Research Paper: Security Management Defining an Effective Enterprise

Pages: 12 (3174 words)  ·  Bibliography Sources: 13  ·  Level: Master's  ·  Topic: Business - Management

Security Management

Defining an Effective Enterprise Security Management Strategy

For any enterprise to attain its long-term and most strategic objectives, it needs an agile, highly secure framework for managing its financial reporting and audit applications corporate-wide. Security within the enterprise is not relegated to just layers of passwords or authentication technologies protecting intellectual property. Best practices in enterprise security management focus on how to use the global requirements for audit compliance, including COBIT, the Information Technology Infrastructure Library (ITIL), Sarbanes-Oxley (SOX), ISO/IEC 17799 and other security and audit standards (Robinson, 2005). Combining Governance, Risk and Compliance (GRC) as part of a broader strategy of enterprise security management ensures higher levels of compliance while also anticipating and responding to compliance regulations (Maner, 1999). Organizations that have taken this approach to enterprise security management (ESM) have continually been able to drastically reduce security threats to their applications, ensuring their up-time and performance over the long term.

ESM strategies need to combine risk management for enterprise-wide applications, including ERP, CRM and supply chain management (SCM), with attaining compliance with reporting requirements. This dual requirement of mitigating risk to enterprise applications while at the same time ensuring a high level of compliance with reporting requirements can serve as a very powerful catalyst of innovation and long-term change within an enterprise. Based on the research completed for this analysis, it is clear that the need exists for an equilibrium model that can assist senior management teams, including CEOs, CFOs and CIOs, in navigating these two initially conflicting objectives, which must be coordinated if a company is going to attain its strategic plans and initiatives. The need for application security management and the need for compliance can be combined into a single initiative, and many organizations have done this successfully. When the Sarbanes-Oxley Act of 2002 (SOX) was passed, the initial audits of publicly traded companies showed that many did not have application security programs in place, and the majority lacked an enterprise security management (ESM) strategy as part of their strategic plan. Redefining the core business processes to ensure application security and compliance actually increased companies' ability to respond to market conditions while reducing security and audit risk (Stoica, Farkas, 2004).

Integrating the enterprise information systems, audit processes and certification programs, cost controls, Enterprise Risk Management (ERM) systems and compliance programs into a single, unified framework can accomplish the goals of mitigating risk and increasing compliance (Smith, 2008). Both objectives can be accomplished; they do not need to be mutually exclusive. Further, the greater the level of enterprise security management to mitigate security threats, the greater the potential for auditability and compliance (Mitchell, 2007). Instead of seeing these two aspects of the overall risk management strategy as mutually exclusive, they can complement each other and make the enterprise not only more secure but also more efficient and agile in responding to market conditions (Hawkins, Alhajjaj, Kelley, 2003). The intent of this analysis is to show how such a model could work.

Background

Creating an effective enterprise security management strategy needs to start at the application level, where the dual design objectives are supporting workflows aligned to specific roles in the organization and remaining compliant with regulatory requirements. By integrating application security, evaluation or auditing, and compliance with SOX, COBIT and other governance initiatives, enterprises are finding they can quantify the performance and value of their security management programs. Integrating security management of applications with governance initiatives, in conjunction with the audit processes used to ensure compliance, has the effect of actually strengthening application security throughout enterprises (Ma, Orgun, 2008).

The first step in creating a more effective enterprise security management strategy is to design applications so they are role-based rather than functionally oriented, as the majority are today. To attain the highest levels of security possible at the application level, enterprise applications need to have identity management and authentication from a role-based and situational context, in addition to supporting constraint-based modeling and definition of security access privileges by user and account (Das, Echambadi, McCardle, Luckett, 2003). This is critical to ensure that enterprise applications support and strengthen each role within an organization to the maximum extent possible. Defining security and authentication at the role-based level is a concept enterprise application vendors had, however, been slow to adopt, until the Return on Investment (ROI) and the quantified value were readily seen in customers' results. Security management strategies are driving enterprise application vendors to be more aligned and attuned to role-based information needs, as security of corporate information assets, including critical financial data, now must be managed at the corporate officer level (Ma, Orgun, 2008).

Security management concerns and the needs of enterprises are thus reshaping how Customer Relationship Management (CRM), Enterprise Resource Planning (ERP), Supply Chain Management (SCM) and many other areas of enterprise applications are being developed and sold today. The following graphic explains how contextual roles are influencing the design and implementation of enterprise applications today. Figure 1 shows the taxonomy-based approach often used by enterprise software companies, including Infor, Oracle, SAP and others.

Figure 1: Taxonomy-based Approach to Role-based Application Development. Source: (Cuppens, Cuppens-Boulahia, 2008)

Enterprise security management strategies on the part of companies have forced enterprise software vendors to take a more multidimensional approach to how they design, implement and support their applications. As Figure 1 shows, there are a variety of contextual reference points that enterprise applications must be compatible with for the enterprise to mitigate security risks while also staying in compliance with financial reporting standards, including SOX and others. The prerequisite, provisional, spatial, temporal and user-declared contexts of an enterprise application need to be taken into account to ensure the security management goals of enterprises are met. This contextual approach to defining security is also critically important for the role-based reporting and use requirements of enterprises over the long term (Swart, Marshal, et al., 2005). Finally, taking this contextual approach to defining roles and the security supporting them also ensures a higher level of compliance with reporting requirements (Cuppens, Cuppens-Boulahia, 2008). The triad of requirements, namely role-based access to applications to increase security, compliance with government reporting requirements, and quantifying or measuring the financial value of these factors, forms the foundation of effective enterprise security management (ESM) platforms today (MacVittie, 2006).
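As an added example (not part of the paper, nor code from the Cuppens, Cuppens-Boulahia work it cites), the following Python sketch shows how a role's permission on a financial application can be gated by the five context types named above, and how a denial can name the failing context so the decision is auditable. The interpretation of each context, and every user, role, attribute, network label and request, are constructed assumptions for illustration; in particular "provisional" is modeled as depending on earlier granted actions, which is used here to express that the preparer of a ledger entry may not also post it.

```python
"""Context-gated role-based access decisions with an auditable reason trail.

Added illustration; all policy data below is constructed, not from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable


@dataclass(frozen=True)
class Request:
    user: str
    action: str
    resource: str
    when: datetime
    network: str   # where the request originates, e.g. "corp-lan", "vpn", "internet"
    purpose: str   # user-declared context, e.g. "month-close"


# Audit history: one (user, action, resource) entry per granted request.
History = list[tuple[str, str, str]]
Predicate = Callable[[Request, History], bool]
Context = tuple[str, Predicate]   # name + predicate, so denials can name the failed context


# The five context constructors (assumed interpretations of the paper's terms).
def temporal(start: time, end: time) -> Context:
    return ("temporal", lambda r, h: start <= r.when.time() <= end)

def spatial(networks: set[str]) -> Context:
    return ("spatial", lambda r, h: r.network in networks)

def prerequisite(required: set[str]) -> Context:
    # Attributes the user must already hold (constructed: completed training IDs).
    return ("prerequisite", lambda r, h: required <= USER_ATTRIBUTES.get(r.user, set()))

def provisional(prior_action: str) -> Context:
    # Depends on earlier granted actions: someone OTHER than the requester must
    # already have performed prior_action on the same resource (segregation of duties).
    return ("provisional", lambda r, h: any(
        u != r.user and a == prior_action and res == r.resource for u, a, res in h))

def user_declared(purposes: set[str]) -> Context:
    return ("user-declared", lambda r, h: r.purpose in purposes)


# Constructed sample policy for a general-ledger prepare/post workflow.
USER_ROLES = {"alice": {"gl-approver"}, "bob": {"gl-clerk"}}
USER_ATTRIBUTES = {"alice": {"sox-training"}, "bob": set()}
POLICY: dict[str, list[tuple[str, str, list[Context]]]] = {
    "gl-clerk": [
        ("prepare", "general-ledger", [spatial({"corp-lan"})]),
    ],
    "gl-approver": [
        ("post", "general-ledger", [
            temporal(time(7, 0), time(19, 0)),
            spatial({"corp-lan", "vpn"}),
            prerequisite({"sox-training"}),
            provisional("prepare"),
            user_declared({"month-close", "quarter-close"}),
        ]),
    ],
}


def decide(request: Request, history: History) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Reasons name the granting role, or every
    context that failed for each candidate role, so both outcomes are auditable."""
    reasons: list[str] = []
    for role in sorted(USER_ROLES.get(request.user, set())):
        for action, resource, contexts in POLICY.get(role, []):
            if (action, resource) != (request.action, request.resource):
                continue
            failed = [name for name, pred in contexts if not pred(request, history)]
            if not failed:
                return True, [f"granted via role {role}"]
            reasons.append(f"{role}: failed {', '.join(failed)}")
    return False, reasons or [f"no role of {request.user} grants {request.action} on {request.resource}"]


def authorize(request: Request, history: History) -> tuple[bool, list[str]]:
    """Decide and, on a grant, record the action so later provisional contexts see it."""
    allowed, reasons = decide(request, history)
    if allowed:
        history.append((request.user, request.action, request.resource))
    return allowed, reasons


def at(hour: int) -> datetime:
    """Constructed timestamp helper for the sample requests."""
    return datetime(2024, 3, 29, hour, 0)


if __name__ == "__main__":
    log: History = []
    print(authorize(Request("bob", "prepare", "general-ledger", at(10), "corp-lan", "month-close"), log))
    print(authorize(Request("alice", "post", "general-ledger", at(10), "vpn", "month-close"), log))
    print(decide(Request("alice", "post", "general-ledger", at(22), "internet", "month-close"), log))
```

Keeping the predicates named is the design point: a plain boolean "deny" is useless to an auditor, whereas "failed temporal, spatial" ties the decision directly to the control that enforced it.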

Role-based applications are quickly transforming the enterprise software landscape, leading to a much greater focus on measurable performance by sales, marketing, services, pricing, production and executive management teams. This focus on measuring the contributions of each role in an enterprise has inherent risks from a security, authentication and data use perspective. The greater the level of authentication required at the role level, the more critical it is to create a more agile enterprise security management framework. Given the constraint of legacy systems in many enterprises, there continue to be retrofitting programs in place to make applications more role-based through the use of Business Process Engineering Language (BPEL) support (Ma, Orgun, 2008). This, however, has not solved the inherent design limitations of applications designed for functional use rather than role-based, highly secured and authenticated use. Retrofitting applications to be more role-based also diminishes the value of analytics for tracking their performance over time, a key component of any enterprise security management strategy (Vijayan, 2007). What enterprises have typically done is concentrate on creating a series of proprietary networks very comparable in scope to Intranets, yet differentiated from that collaboration framework through the use of multi-layer sign-ons, biometrics and advanced forms of security management (Gupta, Roth, 2007). In companies that have an inflexible, highly structured series of enterprise systems, the security management strategies shift from role-based application development and implementation to creating internal networks that sacrifice fluidity and agility of information flows for having security management defined down to the network protocol layer (Ray, Tideman, 2004). Companies with a legacy of functional enterprise applications, inflexible to being modified to reflect role-based accountability and use of data, face the daunting task of taking their enterprise infrastructure and creating walled and highly secured internetworks that attain the highest levels of security while sacrificing agility, information integration, and the ability to collaborate freely across the enterprise (Ma, Orgun, 2008).

This is the dichotomy that many organizations face from a security standpoint. They can either stay with their existing IT infrastructure, which for many of them is highly siloed and difficult to use in today's more turbulent economic climate and uncertain business environment, or they can opt to create a role-based enterprise infrastructure (Talbot, 2006). Making this transition on legacy systems is, however, fraught with potential security problems, high levels of intrusion risk, and worst of all, degradation in the quality and availability of knowledge. Legacy systems also lack the necessary support and infrastructure for the more advanced algorithms used to manage authentication and validation of users by the role they have in the organization (Ma, Orgun, 2008).

Cite This Research Paper:

APA Format

Security Management Defining an Effective Enterprise.  (2011, August 11).  Retrieved July 19, 2019, from https://www.essaytown.com/subjects/paper/security-management-defining-effective/80479
