
HOW DOES INFORMATION SECURITY IMPACT YOU?

Trusted Impact Pty Ltd, Level 4, 210 Albert Road, South Melbourne 3205
secure@trustedimpact.com, (03) 8623-2890

Reducing cost and increasing security


When enterprises grow, they often find themselves with a diverse
patchwork of disparate security technologies, policies, and
approaches all connected with workarounds and manual
interventions which are usually expensive and largely inefficient.
They also are a common cause of security breaches and failures.

When a security incident occurs, loss of productivity is inevitable and
the potential for public embarrassment or regulatory intervention a
distinct possibility. With the right protection in place, along with
appropriate procedures and people, productivity should never be
hindered.

Tools are only as good as the people using them, so a good deal of planning and tailoring to your environment is still needed.
The most important assets of a business are its data, and taking care of business means protecting business data. Data means
customers, communication, cash flow, and productivity figures. Without it, companies risk losing a host of factors in addition to
direct revenue: reputation, market share and brand equity.

By understanding, prioritising, and securing sensitive information, enterprises can better manage the risks associated with the
ever-changing world of Information Security, now and in the future, and avoid the perils of having to explain why they didn't protect
such information.

The Issue

IT complexity can be attributed to many factors, such as acquisitions, evolving technologies, adherence to compliance bodies, and organic business growth. Keeping the environment secure seems to add more complexity and higher cost, and typically drives enterprises to comply with technology, rather than the other way around. However, this may also cause some organisational politics to emerge, whereby the IT department is forced into implementing technologies that would impact on other areas of the business.

Acquisitions

Continual business change and organisational consolidation, whether from a merger or an acquisition or other event, results in a patchwork of hardware, software, and applications that rapidly need to work together as one solution. From the IT perspective, the response to business integration has traditionally focused on consolidating data and applications. Although this is a valid approach, it is a long-term, high-cost activity that must be balanced with the need to demonstrate a more immediate return on investment.

With this business growth, enterprises inherit technology that becomes outdated or that doesn't fit the big picture over time. In addition, the people, processes and policies supporting the technology become less effective. Before an enterprise realises it, its security architecture is misaligned with business direction, burdened with expensive maintenance of outdated legacy solutions, and ineffective in protecting the information of the enterprise.

Emerging technology providers

Fear, uncertainty, and doubt, known as FUD in the information security industry, is a popular tactic used to scare customers into purchasing security mechanisms they may or may not need. Therefore, IT managers need to keep their IT strategy in line with how their business is changing. A well thought-out strategy would allow or cater for projected growth of the business.

Mobility, for example, is the latest trend among enterprises to help improve efficiency within their sales and operations areas. This technology provides some great benefits; however, without proper due diligence on this technology, the enterprise is open to a whole raft of security issues, should it be implemented recklessly.

Compliance bodies

As enterprises evolve and grow, and as laws change, businesses now need to conform to these often strict regulatory bodies in order to continue doing business in the industries that require it. These are usually driven by current issues, such as identity theft, heavier regulation and the introduction of laws such as Anti-Money Laundering/Counter Terrorism Financing, which may require software to be modified to be able to record specific data and undertakings. In order to process credit card transactions, most financial providers require that organisations comply with PCI-DSS (Payment Card Industry Data Security Standard) before they issue a merchant ID.

Basically, if your enterprise captures sensitive information, someone out there wants it, from cyber-criminals to law enforcement. Adhering to a recognised standard or regulation helps to protect that information from being misused. These standards set out guidelines on what is perceived to be best practice in the industry.

Organic business growth

The success of your business is growing faster than your IT department can keep up. Many startup companies implement the bare basics to get their business off the ground and focus on growing the business. But as the business grows, these same systems and processes become inadequate to support the growing business.

Size and Scale

Medium to small companies get by with IT Managers who must be broadly skilled to manage a diversity of issues, from keeping the LAN up and running, to fixing the Managing Director's new operating system. By definition, the scale of the business may not warrant an expert in Security that has the depth of knowledge to be able to streamline the company's security assets.

Taking strategic action

Establish a baseline - a diagnostic approach

Information and the systems that process it are among the most valuable assets of any organisation. Adequate security of these assets is a fundamental management responsibility. There is a broad range of internationally recognised standards and frameworks to use when performing security assessments, some designed to address generic areas of IT and networking, and some which are very specific in their application.

It is our approach to use these reliable frameworks as an important reference point and building blocks for our projects. This ensures our clients can be confident that they are being evaluated against well established industry standards.

However, we look to add additional value above and beyond the common standards by tailoring them to reflect the individual circumstances and unique client environments. The approach that we use draws from a solid understanding and experience with standards such as PCI-DSS, CoBit, ISO27001, AS17799, ACSI33, combined with our practical experience successfully performing risk reviews. This framework is designed to help businesses meet the challenge of creating a security posture that corresponds to the threats, risks and business demands they face, while providing a clear path to improving security levels as situations and conditions evolve. It is designed to enable a better understanding of your unique IT Risk Assessment program, providing an effective roadmap for improvement and secure environment for the business.


Understanding the business requirements and cost drivers

Understanding the nature of the business is a fundamental key to successfully reducing cost in an organisation. Here, companies must lead some healthy discussions and ask some simple but critical questions:

What business are we in?
Who are our customers? Who are our stakeholders?
Is our business seasonal?
Are we influenced by unique events?
Are we transaction-intensive or service-based?

All have a bearing on the IT strategy. A team with representatives from all departments (legal/compliance, finance, IT, sales and product development) should be involved in developing the strategy, collaboratively.

Understanding the data

All companies collect data in one form or another. Analysing what data is collected, where it is stored, and how it is used is the fundamental starting point to understanding this important company asset.

Which data is vital data that, if lost or stolen, would break the company?
Which data is critical data that, if lost or stolen, would not cause the company to fail?
Which data is not critical but useful?

Additionally, is this data sensitive? A partial list could be:

Data                      Vital  Critical  Useful  Other  Sensitive?
eMail                                                     Yes
Financial                                                 Yes
Web server                                                No
eCommerce                                                 Yes
Sales                                                     Yes
Call centres                                              No
Support desks                                             Yes
Internal support                                          No
Portals                                                   Yes
Supply chain                                              Yes
Legal                                                     Yes
Research and development                                  Yes

Consolidate or relocate IT systems

Once the baseline has been formulated and tailored to the business, and the data has been identified and categorised, the next step is to find out where it all lives. Is it spread across numerous systems or all sitting on the G: drive which happens to be under the receptionist's desk? What burden is this placing on your backup strategy? Can these systems be consolidated, and what about protecting the sensitive elements? Can some of these systems be hosted elsewhere? Are you sure the data centre has been built to comply with set regulations and standards?

Regulatory requirements

The increasing emphasis on protecting data has many regulatory drivers. For those companies that accept credit cards for the payment of goods/services, there is the requirement to adhere to the latest Payment Card Industry Data Security Standard. This standard applies to all merchants and service providers that store, process or transmit cardholder data.

The Healthcare Insurance Portability and Accountability Act (HIPAA) addresses security policies and procedures that ensure secure access, transmission and retention of personal health information. Therefore, protecting medical records is a compliance issue for hospitals, insurance companies, medical practices, laboratories, life sciences firms, and pharmacies. In Australia, this is addressed by the Privacy Act 2001 and the Health Records Act 2001.

The global financial world is impacted by Sarbanes-Oxley, which dictates new policies and procedures for financial reporting and auditing. It affects public companies and their accounting firms. It also addresses retention of financial records. To be compliant, companies will have to adjust their business processes to more rigorously protect their data.

Insurance companies, as well as regulators, are scrutinising their clients' data protection policies. Those firms whose data is deemed at higher risk will pay higher premiums, since loss of data translates into huge business losses. To mitigate their own risk, companies should consider suppliers' data protection policies as well. If a supplier loses data, those who are closely linked could incur losses as well.


Standardise and automate core processes

By transforming the most basic day-to-day processes, such as procurement, budgeting and reporting, an enterprise will become more efficient and reduce cost. By lessening the burden posed by these non-core tasks, the business can more efficiently capture the professional value of its staff, and deliver better performance and better value to its customers.

By having an automated workflow solution for approval processes, many manual processes have become automated, driving the savings of time and money. The value of this functionality with regards to security is that these processes can ultimately determine a user's level of access to a system, and can be used to enforce segregation of duties as it relates to managing user access.

Companies should be able to set up specific, easily scalable workflow processes consisting of one or more related steps to implement, approve, and execute tasks. For example, these tasks may include creation, deletion, and modification of identities (user, groups, accounts or roles); user self-registration, partner (company) self-registration, subscribe/unsubscribe to groups or roles.

Prioritise and adopt correct technologies

Whether it's a new ERP system to handle the process workflow, or the latest and greatest technology to protect or deliver your data, adopting the correct technology tailored to your business is the right philosophy to take. Take the time to understand the technology, and how it can play a valuable role in making your business successful.

Bring it all together

Take the next step toward achieving the benefits of improving your security posture, while reducing the costs associated with it, by contacting a Trusted Impact representative and scheduling a Solutions Workshop. Trusted Impact consultants can then work with your IT team to assess the value of consolidating your environment, help you understand the sensitive data you hold and store, and provide a roadmap for designing and implementing a consolidated robust security infrastructure framework.

About Trusted Impact

Trusted Impact is an Australian-owned, invested and focused company - meaning we truly care about the success of Australian enterprises and have a deep understanding of the relevant issues in the local environment. Our approach is to uniquely combine solid business knowledge and experience with a deep technical understanding and expertise in information security and risk management to define pragmatic, reliable solutions to improve your business. We are people driven to help other people succeed in their jobs. "It's not just about technology; it's about helping your people become more effective".

Competitive differentiators for Trusted Impact include:

Business Driven - A unique combination of expertise to deliver business outcomes from a deep understanding of technology

Demonstrable results - Improvement is about your people and how they do work, not just about technology. We understand the people and process issues which must be addressed to achieve successful business outcomes

Holistic expertise - A unique blend of integrated network and IT expertise to deliver more holistic improvements to a company's IT and Network assets

Our people - Our strength is our people and their expertise. We have formal programmes to develop and incent our people to deliver exceptional client service. Our investment in our people means our clients get the best resources in the market.

www.trustedimpact.com

The Author

Bill Callahan is a Principal Consultant with Trusted Impact Pty. Ltd. He has over 20 years of Australian and international expertise helping clients improve their businesses. For further information, call us on (03) 8623-2890.

Trusted Impact Pty. Ltd. ABN: 70 121 001 438
