
Informatica's Security FAQ

If you can't find an answer to your most pressing security question amongst the 10 listed below, all you have to do is ask.
1. How can we work security into a tight IT budget?

Security is not an IT problem, it is a business issue. As such, security thinking must take place in the boardroom, not in the server room. Every organization needs to identify its valuable information assets and create plans to protect them just as it plans any other critical business activity.

If you find yourself trying to address an important security issue, try to create a plan for lasting change, not just a one-time patch. Identify what you seek to protect and enlist the help of specialists to determine potential threats and risk mitigation strategies. Operationalize these strategies by converting them into procedures and enforced policies. Finally, communicate them to all employees through an effective security awareness program.
2. What are the top issues and can we deal with them all at once?

The top security issues you are likely to encounter vary from one business to the next. Each organization has information assets that face different types of risk, from theft to privacy breaches, from unauthorized disclosure to transactional integrity.

Information security problems are either accidental or intentional in nature, and the current climate indicates a tremendous growth in malicious activity for financial gain. Each organization faces such risks, but they need to be identified by management in conjunction with experienced security professionals. Once the risks are understood, a strategy or security program can be put in place to effectively mitigate them.
3. How can we STAY secure?

You need to implement an ongoing security program that anticipates emerging threats and operationalizes risk mitigation strategies. Security has as much to do with people as it does with technology, so any effective program needs to involve training and awareness.

Your program needs to be specifically designed for your company, its assets and the threats that are likely to affect them. Just as importantly, it needs to evolve along with the threats themselves, the business and its company culture.
4. Is security a money pit, or can it help GROW our business?

Much like IT, information security is considered by most companies to be a cost centre. Security-savvy organizations, however, also calculate security ROI based on specific metrics and key performance indicators, verifiably reducing their risk exposure at set intervals and providing auditable results to demonstrate security compliance.

Your company can leverage security investments to reduce security incidents, insurance costs and productivity loss. Demonstrating a genuine focus on security can also have a very positive effect on your company's bottom line, by boosting its credibility and customer confidence and by acting as a strong competitive differentiator.
5. How can we tell hype from reality when it comes to security?

Security has long been in danger of becoming a meaningless buzzword. Companies are trumpeting security along with their products and services to gain customer trust. Unfortunately, many are going about it the wrong way, leading to a false sense of security and potentially damaging their own credibility.

Informatica Research has found that in as many as 60% of such products and services on the market, security clauses are misleading or simply untrue. The most common case is an unclear claim of data confidentiality that leads customers to believe their data is completely protected, when in fact that is true for only a small portion of the entire transaction. To help avoid such dangerous situations, both clients and service providers need to consult security experts to identify threats and outline the steps involved in mitigating the risk in a way that is both clear and accurate.
6. We think we're secure, can you prove us wrong?

If your company has achieved a high level of security awareness among its staff; continually educates management and IT employees about evolving security risks; reviews strategy, policies and procedures on a regular basis; successfully carries out recurring security audits and assessments; has achieved industry and regulatory compliance; has dedicated information security professionals on staff and independent experts for support; monitors security incidents and events in real time; has effectively mitigated risks to all information touch points such as the Web, email, wireless, mobile and teleworkers; has legally and technically enforced its policies upon suppliers and customers; has designed incident response and business continuity planning into its operations; and addresses information risks as part of all management and board meetings... then no, we can't.
7. We're strapped for cash and tight on time. What's the most important thing we can do RIGHT NOW that will give us the most protection and last the longest?

As stated before, security can't be treated as an afterthought or a quick fix. The reason is not to create opportunities for security companies to milk their clients but to avoid the biggest risk of all: a false sense of security. Because of the great liabilities associated with security threats, privacy and compliance issues, security should never be taken lightly.

With that in mind, we strongly believe that beyond basic network and computer security protection, the most effective investment is in people. By creating a clear security strategy, documenting strong policies, enforcing effective procedures and keeping employees informed, the loop is closed and every employee in the organization is a trusted part of an intelligent network that will actively protect the company and its assets for a long time.

The most affordable and effective such training program is our own Security Awareness Certification, a 3-hour online program that exposes every employee to security issues and ways to mitigate the risk.
8. There's a note about security in everything we buy, and we try to keep it in mind at work. Why do we need more security?

As mentioned in #5, security is relative, and consumers really need to understand what it means for a bank to claim the security of its online service or for an Internet provider to offer PC confidentiality or privacy.

Being aware of security risks is a good first step, but unless your company has access to independent experts whose sole occupation is to keep track of emerging security threats and find ways to mitigate them, relying on product packaging is a very risky strategy.
9. You always refer to information security? Isn't the term IT security?

Terms such as computer security or IT security are very common and straightforward, but they are not synonymous with information security. Information lives in filing cabinets, in people's wallets, in bank ATMs, in corporate phone and voice mail systems, in factory machinery, in the 'pipes' that carry Internet emails, in the wireless transmissions that surround us and just about anywhere else. IT and computer security professionals do not pretend to protect information assets in all their forms.

This simply means that to secure your information you need to know where it is, how it travels and how it needs to be protected. It is unrealistic and dangerous to believe that anyone but an information security expert can provide an adequate picture of risk and vulnerability.
10. What differentiates Informatica from other consulting companies?

As mentioned previously, we focus on the business problem of protecting information assets. Although this topic encompasses IT security, it involves more interaction with people, analysis of internal processes and streamlining of technology controls. Such activities involve all departments, layers of security including physical and legal, as well as project-based and ongoing activities that constitute effective security management.

Informatica's certified information security experts are trusted advisors to managers and executives, helping to shape security strategy along with business operations. Informatica is an information security service provider, offering assurance through security audits and assessments, proprietary and standard methodologies, compliance analysis, training and awareness, best-of-breed products and turnkey solutions, and security research and development.