The Trusted Guide to Marketing Thought Leadership

Bolstering Security Compliance for Agile Supply Chain Management



mThink Knowledge - Posted on 25 July 2003

Authored by: Yves Audebert, ActivCard Corporation
Open, collaborative business networks expose corporations to potential increases in security violations and, hence, to possible government sanctions. Organizations must balance agility and connectivity with effective security systems.

New government regulations and legislative mandates have been created to not only safeguard our national borders, but also protect shareholder interests by holding corporations accountable for their actions. Many of the provisions not only impact an organization’s internal physical and logical security processes, but also extend beyond the four walls of the enterprise to include collaborative partners, suppliers and customers.

In the past, organizations did not see security as a major concern in relation to their supply chains. Because supply chain management systems were seen as a means to reduce overall operating costs and speed up supply chains, investing in security was viewed as not only cost prohibitive but also responsible for slowing down operations. But with greater global collaboration and commerce comes greater risk. The need for evaluating security vulnerabilities within the supply chain has become essential to succeed within the new business environment and achieve compliance with new regulations.

The new compliance mandates concentrate on three primary areas – security, privacy and corporate governance. They require companies to look beyond merely ensuring perimeter security to establishing a robust physical and logical security infrastructure that addresses the availability, accuracy and integrity of all systems, including supply chain activities. The increased security requirements span from identifying individuals who have access to systems (including suppliers, partners and customers) to integrating enterprise application data and protecting the sensitive information within the systems, all the while enabling the global collaboration necessary to compete in today’s business environment.

Companies must prove to the federal government, as well as to many state agencies and port authorities, that their security framework, administration and operations are in line with the new mandates.

Security. Companies must have applications and procedures in place that monitor and control access to building facilities and enterprise data, as well as tools and policies to counter any threats – internal and external.

Privacy. Companies must ensure the privacy and confidentiality of their customers’ information, including medical records, credit card information, bank accounts and other personal or financial data.

Corporate governance. Public companies are required to ensure the accuracy of their financial reporting, including the ability to demonstrate the integrity and access-control capabilities of the systems and applications used to generate financial reports.

According to Gartner, the regulations require increased levels of physical and logical security, including but not limited to:

  • User life cycle management. Organizations should have a process to provision identity, manage an individual’s privileges over their lifetime and ensure the removal of privileges when no longer necessary.
  • Authorization. The control of privileges an individual has must be clear, defined and able to be documented.
  • Remote user authentication and use. Authorized personnel accessing enterprise systems from outside a controlled perimeter should be required to verify identities using two-factor authentication.

Compliance Regulations: An Overview

One of the most striking aspects of the compliance regulations is how many of them are of recent origin. The drivers behind the legislation are often seen as a byproduct of corporate malfeasance and horrific terrorist acts of the early 21st century. Scandals, terrorist acts and security lapses that made the public vulnerable, however, are only part of the story. As global commerce and worldwide sourcing have boomed over the past decade, various branches of government have grown increasingly concerned about security and privacy. Many regulations directly impact how companies secure their physical and logical systems, oversee their administration and manage operations. The bottom line is that enhanced security is expected to play a major role in satisfying compliance. The following information, compiled from a variety of sources, provides a brief summary of the more critical legislation affecting global supply chains.

Sarbanes-Oxley Act

Most observers would agree that the Sarbanes-Oxley Act (SOX) is the single most important legislation affecting corporate governance, financial transparency and public accounting since the Securities Exchange Act of 1934. It is, moreover, a law that came into being in the glare of a very bright, very hot spotlight. Where markets were once dominated by trusting, long-term investors willing to wait for financial information in quarterly and annual reports, today’s markets move in real time, and twice-shy investors no longer believe that companies, and executives in particular, have their best interests in mind.

In the simplest of terms, SOX requires executives, auditors and board members to attest that policies and procedures are in place and working effectively and securely to ensure the accuracy of transactions and internal reporting processes. Although SOX currently impacts only publicly held corporations, many privately held companies that choose to partner with these affected organizations are being asked to follow suit or jeopardize future business relationships.

SOX specifically requires companies to have “appropriate controls” in place that demonstrate the security and integrity of the systems used to generate financial reports, such as ERP tools and supply chain management systems. Companies must be able to show the presence of user, system and application resource access controls and demonstrate the processes that monitor and correct lapses in the controls.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLB) is primarily known for its regulations regarding consumer privacy and protections, including the requirement that financial institutions notify consumers about their privacy policy and how they share customer information. Similar directives have been established outside of the U.S., such as the European Union Data Protection Directive, which focuses on the protection of an individual’s rights with respect to personal data that is subjected to any automatic processing.

GLB contains requirements affecting an organization’s security systems and applications. It requires financial institutions to ensure the security and confidentiality of customers’ personal information against what is termed “reasonably foreseeable” internal and/or external threats. For institutions providing online commerce, an infrastructure that assesses and monitors the environment and counters any potential threats must be established.

Federal Information Security Management Act

Expansive in scope, the Federal Information Security Management Act was enacted in response to concerns regarding cyber-security. The act requires federal agencies to develop, document and implement agencywide programs to secure data and information systems that support agency operations and assets, including collaborative partners and contractors. Agencies are subjected to annual tests, including evaluations of their IT security systems. With more than 1.4 million cyber-security incidents documented in 2003, many analysts believe the government will place even more stringent pressure on federal agencies to secure their IT infrastructure quickly.

Basel II Accord

Developed through the Basel Committee on Banking Supervision, the Basel II Accord is essentially a risk management mandate requiring proven IT security and administration. Its three primary pillars are minimum capital requirements, supervisory review and market discipline. Once the accord is finalized (implementation is expected by 2006), banking institutions will be required to reserve capital that can be utilized to cover operational risks, including those that may arise from inadequate internal processes or external events.

Health Insurance Portability and Accountability Act

The U.S. Health Insurance Portability and Accountability Act (HIPAA) was originally passed in 1996 to preserve insurance coverage for workers who change or lose their jobs, but over the past several years it has grown to include privacy clauses and security requirements. With the vast amount of patient medical information available online and in databases, this mandate sets forth new provisions requiring healthcare providers and insurance organizations to establish procedures to prevent, detect, contain and correct potential security violations. In addition, processes to monitor and control information system activity must be put in place.

Homeland Security Presidential Directive 12

Issued in August 2004, Homeland Security Presidential Directive 12 addresses the concern of inconsistent and potentially insecure forms of identification used to access federal buildings and information systems. Created to increase security, reduce identity fraud and increase efficiencies within the government, HSPD 12 establishes clear standards for secure and reliable identification used by federal employees and contractors. Credentials must be:

  • Issued based on sound criteria for verifying an individual’s identity;
  • Strongly resistant to identity fraud, tampering, counterfeiting and terrorist exploitation;
  • Rapidly authenticated electronically; and
  • Issued only by providers whose reliability has been established through an official process.

In response to HSPD 12, the National Institute of Standards and Technology made specific recommendations (in Federal Information Processing Standard 201, Personal Identity Verification) for the use of smart cards as the device that will provide the security and rapid electronic authentication required. These smart cards will contain multiple electronic credentials including cryptographic keys, personal identification numbers, biometric information and other data.

U.S. Customs Container Security Initiative

Born out of the horrific terrorist acts of Sept. 11, 2001, the U.S. Customs Container Security Initiative (CSI) attempts to extend the zone of security outward such that American borders are the last line of defense, rather than the first. It requires importers to provide detailed, accurate manifest information 24 hours prior to loading a shipment at the overseas origin port. Previously, authorities required such information only 96 hours before arrival at a U.S. port. According to the U.S. Department of Homeland Security, CSI consists of four core elements of security:

  • Use intelligence and automated information to identify and target containers that pose a risk for terrorism;
  • Screen those containers that pose a risk at the port of departure before they arrive at U.S. ports;
  • Use detection technology to quickly pre-screen containers that pose a risk; and
  • Use smarter, tamper-evident containers.

Customs-Trade Partnership Against Terrorism

Similar to previous efforts to restrict the flow of illegal drugs into the U.S., the Customs-Trade Partnership Against Terrorism is a joint government-business voluntary measure that facilitates the cross-border flow of cargo generated by shippers who participate. The volunteers agree to implement tight security programs at their facilities, which include best practices developed by U.S. Customs and the trade community, in exchange for expedited customs clearance and other shipping benefits. Recommendations cover the areas of physical security, access controls, procedural security, personnel security and education.

Good Security Equals Good Supply Chain Management

While at first blush, the compliance regulations may appear like legislative over-reach, many analysts agree the mandates are an opportunity for organizations to implement best practices within their supply chains – bringing about much needed reforms. Many of the new regulations call for changes that make good business sense. For example, what company would not want a more streamlined supply chain where critical production requirements flow securely to authorized individuals at the earliest possible moment? Or, how about implementing a more resilient shipping process that facilitates secure imports and prevents delays at customs?

At a recent security conference, Dr. Stephen Flynn, retired U.S. Coast Guard commander and author of America the Vulnerable, a book on homeland security, issued a warning: our adversaries “will use catastrophic terrorism as the weapon of choice.” Because they will adapt to exploit our vulnerabilities, supply chains must be both secure and resilient. Flynn rejected the notion of a trade-off between protection and flexibility: a system that is chaotic cannot be secured. A resilient infrastructure has deterrence value because it means the effects of an attack stay localized.

A good place for a company to begin implementing a more resilient security infrastructure as it relates to the supply chain is what Gartner calls the "four A's of security." An organization must first ensure users are properly identified and these identities are validated before they reach building facilities and supply chain management systems – authentication. Once identity is validated, the roles each user has must correlate to the access assigned within the enterprise – authorization. This information must be consolidated to provide a holistic view and an effective manner to manage user access – administration. Finally, security management must ensure all activities associated with user access are documented for monitoring, regulatory and investigative purposes – audit. With these processes in place, an organization will be able to conduct real-time enforcement and effective physical and logical security management across the supply chain.

Some of the most widely used new technologies to accommodate security compliance with regard to authentication include:

  • Tokens – small devices, which typically fit on a key chain, that display one-time passwords;
  • Smart cards – credit-card sized devices embedded with chips containing access permissions and other data; and
  • Biometrics – systems that involve analyzing an individual’s characteristics, such as faces, fingerprints or voices.

Although considered costly to implement, the more resilient security can also provide significant productivity gains and cost savings in terms of support. With close to 30 percent of tech support calls related to employees needing to reset passwords, the time saved alone is more than enough to justify such an investment.

Monsanto, with over 6,700 global collaborators requiring access to some aspect of the enterprise resources, demonstrated the need to gain control of the network to meet compliance requirements. It originally relied on a password management system provided by MCI, its Internet access provider, and remote access became a substantial vulnerability. Passwords were difficult to change, and individuals who no longer worked with Monsanto were not always deleted from MCI’s role tables.
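The failure described above (leavers never removed from the provider's role tables) is exactly what the "user life cycle management" item in the Gartner list is meant to prevent. The following is an added example, not code from the article or from Monsanto, ActivCard or MCI: a reconciliation that compares an authoritative roster of active people and their entitled roles against what an access system actually grants, and reports orphaned accounts, excess privilege and dormant accounts. All names, roles and dates are constructed sample data, and the 90-day dormancy threshold is an assumed policy value.

```python
"""Access-list reconciliation for user life cycle management (added example).

Compares an HR roster (who is still active and which roles they are entitled to)
against an access system's role table, and reports three classes of finding:
  orphan           - account exists but the person is no longer on the roster
  excess_privilege - account holds roles beyond what the roster entitles
  dormant          - account has not logged in for longer than the policy allows
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    user: str
    roles: frozenset
    last_login: date


# Constructed sample data (hypothetical): active people and the roles each is entitled to.
HR_ROSTER = {
    "alice": frozenset({"supplier_portal"}),
    "bob": frozenset({"supplier_portal", "erp_read"}),
    "dana": frozenset({"erp_read"}),
}

# Constructed sample data (hypothetical): what the access provider's role table actually grants.
ACCESS_TABLE = [
    Account("alice", frozenset({"supplier_portal"}), date(2004, 6, 1)),
    Account("bob", frozenset({"supplier_portal", "erp_read", "erp_admin"}), date(2004, 6, 3)),
    Account("carol", frozenset({"supplier_portal"}), date(2003, 11, 20)),  # left, never removed
    Account("dana", frozenset({"erp_read"}), date(2003, 9, 2)),  # still employed, but unused
]


def reconcile(roster, access, today, dormant_days=90):
    """Return a list of (finding, user, detail) tuples, one per discrepancy found."""
    findings = []
    for acct in access:
        entitled = roster.get(acct.user)
        if entitled is None:
            # Nobody on the roster owns this account: it should have been deprovisioned.
            findings.append(("orphan", acct.user, sorted(acct.roles)))
            continue
        excess = acct.roles - entitled
        if excess:
            # Privilege drift: roles granted that the authoritative source never approved.
            findings.append(("excess_privilege", acct.user, sorted(excess)))
        idle = (today - acct.last_login).days
        if idle > dormant_days:
            # Unused standing access is a target for abuse; flag it for review or suspension.
            findings.append(("dormant", acct.user, idle))
    return findings


def run_review(today=date(2004, 7, 1)):
    """Run the review over the constructed data as of an assumed review date."""
    return reconcile(HR_ROSTER, ACCESS_TABLE, today)


if __name__ == "__main__":
    for finding, user, detail in run_review():
        print(f"{finding:17} {user:8} {detail}")
```

In practice the roster comes from the HR system and the access table from each directory or partner portal; the value of the check is that it runs on a schedule against every system that holds a role table, including ones operated by a provider, so that a leaver's account cannot quietly persist.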

A token-based system was chosen. Tokens are either software built into employee computers, transmitting a numerical passcode each time the individual connects, or separate hardware devices carried by remote users and global collaborators. Because the tokens generate a new numerical passcode each time a user connects, a passcode captured by spyware is useless for a later login; it does not, by itself, protect a session that an attacker hijacks while it is in progress.
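To make concrete why a captured passcode cannot be replayed, here is an added example (not code from the article, ActivCard or Monsanto, and the article does not say which algorithm Monsanto's tokens used): an event-based one-time passcode token implemented with HOTP (RFC 4226, a standard published after this article), alongside a verifier that tracks the last accepted counter. The shared secret is the RFC 4226 test-vector key, used here only so the outputs can be checked; a real deployment provisions a random per-token secret. The look-ahead window of five is an assumed policy value.

```python
"""Event-based one-time passcode token (HOTP, RFC 4226) with a replay-rejecting verifier.

Added example. The token and server share a secret and a counter; each press of the
token emits HMAC-SHA1(secret, counter), dynamically truncated to 6 digits, and advances
the counter. The server accepts a code only if it matches a counter at or ahead of the
last accepted one, so a code captured from an earlier login can never be reused.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The device: each press yields a fresh passcode and moves the counter forward."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Verifier:
    """Server side: remembers the next counter it will accept for this token."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window          # assumed policy: tolerate up to 5 presses never submitted
        self.next_counter = 0

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # this counter and everything before it is now dead
                return True
        return False                        # no match in the window: wrong code or a replay


def demo():
    """Walk through a login, a replay of the captured code, a lost press and a stale code."""
    secret = b"12345678901234567890"    # RFC 4226 test-vector key, for checkable output only
    token, server = Token(secret), Verifier(secret)
    first = token.press()
    accepted = server.verify(first)     # genuine login
    replayed = server.verify(first)     # same code captured by spyware and sent again
    lost = token.press()                # user pressed the button but never submitted it
    third_ok = server.verify(token.press())   # next press still accepted via the window
    stale_ok = server.verify(lost)      # the skipped code is now behind the counter
    return first, accepted, replayed, third_ok, stale_ok


if __name__ == "__main__":
    print(demo())
```

The verifier's counter is the whole defense: a passcode is a function of a counter the server will never consult again once it has accepted a later one. What the scheme does not do is bind the passcode to the session, which is why an attacker who relays the code in real time, or who takes over the authenticated connection afterwards, is outside its threat model.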

The new token-based security system has helped Monsanto save approximately $500,000 per year. The company has not only been able to cancel its expensive dedicated network lines, but securely move business processes online, extend the corporate boundary beyond the four walls of the enterprise and improve its internal controls as mandated by SOX.

The Agile Supply Chain

The supply chain is one of the last frontiers from which to reduce operational costs. Flexible, agile supply chains enable greater connectivity and collaboration between business partners. Done right, this can improve operational effectiveness, customer service and, ultimately, profitability.

But with greater connectivity and collaboration comes greater risk. Enterprise application security and facility access are obvious risks, as is the risk to the availability, accuracy and integrity of the data that is transferred between partners. It has become imperative to the success of an organization to comprehend and assimilate the security regulations in a manner that ensures both compliance and the future of the business. Each organization will have different requirements and processes to create a comprehensive security infrastructure. The trick lies in identifying how to keep the supply chain nimble while tightening up security. Although difficult, organizations will be galvanized into making long-awaited process improvements within the supply chain.


About the Author
Title: 
President and Chief Strategy Officer
ActivCard Corporation
Yves Audebert is president and chief strategy officer at ActivCard. Mr. Audebert co-founded ActivCard in 1985 and has guided the company toward continued growth and leadership in government and enterprise deployments, including the U.S. Department of Defense, pioneering technology for some of the world’s largest smart card deployments. Before founding ActivCard, Mr. Audebert developed international defense systems for Thomson-CSF. He holds an engineering diploma from Ecole Polytechnique de Paris and an advanced diploma from the Ecole Supérieure des Télécommunications.
