MemoTrade Secrets and Financial Security - Essay Example

Eze, CISO Joan Sutherland, COO Re: Digital investigations Ms. Sutherland, I understand your concern about trade secrets and financial security. I would like to address each of these issues separately, as they relate to security and monitoring of our computer systems. I will make recommendations for each issue and explain how they can be dealt with in our organization. First, when it comes to the company books, our CFO has agreed to provide information regarding accounts and financial transactions any time, upon request by you, as COO and the outside auditors we have contracted. In fact, CFO files are backed up daily and sent to our auditors, per recommendations by the auditors themselves and governmental standards. The U.S. GAO(General Accounting Office) researched the procedures of 14 Fortune 1,000 companies, and found that most have procedures in place to identify and handle violations of their company computer-use policies. “These companies reported they collect this information to create duplicate or back-up files in case of system disruptions; to manage computer resources such; and to hold employees accountable for company policies”(GAO, 2002). Further, we advise all employees and officers that, in the even we receive information regarding our policy violation, their respective electronic transactions are subject to being read and reviewed. This policy covers use of offensive or disruptive language, visiting of offensive websites, improper handling or protection of corporate information and client files and doctoring or altering of corporate files. Altering of financial data is included in this policy as well. We have taken several steps to reduce the risk of trade secrets and other private company information from reaching competitors as well. First, the most sensitive information regarding corporate and client financial information is limited in access, to only those employees who need to information to perform their jobs. Our department has a list of the various levels of access assigned to each employee. Within our department, myself and one technical manager on each shift has access to the highest level access. To keep passwords from accidentally falling into the wrong hands, we also assign new passwords to those with the highest level of access every month. They are sent via email from within our corporate intranet. In addition, those with the highest level of access are only able to log on to the intranet, which is the only method of accessing financial data. We do not generally allow those with the highest access to take corporate computers or laptops offsite, though we make exceptions in very rare cases, such as meetings with auditors or legal advisors. I believe that the measures we have taken will ensure a greater security of our corporate trade secrets and/or financial information. Such steps should also help ensure the integrity of the financial data as well. As we encourage any suspicious activity to be reported, we encourage you to speak to either myself or one of the shift managers, should you ever have the need. We encourage you to also come to us with any rumors or suspicions that your employees may come to you with. Typically such allegations are unfounded, thought it pays to be cautious. I thank you for your concern regarding these issues. I can see that you take corporate security and integrity as serious as we do, and it is greatly appreciated by all stakeholders, including officers, board of directors, auditors and investors alike. Sincerely, Eze, CISO From: Eze, CISO To: Gustav Mahler, CEO Re: Privacy rights at work Mr. Mahler, I can understand the interpretation of the new company equipment policy as an intrusion on the privacy of our senior members. I would like to take this opportunity to explain the rationale behind the proposed policies. First, in light of the many corporate scandals and corruption that has taken place within Many global and national corporations, we must ensure that our stakeholders are protected from and ensured that we do not operate in a manner that is construed as dishonest or corrupt. Corporate corruption can be described as anything from treating clients to lavish vacations, nights at strip clubs, altering financial statements and many more activities. stakeholders, including investors, are watching the corporate environment very closely, in light of the many recent corporate scandals. I am sure our senior officers would rather present a squeaky clean reputation to its stakeholders and the business community, than have suspicions or questions of any type of corruption surface. The best way to do this is to develop strict corporate policies regarding use of business equipment as strictly for business. While it is not the intention of the IT department to dictate how our senior corporate officers conduct their daily business, we want to work within the current guidelines set forth by government and corporate standards. With many middle managers, corporate officers and financial personnel on the alert, the policies have been designed to put everyone’s minds at ease. They are designed to give the corporation the confidence to operate as one of the nation’s “shining stars” when it comes to corporate ethics. The IT department does not want to dictate what an officer does in his or her own time, or what outside interests and hobbies they should have. The policies are proposed to protect corporate and client information, as well as protect the corporate image and prevent suspicion. A quick glance at an officer’s desktop, which contains some sort of pornographic material or images may inadvertently offend a long standing client, who may, in turn, spread the word that our corporation is less than sensitive to its clients. As for hacking software, much of it requires disabling corporate firewalls and other forms of data security. It makes the job of the IT department very difficult, in terms of protecting corporate data, including financial information. Such actions also reflect a Certain corporate culture, or message that senior employees may send to junior employees, regarding professional behavior. Many companies expect top level executives to behave as lower level employees do, with respect to professional behavior and corporate information. This sets a more uniform example and reduces the risks of junior level employees behaving in a manner that puts corporate data at risk. The federal General Accounting Office has conducted studies of the top 1,000 corporations, and published its findings, with respect to corporate security and policies. Many companies, including some of our competitors adhere to strict policies regarding corporate computers and limitations on accessibility. “Most of the 14 companies reported various types of actions that could be taken against employees for inappropriate use of computer resources” (GAO, 2002). The proposed policies are not meant as a dictate to senior employees, as to how they should conduct their business. They are meant as a set of standards recommended by The government and that many of our competitors adhere to already. I am sure that our senior employees want the corporate image to remain squeaky clean, as opposed to enjoying a bit more freedom and latitude in regard to computer use and security. If needed, I can arrange a more thorough presentation for our senior employees and officers, if they request. Please know that I am looking out for the best interest of the corporation, as IT manager. My main goal is to maintain and preserve corporate security and integrity. Sincerely, Eze, CISO From: Eze, CISO To: Bela Bartok Re: Legal requirements for effective security Mr. Bartok, It was a pleasure giving the presentation at the retreat. I made the statement because I wanted everyone to be aware of the strict security requirements that our institution faces. We must develop information security policies that take into account local, state and federal guidelines set forth by all governing bodies, that all health care institutions must now answer to. Most laws cover the security of patient information in regard to treatment and health information. Many also cover private information such as payment and credit card information, as well as more basic contact information like addresses and phone numbers. Federal HIPPA laws define confidential information as “All personally identifiable information and material about a recipient in any form or medium, and the information that an individual is or is not receiving services” (CMHPSM, 2006). State and local laws are also making the sharing of patient or client information stricter, with respect to who should have access to such information and when. For instance, a board member does not necessarily need access to patient information, unless that member is part of a review board examining a complaint or policy regarding that particular patient. A health care staff member who is not treating or who will not come in contact with a specific patient should not have access to any patient record, only those which are receiving care from that provider. To ensure that all staff members are in compliance with laws at each level, our organization should maintain current and updated information regarding changes in Laws, with respect to patient or client information. Such laws should be taken into account when our privacy policies are developed. This includes restricted access to only those employees who need relevant information to provide patient care or perform their duties. This is why IT departments in health care facilities such as ours must stay current with all applicable law. We must not only limit access to employees who need information, we are required to ensure that all employees are provided training and written notification of our policies. This is why we must conduct periodic employee seminars or training. Each employee who goes through our training must sign a confidentiality agreement, which states they understand their responsibilities in handling patient information and agree to adhere to our policies. Most employees understand the need for privacy policies and welcome them. By using local, state and federal privacy laws as guidelines, we are not only ensuring that our organization is abiding by all mandates, but also creating a trust with our patients as well, who expect a certain level of privacy, regarding the personal and health information. Our department has worked with the corporate legal department, to gain a thorough understanding of how we can keep our system in compliance with all regulations. We are committed to protecting patient data by designing our system intranet with many security features. Feel free to contact me if you desire a more thorough understanding of how our network Security has been implemented, or with any other questions regarding the security of the patient information. Sincerely, Eze, CISO From: Eze, CISO To: Antonio Vivaldi, Director of Human Resources Re: Company support for security certifications Mr. Vivaldi, I understand your concern regarding the costs for our IT department certification expenses and travel. In the past, corporations have valued IT employees with vendor-specific certifications, such as Microsoft, as they an indication that the employee has a greater understanding of the multitude of Microsoft products that many businesses use. However, just having those certifications today is no longer enough for IT staff. I would like to provide you with specific examples, so that you may have a better understanding of the level of knowledge and skill that IT employees must now possess. CISSP certification indicates competency in ten areas of system security and is globally accepted. It is generally recommended for top level security managers and CISOs, such as myself, who are mid-level and senior-level security offers. It provides “security professionals with not only an objective measure of competence but a globally recognized standard of achievement” (isc2.org). This allows our global clients to feel more confident about the security of their personal account information and other data which we may need to access or incorporate into our system. CISA, or Certified Information Systems Auditor designation indicates that the IT professional is knowledgeable in IT audit procedures. Not only is the IT professional knowledgeable, but the CISA professional is familiar with universally accepted practices in security and system audit. Again, this is beneficial to our organization when we may work closely with the security systems of our clients or partners. We are better able to communicate effectively and professionally with all associates. “Although certification may not be mandatory at this time, a growing number of organizations are recommending that employees become certified”(ISACA.org). In support of the ISSAP certification, it shows that the IT professional is knowledgeable in A variety of IT areas or specialties, that are critical to most corporate systems. The Certification covers the following: “Access Control Systems and Methodology, Cryptography, Physical Security Integration, Requirements Analysis and Security Standards, Guidelines, Criteria Technology Related Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) and Telecommunications and Network Security” (isc2.org). Integration of physical security may require the use of key cards, bar code ID badges or any number of devices, which may control access to our facilities or certain areas, using our system network, which is less costly than hiring physical security personnel, over time. The system also cannot be persuaded, with lack of human traits, to let an unauthorized employee or outsider to get by “just this once.” As we all know, many physical attacks or other types have been launched due to this type of experience. All it takes is one time. When you consider the abilities of our systems to be integrated with partners or clients, and possessing the know-how, with certification to back it up, it is clear the financial benefits to the organization, not only in maintaining current client relationships, but in securing new partners or accounts. Sincerely, Eze, CISO References Community Mental Health Partnership of Southern Michigan, 2006. Policy and Procedure. Accessed 18 Feb. 2008 from http://www.ewashtenaw.org/government/departments/cmhpsm/provider_information/provider_manual/provider_manual_chapter_1/Corporate%20Compliance%20Policy%20-%20Regional.pdf Government Accounting Office, 2002. Employee Privacy: Computer-Use Monitoring Practices and Policies of Selected Companies. GAO 02-717. isaca.org. Governance. Accessed 18 Feb. 2008 from http://www.isaca.org/Template.cfm. isc2.org. CISSP: The International Gold Standard. Accessed 18 Feb. 2008 from http://www.isc2.org/content.cgi.htm. Read More