SmartAdvice: Measuring The ROI On IT Security

It's hard to quantify how much return your company gets on security when it's intangibles such as reputation and trust that are at stake, The Advisory Council says. Also, consider security issues related to implementing a single sign-on system, and what roles should be covered in a detailed disaster-recovery plan.

InformationWeek Staff, Contributor

December 9, 2003


Topic B: What are some of the security issues related to implementing a single sign-on system using Novell SecureLogin?

Our advice: Single sign-on technology has been touted as the answer to the problem of proliferating accounts and the increased complexity of corporate organizations. Seen from this perspective, it can be an attractive proposition. But remember, it's still an emerging technology that can have far-reaching ramifications for your corporate computer security policies and architecture decisions. For this reason, it's important to separate the technology platform issues from the business reasons for wanting to move to a single sign-on platform. Of course, any prior investment in the Novell eDirectory technology should also be factored in.

In general, you can apply basic IT security common sense to Novell Nsure security issues. Nsure has a good reputation for being solid, reasonably secure software. Novell has built its business on delivering robust security for its client companies. However, it's important to remember that IT security is only as good as its weakest link.

Critical security success factors

  • Have a strong and enforceable IT security policy with executive support;

  • Insist that users conform to strong password policies and change passwords on a regular basis;

  • Enforce immediate removal of inactive and terminated accounts; and

  • Educate staff.

Single sign-on technology works best in two very different environments: large, "self-managed" account sites; and very security-conscious sites. For example, universities, which have many constantly changing accounts, benefit more from the self-service model, since users are able to complete and submit required forms online, instead of having data-security and management teams take weeks to create manually generated user IDs and proper access. On the other hand, sites with very complex security needs can take advantage of the many fine-grained policies built into Novell's product.

-- Beth Cohen

Topic C: What roles and responsibilities should be included in a detailed disaster-recovery plan?

Our advice: In any disaster-recovery plan, there should be a section detailing the explicit roles and responsibilities of all designated teams and individuals involved in the disaster-recovery effort. Specific individuals should be assigned to recovery teams on the basis of their expertise and knowledge. Many of these teams will of course be of a specialty nature (network, legal affairs, etc.). Yet exactly what specialty teams are created or used by a given firm will vary, based on the organization's structure and needs as well as on the IT systems deployed. The point here is that a disaster-recovery plan needs to discuss and address specific specialty teams, their make-up (i.e., the leader, the secondary leader, other members) and the roles of the team and of the individuals.

The team leader for each specialty team is responsible to upper management, and should serve as a liaison to other disaster-recovery specialty teams. The role of the team leader also includes disseminating information to his or her group, approving all decisions affecting the team, and leading the team's efforts. A backup team leader should be designated, in case the main team leader cannot fulfill his or her obligations. As mentioned above, individuals should be assigned to respective teams based on their skills and knowledge. Yet when doing so, care should be taken not to assign a critical person to more than one team, to avoid overload or conflicts.

Of course, a management team will need to oversee all the respective specialty teams, so as to guide and support them. In addition, management should ensure that no responsibility conflicts occur between teams. The most senior IT executive, usually the CIO within an organization, has the clear authority to activate the disaster-recovery plan and make cost decisions, coordinate overall efforts among departments, and be the overall management team leader. Ultimately, this senior IT executive, or CIO, would be responsible for all management and specialty teams in the disaster-recovery effort.

--Stephen Rood

Carlos Bravo, TAC Expert, has more than 15 years of experience at the senior officer management level (22 years' total business experience). He's a seasoned, former Fortune 500 senior executive, and founder and principal of multiple companies in the technology, manufacturing and services sectors. Experienced in all areas, from startup through management of thousands of employees and contractors, he has navigated through several mergers, acquisitions, and IPOs as principal. He is recognized as an industry expert in business-process reengineering and in large-scale systems integration for enterprisewide computing solutions.

Beth Cohen, TAC Thought Leader, has more than 20 years of experience building strong IT delivery organizations from both the user and vendor perspectives. Having worked as a technologist for BBN, the company that literally invented the Internet, she not only knows where technology is today but where it's heading in the future.

Stephen Rood, TAC Expert, has more than 24 years' experience in the IT field, specializing in developing and implementing strategic technology plans for organizations, as well as in senior project management and help-desk operations review. His consulting experience has included being the chief technology planner in designing and then implementing a state-of-the-art emergency 911 call center for the city of Newark, N.J., and managing technology refreshes for a major nonprofit entertainment organization and for a large, regional food broker. He is the author of the book, "Computer Hardware Maintenance: An IS/IT Manager's Guide," which presents a model for hardware maintenance cost containment. He is a senior consultant with Strategic Technology in Scarsdale, N.Y.
