Workers’ Compensation Board of BC
The Worker’s Compensation Board of B.C. Keeps Infrastructure Safe with an End-to-End Security Solution
|
|
Company Overview
Headquartered in Vancouver, British Columbia, the Workers' Compensation Board of B.C. (WCB) is dedicated to promoting workplace health and safety for the workers and employers of the province. The WCB consults with and educates employers and workers and monitors compliance with the Occupational Health and Safety Regulations. In the event of work-related injuries or diseases, the WCB works with the affected parties to provide return-to-work rehabilitation, compensation, health care benefits, and a range of other services.
Business Challenge
The WCB of BC takes safety and security seriously. With approximately 2,500 employees and 12 offices across the province, the WCB serves the needs of four distinct customer communities – employers, workers, healthcare providers and the health and safety community. With many external and internal stakeholders, the organization made the safety of its internal IT infrastructure a priority.
While many organizations are only now starting to grapple with the issue of infrastructure security, the WCB has over the past number of years developed standards and procedures to address and streamline its patch management strategy. The organization realized years ago that having a strong security process in place would not only save headaches within IT, but across the organization as a whole.
|
Solution
To address security throughout its IT organization, the WCB has developed a department focused on the management of information security and risk management. The department has taken a three-prong approach, combining security access administration with security technical specialists and security business analysts. The access administration group focuses on the day-to-day ID and access management issues. The analysts focus on application development and business risks while the technical specialists handle the technologies to support these, such as two factor authentication, firewall, intrusion detection systems and patch management solutions.
Working closely with Microsoft Premier Support, the organization has benefited from the deep product knowledge of the team of employees of Microsoft and apply it to internal security practices and procedures.
Developing Policies and Procedures
A key component of the organization’s security strategy is the patch management program. The program has been in place for over two years and has become a routine part of the organization’s security program. With over 200 servers and 2,500 desktops across the organization, the WCB realizes the need to protect its critical business information.
“It took a year to iron out all the specifics and to get buy-in from the various managers within the IT department but we now have a consistent way of looking at patches. When a patch comes out now we have a business process in place that assess the patch and determines if and how we will deploy it. We do the deployment differently when it comes to servers and work stations, but the way that we actually handle a patch is ubiquitous,” says Bob Hawke, Senior Security Specialist, WCB.
When a patch comes out Microsoft attaches its own assessment, indicating that the patch is critical, important, or informational. The WCB security team reviews each critical notification to determine if the announced vulnerability is present on WCB systems. Every patch is tracked. Patches that apply to the organization’s infrastructure are deployed quickly. For each patch, an assessment is made regarding the degree of testing that may be required before the patch can be deployed. If required, a testing process is executed to ensure that the patches can be appropriately applied and have no obvious impact on systems and applications. In most instances the patch is deployed almost immediately. A balance between the desire for thorough testing and the need for quick deployment can be difficult to achieve but the goal is to ensure that systems are more secure and that the patches are rolled out quickly.
“Our goal is to maintain a consistent and predictable approach to the security of our IT investments. Patch management is part of an integrated approach to helping to secure our enterprise,” says Stephen Landon, Manager, IT Security, WCB. “Our effort to standardize our patch management processes and utilize the latest deployment tools enables us to manage vulnerabilities in proactive rather than a reactive fashion.”
The Tools for the Trade
To support the organization’s patch management strategy, the WCB uses Microsoft® Systems Management Server 2 (SMS) SP5 software to deploy patches to desktop systems and Software Update Services (SUS) for deploying patches to server systems and for overall monitoring and reporting. By utilizing the management infrastructure inherent within Windows operating system, the WCB is able to leverage its current investment of SMS to manage its Windows-based systems at a far lower cost. SMS has an extensible set of programmatic interfaces to allow it to integrate in many ways with other Microsoft-based management applications, such as SUS, which enables the WCB administrators to quickly and reliably deploy the latest critical updates to the organization’s servers that use Windows® 2000 and Windows Server™ 2003 operating system.
“Our organization is an SMS-based environment, so we have the ability to deploy patches and critical updates with SMS. We also use the SUS feature pack for reporting the specifics of what machines are missing patches and who has them installed,” says Chris Bell, Manager, Office Systems. “We run the SUS scan and the Patch Wizard every two days and are able to view Web reports on a regular basis. Together, these technologies have really helped to streamline the patch management process.”
In addition to having these safeguards in place, the WCB monitors all of Microsoft’s Security Bulletins on a regular basis. The organization is able to maintain all of its workstations to a standard baseline image and is able to keep them all properly patched.
“We approach security on both the server and the desktop. You can’t simply focus on one and not the other; you need to look at both sides of the coin,” says Hawke. “That is why we have developed an integrated approach to patch management to ensure that both our servers and our desktops are secure.”
Business Benefits
Guaranteed Uptime
With numerous employees scattered around the province of British Columbia, the importance of ensuring that systems are up and secure is critical. The WCB’s proactive approach to security and leadership in this area is paying off. Since developing an end to end patch management strategy, the organization’s mission-critical applications have remained stable and secure from large-scale Internet worms and virus attacks.
“Our clients assume a stable working environment and we have been able to provide that for them,” says Bell. “Just having the technology in place with SMS and SUS, we have been able to provide increased uptime and that really makes the user community happy.”
Saving time and money
Increased efficiencies and streamlined patch management processes have resulted in significant cost avoidance and time savings for the organization. The investment in security has helped ensure that the organization has not had to encounter the costs associated with a large-scale system weakness and lost hours in revenue.
“I would say that the return on investment for security is generally 10 to one. Being proactive will save you 10 times the amount of work,” says Hawke. “As a sensible business, I would say to design and implement security with a good system would cost less in the long term and save more money.”
Mitigating Risk
As a result of having its patch management program in place, the WCB has been able to protect employees, data and machines from a recent rash of serious Internet viruses and worms. By managing various threats and viruses with technology and business solutions, the organization has been able to mitigate the impact on its business and the customers that it services.
“I believe a good security process is like buying insurance. A lot of businesses ask ‘why would I want security? I don’t see any ROI for it’. My answer would be, ‘why do you have insurance or put fire extinguishers on the walls,” says Hawke. “You may not want to purchase security systems or employ a security team, but the avoidance of one or two major security breaches makes our work worthwhile.”
“When viruses do circulate, it’s a very comfortable feeling to know that there are several layers of security and standard patch processes in place,” says Bell.
Microsoft Windows Server System
Microsoft® Windows Server System is a comprehensive, integrated, and interoperable server infrastructure that helps reduce the complexity and costs of building, deploying, connecting, and operating agile business solutions. Windows Server System helps customers create new value for their business through the strategic use of their IT assets. With the Windows Server operating system as its foundation, Windows Server System delivers dependable infrastructure for data management and analysis; enterprise integration; customer, partner, and employee portals; business process automation; communications and collaboration; and core IT operations including security, deployment, and systems management.
For more information about Windows Server System, go to:
http://www.microsoft.com/windowsserversystem
For More Information
For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234 in the United States or (905) 568-9641 in Canada. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to: www.microsoft.com
For more information about Worker’s Compensation Board; B.C. products and services, call 1-888-757-5552 or visit the Web site at: www.worksafebc.com
