Individuals also have to take personal responsibility for the information
with which they deal. This is not something new. People have always
managed their bank account numbers, drivers' license numbers, social
security numbers, phone numbers, names, and addresses in environments
where transactions were much less electronic in nature. This set of
information has since expanded to include the account names and passwords
for various Web-based accounts — banks, brokerages, E-commerce
sites, e-mail accounts, and other Internet transactions. Personal information
that existed earlier as physical objects, such as letters and photographs,
is now digital — people use e-mail instead of letters, and retain digital
photos instead of prints and negatives. Physical access is needed to steal
physical assets. Electronic access is needed to steal digital assets. These
digital assets are often located on vulnerable home machines, carelessly
left connected to the Internet. Most users do not understand the security
aspects of this changing environment, except for what little information
about incidents they happen to obtain from the popular press. Although
an active “personal security tools” industry has emerged, somewhat similar
to the electronic home security business, many of the issues remain
unsolved, expensive, and difficult to implement.
Security Crosses Conventional Application Boundaries
Most businesses have not been organized with a view to security needs.
They might have been organized as functional departments or projects or
by products, or a matrix version of all these. Whatever the organization
is, certain boundaries get established, such as “my department,” “your
department,” “my project,” “your project.” When thinking about security, one
must cast a wider net, looking beyond the product, project, or department
of which one is part. Depending on the culture within the organization,
this may not be easy to achieve. This is one of the reasons why security
exists as a centralized function — for example, the Department of Homeland
Security. The assumption is that going up one level will make working
across organizational boundaries easier.
For the application, its responsibility ends with the successful processing
of a required transaction, or the output of some required information.
Once outside the application, the information might scatter in known and
unknown locations (Figure 16.2). It resides with other departments, supply
chain partners, ex-employees, contractors, and regulatory agencies, to
name a few. It resides in various formats — e-mails, printouts and
documentation, and other devices and media. It may even exist in databases
that are outside one's control. Tracking any of these, even at one