Developing a Computer =
Proposal for Small Businesses - How to Start
It has been widely reported that=20 computerization has played a significant role in the current = economic=20 expansion. It is also understood that small businesses are the = backbone of=20 the economy: small businesses "represent 99% of all employers, = employ 52%=20 of all private workers, and provide 51% of the private sector = output." By=20 extension, small business computer automation is playing a vital = role in=20 the economic expansion. However, when it comes to systems = management in=20 general, and systems security in particular, small businesses are = ill=20 prepared to deal with the challenges that increased automation and = increased connectivity bring.
Our computer systems are under = siege. Systems=20 managers are under increasing pressure to secure their systems = from=20 outside attack. The attacks reach into the business via electronic = mail=20 messages, malicious web sites, and exploits of newly found holes = in=20 standard business software. Large and mid-sized companies are = hiring all=20 the available, qualified security professionals at an increasing = rate.=20 Further, the salaries that security professionals command are = increasing=20 at a rate higher than the rest of the IT industry.
The problems are magnified in = smaller=20 companies. Systems managers employed at smaller companies are = often not as=20 well trained and are less experienced than their counterparts in = larger=20 organizations. Often, in very small organizations, systems = management=20 tasks are assigned to non-technical staff. The typical systems = manager at=20 a small business also may be responsible for duties other than = systems=20 management.
How can a systems manager at a = small business=20 IT shop convince management that the business is at risk, and the = business=20 systems need to be secured - all without blowing the entire = corporate=20 budget? This paper will help systems managers with limited = business=20 experience focus their requests for security funding.
Step 1. Identifying the = Risks
Part of any good security = assessment is an=20 overall assessment of the systems in use at a business. = First, the=20 systems manager should list the different applications that are = available=20 to the business, then begin to rank them in order of importance to = the=20 business. For example, if the company in question is a small = e-commerce=20 shop, then the company’s web site and, possibly, its product = database=20 should rank higher on the priority list than the companies word = processing=20 system. However, if the company’s internal office automation = suite is used=20 to generate consulting revenues, then it may rank higher than the = static,=20 display only, web server.
Step 1 also helps reinforce the = concept that=20 the computer systems in place at the company are a means to an = end, not=20 an end in themselves. In the proposal, it is important to = emphasize=20 this phase of the process. It forces the systems manager to speak = in=20 business terms that senior management understands. The focus = should be on=20 the highest risk items, namely, the most mission critical=20 applications.
Determining what constitutes a = mission critical=20 application is not as easy as it sounds. The complexity of systems = and the=20 interconnectedness between these systems increases geometrically = with the=20 overall size of the organization. In this case, the small business = systems=20 manager has an advantage in that his or her span of systems tends = to be=20 much smaller. There are several tools available to help systems = managers=20 determine what constitutes a mission critical system. One of these = is the=20 Critical Infrastructure Assurance Office’s (CIAO) = Infrastructure Asset=20 Evaluation Survey. While this document is written for large = federal=20 government agencies, the methodology can be scaled down to the = small=20 business.
Step 2. Identifying the=20 Platforms
Once the mission critical = applications are=20 identified, the systems manager should identify the various = hardware and=20 software platforms that need to be secured. This may sound simple, = but it=20 forces the systems manager to enumerate the various component = pieces of=20 each vulnerable application. Some systems managers at small = companies may=20 not know that the mission critical XYZ application is built = around=20 a particular type of database. This is a constant dilemma with = systems=20 managers at smaller organizations. More technical knowledge may be = required to understand and enumerate the various components of a = given=20 application than is required for the systems manager’s = normal job duties.=20 This is a particular problem when system management duties are = assigned to=20 other individuals in the business. All that the systems manager = may know=20 about a particular application is that when application XYZ has = problems,=20 he or she is supposed to call in the consultant or vendor that = deployed=20 the application for the company.
Step 2 forces the systems manager = to become=20 more familiar with the inner workings of each mission critical=20 application. Frequently, this requires lengthy telephone sessions = with=20 various software vendors or applications consultants. This step = helps the=20 systems manager build skills and contacts in dealing with vendors = and=20 their support staff.
Step 3. Identifying the Current=20 Vulnerabilities
In this step the systems manager = uses various=20 resources to check for known vulnerabilities in the component = pieces of=20 each mission critical application. Step 3 serves two purposes: It = helps=20 the systems manager find fixes or patches for the known = vulnerabilities,=20 and it opens up a community of like-minded users to the systems = manager.=20 The systems manager can draw on this community to find current = best=20 practices, recommended tools, and other resources. A major = component of=20 this step includes a risk management analysis. During the = investigation,=20 systems managers need to ask themselves several questions for each = of the=20 vulnerabilities. A good starting point for this can be found in=20 Critical Infrastructure Assurance Office’s (CIAO) = Practice for Securing=20 Critical Information Assets. In this document, the risk = analysis=20 includes the following questions:
Step 4. Identifying the Best = Practices to=20 Cover the Vulnerabilities
Through the research in Step 3, = systems=20 managers should develop a list of best practices that are specific = to=20 their application mix and the components of each of the = applications.=20 These best practices can include specific products, such as = anti-virus=20 software, recommended patches for operating system = vulnerabilities, or=20 specific checklists in securing specific types of = systems.
During this step, systems managers = should work=20 backward to apply what they find in Step 4 to the vulnerabilities = found in=20 Step 2. Further, these best practices should be prioritized based = on the=20 risk analysis and the relative weight given to each mission = critical=20 application identified in Step 1.
The number of resources available = to help=20 systems managers with this step is increasing at a rapid pace. = There are=20 web site clearing houses for newly discovered systems = vulnerabilities as=20 well as Internet mailing lists and newsgroups that can help the = systems=20 manager with this step. Two of the most notable sites follow: =
Step 5. Identifying the Costs = for Each of=20 the Best Practices
Some of the best practices will not = have an=20 apparent cost. It is important for systems managers to understand = that=20 their time is a high-cost component. Systems managers must = remember=20 that the cost of performing a particular task also has an = opportunity cost=20 for not doing something else. For example, if a systems = manager=20 needs to choose between purchasing an automated tool that performs = a=20 security task that the manager could do manually, the manager must = also=20 include the actual labor cost and the lost opportunity cost = into=20 the equation. There are no hard and fast rules for this, = particularly in=20 the small-business realm where systems managers may play multiple = roles.=20 It is important for systems managers to ask two questions: Is what = I’m=20 doing right now adding value to the company? If not, = is=20 there some tool or utility that can do this job for me, so I can = focus my=20 efforts on value-added tasks? Sometimes spending a few dollars can = pay=20 back big dividends in timesavings for the systems manager. This = type of=20 cost justification can really help when writing the funding=20 proposal.
Step 6. Make the = Case.
Now that the systems managers are = armed with=20 the facts, they can go forward and begin the request process. A = few gentle=20 reminders:
Final = Considerations
These steps can be modified to work = with almost=20 any information technology purchase that the small business = systems=20 manager may need. The key concept to remember is that the systems = manager=20 is developing a business case for the purchase.
1 Business Technology =
JBMA/BTA Annual Meeting, July 13, 1999
2 United States Small =
Association, Small Business Week 2000 (25 February 2000)
3 Lohr, Steve, "Computer =
Respect of Economists," New York Times on the Web, April 14, =
4 Berkowitz, Steven, =
Accountant’s Role in Enhancing Computer Security," January =
5 SANS, "1999 SANS =
and Security Administration Salary Survey," December 1999
6 Critical =
Office, "Practices for Securing Critical Information Assets," =
9 Turisco, Fran, =
Investments Justify the Purchase… Realize the Value, " =