User Account

All Pages

Corporate network that concerns gene fredriksen

Assignment Help Management Theories
Reference no: EM131052521

CASE

I t's not what's coming into the corporate network that concerns Gene Fredriksen; it's what's going out. For the chief security officer at securities brokerage Raymond James Financial Inc. in St. Petersburg, Florida, leakage of sensitive customer data or proprietary information is the new priority. The problem isn't just content within e-mail messages, but the explosion of alternative communication mechanisms that employees are using, including instant messaging, blogs, FTP transfers, Web mail, and message boards. It's not enough to just monitor e-mail, Fredriksen says. "We have to evolve and change at the same pace as the business," he explains. "Things are coming much faster."

So Fredriksen is rolling out a network-based outbound content monitoring and control system. The software, from San Francisco-based Vontu Inc., sits on the network and monitors traffic in much the same way that a network-based intrusion-detection system would. Rather than focusing on inbound traffic, however, Vontu monitors the network activity that originates from Raymond James's 16,000 users. It examines the contents of each network packet in real time and issues alerts when policy violations are found. Network-based systems do more than just rule-based scanning for Social Security numbers and other easily identifiable content. They typically analyze sensitive documents and content types and generate a unique fingerprint for each. Administrators then establish policies that relate to that content, and the system uses linguistic analysis to identify sensitive data and enforce those policies as information moves across the corporate LAN. The systems can detect both complete documents and "derivative documents," such as an IM exchange in which a user has pasted a document fragment. When BCD Travel began to investigate what it would take to get Payment Card Industry (PCI) certification for handling customer credit card data, Brian Flynn, senior vice president of technology, realized that he didn't really know how his employees were handling such information. Not only could PCI certification be denied, but the travel agency's reputation and business could also be harmed.

At the National Football League's Houston Texans, IT Director Nick Ignatiev came to the same realization as he investigated PCI certification. In both cases, vendors they'd been working with suggested a new technology: outbound content management tools that look for proprietary information that might be leaving the company via e-mail, instant messaging, or other avenues. Flynn started to use Reconnex's iGuard network appliance, with vivid results. "It was a shock to see what was going out, and that gave us the insight to take action," he says. After Ignatiev examined his message flow using Palisade System's Packet Sure appliance, he too realized that his employees needed to do a better job protecting critical data, including customer credit cards, scouting reports, and team rosters. How does the technology work? Basically, the tools filter outgoing communication across a variety of channels, such as e-mail and IM, to identify sensitive information.

They're based on some of the same technologies-like pattern matching and contextual text search-that help antivirus and antispam tools block incoming threats. Tools typically come with basic patterns already defined for personally identifiable information, such as Social Security and credit card numbers, as well as templates for commonly private information, such as legal filings, personnel data, and product testing results. Companies typically look for three types of information using these tools, notes Paul Kocher, president of the Cryptography Research consultancy. The first, and easiest, type is personally identifiable information, such as Social Security numbers and credit card information. The second type is confidential company information, such as product specifications, payroll information, legal files, or supplier contracts.

Although this information is harder to identify, most tools can uncover patterns of language and presentation when given enough samples, Kocher notes. The third category is inappropriate use of company resources, such as potentially offensive communications involving race. The traditional security methods may restrict sensitive data to legitimate users, but Flynn and Ignatiev found that even legitimate users were putting the data, and their companies, at risk. At BCD Travel, a corporate travel service, nearly 80 percent of its 10,000 employees work in call centers and thus have legitimate access to sensitive customer information. BCD and the Texans did not find malicious activity; instead, they found people who were unaware of security risks, such as sending a customer's credit card number by e-mail to book a flight or room from a vendor that didn't have an online reservations system. Fidelity Bancshares Inc. in West Palm Beach, Florida, is using the message-blocking feature in Port Authority from Port Authority Technologies Inc. in Palo Alto, California. Outbound e-mail messages that contain Social Security numbers, account numbers, loan numbers, or other personal financial data are intercepted and returned to the user, along with instructions on how to send the e-mail securely. Joe Cormier, vice president of network services, says he also uses Port Authority to catch careless replies. Customers often send in questions and include their account information.

"The customer service rep would reply back without modifying the e-mail," he says. "The challenge with any system like this is they're only as valuable as the mitigation procedures you have on the back end," notes Fredriksen. Another key to success is educating users about monitoring to avoid "Big Brother" implications. "We are making sure that the users understand why we implement systems like this and what they're being used for, he says. Mark Rizzo, vice president of operations and platform engineering at Perpetual Entertainment Inc. in San Francisco, learned in a previous job the consequences of not protecting intellectual property. "I have been on the side of things disappearing and showing up at competitors," he says.

The start-up online game developer deployed Tablus's Content Alarm to remedy the problem. Rizzo uses it to look for suspicious activity, such as large files that are moving outside the corporate LAN. Now that the basic policies and rules have been set, the system doesn't require much ongoing maintenance, he says. Still, Rizzo doesn't use blocking because he would need to spend significant amounts of time to create more policies in order to avoid false positives. Although companies in highly regulated industries can justify investing in outbound content monitoring and blocking tools, other organizations may have to sharpen their pencils to justify the cost. These are very expensive solutions to deploy. Fredriksen, who built a system to support 16,000 users, says that for a setup with about 20,000 users, "you're in the $200,000 range, easily." With outbound content management tools, "you can build very sophisticated concept filters," says Cliff Shnier, vice president for the financial advisory and litigation practice at Aon Consulting. Typically, the tools come with templates for types of data that most enterprises want to filter, and they can analyze contents of servers and databases to derive filters for company-specific information, he says.

(Consulting firms can improve these filters using linguists and subject matter experts.) As any user of an anti-spam tool knows, no filter is perfect. "A big mistake is to have too much faith in the tools. They can't replace trust and education," says consultant Kocher. They also won't stop a determined thief, he says. Even when appropriately deployed, these tools don't create an ironclad perimeter around the enterprise. For example, they can't detect information that flows through Skype voice over IP (VoIP) service or SSL (Secure Sockets Layer) connections, Kocher notes. They can also flood logs with false positives, which makes it hard for IT security staff to identify real problems. That's why chief information officers should look at outbound content management as a supplemental tool to limit accidental or unknowing communication of sensitive data, not as the primary defense. Fredriksen says that although Vontu is important, it's still just one piece of a larger strategy that includes an overlapping set of controls that Raymond James uses to combat insider threats. "This augments the intrusion-detection and firewall systems we have that control and block specific ports," he says. "It's just a piece. It's not the Holy Grail."

CASE STUDY QUESTIONS

1. Barring illegal activities, why do you think that employees in the organizations featured in the case do not realize themselves the dangers of loosely managing proprietary and sensitive information? Would you have thought of these issues?

2. How should organizations strike the right balance between monitoring and invading their employees' privacy, even if it would be legal for them to do so? Why is it important that companies achieve this balance? What would be the consequences of being too biased to one side?

3. The IT executives in the case all note that outbound monitoring and management technologies are only part of an overall strategy, and not their primary defense. What should be the other components of this strategy? How much weight would you give to human and technological factors? Why?

Reference no: EM131052521

Questions Cloud

Statements regarding universal life insurance : Which of the following statements regarding universal life insurance is not true?
Develop a new marketing plan : You have been hired by a university to develop a new marketing plan that includes not only the key elements of the marketing mix, but also how you would implement them. You are asked to present your 1-2 page Executive Summary
Describes how you would lead the organization : Discuss how you as a leader would direct this organization through the changes that are necessary for its survival.
Treating risk-risk control and risk financing differ : How do the two basic methods of treating risk-risk control and risk financing differ? Why is risk avoidance not a practical solution to many risks? Why might inadequate planning cause a client to retain pure risk?
Corporate network that concerns gene fredriksen : I t's not what's coming into the corporate network that concerns Gene Fredriksen; it's what's going out. For the chief security officer at securities brokerage Raymond James Financial Inc. in St. Petersburg, Florida, leakage of sensitive customer ..
Assignment-external environmental scan : In order to develop effective strategies, it is critical to understand the marketplace environment. In this assignment, you will explore the relationship between marketplace positioning based on environmental factors.
The policy holder with the highest-risk tolerance : Which of the following is the policy holder with the highest-risk tolerance?
Write a paper about art tom brenner stoop pastel on paper : Write a paper about art Tom Brenner Stoop Pastel on paper. What era of Art History does your artwork belong to? INTRO: one paragraph
High degree of trust-commitment : I was in an organization that had a high degree of trust, commitment, and effort in stilled into everyone that worked there.  I was in the United States Marine Crops where every Marine is instill with a core set of values to fallow while doing the..

Reviews

Write a Review

Management Theories Questions & Answers

  Do you believe that walgreen first decision was ethical

While the debate over corporations moving offshore is political, there were clear business advantages. Do you believe that Walgreen's first decision was ethical? Why do you think Walgreen's management reverse course

  Provide the incident response plan

The _____ should provide the incident response plan as its first deliverable. Confidentiality, integrity, and availability reflect upon the relative _____ of an information system

  Provide an anaylysis of gap''s leadership style

1.Provide an anaylysis of Gap's Leadership Style

  New technologies to keep the organization competitive

Select an organization. Who are the stakeholders of your selected organization? How would the stakeholders be affected by the failure of the organization to keep up with new technologies to keep the organization competitive?

  Innovation management dyesol

Innovation Management. Dyesol : Partnering to harness the power of the sun (Schilling, 2013, pp 151-153) 1. Discuss the advantages and disadvantages of collaborating with external partners.

  Doodling for dollars

The body of your paper shuld be a minimum of one page in length, not including the title and reference pages. While you are not required to use sources outside of your textbook, if you choose to use them, they must be cited and referenced appropriate..

  Explain why the focus group is being held

Explain why the focus group is being held

  Calculate the average time to produce a widge

calculate the average time to produce a widge, and the expected load in standard hours each month. What will be the required capacity for 90% utilization factor? Graph the results.

  What factors operate in the vdot''s general and specific

What factors operate in the VDOT's general and specific

  What are the responsibilities of top management

What are the responsibilities of top management.

  As the administrator of a local nursing home,

• As the administrator of a local nursing home, you have just received notification that the organization is being purchased by a national group. Because of new policies to be implemented, many of the residents will be displaced. To make the situatio..

  How can we spot and choose the right market segment

How can we spot and choose the right market segment

Free Assignment Quote

Assured A++ Grade

Get guaranteed satisfaction & time on delivery in every assignment order you paid with us! We ensure premium quality solution document along with free turntin report!

Submit Assignment

Academics

Major Subjects

Majors

Get In Touch

whatsapp: +1-415-670-9521

Phone: +1-415-670-9521

Email: [email protected]

TERMS & POLICIES

HELP & SUPPORT

All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd