

Enterprise Security Management

Security and Ethics at Cincom Systems

Cincom Systems is a global leader in the development, implementation and service of enterprise software that is specifically designed for the needs of complex manufacturers. Its security and ethics policies reflect the company's long-standing customer relationships with defense contractors both in the U.S. and in the United Kingdom, France and Australia. Each of these nations uses Cincom's software to manage its complex defense systems. As a result of these long-standing and trust-based relationships, Cincom must adhere to very stringent requirements for data and information security. The intent of this analysis is to explain how Cincom Systems used the Confidentiality, Integrity, and Availability (CIA) triad to better manage security requirements, and also to define the formal and informal security policies the company has in place. Much of the information shared in this paper is a result of experience gained while serving as an intern for the company for two years, specifically during summer and winter breaks. The main information security threats, how information security is managed, and how Cincom monitors computer and online usage are also discussed. Restrictions on access to company data are also covered in this analysis.

Cincom's Adoption of the Confidentiality, Integrity and Availability (CIA) Triad

The Cincom security platform is predicated on the security requirements triad of Confidentiality, Integrity and Availability (CIA), and there are formal, audit-based procedures in place for gaining access to specific information assets based on the use of this model. During two years as an intern in the company's IT and marketing services organization, many of these aspects of its security strategy became clear. The CIA triad model is supported through a series of user and data taxonomies, each role-based, that define the specific data sets, fields and, in the case of transaction systems, specific records and customer data (Bertino, Sandhu, 2005). The CIA Model is also used for managing the reporting analytics and metrics that drive overall security strategies and are also provided to the U.S. Department of Defense as part of their yearly audits, in addition to defense audits from the UK, France and Australia.
These audits, completed to ensure Department of Defense (DoD) compliance, are also predicated on having the servers for their projects physically located in a completely separate section of the computer room, with different security processes and procedures to gain access. Consistent with the use of the CIA Model, Cincom has also aligned its CIA framework with the strategic IT plan and the overall strategic plan of the entire enterprise. One of the most challenging aspects of using the CIA triad is to ensure enough agility in the business model to attain strategic plans while also having enough of the security infrastructure and frameworks in place to protect information assets and access (Knapp, Marshall, Rainer, Ford, 2006). Cincom has adopted the CIA triad in conjunction with the role-based access control (RBAC) model (Bertino, Sandhu, 2005) because the audit and security requirements of the U.S. Department of Defense and foreign ministries of defense require this level of auditability, visibility and verifiability of activity within each database and across the company's entire complex of IT systems. Cincom adopted the RBAC Model specifically to allow for greater agility in its global software development, testing and selling efforts while also ensuring a hardened and secure IT infrastructure. The CIA triad is specifically designed to provide enterprises with the flexibility to attain these strategic objectives (Knapp, Marshall, Rainer, Ford, 2006). Cincom has designed in compliance with its IT strategic plan, with specific focus on attaining the shared objectives of confidentiality, integrity and availability of data while also ensuring its authenticity, as it is verified every six months or more by government agencies whose projects Cincom completes.

The formal and informal security policies in place within Cincom vary significantly across the divisions of the company. For those divisions….....
