You are required to research and analyze the legal and/or security implications of implementing an e-business system in an enterprise.
Imagine you are launching a website where customers can buy online.
- What kinds of security threats are out there?
- What security measures do you need to take? What can you do to avoid security breaches both from inside and outside the organization?
- What about SSL certificates?
- You also need to think about the data you are collecting.
- What will you do with that data?
- What are your legal responsibilities regarding that data?
- What options are open to you in terms of payment processing? If you hire a third party can they look after security for you?
- What must you do to comply with the Distance Selling Act?
- What about copyright?
The purpose of this paper is to identify a framework and specific protection mechanisms that Brownstone Companies, Inc. may use to establish a comprehensive IT Security Program. This paper is organized into the following sections: (1) a background of Brownstone Companies, Inc., (2) a summary of the primary concerns related to an IT Security Program, (3) a proposed framework with specific protection mechanism recommendations, (4) identification of limitations of the paper and areas for further research, and (5) a summary.
Brownstone Companies Inc. (BCI) is the parent corporation of three subsidiaries: Brownstone Technology Solutions, Brownstone Security, and Impact Solutions.
Brownstone Technology Solutions (BTS) is involved in three primary areas: video surveillance systems and support, point of sale systems and support, and software development. With regard to video surveillance system and point of sale system support, BTS provides support services to several hundred clients, both by remote access and via on-site support. In the software development area, BTS develops video surveillance software and enterprise solutions for the physical security and hospitality industries. These enterprise solutions provide highly regulated functionality such as credit card processing, payroll processing, and the retention of personal information on both employees and clients.
Brownstone Security (BPS) provides physical security and security consulting to a variety of clients that include private businesses, publicly traded organizations, and government entities. BPS consulting services include the development of comprehensive security plans for clients, including the evaluation of all risks and vulnerabilities and the development of a mitigation plan. Many documents developed by BPS are considered highly proprietary and confidential. In some cases, BPS does maintain government classified material related to the security of government facilities. In addition, BPS provides physical security, including armed officers and access control, to clients who maintain both sensitive data and government classified data. Many of these security posts must provide real-time reporting via remote connections for incidents that occur while officers are on duty.
Impact Solutions provides human resource outsourcing services to a wide range of clients, including payroll processing, benefits administration (including health insurance), risk management services related to safety, 401K administration, new hire processing, tax payments, government compliance, and a variety of other services related directly to human resources. In conjunction with these services, Impact Solutions maintains a large amount of personal information on thousands of employees nationwide.
BCI, as the parent corporation, maintains oversight over the information technology (IT) infrastructure for all three subsidiaries. This infrastructure includes a central server system located in Las Vegas, Nevada, which includes all data, application, mail, and web servers. The central server is connected to seven offices located in three states through a wide area network. Other key services provided by the infrastructure include (1) laptop and mobile device connections, including vehicle-based laptops, (2) web portal access for clients, (3) remote access to hundreds of client sites for support and reporting, (4) an online training portal for employees and clients, (5) an enterprise Blackberry server, and (6) software development applications and servers.
Areas of Concern related to IT Security
The importance of a good IT security program cannot be overstated, and it all starts with the security framework and policy. As Kadam (2007) states, "credibility of the entire information security program of an organization depends upon a well-drafted information security policy" (p. 246). In order to develop this IT security policy, an organization must first identify and implement an IT security framework with an appropriate oversight structure, including a Chief Information Security Officer or equivalent position. It is within this framework that the information security policy will be developed and implemented.
In the process of identifying an IT security framework, Freeman (2007) discusses the importance of using a holistic approach to information security due to its complexity. A holistic approach to security is based upon the principle that security must be thought of from the very beginning of development and be constantly addressed; it cannot be an afterthought added once an IT system is developed and put in place (Freeman, 2007). With this in mind, there are several primary areas of concern related to IT security that must be addressed by the security framework. These areas of concern are not specific security issues, such as securing wireless access points, but instead are strategic-level concerns. Some of the more specific areas that need to be addressed for BCI follow.
Proper allocation and control of resources in order to ensure the maximum ROI on IT programs is a primary concern of any program. In order to accomplish this, the framework established must provide a means for tracking and measuring IT security activities to ensure resources are being properly utilized. Drugescu and Etges (2006) identify the basic requirements of metrics for this purpose as follows: (1) they must measure organizationally meaningful things, (2) they must be reproducible and consistent, (3) they must be objective and unbiased, and (4) they must be able to measure some type of progression toward a strategic goal over time. It will be necessary for the framework used and implemented to account for the establishment of a comprehensive metrics program in order to ensure the proper allocation of IT resources, thereby resulting in maximum ROI.
The framework used must also ensure IT alignment with business objectives and goals. It is important that IT be properly aligned with the business so that all IT resources are allocated to accomplish business objectives and goals. This includes the allocation of resources to IT security. The IT Governance Institute (2007) specifically addresses this issue in CobiT 4.1 by stating, "business orientation is the main theme of CobiT" (p. 10). To demonstrate the importance of this theme, it is integrated into the basic CobiT principle, which is that IT resources should be used in IT processes that deliver enterprise information based on business requirements in order to ...
Security and legal issues that may arise when creating an online business are addressed.