News
Commentary
12/9/2003
12:13 PM
Commentary
Commentary
Commentary
Connect Directly
RSS
E-Mail
50%
50%

SmartAdvice: Measuring The ROI On IT Security

It's hard to quantify how much return your company gets on security when it's intangibles such as reputation and trust that are at stake, The Advisory Council says. Also, consider security issues related to implementing a single sign-on system, and what roles should be covered in a detailed disaster-recovery plan.

Topic B: What are some of the security issues related to implementing a single sign-on system using Novell SecureLogin?

Our advice: Single sign-on technology has been touted as the answer to the problem of proliferating accounts and the increased complexity of corporate organizations. Seen from this perspective, it can be an attractive proposition. But remember, it's still an emerging technology that can have far-reaching ramifications for your corporate computer security policies and architecture decisions. For this reason, it's important to separate the technology platform issues from the business reasons for wanting to move to a single sign-on platform. Of course, any prior investment in the Novell eDirectory technology should also be factored in.


Related Links

Single Network Identity: Holy Grail or Nightmare?

Implementing Strong Passwords In An NDS Environment

Go In-Depth With LDAP And Novell's eDirectory


In general, you can apply basic IT security common sense to Novell Nsure security issues. Nsure has a good reputation for being solid, reasonably secure software. Novell has built its business on delivering robust security for its client companies. However, it's important to remember that IT security is only as good as its weakest link.

Critical security success factors

  • Have a strong and enforceable IT security policy with executive support;


  • Insist that users conform to strong password policies and change passwords on a regular basis;


  • Enforce immediate removal of inactive and terminated accounts; and


  • Educate staff.

Single sign-on technology works best in two very different environments: large, "self managed" account sites; and very security-conscious sites. For example, universities, which have many constantly changing accounts, benefit more from the self-service model, since users are able to complete and submit required forms online, instead of having data-security and management teams take weeks to create manually generated user IDs and proper access. On the other hand, sites with very complex security needs can take advantage of the many, fine-grained policies built into Novell's product.

-- Beth Cohen

Topic C: What roles and responsibilities should be included in a detailed disaster-recovery plan?

Our advice: In any disaster-recovery plan, there should be a section detailing the explicit roles and responsibilities of all designated teams and individuals involved in the disaster-recovery effort. Specific individuals should be assigned to recovery teams on the basis of their expertise and knowledge. Many of these teams will of course be of a specialty nature (network, legal affairs, etc.). Yet exactly what specialty teams are created or used by a given firm will vary, based on the organization's structure and needs as well as on the IT systems deployed. The point here is that a disaster-recovery plan needs to discuss and address specific specialty teams, their make-up (i.e., the leader, the secondary leader, other members) and the roles of the team and of the individuals.

Related Links

Contingency Planning Guide for Information Technology Systems

DRJ's Sample DR Plans and Outlines

Disaster Recovery World



The team leader for each specialty team is responsible to upper management, and should serve as a liaison to other disaster-recovery specialty teams. The role of the team leader also includes disseminating information to his or her group, approving all decisions affecting the team, and leading the team's efforts. A backup team leader should be designated, in case the main team leader cannot fulfill his or her obligations. As mentioned above, individuals should be assigned to respective teams based on their skills and knowledge. Yet when doing so, care should be taken in not assigning a critical person to more than one team, to avoid overload or conflicts.

Of course, a management team will need to oversee all the respective specialty teams, so as to guide and support them. In addition, management should insure that no responsibility conflicts occur between teams. The most senior IT executive, usually the CIO within an organization, has the clear authority to activate the disaster-recovery plan and make cost decisions, coordinate overall efforts among departments, and be the overall management team leader. Ultimately, this senior IT executive, or CIO, would be responsible for all management and specialty teams in the disaster-recovery effort.

--Stephen Rood

Carlos Bravo, TAC Expert, has more than 15 years of experience at the senior officer management level (22 years' total business experience). He's a seasoned, former Fortune 500 senior executive, and founder and principal of multiple companies in the technology, manufacturing and services sectors. Experienced in all areas, from startup though management of thousands of employees and contractors, he has navigated through several mergers, acquisitions, and IPOs as principal. He is recognized as an industry expert in business-process reengineering and in large-scale systems integration for enterprisewide computing solutions.

Beth Cohen, TAC Thought Leader, has more than 20 years of experience building strong IT delivery organizations from both the user and vendor perspectives. Having worked as a technologist for BBN, the company that literally invented the Internet, she not only knows where technology is today but where it's heading in the future.

Stephen Rood, TAC Expert, has more than 24 years' experience in the IT field, specializing in developing and implementing strategic technology plans for organizations, as well as in senior project management and help-desk operations review. His consulting experience has included being the chief technology planner in designing and then implementing a state-of-the-art emergency 911 call center for the city of Newark, N.J., and managing technology refreshes for a major nonprofit entertainment organization and for a large, regional food broker. He is the author of the book, "Computer Hardware Maintenance: An IS/IT Manager's Guide," which presents a model for hardware maintenance cost containment. He is a senior consultant with Strategic Technology in Scarsdale, N.Y.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - September 10, 2014
A high-scale relational database? NoSQL database? Hadoop? Event-processing technology? When it comes to big data, one size doesn't fit all. Here's how to decide.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.