Chapter 8 Securing Information Systems 353
over the past few years, the cloud services of Amazon.com and Salesforce.com
experienced outages that disrupted business operations for millions of users
(see the Chapter 5 ending case study).
Cloud users need to confirm that regardless of where their data are stored,
they are protected at a level that meets their corporate requirements. They
should stipulate that the cloud provider store and process data in specific
jurisdictions according to the privacy rules of those jurisdictions. Cloud clients
should find out how the cloud provider segregates their corporate data from those
of other companies and ask for proof that the encryption mechanisms are sound.
It’s also important to know how the cloud provider will respond if a disaster
strikes, whether the provider will be able to completely restore your data, and
how long this should take. Cloud users should also ask whether cloud providers
will submit to external audits and security certifications. These kinds of controls
can be written into the service level agreement (SLA) before signing with a
cloud provider.
Securing Mobile Platforms
If mobile devices are performing many of the functions of computers, they
need to be secured like desktops and laptops against malware, theft, accidental
loss, unauthorized access, and hacking attempts.
Mobile devices accessing corporate systems and data require special
protection. Companies should make sure that their corporate security policy
includes mobile devices, with additional details on how mobile devices should
be supported, protected, and used. They will need mobile device management
tools to authorize all devices in use; to maintain accurate inventory records on
all mobile devices, users, and applications; to control updates to applications;
and to lock down or erase lost or stolen devices so they can’t be compromised.
Firms should develop guidelines stipulating approved mobile platforms and
software applications as well as the required software and procedures for
remote access of corporate systems.
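The MDM functions listed above (authorizing enrolled devices, keeping an inventory of devices, users and applications, and wiping lost or stolen devices) amount to evaluating each inventory record against the corporate mobile policy. The following is an added example, not code from the textbook or from any MDM product: the policy rules, the device record fields and the sample inventory are all constructed for illustration, and a real MDM product uses its own schema and issues the lock or wipe command itself.

```python
"""Evaluate a mobile-device inventory against a corporate mobile policy.

Added example (not from the textbook). Policy rules, Device fields and the
sample inventory are constructed; a real MDM keeps its own schema and
performs the actual lock/wipe.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    platform: str            # e.g. "ios", "android"
    os_version: str          # dotted string, e.g. "16.4.1"
    passcode_set: bool
    storage_encrypted: bool
    enrolled: bool           # registered with the MDM, i.e. an authorized device
    reported_lost: bool
    apps: Tuple[str, ...]    # application identifiers installed on the device


# Constructed policy: approved platforms with their minimum OS version,
# and the application identifiers allowed to touch corporate data.
POLICY = {
    "min_os": {"ios": "16.0", "android": "13"},
    "approved_apps": {"com.example.mail", "com.example.vpn", "com.example.docs"},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '16.4.1' into (16, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def version_at_least(actual: str, minimum: str) -> bool:
    """True if actual >= minimum; shorter tuples are zero-padded so '13' == '13.0.0'."""
    a, m = parse_version(actual), parse_version(minimum)
    n = max(len(a), len(m))
    return a + (0,) * (n - len(a)) >= m + (0,) * (n - len(m))


def evaluate(device: Device, policy=POLICY) -> Tuple[str, List[str]]:
    """Return (action, reasons) for one inventory record.

    action is 'wipe'  (reported lost/stolen: erase corporate data now),
              'block' (deny access to corporate systems until fixed), or
              'allow' (compliant).
    Wipe takes precedence: a lost device that is otherwise compliant must
    still not keep corporate data.
    """
    if device.reported_lost:
        return "wipe", ["device reported lost or stolen"]
    reasons: List[str] = []
    if not device.enrolled:
        reasons.append("device not enrolled in MDM")
    min_os = policy["min_os"].get(device.platform)
    if min_os is None:
        reasons.append(f"platform {device.platform!r} not approved")
    elif not version_at_least(device.os_version, min_os):
        reasons.append(f"OS {device.os_version} below minimum {min_os}")
    if not device.passcode_set:
        reasons.append("no passcode/screen lock")
    if not device.storage_encrypted:
        reasons.append("storage not encrypted")
    unapproved = sorted(set(device.apps) - policy["approved_apps"])
    if unapproved:
        reasons.append("unapproved apps: " + ", ".join(unapproved))
    return ("block" if reasons else "allow"), reasons


def evaluate_inventory(devices) -> Dict[str, Tuple[str, List[str]]]:
    """Map every device_id in the inventory to its (action, reasons)."""
    return {d.device_id: evaluate(d) for d in devices}


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    Device("d1", "alice", "ios", "16.4.1", True, True, True, False, ("com.example.mail",)),
    Device("d2", "bob", "android", "12.1", True, True, True, False,
           ("com.example.vpn", "com.games.flappy")),
    Device("d3", "carol", "ios", "17.0", True, True, True, True, ("com.example.docs",)),
    Device("d4", "dave", "windowsphone", "8.1", False, True, False, False, ()),
]

if __name__ == "__main__":
    for dev_id, (action, reasons) in evaluate_inventory(SAMPLE_INVENTORY).items():
        print(dev_id, action, "; ".join(reasons))
```

Running it flags d1 as compliant, d2 as blocked for an outdated OS and an unapproved app, d3 for wiping because it was reported lost even though it passes every other check, and d4 as blocked on three counts (not enrolled, unapproved platform, no passcode). The version comparison is deliberate: comparing "12.1" and "13" as strings would wrongly pass a device on a version 9 release against a minimum of 13.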
Companies should encrypt communication whenever possible. All mobile
device users should be required to use the passcode (screen-lock) feature found
in every smartphone. Mobile security products are available from Kaspersky,
Lookout, and DroidSecurity.
Some companies insist that employees use only company-issued
smartphones. BlackBerry devices have traditionally been considered the most
secure because they run within their own closed, centrally managed platform. But, increasingly, companies are
allowing employees to use their own smartphones, including iPhones and
Android phones, for work, to make employees more available and productive
(see the Chapter 5 discussion of BYOD). Protective software products, such as
the tools from Good Technology, are now available for segregating corporate
data housed within personally owned mobile devices from the device’s
personal content.
ENSURING SOFTWARE QUALITY
In addition to implementing effective security and controls, organizations
can improve system quality and reliability by employing software metrics
and rigorous software testing. Software metrics are objective assessments of
the system in the form of quantified measurements. Ongoing use of metrics
allows the information systems department and end users to jointly measure
the performance of the system and identify problems as they occur. Examples