For Johnson & Johnson, the healthcare giant with more than 200 separate companies operating in 54 countries, one of the biggest problems encountered in e-commerce was finding a way to quickly get business partners access to the network but enforce security.
The problem vexed the company because e-commerce partners, once given access, sometimes introduced worms and viruses into the company's network. In addition, the process of reviewing business requests for network access between a J&J unit and its intended partner had become burdensome, delaying e-commerce transactions.
However, IT staff at J&J said since new security procedures put in place a year ago altered the equation, it has been much faster to process network-access requests. Through the uniform monitoring and documentation processes, security has improved, with worm and virus outbreaks emanating from business partners reduced to nil.
"The documentation is still a bit cumbersome, but now it's a repeatable process," says Thomas Bunt, director of worldwide information security at J&J, about the challenge of providing network access for business partners. "We're facing an increased demand for external connections, and it wasn't easy to do this."
When a business manager at J&J wants to have counterparts in outside firms gain access to internal applications for e-commerce, the IT department is summoned to assess risk.
First, the J&J unit and the outside firm have to fill out a detailed questionnaire about the nature of the connection request, says Denise Medd, information security senior analyst. In addition, J&J expects the intended e-commerce partner to submit to a security assessment and evaluation.
This vulnerability assessment may be done by a neutral third party, but the goal is to ensure that doing business via the network connection, which is typically opened up via J&J firewall, presents no unnecessary risks. The J&J operating company, officially known as "the sponsor," is held to the same standards, Medd emphasizes.
Remember the final review
Occasionally, a request for network access is turned down, especially if the J&J side has servers lacking proper patch-update mechanisms or other shortcomings. "There is a final review, and we will not let an insecure connection go live," Medd says.
The IT and security professionals at J&J worked with the legal department to craft standard procedures for requests and evaluations. J&J and its partner also must complete a contract or memo of understanding regarding the network connection to be established.
"We'll look closely at what the connectivity is, and typically a limited number of people could have access," Bunt says, pointing out that J&J strives to accommodate requests for a range of VPN access methods.
J&J also includes an inspection process every six months to ascertain the security of the network connection. The risk management procedure has resulted in a dramatic drop in virus and worm outbreaks. Sometimes business project managers grumble about the assessment process, but management's solid backing of it has made it a uniformly enforced process that is in effect with hundreds of outside firms, Bunt says.
The IT department says it hopes to streamline the risk evaluation further by drawing up standardised interconnection security agreements and uniform set of questions to ask outside firms wanting access to J&J's internal network.
"We also need to better explain to our partners why they need to do this and how they benefit by getting a good look at our security posture," Bunt says.