Begins on Your Desktop
J. Dowling - April 18th, 2000
IT Management Issue
- If the hard drive on your personal computer failed right now:
- How long would it take for you to be as productive as you were
- Would any clients be inconvenienced?
- Would you impact the productivity of others in the company?
- Are you sure that no one else on your corporate network can access
the files on your machine? How about when you connect to the internet
from home? From a client's site?
- Is your company providing the proper level of privacy and integrity
controls over client and corporate data to satisfy contracts? Laws?
enterprise runs on data, and not all of it is in the repositories that
are managed directly by the information technology departments. Studies
have shown that less than 20% of the data used to run a company resides
in its mainframe systems. Older studies showed that more than 50% resided
in unstructured formats in file cabinets and the remainder was stored
in personal files. Today, the personal computer has assumed the role of
personal and even work group file cabinet. However, it has not assumed
its privacy, security, and asset management capabilities.
group file cabinets are obviously company property, as are their contents.
Ownership of data in personal computers is not so obvious, by practice
and it is rarely shared. Cabinets are locked to prevent accidental access
and lock-barred to prevent intentional violation. Most personal computers
have neither capability or if they do, often it is not engaged.
also the use of spreadsheets, business modeling software, and personal
databases. Hundreds of hours go into building data interpretation, translation,
and presentation rules by individuals to enhance their personal productivity
(hopefully) or knowledge-based power (unfortunately). These rules are
used to make or guide business decisions, but they are not accessible
or even decipherable by anyone other than the model creators.
availability of such systems is an information technology management issue
even though it is rarely incorporated into formal information asset protection
systems. There are two principle threat sources that must be considered:
Physical threats such as theft, destruction, or damage to a personal computer;
and intrusion threats such as unauthorized use and network access.
Chief Information Officer rarely gets involved in personal databases and
information systems. The net result? A chief with domain over less than
20% of the corporate information assets.
continuity is an important issue for management. However, the impact of
losing a personal data store or information systems is not often considered
to be a business continuity issue. Some examples of business issues resulting
from weak governance of personal computer personal data stores and information
- A catastrophic hard drive failure causes the loss of years of accumulated
e-mail, memos, notes and proposals, resulting in months of confusion
among customers due to broken commitments.
- A stolen laptop computer places proprietary client data in the
hands of unknown parties, jeopardizing a valued relationship and opening
the company to legal action.
- Data extracted from several sources on mainframe systems is incomplete
and not synchronized, causing a collections team to ignore high-risk
accounts, resulting in a bad-debt bubble to burst weeks downstream.
- An employee's resignation places his personal computer into the
hands of a supervisor who reassigns the machine without removing files,
causing the loss of months of sales leads, proposals, and contract
- A work group shares files over the corporate intranet, where they
are copied by a disgruntled employee and e-mailed to the press, resulting
in significant internal conflict and public embarrassment.
- An employee whose machine is not equipped with updated virus detection
software introduces an infected document onto the machines of the
entire sales force, resulting in costly down time for sales and technical
staff to inoculate and disinfect machines.
- An employee tele-commutes to work using a broadband (cable modem)
service, which lays the machine open to hacking without knowing the
implications, resulting in lost files.
demand personal responsibility for information technology management. Many
of the above business issues could be mitigated to a great extent through
centralized or professional information technology management techniques.
However, the scale of these issues is immense when one considers the number
of people, the locations, travel, and other factors that drive the complexity
of issues and responses. There is, however a short list of information technology
implications that can be addressed to limit exposure.
- Provide education, policy, and means for backup, archive and recovery
of personal computer-based data and systems.
- For laptop machines, provide hard drive encryption software and encourage
the use of removable hard drives that can be encrypted and packed separately.
- Employ desktop computer monitoring software to identify failing hard
drives and proactively replace them.
- Facilitate access to mainframe data stores to assure data integrity.
- Provide education and means for continually upgraded virus detection
at the desktop, server, and mail gateway.
- Provide education, policy and means to assure data privacy in network
Information Technology Architecture is principally driven by the need
to support enterprise applications and data access. Special consideration
must be given to enable personal and workgroup productivity without compromising
data integrity and business continuation. Architecture design must consider
- Workgroup file servers with backup, archive and recovery capabilities.
- Workgroup level firewalls to control access to sensitive data such
as is often shared within marketing, human resources, research, finance,
and legal teams.
- Personal computer-based firewalls to assure network security within
the corporate intranet, when connected to other corporate internets,
and when connected to public networks.
- E-mail encryption at the desktop and e-mail gateways.
- Virus inoculation at the desktop, servers, and e-mail gateways.
- Remote diagnostics for personal computers.
- Public data networks with and without Virtual Private Network capabilities.
the responsibility for assuring business continuity and data security
through policies, procedures, and education. Take active measures such
as the following to create an informed and enabled workforce:
- Incorporate data integrity and privacy into human resources policies
and procedures and include in new employee orientation.
- Reinforce established practices through operational reviews and
audits that assess compliance with policies.
- Question the source of data used to make management decisions to
assure its integrity.
- Encourage and support information technology management to develop
workgroup-level architecture and infrastructure.
- Treat business interruption and liability issues related to personal
computer use the same as you would other risk management issues. Insurance
companies can provide helpful data as can legal consultants.
- Do not expect a higher degree of security than you are willing
to invest in.
infrastructure and services that enable responsible computing among personal
computer users is costly and not highly leverageable. Unlike the mainframe
environment where one firewall, backup server, or uninterrutible power
source, serves hundreds or thousands of users, many services must be implemented
on each personal computer individually.
make matters worse, personal computer management is a continual process
even for an individual user. Each hardware or software upgrade, each new
network, each new workgroup, and each new service requires personal attention.
Standardization has the highest degree of impact of any actions that information
technology management can take. Following lists high leverage standards
- Workgroup servers allow user files to be stored and backed up inexpensively
on high-availability hardware platforms.
- Enterprise Management Systems enable the technical support teams
to monitor the desktop and server network, responding to alerts and
trends rather than incidents.
- Segmented and Routed networks enable the use of filters and access
control lists. They also make convenient firewall lines of demarcation.
- Corporate accounts with Internet Service Providers can simplify
configuration and technical support.
- Inspect-and-Push software version management simplifies distribution
and increases the probability that current virus detection and firewall
software is in place.
- Locked-down desktop and laptop configurations can help but generally
they are bypassed to 'personalize' software and networking options.
This only works in high control / high conformance environments.
- Data-Marts improve data quality and access at the same time.
- Education and proficiency for technical support staff assures that
the tools at hand are employed properly and to their fullest value.