The Cathay Pacific Airways Information Technology Essay

This report comprises all the relevant information regarding the Cathay Pacific Airways, specially its security governance framework. It sums up four parts: background of the organization, potential areas of IT security failures, recommended IT security governance framework and lastly issues and challenges faced by that security governance framework. In the very first part, we have described about basic fundamentals like its headquarter, its fleet of airbuses, worldwide destinations and its achievement.

In the 2nd section of the report are the specific areas where security failures may occur. These areas include managing core business system. Because the airways adopted the legacy systems, which is easily susceptible to security threats. Secondly it can not cope with current competent requirements. Furthermore, it being a wide infrastructure & desktop PCs, the airways’ data flow over internet, which can be captured by any intruders or hackers. This may cause disruptions to routinely business. Its business to business (B2B) interchange of data again creates vulnerabilities in its IT infrastructure. The pervasiveness of network creates a more open set of information systems for the mobile and diverse need of the orgnaisation. This mobile arrangement may be easily attacked by internal and external sources. In the third part this report discourses on IT governance framework. This framework is the recommended one to be implemented in the organization. The structure of governance is fully responsible to provide control and effective management of the IT infrastructure security. In the structure each one is accountable at his own rank for the security, safety of IT assets and data protection.

Lastly this report raises various issues and challenges confronting the security governance structure while managing and controlling the security of the IT infrastructure of Cathay Pacific.

INTRODUCTION

Today, every organization adopted or is thinking to adopt IT infrastructure. Once it is implemented, it needs security. IT assets, database and information trafficking on ubiquitous network need to be fully protected. That is why; a necessity relating to this IT infrastructure in an organization has cropped up. For safety and security, security governance has been thought of. It may comprise shareholder, board of directors, CIO, financial manager and so on. These persons are fully responsible for controlling and streamlining all the information system of the organization like Cathay pacific. This governance framework follows various new laws and regulations designed to improve the security governance. Threats to information systems disruptions from hackers, worms, viruses and terrorists have resulted in need for this governance. This report explains clearly security failures, governance framework for ICT and IT related issues and challenges.

BACKGROUND OF ORGANISATION

Cathay Pacific Airways is an international airline registered and based in Hong Kong, offering scheduled cargo and passenger services to over 90 destinations around the world. The main vision of this company is to make Cathay Pacific the most admired airline in the world. To Achieve this goal Cathay started its journey from 1946 and now it is known as best Airlines in Asia. It is one of the five airlines to carry a “five star” rating from Skytrax (Cathay Pacific 2007). The official website of Cathay Pacific is http://www.cathaypacific.com/cpa/en_INTL/homepage

Cathay Pacific was established in 1946 in Hong Kong with a mere two DC-3 aircrafts servicing passenger routes for Bangkok, Shanghai, Manila and Singapore. From its humble beginnings, it has to date grown into a world class airline employing over 15,000 employees and reaching out to 62 global destinations. It owns over a hundred widebodied aircrafts that transports over a million passengers a month to almost each continent in the world (McFarland & Young, 2003) and transports freight worldwide which constitutes to nearly 30% of its revenue. Profits stood at $511 million during 2002 and Cathay expanded into the state of the art $628 million global headquarters in Cathay City. Cathay continuously faced numerous challenges on its way to success. Nevertheless, its management acknowledges the fact that in order to remain competitive given the current market situation; it is of utmost importance to improve on its strategic and non strategic perspective of its entire ICT resource. Cathay Pacific continues to invest in new ICT infrastructure to streamline its business processes and make information easier to access for all employees. As part of this process, Cathay Pacific implemented technology solutions designed to automate and simplify customer and financial information management.

POTENTIAL AREAS OF IT SECURITY FAILURES

Currently, many airlines are looking at e-business to protect their assets and to secure customer’s loyalty, and to be successful in today’s competitive environment. Many e-commerce principles have been pioneered by the airline industry. These include the first business-to-business electronic information exchange and industry-wide electronic marketplace. There are many benefits to be gained for airlines and airline passengers, E-ticketing, e-Check in many internet base services provide to customer with quick and low cost services but there is still hesitation among many peoples even many companies about committing any major effort to electronic commerce. The main concern about security of sensitive data, such as credit card numbers, personal data and business confidential data (Jiang 2003).

Managing Core Business System

Cathay Pacific has been developing in house systems since the 70s. Some of its core business systems are accounting systems, engineering system, personnel and flight systems and other internal applications. Legacy systems are “systems that have evolved over many years and are considered irreplaceable, either because re-implementing their function is considered to be too expensive or because they are trusted by users” (Dietrich 1989). Business change constantly in order to meet the demands of the marketplace and this necessitates the need for information systems to evolve accordingly (McKeen & Smith 1996). Over 20 years later, Cathay realized that the coordination and support of these systems was a cumbersome task that could potentially stunt the strategic growth of the company. Given its phenomenal growth rate, Cathay realized that the IM department will not be able to cope with the ever changing business requirements. Legacy passenger service systems may not be flexible and scalable enough to support the new marketing strategies of airlines today (Cavaliere 2006). Cathay needed a technology that keeps costs down and is flexible whilst at the same time delivers on both today’s needs and those of the future. Customizing current legacy systems to match these current competitive requirements just consumed too much time and resources. Mckeen and Smith (1996) further argues that since change is a constant in business and in technology, demand for maintenance is un-easing and since existing systems are the ones operating the business, maintenance work can easily overwhelm new development.

Managing network infrastructure & desktop PCs.

Infrastructure plays an important role in ensuring vital support is supplied to systems development teams and that effective coordination and direction is available to IS as a whole (McKeen & Smith 1996). Cathay’s rapid expansion to new destinations and tremendous surge in route expansion, passenger and cargo volume in the 80s caused Cathay’s network infrastructures to continue to expand. Without infrastructure, productivity will soon decline as individuals and groups each attempted to replicate the work of others. Cathay’s data center which coordinated fundamental airline operations was placed in two locations in Kowloon and on Hong Kong Island. These data centers provided uninterrupted information to Cathay’s airline operations. The fire in 1991 on Cathay’s data center interrupted flight operations for 12 hours. Cathay’s management realized the importance of ensuring uninterrupted information flow to critical business functions is top priority for the organization. IT infrastructure and facilities need grow in tandem with the organization’s growth pace. Almost full at its operational capacity at its current data center, Cathay probably needed a few more data centers to manage the organization’s information at current growth rate. Mid 90s saw an uneven PC distribution at Cathay Pacific. PC distribution to staff members depended on each staff member’s level of security access. This caused some of the staff to have a PC while other did not. This uneven distribution was finally rectified by Cathay’s outsourcing its PC management to IBM in 2001. The costs involved in outsourcing these services means that more scrupulous attention will be paid to their value on an ongoing basis. Nevertheless, the outsourcing exercise posed its own complexity involving hardware and software licensing issue. Managing dynamic changes in desktop environment and the suppliers was the main challenge in the desktop PC management for Cathay. The PC outsourcing trend was still new in this region thus raised skepticism among managers in the initial stage.

Managing B2B system integration

In a broad sense, Business to business (B2B) integration refers to all business activities of an enterprise that have to do with electronic messages exchange between it and one or more of its trading partners (Bussler 2003). Bussler further narrows down this definition in a software technology’s scope that B2B integration refers to software technology that is the infrastructure to connect any back end applications system within enterprises to all trading partners over formal message exchange protocols like the Electronic Data Interchange (EDI). Cathay is naturally in a highly competitive and challenging airline business. Fundamental flight operational information can be very dynamic and customers must be kept updated with the latest information. Information, fares and schedules have to be accurate; sales promotions and marketing activities are constantly changing. Flight operations are vulnerable to any changes in weather which may cause last minute schedule changes or cancellations. With the wide array of multiple destinations, languages, time zones and alerting travelers, an airline business is constantly a logistical operations challenge to any Cathay. These information need to be translated into online web content in order to fulfill its B2B requirement. Information has to be accurate, the selling channel has to be reliable and secure, changes have to be updated quickly and last minute flight disruptions have to be communicated to passengers immediately and consistently through a number of different channels. Such an e-business vision has required a sophisticated architecture of specialist platforms designed to integrate and deliver a number of different information and application components in a seamless manner. Content management is one of the core components in Cathay Pacific’s e-business architecture. It was vital for the airline to ensure that it invested in the right product that could deliver its promise within budget and on time.

Managing Standards

As the pervasiveness of network create a more open set of information systems for the mobile and diverse need of the organization, increased attention must be paid to the corresponding increase in exposure to attacks from internal and external sources (Dhillon, 2001). Cathay uses Secure Socket Layer (SSL) protocol – as an industry standard for encryption over the Internet, to protect the Data. Cathay’s main challenge to date is not being able to convince its partners and customers with confidence that despite with the most recent security standards, any internet transaction could be leaked out by individuals through internet hacking. This is acknowledged in its website claim which says “that complete confidentiality and security is not yet possible over the Internet, and privacy cannot be assured over all its internet communication between the business and its customers” (Cathay Pacific 2007). Cathay pacific in ensuring reliable B2B applications has to ensure that the latest standards such as XML and open source technology are used extensively in all its software applications critical to business. Digital certification for all online transactions especially the ones that involve monetary exchange is imperative in ensuring customer confidence and to avert security breach.

RECOMMENDED IT SECURITY GOVERNANCE FRAMEWORK

There are many definitions that describe the ICT Corporate Governance. Here I choose a few interesting definitions to be discussed in this report. Corporate Governance of ICT is “Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT.” (Weil & Ross, 2004) In contrast, the IT Governance Institute, 2003 expands the definition to include underpinning mechanisms: “the leadership and organizational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.”

While AS8015, the Australian Standard for Corporate Governance of IT, defines Corporate Governance of IT as “The system by which the current and future use of IT is directed and controlled. It involves evaluating and directing the plans for the use of IT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organization.”

Figure 1 AS 8015 – 2005 model of Corporate Governance of ICT

(Source: Skinner, 2006)

Every definition has its own way of describing the term Corporate Governance of IT but I think the definition of the AS8015, the Australian Standard for Corporate Governance of IT is the most understandable and clearly defined (see figure 1). “AS8015 clarified what’s really important – the organisation’s goal” (Toomey, 2006). However we can notice that every definition focuses on the same issues which is directing and controlling the implementation of IT according to the organisations’ strategy and policies. This involves the contribution in decision making of every stakeholder of the organization. As we can see that the IT Governance Institute has also stated the word “Leadership”, which stands for the principal of the organization, the board of directors and the management team, who must manage the efficient use of IT to achieve the strategies and objectives. Unlike old time which the IT system is managed alone by the IT department. Talking about the IT Management people may usually mix it up with the IT Governance. They are not the same thing. “Governance is the process by which management is monitored and measured. It is not a substitute for management – it is a way of ensuring that sound management occurs” (Philipson, 2005). There are many key drivers for Corporate Governance of IT. Here in this report I will focus on the legal and regulatory compliances which will be discussed in the next part of the report.

IT Governance Framework of Cathay Pacific

Information security governance is the responsibility of the board of directors and senior executives. It must be an integral and transparent part of enterprise governance and be aligned with the IT governance framework. Whilst senior executives have the responsibility to consider and respond to the concerns and sensitivities raised by information security, boards of directors will increasingly be expected to make information security an intrinsic part of governance, integrated with processes they already have in place to govern other critical organisational resources. To exercise effective enterprise and information security governance, boards and senior executives must have a clear understanding of what to expect from their enterprise’s information security program. They need to know how to direct the implementation of information security program, how to evaluate their own status with regard to an existing security program and how to decide the strategy and objectives of an effective security program. Whilst there are many aspects to information security governance, there are several matters that can assist in focusing on the question, ‘What is information security governance?’ These are the:

Desired outcomes of information security governance

Knowledge and protection of information assets

Benefits of information security governance

Process integration

(IT Governance Institute 2006)

Figure 2: IT Security Governance Framework of Cathay Pacific (Source: Poore 2005)

Information security governance consists of the leadership, organisational structures and processes that safeguard information. Critical to the success of these structures and processes is effective communication amongst all parties based on constructive relationships, a common language and shared commitment to addressing the issues. The five basic outcomes of information security governance should include:

1. Strategic alignment of information security with business strategy to support organisational objectives

2. Risk management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level

3. Resource management by utilising information security knowledge and infrastructure efficiently and effectively

4. Performance measurement by measuring, monitoring and reporting information security governance metrics to ensure that organisational objectives are achieved

5. Value delivery by optimising information security investments in support of organisational objectives

The National Association of Corporate Directors (NACD), the leading membership organisation for boards and directors in the US, recognises the importance of information security. It recommends four essential practices for boards of directors, as well as several specific practices for each point. The four practices, which are based on the practicalities of how boards operate, are:

Place information security on the board’s agenda.

Identify information security leaders, hold them accountable and ensure support for them.

Ensure the effectiveness of the corporation’s information security policy through review and approval.

Assign information security to a key committee and ensure adequate support for that committee (IT Governance Institute 2006).

Benefits of Information Security Governance

Information security governance generates significant benefits, including:

An increase in share value for organisations that practice good governance

Increased predictability and reduced uncertainty of business operations by lowering information security-related risks to definable and acceptable levels

Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care

The structure and framework to optimise allocation of limited security resources

Assurance of effective information security policy and policy compliance

A firm foundation for efficient and effective risk management, process improvement, and rapid incident response related to securing information

A level of assurance that critical decisions are not based on faulty information

Accountability for safeguarding information during critical business activities, such as mergers and acquisitions, business process recovery, and regulatory response

The benefits add significant value to the organisation by:

Improving trust in customer relationships

Protecting the organisation’s reputation

Decreasing likelihood of violations of privacy

Providing greater confidence when interacting with trading partners

Enabling new and better ways to process electronic transactions

Reducing operational costs by providing predictable outcomes-mitigating risk factors that may interrupt the process (IT Governance Institute 2006).

ISSUES AND CHALLENGES

In the ICT world today, not every organisation will be able to achieve success or reap its benefits. Too many ICT initiatives have failed to deliver the bottom-line results companies had hoped for. One very common reason of failure is that the organizations fail to have a good management and controlled of their IT system. The Data Governance Council, with a focus on the review and approval aspects of board responsibilities, recently recommended that boards provide strategic oversight regarding information security, including:

1. Understanding the criticality of information and information security to the organisation

2. Reviewing investment in information security for alignment with the organisation strategy and risk profile

3. Endorsing the development and implementation of a comprehensive information security program.

Let’s discuss about major issues and challenges that faced by Cathay pacific, implementing an IT Security Governance framework. Boards and management have several fundamental responsibilities to ensure that information security governance is in force. Amongst the issues they should focus on are:

Understand Why Information Security Needs to Be Governed

Risks and threats are real and could have significant impact on the enterprise.

Reputation damage can be considerable.

Effective information security requires co-ordinate and integrated action from the top down.

IT investments can be substantial and easily misdirected.

Cultural and organisational factors are equally important.

Rules and priorities need to be established and enforced.

Trust needs to be demonstrated toward trading partners whilst exchanging electronic transactions.

Trust in reliability of system security needs to be demonstrated to all stakeholders.

Security incidents are likely to be exposed to the public.

Take Board-level Action

Become informed about information security.

Set direction, i.e., drive policy and strategy and define a global risk profile.

Provide resources to information security efforts.

Assign responsibilities to management.

Set priorities.

Support change.

Define cultural values related to risk awareness.

Obtain assurance from internal or external auditors.

Insist that management makes security investments and security improvements measurable, and monitors and reports on program effectiveness (IT Governance Institute 2006).

Take Senior Management-level Action

Provide oversight for the development of a security and control framework that consists of standards, measures, practices and procedures, after a policy has been approved by the governing body of the organisation and related roles and responsibilities assigned. (Design)

Set direction for the creation of a security policy, with business input. (Policy Development)

Ensure that individual roles, responsibilities and authority are clearly communicated and understood by all. (Roles and Responsibilities)

Require that threats and vulnerabilities be identified, analysed and monitored, and industry practices used for due care.

Require the set-up of a security infrastructure.

Set direction to ensure that resources are available to allow for prioritization of possible controls and countermeasures implement accordingly on a timely basis, and maintained effectively. (Implementation)

Establish monitoring measures to detect and ensure correction of security breaches, so all actual and suspected breaches are promptly identified, investigated and acted upon, and to ensure ongoing compliance with policy, standards and minimum acceptable security practices. (Monitoring)

Require that periodic reviews and tests be conducted.

Institute processes that will help implement intrusion detection and incident response.

Require monitoring and metrics to ensure that information is protected, correct skills are on hand to operate information systems securely and security incidents are responded to on a timely basis. Education in security measures and practices is of critical importance for the success of an organisation’s security program. (Awareness, Training and Education)

Ensure that security is considered an integral part of the systems development life cycle process and is explicitly addressed during each phase of the process. (IT Governance Institute 2006)

Questions to Uncover Information Security Issues

Does the head of security/CISO routinely meet or brief business management?

When was the last time top management got involved in security-related decisions? How often does top management get involved in progressing security solutions?

Does management know who is responsible for security? Does the responsible individual know? Does everyone else know?

Would people recognise a security incident when they saw one? Would they ignore it? Would they know what to do about it?

Does anyone know how many computers the company owns? Would management know if some went missing?

Are damage assessment and disaster recovery plans in place?

Has management identified all information (customer data, strategic plans, financial data, research results, etc.) that would violate policy, legal or regulatory requirements or cause embarrassment or competitive disadvantage if it were leaked?

Did the company suffer from the latest virus or malware attack? How many attacks were successful during the past 12-month period?

Have there been intrusions? How often and with what impact?

Does anyone know how many people are using the organisation’s systems?

Does anyone care whether or not they are allowed access, or what they are doing?

Is security considered an afterthought or a prerequisite?

(IT Governance Institute 2006)

CONCLUSIONS

Information security is not only a technical issue, but a business and governance challenge that involves adequate risk management, reporting and accountability. Effective security requires the active involvement of executives to assess emerging threats and the organisation’s response to them. As organisations like Cathay pacific, strive to remain competitive in the global economy, they respond to constant pressures to cut costs through automation, which often requires deploying more information systems. The combination is forcing management to face difficult decisions about how to effectively address information security. This is in addition to scores of new and existing laws and regulations that demand compliance and higher levels of accountability.