Question

What are the most important business issues and goals for Pharm Universe case study?

Answer #1

Pharm Universe was founded nine years ago and is a relative newcomer to the pharmacy industry. It basically is just like a kid trying to make it big in the major league, learning the rules of the game as it evolves, and it has a lot to learn. In the case of Information Security, Pharm Universe has a lot of ground to cover, especially when industrial espionage is common in the pharmaceutical industry.

Having its main focus on research, they have a very casual attitude towards Information Security and they mostly take it for granted; their ‘wait and see’ attitude might just harm them in the long term. Their key goal is to safeguard their Intellectual Property, identifying other risk areas and educating their resources about the criticality of threats, their impacts and how to avoid these threats, especially when they have some formulas which are not even patented. FDA approvals play a major role in the field and many other government rules also regulate this area and dictate the operational aspect of this business.

The biggest impediment to doing so is the current attitude of the company and its officials; without their proper understanding and involvement, achieving an active state of heightened information security will be an extremely difficult job for the company. Another major issue for the company is the way their employees are leaving the company; important research work and intellectual property can be misused by the leaving employees, and this needs to be handled on a more personal level.

All the security testing is irregular and only done just to meet compliance; it needs to be made a regular policy in order to keep up to date with any security loopholes, as newer threats keep on emerging on a daily basis. It is prevalent that the current controls in place are inadequate and a lot of revamping is needed.

  1. What are the managerial, organizational and technological issues and resources related to this case?

Ans. Pharm Universe is growing rapidly and is facing multiple issues, especially in the case of information security. These issues aren’t just limited to the business part; they span multiple aspects of the organization.

Managerial

  • The funding for information security is not regulated; threats of cutting down the budget by management can be detrimental in the long term.

  • Management is ignorant of the wrong practices which are prevalent in the organization and is skeptical towards the changes which can improve them.

  • Senior management scarcely knows about necessary and basic security methods like virtual private networks (VPNs) and file permissions and is disinclined to use these, also because doing so would be troublesome and would slow their research progress.

Organizational

  • The organization lacks an ‘Information-centric’ security structure which may hamper its chances to implement a good security policy throughout the information.

  • Pharm Universe has several researchers under pressure to produce, which may cause negativity amongst the resources and can cause destructive attitudes or outbreaks from within the organization.

  • The ‘wait and see’ attitude towards information security is just like a welcome sign for future threats, because if they are not being attacked now, it doesn’t mean that they can’t be attacked in the future.

  • Their business is all about Intellectual Property and research, which has formulas as its final output. Patented formulas are safer to use, but having non-patented formulas expands the company’s risk and chances of loss.

  • Most of their employees are scientists who usually prefer working in an environment where free exchange is the norm, so convincing them about security is a major issue.

Technological

  • Vulnerability analysis and penetration testing have been done only at the time of audits, which exposes the company to newer threats which keep on evolving and loom as a constant threat to the security of the entire industry.

  • The current IT security function is focused mostly on firewalls and intrusion prevention systems (IPSs), is very minimal, and isn’t actually a long-term solution if the company expands at the same rate.

  • Cloud services are frequently criticized for their security, but the research division now uses them for data storage, which makes the technology under development more prone to leaks.

Resources:

  • COBIT 5, ISO/IEC 15504, Six Sigma Quality Indicators, US National Institute of Standards and Technology [NIST] Special Publication [SP] 800-053 can be referred to while making policies.

  • Managerial employees including Ben Dorian, Sudha Patel and other C-level executives will be major resources who will work on drafting the policies as per the recommendations of the CIO.

  • The security team present in Boston will play a key role in maintaining the decided security protocols.

  • Researchers are the key resources since they are the ones who will have to follow the rules and implement them; also, the researchers who are leaving the organization can pose a major security threat.

  1. What role do different decision makers play in the overall planning, implementing and managing of the information technology/security applications?

Ans. All the major stakeholders in the company’s success have to play their part in order to implement well-rounded, information-security-based governance in the company. Involvement of management in the policy drafting process is necessary from the start to develop it in a way that is well aligned with the organizational goals. Asset security, resource usage and information flow are continuous processes which need to be monitored and controlled from the start.

Role of decision-makers:

The role of decision-makers and the security system is an essential and indispensable one. The three main tasks are planning, implementation and managing; the decision-makers will be in charge of and responsible for protecting the online operations of a corporate network from threats of random cyber-attacks. They need to determine the overall plan for security in the organization. The security application’s plan is a cyclic process and involves:

  – Gap analysis

  – Risk assessment

  – Organizational security policy

  – Security risks controlling process

  – Security monitoring and auditing process

  – Incident response plan

Key decision makers will include:

  • CEO and Board members: They will decide which of the suggestions made by the CISO will actually be implemented in the organization.

  • Chief Information Security Officer (CISO): The CISO will be in charge of surveying, overseeing and realizing the Information Security program which will keep the organization’s data secure.

  • Security Team: They guarantee whether the security innovation is executed correctly in the organization with frameworks and in accordance with directions of CISO. They assume a part in arranging firewalls, execute, analyze and investigate security issues.

  1. What are some of the emerging IT security technologies that should be considered in solving the problem related to the case?

Ans. As per COBIT information, 97% of all the security breaches are avoidable through simple or intermediate controls, and as per a report by PwC, 31.8% of the breaches are Intellectual Property theft impacting business. So, it is abundantly clear that when Pharm Universe is playing in the pharmacy field, which relies completely on intellectual property, they need to take care and stay updated in maintaining security at their organization. Security protocols such as access controls and firewalls are basic necessities for any organization. Currently, PU has firewalls and intrusion prevention systems (IPSs) in place, but they are just like check marks. The fact that they only test their systems near audits is a major red flag. Threats keep on evolving, and sometimes they just sit there in the systems and wait for the right opportunity, making the lack of these controls all the riskier; an increase in extortion threats (7.1%) is a major indicator of that. Newer threats span mobile devices and network exploitations, e.g. bluesnarfing, bluebugging, RFID tag thieving. Besides the basic controls, some newer methodologies can also be implemented; they include but are not limited to:

  • Honeypots – Honeypots are additional systems or levels which act as decoy servers or systems set up to gather information regarding an attacker or intruder who is trying to get access to PU’s system, thus exposing their major threats.

  • Honeynets – Several honeypots can be used together to form a network, further enhancing security. Although at the current level it is not necessary to implement this, it can be put into action further down the road.

  • Kerberos (protocol) – uses symmetric key encryption to validate an individual user to various network resources. It makes use of tickets to enable communication across non-secure channels for the users.

  • A centralized user access control system must be developed along the lines of RADIUS, TACACS or DIAMETER systems.

  • Cloud security and software-defined security (SDS) can also be of great help, especially considering the usage of the cloud to save important research. There are a host of security offerings that are specifically designed to protect cloud-based resources, particularly in a virtual environment like the one used in PU.

Other important tools which also are easy to implement and will provide an enhanced monitoring solution, in order to step up the security for PU are Packet Sniffers, Vulnerability Scanners and OS Detection tools. Tracking Firewall logs and system logs is an important aspect of enhanced security.

  1. How can the chief information security officer (CISO) in this scenario most effectively communicate the risk to senior management?

Ans. The CISO will be in charge of surveying, overseeing and realizing the Information Security program which will keep the organization’s data secure. He is the one responsible for managing user expectations, ranging from those of the CEO to those of employees. For their understanding and security, the CISO will need to effectively communicate the level of vulnerability and the risk that PU is currently under, which can be a daunting task considering the skeptical attitude of the higher management, especially the CEO, towards the criticality of this operation.

  • The first order of operations is to convince all the major stakeholders of the importance of the security operations: the fact that any information breach can cause severe loss in the form of revenue and profit, and negative publicity will harm the company even more.

  • Secondly, a step-wise plan must be made and shown to the Senior Management, with the first year focusing mostly on strengthening the existing system and implementing cost-effective solutions. Showing an incremental trend will thus be instrumental in demonstrating the importance of security investments and solidifying the trust of the managerial

  • The most vital division of Pharm Universe is its research division which persistently creates intellectual property which is the significant zone of worry from the prospects of security. Since the scientists and researchers in the group are accustomed to talking about the thoughts inside and even outside the examination groups, this represents a major point of data break and must be conveyed to Senior Management to trigger appropriate changes in the organization.

  • Monthly meetings in the company at least in the early stages of implementations of this project must have discussions for this in the project.

  • A companywide memo must be circulated amongst all the employees at PU regarding the basics of security.

  • A policy limiting BYOD must be asked for from Senior Management, which will be the first step towards a more secure organization.

  • Regular brainstorming sessions with the management to better understand their expectations, and regular newsletters and bulletins, can be helpful. They can be the key to achieving and effectively implementing security with clear communication with Management and other key stakeholders.
