Results
The CertifiedMail deployment has gone smoothly. The only areas that required a little
additional work were employee training and awareness covering sensitive data and use of
the solution. The results have improved patient care delivery services and billing, and
have delivered the necessary documentation for HIPAA audits.

Lessons Learned
The technology involved in security is the easy part. The difficult part is anticipating the
range of behavior to design and deliver employee training and awareness programs. This
site recommends keeping training programs simple, with as many analogues to everyday
life experiences as possible. It also recommends focusing risk analysis on the business
impact, especially the specific business risks the organization faces. Further, the site
recommends staying ahead of the curve on knowledge and data, including new security
threats, new techniques, and new methods of governance for the security program.

Future Outlook
This site is using performance metrics to drive improved security results, and plans to
add metrics during the coming year that would cover business processes and performance
results. It also plans to improve some risk management methodologies to ensure a clear
linkage between business and technology risk.

Aberdeen Conclusions
The performance results of this company qualify it to be in our list of best practice
organizations. For example, over a five-year span, there was only one significant security
incident that caused a reduction in business operations. This was caused by an Internet
worm that a portable device introduced to the internal network. Fortunately, this incident
was quickly contained before becoming widespread due to a quick reaction from the IT
staff and some enterprise network controls. The use of secure e-mail, although a small
contribution to the overall security program, has resulted in large business and
compliance improvements.

Health Care Organization Improves Information Access while Complying with HIPAA Mandates

Company Name: Health care organization
Solution Provider: Avatier, Microsoft
Business Challenge:
Accelerate information access to improve patient delivery services
Avoid HIPAA audit deficiencies and remediation cycles
Strategy:
Start simple, with minor changes geared toward user self-service
Evolve towards a fully-featured role-based information access system
Values Achieved:
Improved patient delivery services
Ready access to information needed to deliver health care services
Clean bill-of-health for HIPAA compliance

Business Challenge
This non-profit, multi-hospital health care organization requires quick access to health
care data for authorized personnel from almost any location and device. At the
same time, it must abide by the mandates of the Health Insurance Portability and
Accountability Act (HIPAA). Both spell challenges for the IT organization.
This is a far-flung organization, operating several health care facilities while
delivering care through outpatient centers, home health care services and fitness centers,
and employing more than 7,000 people. Many of the physicians in the system operate their
own practices and have privileges to practice at one or more of the organization's
facilities.
The organization is an early adopter of clinical and digital technology as well as
Six Sigma process improvement practices adapted for health care delivery.

Strategy
The medical delivery, executive and IT teams at this health care organization decided
that the optimal strategy was to adopt a self-service approach that would enable
participants, from patients to delivery personnel, to acquire access to data and IT
resources based on pre-defined roles and functions.
The focus on self-service was driven by the need to make information easy to access,
while being constrained by the limits imposed by the organization's own standards and
regulatory requirements.

Solution Deployment Experience
To meet its objectives, this organization chose to implement identity management
solutions from Avatier, along with support from Microsoft for its Active Directory solution.
The initial deployments of the Avatier solutions consisted of software for managing
self-service password resets and password synchronization. Additional software has since
been rolled out and covers the entire organization, from patient delivery to non-patient
delivery functions such as finance, purchasing, and human resources.
Integrated with Active Directory, the combination has made it possible for this
organization to automate access to applications, information, and other IT resources while
granting particular access by job functions and in compliance with HIPAA mandates.

Results
To date, the organization has experienced three major benefits from this deployment: (1)
reduced health-care delivery costs, (2) improved access to information and data, and (3)
improved security controls that also comply with HIPAA mandates.
The integration with Active Directory has enabled this organization to make access to
information more seamless, making the job of health care delivery easier.

Lessons Learned
One of the lessons the organization learned is to not underestimate user training
requirements. Despite delivering training, notifications, and more training, the IT
organization still finds itself in the business of holding hands for people who are being
forced to change old habits regarding how they interact with computer systems. The problem
that must be factored in, according to these IT decision-makers: human nature. And the
recommendation: Plan to deal with it.
The biggest problem this organization ran into was inadequate testing of older
applications that would not run on the latest version of Windows XP. Despite XP's
compatibility mode capabilities, some of the older programs wrote directly to memory
locations and drivers that - for reliability and security reasons - are no longer supported
in the newer Windows XP environment. The incompatible software caused delays in schedules
until the organization received replacement software. Although this delayed project
schedules, the improved stability and security of XP were the reasons the organization made
the transition. As with many IT projects, this organization learned that unexpected problems
can - and do - impact project schedules.

Future Outlook
This organization is rolling out additional capabilities from Avatier, including single
sign-on, user provisioning and de-provisioning, and user administration capabilities to
improve customer service through access to information.

Aberdeen Conclusions
This organization is converting lessons from Six Sigma to the delivery of health care
services because access to information is critical to improving patient results while
reducing delivery costs. As a result, the organization is dramatically altering its security
approach to service the needs of organizational missions while meeting and exceeding
regulatory mandates.

Automating Access Helps Pharmaceutical Company with Business and Compliance

Company Name: Pharmaceutical company
Solution Provider: Avatier
Business Challenge: Shorten business cycles where possible, keep constituents and data
separated where required, avoid litigation, and manage business and technology risk in a
highly competitive industry.
Strategy: Accelerate access to information across the company's value chain.
Value Achieved:
Some business cycles shortened
Regulatory reviews are much faster due to system use
Additional benefits expected as the solution goes global

Business Challenge
This firm, one of the larger pharmaceutical companies, operates globally in more than
100 countries. It has more than 50,000 employees and maintains manufacturing operations
in more than 15 countries.
The company must constantly keep its research and development engines humming
to bring new products to a very competitive market. Part of the company's success
resides in its research and development, and global sourcing and manufacturing
capabilities. Another reason for its success is its ability to continually reduce the
business cycle, which is often elongated due to drug testing and regulatory requirements.

Strategy
To reduce its business cycles, keep its development pipeline filled, better manage its
global supply chain and improve business performance, this company decided it had
to accelerate the flow of information between its own operations and external functions
that influence its business cycles.
Having already invested significantly in its network and infrastructure security
programs, the company decided to improve user access to information while reducing
the related risks. For these reasons, the company selected Avatier as its
implementation partner.

Deployment Experience
The company deployed the Avatier solution to improve user access to information while
reducing the costs of delivering the required support services. In addition, the company
decided to employ the solution to authenticate end users to help desk personnel who
deliver support services. Access to the company's SAP systems with the use of Active
Directory and the Avatier solutions has been complemented with password management
features that allow users to self-subscribe, enroll, and change their profiles within
constraints mapped to authoritative data governing employees' job functions.

Results
The company has seen an increase in self-service password resets being performed by
users while the number of calls to the help desk has dropped. The drop in call volume has
enabled help desk personnel to focus on more pressing service level delivery issues.
Although the company has seen a strong correlation between higher service delivery-level
times before using the Avatier solution, and lower service level delivery times after
deploying the Avatier solution, these have not yet been quantified.
The company believes there is better information access to decision-making employees
in the operating divisions where the solutions have been deployed, better management of
supply sources, and shorter development and manufacturing cycles, thus reducing business
cycle times. Also, the company has been able to demonstrate improved security in
self-service password changes, which aids regulatory compliance audits.

Lessons Learned
Some of this firm's IT resources and functions are outsourced, prompting a need to
resolve complications between the kind of data available to these external providers, access
privileges these suppliers need to do their work, and a careful review of the company's
standards and regulatory requirements. In addition, the company has learned that solid
procedures are critical to security performance results. Although procedures are more
than adequate in the manufacturing divisions, they're less so in other parts of the
company. As part of further improvement efforts, the company is realigning technology staff
in other business divisions to approximate the performance results being achieved in the
divisions that have deployed the Avatier solutions.

Future Outlook
The firm plans to complete the global rollout of the Avatier solution to drive further
improvement. However, a short-term decision to outsource solution support to an
outsourced help desk might result in longer project schedules unless the company is careful
to institute formal reporting metrics from its outsourcing partner, and train appropriate
staff in using them.

Aberdeen Conclusions
This is one of the top-tier companies in the pharmaceuticals industry, and its use of the
Avatier solution demonstrates the business value of accelerating information flow,
improving security, and demonstrating audit compliance in a highly regulated business
environment.

Featured Sponsors

IP Locks, Inc. protects business continuity, safeguards company brand reputation and
eases the pain of corporate governance by securing critical information assets from
negligent and malicious acts. The IP Locks Information Risk Management Platform alerts
management to information risks from security and business policy violations, attacks on
data, compromised structural integrity and information theft, which other security
solutions fail to detect. IP Locks secures business-critical data for financial services,
telecommunications, media services, health care, public utilities, and other industries.
Founded in 2002, IP Locks is a privately held global corporation with customers
throughout North America, Asia Pacific, South America, and Europe.

BMC Software, Inc. [NYSE:BMC], is a leading provider of enterprise management solutions
that empower companies to manage their IT infrastructures from a business perspective.
Delivering Business Service Management, BMC Software solutions span enterprise
systems, applications, databases and service management. BMC Software's Identity
Management Suite provides hundreds of enterprises a proven solution that adapts to
processes around alignment of identities and access requirements. It offers capabilities in
the following key areas: Directory Management and Visualization, Access Management,
Password Management, User Administration & Provisioning, Audit & Compliance Management.
Founded in 1980, BMC Software has offices worldwide and fiscal 2004 revenues
of more than $1.4 billion.
For more information about BMC Software, visit www.bmc.com.

Sponsor Directory

IPLocks, Inc.
441-A West Trimble Road
San Jose, CA 95131
USA
408-383-1037
www.iplocks.com
info@iplocks.com

BMC Software, Inc.
2101 CityWest Blvd.
Houston, TX 77042
713-918-8800
www.bmc.com

Author Profile

Jim Hurley, Vice President, Research
Security, Compliance and Risk Management
AberdeenGroup, Inc.
Jim Hurley is vice president of research with a focus on security, compliance, information
and risk management at Aberdeen. In this role, Jim conducts research, analysis, and
assessment of business performance results and enabling technologies.
His recent research includes studies on Sarbanes-Oxley compliance, spending and
performance results of security programs, the business impact of Internet business
disruptions, and performance results for automating access to business information. Current
research efforts include best practices for compliance, data privacy and protection, and
solution supplier source selection criteria.

Appendix A:
Research Methodology

Primary quantitative research that contributed to this research report includes
benchmark research programs conducted with more than 500 qualified respondents,
along with more than 100 in-depth interviews.
Further research was conducted with more than 200 companies known to be operating at
best-in-class levels by Aberdeen. Subsequent blind interviews were conducted with more
than 70 respondents to determine qualification status based on performance results.
These resulted in more than 50 additional in-depth interviews to cover detailed best
practices. Of the 50 sites interviewed in-depth, those featured in this report were selected
based on their metrics and practices.
Solution providers recognized as sponsors of this report were solicited after the fact
and had no influence on the research methodology, the research interviews, or the
content of the Best Practices in Security reports. Their sponsorship has made it possible
for AberdeenGroup to make this report available to readers at no charge.

Table 5: PACE Framework

PACE Key

Aberdeen applies a methodology to benchmark research that evaluates the business pressures, actions,
capabilities, and enablers (PACE) that indicate corporate behavior in specific business processes. These
terms are defined as follows:
Pressures - external forces that impact an organization's market position, competitiveness,
or business operations (e.g., economic, political and regulatory, technology, changing
customer preferences, competitive)
Actions - the strategic approaches that an organization takes in response to industry
pressures (e.g., align the corporate business model to leverage industry opportunities,
such as product/service strategy, target markets, financial strategy, go-to-market, and
sales strategy)
Capabilities - the business process competencies required to execute corporate strategy
(e.g., skilled people, brand, market positioning, viable products/services, ecosystem
partners, financing)
Enablers - the key functionality of technology solutions required to support the
organization's enabling business practices (e.g., development platform, applications,
network connectivity, user interface, training and support, partner interfaces, data
cleansing, and management)

Source: AberdeenGroup, June 2005

Table 6: PACE and Competitive Framework Interaction

PACE and Competitive Framework: How They Interact


Aberdeen research indicates that companies that identify the most impactful pressures and take the most
transformational and effective actions are most likely to achieve superior performance. The level of
competitive performance a company achieves is strongly determined by the PACE choices it makes and how
well it executes.

Source: AberdeenGroup, June 2005


Appendix B: Related Aberdeen Research & Tools

Some of the related Aberdeen research that forms a companion or reference to this report
includes:
SOX Compliance and Automation Benchmark (March 2005)
Security Spend Management Benchmark (December 2004)
Automating Information Access Benchmark (September 2004)
The Value of User Provisioning for SOX Compliance (February 2005)
Actions for Improving Security (February 2005)
Choosing Business Information Performance Objectives Carefully (November, 2004)
Information on these and other Aberdeen publications can be found at
www.aberdeen.com.


About AberdeenGroup

Our Mission
To be the trusted advisor and business value research destination of choice for the Global
Business Executive.

Our Approach
Aberdeen delivers unbiased, primary research that helps enterprises derive tangible
business value from technology-enabled solutions. Through continuous benchmarking and
analysis of value chain practices, Aberdeen offers a unique mix of research, tools, and
services to help Global Business Executives accomplish the following:
IMPROVE the financial and competitive position of their business now
PRIORITIZE operational improvement areas to drive immediate, tangible value to their business
LEVERAGE information technology for tangible business value.
Aberdeen also offers selected solution providers fact-based tools and services to
empower and equip them to accomplish the following:
CREATE DEMAND, by reaching the right level of executives in companies where their solutions can deliver differentiated results
ACCELERATE SALES, by accessing executive decision-makers who need a solution and arming the sales team with fact-based differentiation around business impact
EXPAND CUSTOMERS, by fortifying their value proposition with independent fact-based research and demonstrating installed base proof points

Our History of Integrity


Aberdeen was founded in 1988 to conduct fact-based, unbiased research that delivers
tangible value to executives trying to advance their businesses with technology-enabled
solutions.
Aberdeen's integrity has always been and always will be beyond reproach. We provide
independent research and analysis of the dynamics underlying specific
technology-enabled business strategies, market trends, and technology solutions. While
some reports or portions of reports may be underwritten by corporate sponsors, Aberdeen's
research findings are never influenced by any of these sponsors.


AberdeenGroup, Inc.
260 Franklin Street
Boston, Massachusetts
02110-3112
USA
Telephone: 617 723 7890
Fax: 617 723 7897
www.aberdeen.com

Founded in 1988, AberdeenGroup is the technology-driven research destination of choice
for the global business executive. AberdeenGroup has over 100,000 research members in
over 36 countries around the world that both participate in and direct the most
comprehensive technology-driven value chain research in the market. Through its continued
fact-based research, benchmarking, and actionable analysis, AberdeenGroup offers global
business and technology executives a unique mix of actionable research, KPIs, tools,
and services.

2005 AberdeenGroup, Inc.
All rights reserved
June 2005
The information contained in this publication has been obtained from sources Aberdeen believes to be reliable, but
is not guaranteed by Aberdeen. Aberdeen publications reflect the analyst's judgment at the time and are subject to
change without notice.
The trademarks and registered trademarks of the corporations mentioned in this publication are the property of their
respective holders.
THIS DOCUMENT IS FOR ELECTRONIC DELIVERY ONLY
The following acts are strictly prohibited:
Reproduction for Sale
Posting on a Web Site
Transmittal via the Internet
Copyright 2005 Aberdeen Group, Inc. Boston, Massachusetts

Terms and Conditions


Upon receipt of this electronic report, it is understood that the user will and must fully comply with the
terms of purchase as stipulated in the Purchase Agreement signed by the user or by an authorized
representative of the user's organization.

This publication is protected by United States copyright laws and international treaties. Unless otherwise
noted in the Purchase Agreement, the entire contents of this publication are copyrighted by Aberdeen
Group, Inc., and may not be reproduced, stored in another retrieval system, posted on a Web site, or
transmitted in any form or by any means without prior written consent of the publisher. Unauthorized
reproduction or distribution of this publication, or any portion of it, may result in severe civil and criminal
penalties, and will be prosecuted to the maximum extent necessary to protect the rights of the publisher.

The trademarks and registered trademarks of the corporations mentioned in this publication are the
property of their respective holders.

All information contained in this report is current as of publication date. Information contained in this
publication has been obtained from sources Aberdeen believes to be reliable, but is not warranted by the
publisher. Opinions reflect judgment at the time of publication and are subject to change without notice.
