This report comprises all the relevant information regarding the Cathay Pacific Airways, specially its security governance framework. It sums up four parts: record of the business, potential areas of IT security failures, suggested IT security governance platform and last but not least issues and troubles confronted by that security governance framework. In the very first part, we've referred to about basic fundamentals like its headquarter, its fleet of airbuses, worldwide areas and its achievements.
In the 2nd portion of the report are the specific areas where security failures may occur. These areas include controlling key business system. As the airways used the legacy systems, which is easily susceptible to security threats. Secondly it cannot cope with current qualified requirements. Furthermore, it being a extensive infrastructure & desktop Personal computers, the airways' data move over internet, which may be captured by any intruders or hackers. This may cause disruptions to routinely business. Its business to business (B2B) interchange of data again creates vulnerabilities in its IT infrastructure. The pervasiveness of network creates a more open group of information systems for the mobile and diverse need of the orgnaisation. This mobile layout may be easily attacked by inner and external resources. In the 3rd part this survey discourses on IT governance platform. This construction is the advised one to be implemented in the organization. The framework of governance is totally accountable to provide control and effective management of the IT infrastructure security. In the structure each one is accountable at his own rank for the security, safe practices of IT resources and data protection.
Lastly this record raises various problems and difficulties confronting the security governance framework while controlling and managing the security of the IT infrastructure of Cathay Pacific.
INTRODUCTION
Today, every business implemented or is considering to look at IT infrastructure. Once it is put in place, it requires security. IT possessions, repository and information trafficking on ubiquitous network have to be fully protected. That is why; a necessity concerning this IT infrastructure within an business has cropped up. For security and safety, security governance has been thought of. It may consist of shareholder, mother board of directors, CIO, financial manager and so forth. These individuals are fully in charge of controlling and streamlining everything system of the organization like Cathay pacific. This governance platform practices various new regulations designed to increase the security governance. Threats to information systems disruptions from hackers, worms, trojans and terrorists have resulted in need for this governance. This survey explains plainly security failures, governance framework for ICT and IT related issues and issues.
BACKGROUND OF ORGANISATION
Cathay Pacific Airways is an international airline registered and based in Hong Kong, offering planned cargo and passenger services to over 90 vacation spots surrounding the world. The primary vision of the company is to make Cathay Pacific the most adored airline in the world. To do this goal Cathay started out its journey from 1946 and today it is known as best Airlines in Asia. It really is one of the five airlines to carry a "5 star" ranking from Skytrax (Cathay Pacific 2007). The state website of Cathay Pacific is http://www. cathaypacific. com/cpa/en_INTL/homepage
Cathay Pacific was set up in 1946 in Hong Kong with a mere two DC-3 aircrafts servicing traveler routes for Bangkok, Shanghai, Manila and Singapore. From its humble origins, it has to date cultivated into a global class airline employing over 15, 000 employees and calling 62 global areas. It owns over 100 widebodied aircrafts that transports over the million passengers a month to almost each continent on the planet (McFarland & Young, 2003) and transports freight worldwide which constitutes to almost 30% of its revenue. Gains stood at $511 million during 2002 and Cathay expanded into the high tech $628 million global head office in Cathay City. Cathay consistently faced numerous difficulties coming to success. Nevertheless, its management acknowledges the actual fact that in order to stay competitive given the current market situation; it is very important to improve on its tactical and non proper perspective of its complete ICT reference. Cathay Pacific carries on to purchase new ICT infrastructure to streamline its business processes and make information much easier to access for everyone employees. Within this process, Cathay Pacific carried out technology solutions designed to automate and simplify customer and financial information management.
POTENTIAL AREAS OF IT SECURITY FAILURES
Currently, many airlines are looking at e-business to safeguard their assets and also to secure customer's commitment, and to succeed in today's competitive environment. Many e-commerce key points have been pioneered by the airline industry. These include the first business-to-business electric information exchange and industry-wide digital marketplace. You can find many benefits to be gained for airlines and airline people, E-ticketing, e-Check in many internet foundation services provide to customer with quick and low cost services but there continues to be hesitation among many peoples even many companies about committing any major effort to electronic business. The main concern about security of hypersensitive data, such as credit card figures, personal data and business private data (Jiang 2003).
Managing Main Business System
Cathay Pacific has been expanding in house systems because the 70s. Some of its central business systems are accounting systems, anatomist system, workers and airline flight systems and other inner applications. Legacy systems are "systems that have evolved over many years and are believed irreplaceable, either because re-implementing their function is considered to be too expensive or because they're trusted by users" (Dietrich 1989). Business change constantly to be able to meet the demands of industry and this necessitates the necessity for information systems to develop consequently (McKeen & Smith 1996). Over twenty years later, Cathay understood that the coordination and support of these systems was a cumbersome task that may potentially stunt the strategic growth of the business. Given its extraordinary growth rate, Cathay noticed that the IM team will never be able to cope with the ever before changing business requirements. Legacy passenger service systems might not exactly be flexible and scalable enough to aid the new marketing strategies of airlines today (Cavaliere 2006). Cathay needed a technology that continues costs down and it is flexible whilst at the same time gives on both today's needs and the ones into the future. Customizing current legacy systems to match these current competitive requirements just used too much time and resources. Mckeen and Smith (1996) further argues that since change is a regular running a business and in technology, demand for maintenance is un-easing and since existing systems are the ones operating the business enterprise, maintenance work may easily overwhelm new development.
Infrastructure performs an important role in ensuring vital support comes to systems development clubs and this effective coordination and direction is open to IS as a whole (McKeen & Smith 1996). Cathay's rapid enlargement to new vacation spots and tremendous surge in route expansion, passenger and cargo level in the 80s triggered Cathay's network infrastructures to continue to broaden. Without infrastructure, output will soon decline as individuals and groups each attemptedto replicate the task of others. Cathay's data middle which coordinated important airline operations was located in two locations in Kowloon and on Hong Kong Island. These data centers provided uninterrupted information to Cathay's air travel operations. The flames in 1991 on Cathay's data center interrupted flight businesses for 12 hours. Cathay's management recognized the importance of ensuring continuous information stream to critical business functions is top priority for the business. IT infrastructure and facilities need develop in tandem with the organization's development speed. Almost full at its operational capacity at its current data centre, Cathay probably needed some more data centers to manage the organization's information at current growth rate. Mid 90s found an uneven PC syndication at Cathay Pacific. PC distribution to workers depended on each staff member's degree of security access. This caused some of the staff to have a Personal computer while other did not. This uneven circulation was finally rectified by Cathay's outsourcing its Laptop or computer management to IBM in 2001. The costs involved in outsourcing techniques these services means that more scrupulous attention will be paid with their value on an ongoing basis. Nevertheless, the outsourcing exercise posed its own complexity affecting hardware and software licensing concern. Managing energetic changes in desktop environment and the suppliers was the primary task in the desktop computer management for Cathay. The Personal computer outsourcing development was still new in this region thus brought up skepticism among professionals in the initial stage.
Managing B2B system integration
In a broad sense, Business to business (B2B) integration identifies all business activities of the enterprise that contain regarding electronic announcements exchange between it and a number of of its trading partners (Bussler 2003). Bussler further narrows down this explanation in a software technology's range that B2B integration refers to software technology that is the infrastructure to connect any rear end applications system within businesses to all or any trading lovers over formal note exchange protocols like the Electronic Data Interchange (EDI). Cathay is normally in an extremely competitive and challenging air travel business. Fundamental journey operational information can be very powerful and customers must be maintained updated with the latest information. Information, fares and schedules have to be accurate; sales offers and marketing activities are constantly changing. Air travel operations are susceptible to any changes in weather which might cause last second routine changes or cancellations. With all the variety of multiple locations, languages, time zones and alerting travelers, an flight business is continually a logistical functions struggle to any Cathay. These information need to be translated into online web content in order to fulfill its B2B need. Information should be accurate, the advertising channel has to be reliable and secure, changes need to be updated quickly and last second flight disruptions need to be communicated to people immediately and consistently through a variety of channels. This e-business eyesight has required a sophisticated structures of specialist websites designed to assimilate and deliver a number of different information and program components in a seamless manner. Content management is one of the key components in Cathay Pacific's e-business architecture. It was vital for the air travel to ensure it invested in the right product that can deliver its offer within budget and on time.
Managing Standards
As the pervasiveness of network create a far more open set of information systems for the mobile and diverse need of the organization, increased attention must be paid to the matching increase in exposure to attacks from interior and external sources (Dhillon, 2001). Cathay uses Secure Socket Layer (SSL) protocol - as an industry standard for encryption over the Internet, to protect the Data. Cathay's main challenge up to now is not being able to convince its associates and customers confidently that despite with recent security specifications, any internet purchase could be leaked out by individuals through internet hacking. This is acknowledged in its website claim which says "that complete confidentiality and security is not yet possible online, and privacy cannot be assured over-all its internet communication between your business and its customers" (Cathay Pacific 2007). Cathay pacific in ensuring reliable B2B applications must ensure that the latest criteria such as XML and available source technology are being used extensively in all its software applications critical to business. Digital documentation for any online orders especially those that involve monetary exchange is essential in guaranteeing customer confidence and also to avert security breach.
RECOMMENDED IT SECURITY GOVERNANCE FRAMEWORK
There a wide range of definitions that summarize the ICT Corporate Governance. Here I choose a few interesting definitions to be discussed in this record. Corporate and business Governance of ICT is "Specifying the decision privileges and accountability platform to encourage attractive behavior in the use than it. " (Weil & Ross, 2004) In contrast, the IT Governance Institute, 2003 expands the definition to include underpinning mechanisms: "the management and organizational constructions and functions that ensure that the organisation's IT sustains and extends the organisation's strategies and goals. "
While AS8015, the Australian Standard for Corporate Governance from it, defines Corporate and business Governance than it as "The system by which the current and future use of It really is directed and manipulated. It involves assessing and directing the programs for the utilization of IT to support the business and monitoring this use to achieve plans. It includes the strategy and plans for utilizing it within an group. "
Figure 1 AS 8015 - 2005 model of Corporate and business Governance of ICT
(Source: Skinner, 2006)
Every meaning has its way of explaining the term Corporate and business Governance from it but I think the definition of the AS8015, the Australian Standard for Corporate Governance of It's the most understandable and plainly defined (see amount 1). "AS8015 clarified what's important - the organisation's goal" (Toomey, 2006). However we can observe that every definition targets the same issues which is directing and handling the implementation of IT according to the organisations' strategy and plans. This involves the contribution in decision making of every stakeholder of the organization. As we can easily see that the IT Governance Institute has also stated the word "Leadership", which stands for the principal of the business, the board of directors and the management team, who must take care of the efficient use from it to achieve the strategies and targets. Unlike old time that your IT system is been able together by the IT team. Discussing the IT Management people may usually merge it up with the IT Governance. They are not the same thing. "Governance is the procedure where management is monitored and measured. It isn't a substitute for management - it is a means of ensuring that sound management occurs" (Philipson, 2005). There are various key motorists for Corporate and business Governance of IT. Within this report I'll concentrate on the legal and regulatory compliances which will be discussed in the next part of the report.
IT Governance Construction of Cathay Pacific
Information security governance is the duty of the mother board of directors and older professionals. It must be an intrinsic and clear part of venture governance and become aligned with the IT governance platform. Whilst senior executives have the responsibility to consider and respond to the concerns and sensitivities lifted by information security, planks of directors will progressively be expected to make information security an intrinsic part of governance, involved with processes they curently have in place to govern other critical organisational resources. To exercise effective venture and information security governance, boards and senior professionals must have a clear understanding of what to expect using their enterprise's information security program. They have to learn how to direct the implementation of information security program, how to evaluate their own position in regards to to an existing security program and how to decide the strategy and objectives of an effective security program. Whilst there a wide range of aspects to information security governance, there are several concerns that can assist in concentrating on the question, 'What is information security governance?' These are the:
Desired final results of information security governance
Knowledge and security of information assets
Benefits of information security governance
Process integration
(IT Governance Institute 2006)
Figure 2: IT Security Governance Framework of Cathay Pacific (Source: Poore 2005)
Information security governance includes the management, organisational set ups and techniques that safeguard information. Critical to the success of the structures and operations is effective communication between all parties predicated on constructive relationships, a standard language and distributed commitment to handling the problems. The five basic outcomes of information security governance should include:
1. Strategic positioning of information security with business strategy to support organisational objectives
2. Risk management by performing appropriate measures to manage and mitigate hazards and reduce potential effects on information resources to an acceptable level
3. Source of information management by utilising information security knowledge and infrastructure proficiently and effectively
4. Performance dimension by calculating, monitoring and confirming information security governance metrics to ensure that organisational aims are achieved
5. Value delivery by optimising information security investments to get organisational objectives
The National Relationship of Corporate Directors (NACD), the leading membership company for boards and directors in the US, recognises the value of information security. It recommends four essential procedures for planks of directors, as well as several specific methods for every point. The four techniques, which are based on the practicalities of how boards operate, are:
Place information security on the board's plan.
Identify information security leaders, hold them accountable and ensure support to them.
Ensure the effectiveness of the corporation's information security coverage through review and endorsement.
Assign information security to a key committee and ensure sufficient support for that committee (IT Governance Institute 2006).
Benefits of Information Security Governance
Information security governance produces significant benefits, including:
An upsurge in show value for organisations that practice good governance
Increased predictability and reduced doubt of business operations by cutting down information security-related hazards to definable and suitable levels
Protection from the increasing prospect of civil or legal liability consequently of information inaccuracy or the absence of due care
The structure and construction to optimise allocation of limited security resources
Assurance of effective information security insurance policy and plan compliance
A firm base for productive and effective risk management, process improvement, and immediate event response related to securing information
A degree of guarantee that critical decisions are not based on faulty information
Accountability for safeguarding information during critical business activities, such as mergers and acquisitions, business process restoration, and regulatory response
The benefits add significant value to the company by:
Improving rely upon customer relationships
Protecting the organisation's reputation
Decreasing probability of violations of privacy
Providing greater self confidence when interacting with trading partners
Enabling new and better ways to process electronic transactions
Reducing operational costs by providing predictable outcomes-mitigating risk factors that could interrupt the process (IT Governance Institute 2006).
ISSUES AND CHALLENGES
In the ICT world today, don't assume all organisation can achieve success or enjoy its benefits. Way too many ICT initiatives have failed to deliver the bottom-line results companies had hoped for. One quite typical reason of inability is that the organizations neglect to have a good management and manipulated of the IT system. The Data Governance Council, with a focus on the review and endorsement aspects of board responsibilities, recently suggested that planks provide tactical oversight regarding information security, including:
1. Understanding the criticality of information and information security to the organisation
2. Looking at investment in information security for positioning with the organisation strategy and risk profile
3. Endorsing the development and execution of a comprehensive information security program.
Let's discuss about major issues and issues that confronted by Cathay pacific, employing an IT Security Governance platform. Boards and management have several fundamental obligations to ensure that information security governance is in effect. Between the issues they should concentrate on are:
Understand Why Information Security Needs to Be Governed
Risks and risks are real and could have significant effect on the organization.
Reputation destruction can be substantial.
Effective information security requires co-ordinate and built in action from the top down.
IT purchases can be substantial and easily misdirected.
Cultural and organisational factors are evenly important.
Rules and priorities have to be established and enforced.
Trust needs to be proven toward trading partners whilst exchanging electronic transactions.
Trust in consistency of system security must be proven to all stakeholders.
Security incidents are likely to be exposed to the general public.
Take Board-level Action
Become informed about information security.
Set path, i. e. , drive insurance policy and strategy and establish a worldwide risk account.
Provide resources to information security initiatives.
Assign obligations to management.
Set priorities.
Support change.
Define cultural ideals related to associated risk awareness.
Obtain guarantee from external or internal auditors.
Insist that management makes security ventures and security advancements measurable, and displays and accounts on program success (IT Governance Institute 2006).
Take Senior Management-level Action
Provide oversight for the development of a security and control platform that contains standards, measures, techniques and types of procedures, after a policy has been approved by the governing body of the organisation and related assignments and responsibilities assigned. (Design)
Set direction for the creation of your security plan, with business insight. (Coverage Development)
Ensure that individual roles, duties and power are obviously communicated and recognized by all. (Jobs and Obligations)
Require that threats and vulnerabilities be determined, analysed and checked, and industry methods used for due care.
Require the set-up of an security infrastructure.
Set direction to ensure that resources can be found to allow for prioritization of possible control buttons and countermeasures implement accordingly on a well-timed basis, and managed effectively. (Implementation)
Establish monitoring methods to find and ensure modification of security breaches, so all real and suspected breaches are immediately identified, looked into and acted upon, and to ensure ongoing compliance with policy, criteria and minimum acceptable security practices. (Monitoring)
Require that regular reviews and lab tests be conducted.
Institute processes that will assist implement intrusion detection and event response.
Require monitoring and metrics to ensure that information is safeguarded, right skills are on hand to use information systems firmly and security happenings are taken care of immediately on a well-timed basis. Education in security steps and practices is of critical importance for the success of an organisation's security program. (Understanding, Training and Education)
Ensure that security is known as an integral part of the systems development life routine process which is explicitly dealt with during each period of the process. (IT Governance Institute 2006)
Questions to discover Information Security Issues
Does the head of security/CISO regularly meet or quick business management?
When was the last time top management got involved with security-related decisions? How often does top management try progressing security alternatives?
Does management know who's responsible for security? Does the responsible individual know? Does everyone else know?
Would people recognise a security incident when they observed one? Would they dismiss it? Would they know very well what to do about it?
Does anyone understand how many computers the company has? Would management know if some went lacking?
Are damage evaluation and disaster recovery plans in place?
Has management discovered all information (customer data, strategic programs, financial data, research results, etc. ) that could violate policy, legal or regulatory requirements or cause shame or competitive downside if it were leaked?
Did the business have problems with the latest computer virus or malware strike? How many attacks were successful in the past 12-month period?
Have there been intrusions? How often and with what impact?
Does anyone know how many people are using the organisation's systems?
Does anyone worry whether or not they are allowed gain access to, or what they are doing?
Is security considered an afterthought or a prerequisite?
(IT Governance Institute 2006)
CONCLUSIONS
Information security isn't only a technical issue, but a company and governance challenge that involves enough risk management, reporting and accountability. Effective security requires the dynamic involvement of executives to assess rising threats and the organisation's response to them. As organisations like Cathay pacific, make an effort to remain competitive in the global current economic climate, they respond to constant stresses to spend less through automation, which often requires deploying more information systems. The blend is forcing management to face difficult decisions about how to effectively solve information security. This is in addition to results of new and existing laws and regulations that demand compliance and higher degrees of accountability.
