338 Part Two Information Technology Infrastructure
little time to respond between the time a vulnerability and a patch are announced
and the time malicious software appears to exploit the vulnerability.
8.2 BUSINESS VALUE OF SECURITY AND CONTROL
Many firms are reluctant to spend heavily on security because it is not directly
related to sales revenue. However, protecting information systems is so critical
to the operation of the business that it deserves a second look.
Companies have very valuable information assets to protect. Systems
often house confidential information about individuals’ taxes, financial
assets, medical records, and job performance reviews. They also can contain
information on corporate operations, including trade secrets, new product
development plans, and marketing strategies. Government systems may
store information on weapons systems, intelligence operations, and military
targets. These information assets have tremendous value, and the repercussions
can be devastating if they are lost, destroyed, or placed in the wrong
hands. Systems that are unable to function because of security breaches,
disasters, or malfunctioning technology can permanently impact a company’s
financial health. Some experts believe that 40 percent of all businesses will
not recover from application or data losses that are not repaired within three
days (Focus Research, 2010).
Inadequate security and control may result in serious legal liability.
Businesses must protect not only their own information assets but also those
of customers, employees, and business partners. Failure to do so may open the
firm to costly litigation for data exposure or theft. An organization can be held
liable for needless risk and harm created if the organization fails to take appropriate
protective action to prevent loss of confidential information, data corruption,
or breach of privacy. For example, BJ’s Wholesale Club was sued by the
U.S. Federal Trade Commission for allowing hackers to access its systems and
steal credit and debit card data for fraudulent purchases. Banks that issued the
cards with the stolen data sought $13 million from BJ’s to compensate them for
reimbursing card holders for the fraudulent purchases. A sound security and
control framework that protects business information assets can thus produce a
high return on investment. Strong security and control also increase employee
productivity and lower operational costs.
LEGAL AND REGULATORY REQUIREMENTS FOR ELECTRONIC RECORDS MANAGEMENT
Recent U.S. government regulations are forcing companies to take security
and control more seriously by mandating the protection of data from abuse,
exposure, and unauthorized access. Firms face new legal obligations for the
retention and storage of electronic records as well as for privacy protection.
If you work in the health care industry, your firm will need to comply with the
Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA
outlines medical security and privacy rules and procedures for simplifying the
administration of health care billing and automating the transfer of health care
data between health care providers, payers, and plans. It requires members of
the health care industry to retain patient information for six years and ensure
the confidentiality of those records. It specifies privacy, security, and electronic
transaction standards for health care providers handling patient information,
MIS_13_Ch_08 Global.indd 338 1/17/2013 3:10:20 PM