
How Do We Get Information to the Right Place?

From the document Successful Information Systems (pages 46-50)

30 BUILDING SUCCESSFUL INFORMATION SYSTEMS

Security Issues

Clearly, the biggest issue we should have with “always-on” data is the vulnerability it creates for our information systems. Data that is always accessible from the web is also always available to be hacked. Understanding what is needed, when, and by whom allows us to manage what data is made available, who can access it, and how that access can occur. Once we know that, we can create verification systems, checkpoints, monitoring systems, and tracking capabilities to ensure that access to the data is controlled and limited only to those with a need for it.

A simple example of this might be personnel records. It is obvious that these records contain sensitive data that needs to be tightly controlled. Why then, would a company allow access to these records 24 hours a day, 7 days a week? Most companies wouldn’t. However, if the records are stored in an enterprise database that is accessible by other applications on a 24 × 7 basis, the records are technically accessible and subject to hacks.

A better way would be to store the records on a physically separate server that is removed from the network in the evenings and on weekends. Logging (tracking of users and data flow) should be turned on and monitored to ensure unusual activity (e.g., personnel records being accessed at 3:00 am on weekends) is quickly reported.

Lack of Control

The other issue with always-available data is lack of control. If secure corporate data is available everywhere, then we either need to build a firewall around the entire world or understand that data will exist that is beyond the control of our enterprise security. This doesn’t necessarily mean that the data is available to anyone who wants it. Rather it means that we need to consider alternatives to traditional in-house servers and firewalls as ways of securing key data. One really important aspect is understanding that it is the data, not the infrastructure, that needs to be secured. We do not, and cannot, control the cloud. However, we can track, monitor, and limit the access to our data that resides there. While in its infancy, cloud-based security has matured rapidly and has provided decent (and improving) protection of key data—provided we have a strategy in place for identifying what data is allowed on the cloud and for what purpose.

Misrepresentation of Information

One of the key issues that arises as we try to push real-time delivery of data is the increasing possibility of misrepresentation of information. This occurs most often when data is converted to information for reports, for example, and in the interest of speed, the reports are not checked for accuracy. This can result in some amazing errors. Recent examples include news agencies reporting the death of various celebrities while they were still alive, and the “flash crash” on Wall Street due to a slipped decimal point.

On a corporate level, many organizations have made drastic strategic and operational decisions based on what they believed was accurate information, only to find that the underlying data were estimates, or worse, placeholders, in a draft report that was waiting for updated numbers.

Remember, the information system can only provide information based on the data that has been input into the system. Environmental changes, especially unexpected ones, can cause the information (while it is accurate based on the data in the system) to be wildly inaccurate. This can lead to poor, and sometimes catastrophic, decisions by management as they attempt to “manage from the data” rather than using the information as one part of the decision-making process.

For the C-Suite

To deliver the right data to the right place, we need to know:

• What data is needed: developing a data-ranking strategy is the key. You should develop a corporate-wide ranking system that designates data on a scale from public to mission critical (see example below).

• Why is it needed: all data should serve a purpose which should be tied to the organization’s strategy, goals, and objectives. Data collection simply for the sake of data collection should be discouraged and minimized as much as possible.


• What are the security parameters related to the location: where can the data be accessed and how can the access occur? For mission critical data, access should be limited to onsite access. Key reports that do not contain complete listings of mission critical data may be made available off site, but access can only be given to key personnel who possess the appropriate security credentials.

• How often it is needed: is the data needed 24 × 7? If so, by whom and why? Develop a matrix of who needs the data, by person and position, and the hours of operation of each of these. For instance, an assistant HR person rarely needs access to personnel files at 3:00 am on a Sunday morning.

• How fresh the information needs to be: do you really need the data available to the entire organization around the world 5 seconds after it is created? Remember, with freshness comes cost and the possibility of incorrect information. Timeliness is important, but not at the expense of accurate data.

A sample data classification ranking system might look like the following.¹

Rank Description

Level 1 Data that would severely damage the company, if compromised. Could result in legal action against the company, if made public. Includes accounting data, personnel information, intellectual property, etc.

Level 2 Data that would compromise the competitive nature of the organization, if compromised. Examples might include strategic plans, pricing strategies, new product rollout strategies, etc.

Level 3 Data that is maintained by the company as private, but which would not cause serious harm to the company if made public. Examples might include daily production schedules, upcoming press releases, non-critical meeting notes, etc.

Level 4 Public data. Data that is currently available to the public through internet searches, government filings, etc.
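The who/when matrix, the onsite-only rule for mission critical data, and the log monitoring described under Security Issues can be combined with the four-level ranking into one check. The following is an added example, not taken from the book; the role names, hours, log line format and sample log entries are all constructed assumptions.

```python
from datetime import datetime, time

# Constructed access matrix: per role, the most sensitive rank it may read
# (Level 1 = most sensitive, Level 4 = public) and its hours of operation.
ACCESS_MATRIX = {
    "hr_assistant":    {"min_level": 1, "days": range(0, 5), "start": time(8), "end": time(18)},
    "plant_scheduler": {"min_level": 3, "days": range(0, 6), "start": time(6), "end": time(22)},
}

def evaluate(role, level, onsite, when):
    """Return (decision, reasons) for one access attempt."""
    if level == 4:
        return "allow", []                      # public data needs no gate
    entry = ACCESS_MATRIX.get(role)
    if entry is None:
        return "deny", ["role not in access matrix"]
    reasons = []
    if level < entry["min_level"]:
        reasons.append("data rank above role clearance")
    if level == 1 and not onsite:
        reasons.append("Level 1 data is onsite-only")
    in_hours = (when.weekday() in entry["days"]
                and entry["start"] <= when.time() < entry["end"])
    if not in_hours:
        reasons.append("outside role's hours of operation")
    return ("deny" if reasons else "allow"), reasons

def review_log(lines):
    """Parse 'timestamp user role level site' lines and return denied attempts as alerts."""
    alerts = []
    for line in lines:
        ts, user, role, level, site = line.split()
        decision, reasons = evaluate(role, int(level), site == "onsite",
                                     datetime.fromisoformat(ts))
        if decision == "deny":
            alerts.append((ts, user, reasons))
    return alerts

# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2024-03-05T10:15:00 asmith hr_assistant 1 onsite",     # Tuesday, working hours
    "2024-03-10T03:00:00 asmith hr_assistant 1 offsite",    # Sunday, 3:00 am
    "2024-03-06T09:00:00 bjones plant_scheduler 2 onsite",  # rank above clearance
    "2024-03-09T23:30:00 bjones plant_scheduler 4 offsite", # public data
]

if __name__ == "__main__":
    for ts, user, reasons in review_log(SAMPLE_LOG):
        print(ts, user, "; ".join(reasons))
```
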
