Rajiv Kumar: 28/07/2014-Security
Organizations' increasing dependence on information and data has allowed a new class of security breaches to flourish. In the information era, security breaches are no longer limited to physical security or theft; they also give a perpetrator numerous ways to commit crime by misusing information. Given the nature of cybercrime, breaches involving misuse of an organization's data or information can go unnoticed for a long time. It is therefore very important for an organization to have a robust security policy that minimizes the possibility of breaches. As Dhillon states in the article, "A majority of computer security breaches occurs because internal employees of an organization subvert existing controls". Employees are closest to an organization's security loopholes and generally have a fair understanding of any weak links in the security chain.
As a security manager for BSL, and on the basis of the information presented in the article, I would have incorporated the following security guidelines and principles. First, a strong authorization and access control policy should have been in place to prevent misuse of the organization's systems. Limiting access to critical system resources provides the first level of security for any organization. In the BSL case, Leeson was able to manipulate the information because he had direct access to the trading accounts on the IT system. Second, even when an access control and authorization policy is present, authorized persons may still misuse the systems and manipulate information for personal objectives. It is therefore very important to set up procedures, policies and internal audit teams to ensure the correctness of the information fed into the systems. In the BSL case, Leeson was able to post journal entries to the system without any review; a business process for reviewing critical information could have mitigated the loss to a great extent. Third, there should be a clear escalation hierarchy for tackling security breaches or unethical behavior at an early stage. In the BSL case, doubts about account 88888, the account Leeson used for fraudulent transactions, were raised in 1995; Leeson deflected them by claiming that the discrepancy was due to pending receivables, and because there was no clear hierarchy the doubts were passed over. An organization should also have a policy for reporting unethical behavior; in the BSL case, Leeson's personality attributes and unethical behavior were ignored. Last but not least, there should have been a separate risk committee able to analyze the basis for the reported profit and understand the underlying business transactions. In the BSL case, the absence of such a committee, combined with the complete control given to Leeson, allowed his falsified records to go unnoticed for a long time.
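The first two guidelines above (access control on the ledger, and review of journal entries before they count as posted) can be expressed as a maker-checker control. The following is an added example written for this post, not code from the article or from any bank's system; the user names, roles and the scenario are constructed, and the account number is only the one the post discusses. It shows that holding a role is not enough: the person who creates an entry can never be the one who approves it, and anything unapproved stays visible to audit.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional


class Role(Enum):
    TRADER = "trader"            # executes trades; no write access to the ledger
    SETTLEMENTS = "settlements"  # may create (make) journal entries
    REVIEWER = "reviewer"        # may approve (check) entries made by someone else


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[Role]


@dataclass
class JournalEntry:
    entry_id: int
    account: str
    amount: float
    created_by: str
    approved_by: Optional[str] = None  # set only by a reviewer who is not the maker
    posted: bool = False


class AccessDenied(Exception):
    """Caller lacks the role required for the operation."""


class ControlViolation(Exception):
    """Operation is possible in principle but breaks a control (maker == checker)."""


class Ledger:
    def __init__(self) -> None:
        self.entries: Dict[int, JournalEntry] = {}
        self.audit_log: List[str] = []  # append-only record of every attempt, allowed or denied
        self._next_id = 1

    def create_entry(self, user: User, account: str, amount: float) -> JournalEntry:
        # Access control: only the settlements role may write to the ledger at all.
        if Role.SETTLEMENTS not in user.roles:
            self.audit_log.append(f"DENY create by {user.name} on {account}")
            raise AccessDenied(f"{user.name} may not create journal entries")
        entry = JournalEntry(self._next_id, account, amount, created_by=user.name)
        self.entries[entry.entry_id] = entry
        self._next_id += 1
        self.audit_log.append(f"CREATE #{entry.entry_id} {account} {amount} by {user.name}")
        return entry

    def approve_entry(self, user: User, entry_id: int) -> JournalEntry:
        entry = self.entries[entry_id]
        if Role.REVIEWER not in user.roles:
            self.audit_log.append(f"DENY approve #{entry_id} by {user.name}")
            raise AccessDenied(f"{user.name} may not approve journal entries")
        # Segregation of duties: the maker can never be the checker of the same entry,
        # even if they also hold the reviewer role.
        if entry.created_by == user.name:
            self.audit_log.append(f"VIOLATION self-approval of #{entry_id} by {user.name}")
            raise ControlViolation(f"{user.name} cannot approve an entry they created")
        entry.approved_by = user.name
        entry.posted = True
        self.audit_log.append(f"APPROVE #{entry_id} by {user.name}")
        return entry

    def unreviewed_entries(self) -> List[JournalEntry]:
        # Created but never approved: exactly the list an internal audit team reviews.
        return [e for e in self.entries.values() if not e.posted]


def run_scenario() -> dict:
    """Constructed scenario: one person holds trading, settlements and reviewer roles."""
    ledger = Ledger()
    leeson = User("leeson", frozenset({Role.TRADER, Role.SETTLEMENTS, Role.REVIEWER}))
    auditor = User("auditor", frozenset({Role.REVIEWER}))
    trader = User("trader2", frozenset({Role.TRADER}))
    results = {"trader_blocked": False, "self_approval_blocked": False}

    try:
        ledger.create_entry(trader, "88888", 1000.0)  # no ledger write access
    except AccessDenied:
        results["trader_blocked"] = True

    entry = ledger.create_entry(leeson, "88888", 1000.0)  # making is allowed
    try:
        ledger.approve_entry(leeson, entry.entry_id)  # checking one's own entry is not
    except ControlViolation:
        results["self_approval_blocked"] = True

    results["pending_before_review"] = len(ledger.unreviewed_entries())
    ledger.approve_entry(auditor, entry.entry_id)
    results["pending_after_review"] = len(ledger.unreviewed_entries())
    results["posted_by_pair"] = (entry.created_by, entry.approved_by)
    results["audit_events"] = len(ledger.audit_log)
    return results
```

The audit log records denied and violating attempts as well as successes, so a self-approval attempt is itself a signal for the escalation hierarchy the third guideline calls for.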
In the article, "Violation of safeguards by trusted personnel and understanding related information security concerns", the author emphasizes structural and control issues such as lack of segregation of duties and lack of business processes, but IT systems also play a very important role in any business. It is therefore very important to ensure the correct behavior of IT systems and to address any security loopholes in them. In the BSL case, the fact that no information about account 88888 appeared in the reports sent to head office can be attributed partially to the inadequacy of the information systems' security policies, which allowed Leeson to keep this information out of the reports. Another important security consideration is terminated employees. With paperless records, extremely portable company information, access to critical databases, and company data on personal devices such as mobile phones and PDAs, it is very important to take appropriate action when an employee is terminated, based on the type of access that employee had. Effective controls such as system development practices, encryption, strong password policies, and authorization and access control play an important role in mitigating security issues originating in information systems and should therefore be managed appropriately.
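Acting on termination "based on what type of access the employee had" presupposes an inventory of that access. The following is an added example for this post, not code from the article or from any real system; the systems, users and HR list are constructed. It revokes what can be revoked automatically, flags entitlements that need a manual step (company data on a personal device), and runs a detection pass that reports anyone no longer on the HR active list who still holds access, which catches both a forgotten leaver and an offboarding that was only partly completed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Entitlement:
    system: str
    privilege: str
    auto_revocable: bool = True  # False: needs a manual step (e.g. wiping a personal device)


# Constructed sample access inventory: user -> entitlements currently held.
INVENTORY: Dict[str, Set[Entitlement]] = {
    "alice": {
        Entitlement("trading-db", "read-write"),
        Entitlement("vpn", "remote-access"),
        Entitlement("personal-phone", "company-mail-sync", auto_revocable=False),
    },
    "bob": {Entitlement("reports", "read-only")},
    "carol": {Entitlement("trading-db", "read-only")},  # left earlier, never offboarded
}

# Constructed HR list of people still employed.
HR_ACTIVE: Set[str] = {"alice", "bob"}


def offboard(user: str, inventory: Dict[str, Set[Entitlement]]) -> Tuple[List[Entitlement], List[Entitlement]]:
    """Revoke every automatically revocable entitlement; return (revoked, needs_manual_action)."""
    held = sorted(inventory.get(user, set()), key=lambda e: (e.system, e.privilege))
    revoked = [e for e in held if e.auto_revocable]
    manual = [e for e in held if not e.auto_revocable]
    # Only the outstanding entitlements remain, so a later audit still sees them.
    inventory[user] = set(manual)
    return revoked, manual


def orphaned_access(inventory: Dict[str, Set[Entitlement]], hr_active: Set[str]) -> Dict[str, Set[Entitlement]]:
    """Detection: anyone not on the HR active list who still holds any entitlement."""
    return {u: ents for u, ents in inventory.items() if u not in hr_active and ents}


def run_scenario() -> dict:
    inv = {u: set(ents) for u, ents in INVENTORY.items()}  # work on a copy of the sample
    orphans_before = sorted(orphaned_access(inv, HR_ACTIVE))

    active = HR_ACTIVE - {"alice"}  # HR marks alice as terminated
    revoked, manual = offboard("alice", inv)
    orphans_after_alice = sorted(orphaned_access(inv, active))  # alice still has a manual item

    offboard("carol", inv)  # clean up the forgotten leaver found by the check
    orphans_after_carol = sorted(orphaned_access(inv, active))

    return {
        "orphans_before": orphans_before,
        "revoked_for_alice": [e.system for e in revoked],
        "manual_for_alice": [e.system for e in manual],
        "orphans_after_alice": orphans_after_alice,
        "orphans_after_carol": orphans_after_carol,
    }
```

Because the check compares the access inventory with the HR record rather than with a ticket queue, it keeps reporting a leaver until every entitlement, including the manual ones, is actually gone.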
Feel free to provide your feedback. Recommend this on Google if you like the content.