Friday, July 25, 2014

Unit 5 - Department of Energy Information Breach



There have been many information security breaches in the past few years. As information becomes more easily accessible and stored, it becomes easier to steal. The one this blog will focus on is the breach at the Department of Energy (DOE) of the United States. Some breaches affect the clients of the business, but this one affected the employees, dependents, and contractors. Through access to a human resources network, information such as Social Security numbers and dates of birth was stolen from a total of over 104,000 people. Between 2011 and 2013, the Department of Energy was hacked three times. This breach was one that could have been avoided. The department used Social Security numbers for purposes where they were not necessary. Also, there were not enough security measures put in place for a system that was known to be vulnerable. Basically, the information was out there for the taking for anyone interested in trying hard enough. Once the breach happened, it was difficult to find out which section of the institution was at fault and who was responsible for fixing it.

Looking at the McCumber cube, the areas where the DOE had vulnerabilities can be identified.


The network was already noted to be insecure, but the department did not take the necessary measures to protect the individuals in the database. It may have kept the information safe during transmission, but once it reached storage it was available for anyone who wanted it. The storage site was not a safe one. According to the cube, the information has to be available only to authorized people and is to be kept confidential. From our research, other people without access could get the personal information. Direct internet access to the database's sensitive information was allowed without appropriate security controls, making access to the confidential information easier than accessing the DOE's email. The biggest security countermeasure failure was not following policy and practice. It was Federal policy that Social Security numbers were not to be used frequently, and if one was used, it needed to be stored as a partial number. Another Federal policy that was violated was the policy to encrypt personally identifiable information (PII). Both of the policies were in place by the Federal government but were not practiced by the DOE, leading to the security breach.

Security planning is an important aspect of information security. Having a business contingency plan in place in case of information hacking will help the entity know what to do, and in what time frame, in a worst-case scenario. Figure 2 indicates that a contingency plan needs to include a business impact analysis, incident response planning, disaster recovery planning, and business continuity planning.

Figure 2 (Management of Information Security 3e, page 80)
 


Research indicated that the DOE did not even know who was at fault for the security breaches since the systems were owned by two different groups within the DOE.  One group within the DOE thought it was the responsibility of another group to take care of the security weaknesses and vice versa. This miscommunication meant that they did not have the policy in place to deal with the network breaking down.  It seems there was no education on what to do and they surely did not have the right technology to protect the information they collected.  The breaches occurred over two years; the DOE did not react appropriately and quickly enough.

Implementing a course of action once a security breach has occurred is crucial for a company as well as for the individuals affected by the information theft. The Office of the Inspector General and the Office of Audits and Inspections conducted an audit of the DOE information security breach and gave advice for a course of action. One of the actions that the DOE implemented was to provide one year's worth of monitoring at a specific credit rating agency. Also, each group affected was given four paid hours off to try to clear up issues that could be cleared up. Other courses of action included clarifying which group is responsible for the affected systems, developing a central authority to shut down networks known to be vulnerable, and removing unnecessary information, including Social Security numbers where possible.

The costs to deal with the problems from the breach are estimated to be up to 3.7 million dollars. The Department of Energy was very fortunate in the case of this security breach because, according to the investigation, the attackers did not look to be targeting top-secret projects or identities of nuclear scientists. Sadly, the DOE is continually being pursued by hackers, and its systems were breached again in February of this year. These instances show the need for continually monitoring the security of your organization's information and the damage that can be done if it is left unsecured.


Friedman, G. (2013, July 19). The Department of Energy's July. Retrieved from Energy.gov: http://energy.gov/sites/prod/files/2013/12/f5/IG-0900.pdf


IBM (2014, July 17) IBM.com Retrieved from http://www.ibm.com/developerworks/security/library/s-confnotes2/

Lemos, R., (2013, February 6). Federal Reserve, DOE Confirm Hackers Breached Servers, Stole Data. EWeek. Retrieved from http://www.eweek.com/security/federal-reserve-doe-confirm-hackers-breached-servers-stole-data/

O'Brien, J. A., & Marakas, G. M. (2011). Management Information Systems 10th Edition. McGraw-Hill/Irwin.

Schwartz M. (2013, October 22) DarkReading.com Retrieved from http://www.darkreading.com/attacks-and-breaches/dept-of-energy-breach-bigger-than-we-realized/d/d-id/1112022?

Tuesday, July 15, 2014

Unit 4 IT Strategies For Transnational Organizations




As a business begins to sell its products/services in other countries, IT needs to develop a strategy in order to keep the growing business connected, running efficiently, and communicating correctly. Many companies are turning to a transnational strategy (see Figure 1) in which an organization integrates its global business activities through close cooperation and interdependence among its headquarters, operations, and international subsidiaries and its use of appropriate global information technologies. In a transnational company everything must work efficiently and there needs to be cooperation between the headquarters and international operations. This blog will talk about what will help transnational firms in terms of IT.

One strategy that is important for a transnational company is to have a global network with only one service provider that is able to get everything done well. With a single provider, every part of the organization will have access to the same service and communication resources. The fact that there is only one provider also ensures that new networks can be added easily as more subsidiaries are formed by the company. Even though the business enjoys local responsiveness, it is better to also have a central IT system, since in some countries technology levels and support may be spotty, which will affect the entire company. A collaboration of both a global IT system and the local IT system means that if things go wrong, the local IT system can re-access information from the headquarters. Essentially, a transnational approach is important not only in terms of business strategy but also IT strategy. This collaboration allows for knowledge sharing between local and global IT sections.

For success, the transnational organization must be concrete in its first strategy, which is to balance local uniqueness and global uniformity. Along with this, the IT structure must facilitate this strategy. There need to be international transaction processing systems and customer integrated systems. The transnational organization needs to guard against duplication since there are global and local resources. This means that consistent communication is vital.


A transnational organization needs to combine both local responsiveness and global aspects in its IT, while not facing the disadvantages of local related problems or the problems of the global IT system being too far from the local organizations. Another method that has been used with transnational organizations is multifactor productivity. This method is used with the goal of capturing decision interdependencies driven by information technology and providing management with the information necessary to create policies to deal with these interdependencies. Transnational organizations have their autonomous functions, but the method of multifactor productivity uses a system that weights input and output financial factors and attributes a quantitative analysis to IT practices. This process becomes more difficult due to external financial factors relating to global organizations, such as exchange rates and inflation. This process becomes more or less intensive depending on the type of transnational organization. A more centralized organization would be more likely to have interdependent decisions, involving information technology and in general, while more decentralized organizations would have fewer. One main hindrance to the effectiveness of the multifactor productivity method is that there needs to be prior data to work with. This means that if there is no data available for analysis, which is usually the case with IT, this will take more time, which equates to more money.

There are many challenges to developing a responsive, efficient and effective application for an international organization. For instance, a system implementation or maintenance activity at night in the United States can pose problems in Asia during the day. Another problem that may arise with a transnational company is the architecture of data. Definitions of words do not have a consistent meaning throughout the world. A sale can be called an “order book” in the United Kingdom or an “order produced” in France. Strategies can be implemented to overcome transnational systems development issues. One strategy includes transforming an application used domestically into a global application. Usually a system that has the best version of a product is globally implemented. Another strategy is to create a multinational development team. This team is composed of several people from different subsidiaries, and the purpose of the team is to make sure the system will meet the needs of their respective subsidiary and the corporate headquarters.

Coordinating IT activities in transnational organizations is very complex. These are only some of the methods that are used to manage these activities. As we know, the effective use of information technology is critical to the success of any company in this generation and even more so for organizations operating globally.

 

Works Cited

Bogdan. (2001, January). From transnational organization to the virtual organization. Retrieved from Economy Informatics: http://www.economyinformatics.ase.ro/content/EN1/stoica.pdf
Linton, I. (2014, July 10). Transnational IT Operations as a Strategy. Retrieved from azcentral: http://yourbusiness.azcentral.com/transnational-operations-strategy-4238.html
O'Brien, J. A., & Marakas, G. M. (2011). Management Information Systems 10th Edition. McGraw-Hill/Irwin.
Reimer, K. (n.d.). Managing Information Technology in the Transnational Organization: The Potential of Multifactor Productivity. University of Bremen. Retrieved from http://www.kai-reimers.net/ManagingInformationTechnologyintheTransnationalOrganization - dpi.pdf