Before CIOs start worrying about other parts of the business, they need to make sure their own hatches are battened.

Richard Hunter, a vice president and analyst on security and privacy with Gartner, says that CIOs should regularly run IT security audits on the “practices and procedures related to IT operations,” including checking on passwords, logging capabilities, reviewing how systems are monitored and other access control mechanisms. The audit needs to be an objective “examination of records by an impartial third party,” Hunter says.

In addition to ensuring that he has appropriate checks and balances in his IT group, John Halamka, CIO of CareGroup and Harvard Medical School, retains Third Brigade, a white-hat hacking company, to conduct periodic vulnerability assessments. Besides providing a checkup on his security systems, Third Brigade can also tell Halamka what his IT staff could do to his systems, if they so chose. (Halamka says he’s never had to fire an IT person for abusing his IT access privileges.)

“What I always say is, if you don’t think you have security problems, you haven’t looked hard enough,” says Halamka.