Information Technology Facility Security Management
Dave Carlson - February 16, 2008
Information technology (IT) is vital to the success of many of today’s organizations. Effective security systems support organizational goals and objectives. An IT facility manager must be concerned about both internal and external security threats to IT facilities. Internal security threats include disgruntled personnel and malicious software. External security threats include unauthorized network and remote access. This paper presents examples of damage caused by disgruntled employees ranging from public embarrassment of an organization to financial loss and life safety issues. Both people and computer code can threaten system security. The best line of defense comes from an organization’s trained employees. An organization must take every reasonable precaution to protect against threats to its IT facilities and to the continuation of the organization.
Information Technology Facility Security Management
Information technology (IT) is vital to the success of many of today’s organizations. An IT facility manager must be concerned about both internal and external security threats. Internal security threats include disgruntled personnel and malicious software. External security threats include unauthorized network and remote access.
Janczewski and Colarik (2005) recommended IT facility managers follow the systems approach to information security. It is important to consider the big picture and keep in mind overall organizational goals and objectives. The purpose of facility security is to “optimize the protection of the workplace from any form of attack, including those from cyber-warriors and cyber-terrorists” (Janczewski & Colarik, 2005, p. 175).
Two internal threats to IT facility security are disgruntled personnel (including rogue programmers) and malicious software (including computer viruses).
“People, without a doubt, are an organization’s greatest assets -- but also one of its greatest risks” (Layton, 2007, p. 62). An IT facility cannot operate without skilled personnel. To perform their jobs, some people (e.g., programmers and system administrators) frequently have unlimited access to specific systems.
A disgruntled employee with access to a system can be a security risk. A company in New York was forced to deal with an embarrassing and potentially costly incident when a disgruntled employee stole and released to the public confidential company restructuring plans (McCue, 2003). An architecture company lost $2.5 million worth of intellectual property when an angry employee erased seven years’ worth of drawings and blueprints (Fox News, 2008). A disgruntled employee of a communications system caused the company’s computer systems to shut down Internet and telecommunication services in three states, including access to 9-1-1 emergency services (Atlanta Business Chronicle, 2008).
A government contractor, with a top secret clearance, programmed malicious software code into Navy computers used for submarine navigation (McGlone, 2007). Rear Admiral Jeffrey L. Fowler described the incident as something significant that hindered “the ability of submarines to prevent collisions and could result in loss of life” (McGlone, 2007, ¶ 12). Fortunately, this problem only affected three of the five redundant systems designed to provide navigational support to submarines and the problem was resolved by the Navy rather quickly.
Unfortunately, most organizations do not have the resources of the U.S. Navy to detect and remove malicious software from their information systems. The threat of malicious software has spawned a $1.5 billion industry to protect organizations from viruses and other malicious code (Bidgoli, 2006). “Protection against viruses and other subversive software is essential for every organization” (Janczewski & Colarik, 2005, p. 179).
Even though there are numerous commercial solutions to protect systems from malicious software, the most important line of defense is to rely on the people who work in the organization. Bidgoli (2006) warned that “one of the most dangerous things that a user can do on a networked computer is download an unknown piece of software and execute it locally” (p. 345). Employees must be trained to follow accepted procedures to protect systems from malicious software—they are the organization’s best line of defense against malicious software.
Janczewski and Colarik (2005) offered several suggestions for protecting systems:
- Use software to automatically download and install current virus scanner definition files.
- Establish a clear policy on Internet use and downloading unauthorized software.
- Provide detailed instructions on how to handle file types downloaded from networks.
- Implement procedures to quarantine new files introduced into the network.
- Evaluate system input and output access requirements. Restrict where appropriate.
- Have clear procedures about what to do upon discovering unauthorized software.
Access to computer systems by external attackers may lead to the loss of data, defacement of the company’s Web site, or public release of sensitive customer data (Bidgoli, 2006). Bidgoli (2006) characterized external threats as “controllable, partially controllable, and uncontrollable” (p. 1041). By definition, there is nothing an organization can do to eliminate uncontrollable threats. However, the organization can implement business continuity plans to minimize the damage and maximize the ability to recover from such threats.
An organization must take every reasonable step to deal with threats it can control. Bidgoli (2006) maintained that the first step an organization should take to secure its computer systems is to generate backups of all data files and store the backups in a location away from the computer room. Additionally, Bidgoli (2006) recommended firewalls, access controls (both for personnel and digital entities), physical security, power backup, and encryption of data transmitted through external networks.
An IT facility manager is charged with the security of IT facilities. Threats to facilities can come from both internal and external sources. People and computer code can threaten system security. An organization must take every reasonable precaution to protect against threats to its IT facilities and to the continuation of the organization.
Atlanta Business Chronicle. (2008). Former Cox Communications worker sentenced to prison. Retrieved February 15, 2008 from http://atlanta.bizjournals.com/atlanta/stories/2008/01/07/daily33.html
Bidgoli, H. (2006). Handbook of information security. Hoboken, NJ: Wiley.
Fox News. (2008). Angry employee deletes all of company’s data. Retrieved February 15, 2008 from http://www.foxnews.com/story/0,2933,325285,00.html
Janczewski, L., & Colarik, A. (2005). Managerial guide for handling cyber-terrorism and information warfare. Hershey, PA: Idea Group Publishing.
Layton, T. P. (2007). Information security: Design, implementation, measurement, and compliance. Boca Raton, FL: Auerbach Publications.
McCue, A. (2003). Disgruntled employee hacks own company’s computer system. Retrieved February 15, 2008 from http://networks.silicon.com/webwatch/0,39024667,10004804,00.htm
McGlone, T. (2007). Ex-contractor sentenced for sabotaging Navy subs. Retrieved February 15, 2008 from http://hamptonroads.com/node/246841