
The Effective Manager - Assignment Example


Extract of sample "The Effective Manager"

Running Head: THE EFFECTIVE MANAGER

The Effective Manager
How Does Understanding Accounting and Financial Management Contribute to Effective Security Management

To evaluate how an understanding of accounting and financial management contributes to effective security management, one has to understand the whole process and implications of effective security management and its links to accounting and financial knowledge. Security policies are the foundation of effective security management. Without them, one cannot protect the company from possible lawsuits, lost revenue, and bad publicity, not to mention basic security attacks. InternetWeek conducted a survey in late 2000 that showed sixty-nine percent of managers expect security technology to have a high impact on their organization, yet only thirty-seven percent have written security policies. At the same time, seventy-five percent (up from 50 percent the previous year) reported downtime due to security breaches (McClure, 2003). Of those with written policies, most failed to adequately address security issues. When asked why they do not have policies, many answered that they do not like writing them or that they do not want to commit in writing to upholding and enforcing them.

Security management is not only technology specific; it is meant to do three things for a company:

1. Reduce or eliminate legal liability to employees and third parties
2. Protect confidential, proprietary information from theft, misuse, unauthorized disclosure, or modification
3. Prevent waste of company computing resources (Nichols, 2001)

Accounting, as the word implies, is a reckoning of the financial outcomes of an entity between those who control the employment of capital or assets and those who provide the capital or assets, so an understanding of accounting helps managers maintain effective security management.
Accounting reacts to the needs of business and follows developments in commercial activity. One main purpose of accounting is to fairly represent the financial results of an operation to the shareholders, who are the individual owners of a business entity. In simpler words, financial profit or loss is the revenue less the cost of goods sold, less the fixed or overhead costs, less interest, taxes, and an allowance for depreciation on fixed assets. Depreciation is keyed to a period of time that sufficiently reflects the useful life of the asset while it is under the stewardship, or control, of management. If an asset under the control of management is expected to have a useful life of twelve years, then it is usually written off, or depreciated, at 15 percent per year. Effective management is judged on its performance in generating a profit on an asset under its control for ten years before it has to be replaced, by charging management 15 percent of its value per year.

Because the computation of taxes follows the same general format as reporting profits, some feel that the pretax profit indicated in a financial report should be the same as the profit reported to the tax authority. In a few countries, such as Finland, Germany, Italy, Portugal, and Switzerland, this conclusion is correct. In most others, it is not. One reason for this is that the allowance for depreciation for reporting financial results may not be the same as the allowance for depreciation for filing a tax return. Whereas the purpose of financial reporting is to fairly represent the financial results of management's stewardship of the shareholders' assets, the purpose of filing a tax form is to calculate a liability. The depreciation plan selected for calculating taxes to be paid to a tax authority is the applicable schedule of depreciation decided on by the tax authority (Kathryn, 1998). The resulting profit is strictly for the computation of taxes, not for judging the performance of management in generating a profit on assets under its stewardship.

Accounting helps in effective security management, as extreme security measures are necessary only in extreme environments. Keep this in mind: the more extreme the policy, the higher the costs associated with its failure. Some people view security as a barrier to progress, one that makes things less efficient and provides zero benefit, and others think it provides essential protection. Security comforts the customers but annoys, or even enrages, the employees (Garfinkel, 2003).

The key to acceptance of and compliance with security policies is education. Nobody grows up focused on security; it is a learned behaviour. Educating employees on the need for security and keeping them involved in the policy-development process prevents them from finding ways to avoid policies and rendering them ineffective. Seminars and awareness campaigns work well to spread the word on the importance of security. Focus the campaign on such topics as password selection, screen locking, document labelling, and physical (door) security. Posters, e-mails, screensavers, and mouse pads printed with security tips and expectations help provide day-to-day reminders. Some companies even establish security incentive programs for their employees. One company I consulted for ran a password cracker on their passwords each month (McClure, 2003). The employees whose passwords could not be cracked by a two-day brute-force attack were given a prize, usually a free movie ticket or free lunch. Others play security-themed games or require employees to take annual security quizzes. The goal is to get the word out, engage the end users, and help them understand that security is a necessity and that it can provide a bit of fun.
Additionally, management buy-in is key to successfully implementing and enforcing effective security management. The organization's top management should set an example of how to follow the security policies. If they do not follow the rules, how does one expect to convince everyone else? One will never achieve 100 percent security, but one should always be in the process of refining the policies, adding new policies when necessary, and removing old ones when they become obsolete. Maintaining the relevance of the security policies is crucial. Many organizations write their policies, distribute a copy to their employees, and never touch the policies again. One cannot build and maintain effective security management that way.

The various roles that should be defined in the organization usually include those in human resources, accounting, marketing, development, quality assurance, system administration, and network administration, plus executives and contractors. Each group requires different access to resources to perform its job functions. Giving everyone the same access can ease administration, but it is poor security. So one needs to decide who can access each resource and what specific privileges they need. An understanding of accounting helps in deciding which group or groups get access to each resource and what access privileges their members are assigned. For instance, no one but system and network administrators should have root or administrator access to any system unless that permission is formally requested and approved by a member of management (Button, 2000). These accounts are highly privileged and should be adequately protected. As another example, only human resources personnel should have access to employee payroll records. One does not want people changing their salaries.
Security Audits

What does the company security audit report reveal? When was the last time an audit was conducted? Was one ever conducted? Now, not after the information systems or network are exploited and damaged, is the time to find out. Security audits entail an in-depth examination of the security management, policies, people, and procedures. Their purpose is to identify areas of weakness within the infrastructure and to provide recommendations for appropriate solutions. A successful audit can be achieved only with the complete cooperation of all parties involved. Most people greatly dislike audits and security assessments. For many, the fear of losing their jobs, or at a minimum looking bad in front of the boss, is what drives the feeling. An audit is important, though, to ensure that defined corporate security policies are being followed and enforced. How can you ensure the access control policies are effective unless an audit is performed to review them?

Security auditing consists of two basic functions. First, the audit ensures compliance with the company security policy. Second, an audit allows one to build an audit trail to track and record security events. The point of creating an audit trail is to easily identify and track actions attempting to circumvent policy. Audit trails, according to John Johnson, senior security analyst at NASA, must:

1. Be transparent to network users
2. Support all audit applications
3. Be complete and accurate in reconstructing network events
4. Protect against file manipulation by perpetrators

Events to audit include logon and logoff activities, attempts to conduct file manipulation, and attempts to change system or network privileges. Objects to audit include sensitive data, confidential areas of data, or groups of resources. Auditing on a per-object basis is an option, and some data might be so important that one wants to know, and have a record of, any time someone even tries to access it.
Each event should include the type or name of the event, the date and time of occurrence, whether or not it was successful, and any program names or filenames involved. Management is responsible for arranging and supporting the audit, as well as helping to prioritise events to review and maintain. Remember, as with security policies, audit trail configurations should be reviewed periodically. Additionally, audit logs must be properly secured to prevent unauthorized modification or deletion (Nichols, 2001).

An audit or assessment to reconstruct security-related events should have specific requirements and goals in reviewing how users perform daily compliance based on sound security policies. These goals, also developed by John Johnson, can include the following actions:

1. Determine any patterns of user access to specific objects or files on the network.
2. Evaluate any patterns of individual use.
3. Evaluate the performance level of various protection mechanisms on the network, especially their effectiveness.
4. Investigate any attempts, especially repeated attempts, by users to bypass the protection mechanisms on the network.
5. Determine the effectiveness of the audit or assessment to act as a deterrent against perpetrators' attempts to bypass any network-protection mechanisms.
6. Ensure that the auditor understands the network or system, including configuration and functionality.
7. Provide auditor verification of the phases of processing that a system must perform and the relationship between phases.
8. Provide auditor verification that network processes actually perform with expected results.

The Audit

When people hear the word "audit," they often picture Internal Revenue Service or financial auditors. Auditors who understand little about what those being questioned do in their work may ask the people being audited embarrassing, personal questions. The objective is to find some mistake or malicious act that has resulted in financial harm to the organization. If nothing is found, the auditor must not have been looking hard enough. To many people, security audits are not much different.

A successful audit consists of three aspects:

The plan: Ranging from a formal document to notes on the back of an envelope, the plan lists the aspects of the system one is going to evaluate and how one is going to evaluate them.
The tools: Tools can include notes, books, applications, public-domain security-checking programs, or commercial applications.
The knowledge: This refers to knowing how to interpret the results of the audit and what changes to make accordingly.

Privacy of data (user and system): What data can be read, and what can be written to?
Data integrity: What can change key data?
System availability: What can disable system access and resource use?
Change control: How are changes made?
Isolation: How can the system be accessed?
Physical security: Is the machine, network, or site physically secure?
Audit: How are changes tracked?
Accountability: Can the causes of problems be located?
Users: Can users be grouped? Are some rights universal? What users require elevated access? (Walsh, 2003)

Based on discussions on these topics, a more detailed plan can be developed. In these discussions, trade-offs are determined, priorities decided, and the overall installation considered. For instance, one could improve the physical security of the server room. One must weigh the risk of an internal attack against that of an external attack. Perhaps both security problems need to be fixed, or perhaps internal risks are less important. The result of this analysis is a firm set of goals, a way to judge the success of the audit and any resulting security improvements, and the knowledge of what kinds of tools are required to do the job.
Employees can assist in the auditing process by reporting to their company's information technology personnel or to their supervisors any system damage caused by unexplained spillages, missing files, the last logon time displayed incorrectly, changed passwords, phantom or unexplained logons, or unexplained changes in file protections. They also could report system anomalies such as mysterious system loading, missing listings, the addition or removal of unexplained software, accounting imbalances in financial data, or unexplained batch jobs. Make sure the communication system is easy to use and well known to all employees. Their vigilance and response are critical to maintaining effective security management.

A system can be physically secure, have all known patches installed, have an up-to-date and reasonably secure operating system, and be constantly monitored. But without a knowledgeable systems staff and knowledgeable users, the system's security will always be suspect. A clueless user could mail the password file to an outsider, simply because he didn't know it could do any harm. Similarly, users can import code that contains worms or viruses and cause problems. A systems staff needs knowledge, of course. But in this group, one must include everyone who knows the root or Administrator password. Security is a complex issue, so even if one is well versed in security procedures and knowledgeable about security holes, break-in methods, and tools, one still needs to keep learning.

Accounting is more than a way to organize financial figures. There is divergence and variety in the world's accounting systems and security systems because there is divergence and variety in the world's cultures. A manager who fails to appreciate this point may assume that the financial statements of a company operating in another region of the world are in accordance with the accounting system that one is familiar with, which is a dangerous assumption. Without appreciating these differences, a manager might misinterpret the security management system, and in so doing, distort one's evaluation of an overseas operation.

Beyond these skills is another realm of security existence. This one is born of experience, understanding of the environment, and a feeling for the users. At this level, one considers which problems to solve and which to leave alone based on context. If solving the problem will inconvenience users, the cost of someone exploiting the problem must be weighed against user time lost and the risk that users will implement a workaround if they are really put out (Button, 2000). By forcing users to change passwords every month, one might encourage them to write down the password on a note.

So it is now known that effective security management depends a lot on its audit, and accounting and financial knowledge will help one carry out the audit in a better manner. Hence the understanding of accounting and financial management contributes a lot to effective security management.

References

Andress, Amanda, (2003), Surviving Security: How to Integrate People, Process, and Technology, Auerbach Publications, Boca Raton, FL.
Button, Mark, and George, Bruce, (2000), Private Security, Leicester, Perpetuity Press.
Garfinkel, S., Spafford, G., and Schwartz, A., (2003), Practical Unix and Internet Security, O'Reilly & Associates.
Kathryn M. Bartol and David C. Martin, (1998), Management, 3rd Edition, Boston, Irwin McGraw Hill.
McClure, S., Scambray, J., and Kurtz, G., (2003), Hacking Exposed: Network Security Secrets & Solutions, McGraw-Hill Osborne.
Nichols, R. and Lekkas, P., (2001), Wireless Security: Models, Threats, and Solutions, McGraw-Hill Professional.
Walsh, James, (2003), Asset Protection & Security Management, 584 pages.
(“The Effective Manager Assignment Example | Topics and Well Written Essays - 2250 words”, n.d.)
Retrieved from https://studentshare.org/business/1499641-the-effective-manager
