Triware Networld Systems 

23 Years Of Around The Clock Superior Network Systems Service & Support!

 

Home
Solution
Technology
Service
Support
Client
Partner
Career
Events
News
   Back ] Up ] Next ]
 
   

 

The Security Framework for Information Technology

Most of the damage to Information Technology (IT) security is not from outside malicious attacks, but rather from simple mistakes, unintended or unauthorized actions of legitimate users and IT engineers who are either untrained in security and/or who misunderstood the instructions from the management.

The two major issues mentioned replay themselves daily in the IT world.  Part of the reason this is happening is a lack of common, proven practices and guidelines developed for IT professionals.  Unlike the legal, financial, and medical fields, the IT field is still somewhat in its infancy. It has yet to develop the kind of respect from the business community that legal, financial, and medical professionals enjoy, despite the fact that IT professionals are increasingly tasked to handle and protect the core values of the organization—data and information that legal, financial, medical professionals, and management depended on.

There is no question how important the IT department is for any organization.  So what are the issues when it comes to poor security in most IT operations? Here are the main issues that I see:

Management vs. System users vs. IT professionals

No one needs to tell a brain surgeon what procedures to follow to perform an operation.  No one tells a Certified Public Accountant (CPA) how to conduct an audit for financial matters, and no one needs to ask an attorney to maintain attorney-client confidentiality during a trial.  And yet, when it comes to IT security, management, system users, and IT professionals are often at odd as to what is the best course of action in response to a given security concern.  The three groups almost always have their own ideas of how the security should function, when sometimes at least one, or two, or all three groups do not understand each other.  Even worse still, sometimes they don’t understand the security issues involved or the remedies available.  Management usually understands the high-level issues; users generally want convenience; and IT of course wants to please the first two while still doing their job.  However, they all do not have a common framework to follow, and most do not have a common policy to follow.  To make matters worse, everyone believes their way is the best, regardless of the real over-riding issues.

Standards

There is a total lack of standards when it comes to IT security.  As mention above, all three stakeholders have their own ideas regarding what the standards are.  And the three groups may even change the standards from time to time in response to a given situation, even though next time around it could be different.  Things are done to solve an “urgent” issue with an intention to revisit the actions taken later, when the urgency is over.  We all know how that goes.

Complexity of the Information Technology

Supporting the current IT infrastructure is exponentially more difficult than it was ten years ago.  While supporting the hardware aspect of IT has gotten dramatically easier, supporting the rest of the IT infrastructure is much more difficult today than it was in the past.  Most management and system users do not appreciate how difficult is to keep the IT operation running smoothly.  Management as well as system users only see the front end of the IT system; it is all Windows, GUI, point and click—but at the back end, IT is facing increasingly complex configurations and environments to make everything work.  Nearly all Operating Systems and most applications today use different security standards.

Consistency

Until just a few years ago, there was not a concerted effort in the IT industry and among IT professionals to focus on security. Even most training focuses on a micro-level that is specific to the given products and at times, a given task.  Very few IT professionals have a comprehensive knowledge of all the levels of IT security necessary for them to be able to perform their job consistently, each and every time.  Without a high-level IT security framework and/or IT security policy, the security tasks will be performed by an individual IT professional based on his or her unique experience. The results are often mixed and may or may not even be desirable. At best, even if the security tasks are performed by the same individual, the results can be inconsistent.

Policy

Most of the organizations today either still do not have a well defined security policy or none is ever developed at all.  Where there is  a comprehensive security policy, it is not well communicated and /or enforced because it lacks high-level framework to guide it.  Very often the policies address security issues at a micro-level that are hard for management, system users, and IT professionals to understand or enforce consistently.  For the organization that has a well defined security policy, very often there is not a well trained team (a workable team has to be composed of all stakeholders) to enforce and fine-tune it, and over time the system breaks down.

Framework

For an IT security system to work, more needs to be done.  A well defined framework needs to be developed involving all stakeholders, and it needs to be self-tuning over time to be useful.  Almost all of the organizations today stop short of having a good framework to enforce and fine-tune the IT security system.  Most understand the need for a well defined security policy, but unfortunately, most stop there after they have developed one.

Below is a high-level view of the Security Framework™ developed by Triware Networld Systems:

Training

One major difference between traditional, well respected professionals such as Medical Doctors, CPAs, Attorneys and the IT practitioner is the IT practitioners’ lack of a structured approach to learning their trade.  There is not a well defined curriculum developed for people who intend to go into IT fields.  Most IT trainings are mainly focused on product-specific and commercial aspects of the subject matter, combining marketing and product promotion as part of the training.  Traditional curricula that produce the skills demanded of most computer programmers and engineers are not suitable for keeping up with today’s IT demands.

In conclusion, in order for any IT security system to work, a well defined, organization-wide security framework needs to be implemented that involves all stakeholders, and the framework needs to be part of the organization’s core operations—its DNA— at all levels of the organizational structure.

By Benson Yeung, Senior Partner

Benson Yeung Biography

Mr. Yeung has over two decades of IT architecture and security related experience, including extensive experience as an integrator and distributor of IT products and services. In 1991, Mr. Yeung founded Triware Networld Systems, a San Francisco Bay Area IT systems integrator, and in 2000, he founded Triware Networld Solutions, Inc., a San Francisco Bay Area solution provider for IT knowledge management.

Since 1991, Mr. Yeung has consulted on IT and business related issues to over 300 small, medium, and large organizations. He also contributes articles to the Loral Computer Special Interest Group, Microsoft Project, and Silicon Valley Computer Society monthly newsletter.

For more than two decades, Mr. Yeung has spent a significant amount of time in IT security fields including being a forensics investigator, auditor and has a deep understanding of the state of IT security issues and has developed frameworks and best practice methodologies for the field.

Mr. Yeung also works closely with various VC firms and startups in Silicon Valley as a Visionary, Strategist, Technology Advisor and Operations Consultant. Mr. Yeung has a B.S. in Computer Science from Arkansas State University. He is Microsoft Certified System Engineer & Certified Trainer.

Back to Top

Sign up for TNS News Letter

Information Request Form

Select the items that apply, and then let us know how to contact you.

Request a Senior Partner contact me
Request a Web Meeting and / or Web Demo
Subject
Name
Title
Company
Address
E-mail
Phone
Refresh >>
Enter code

Business Partners

   
     

© Copyrights Triware Networld Systems, L.L.C. ® 1991-2014