Johnson & Johnson tackles security pain

By Ellen Messmer, Network World, 03/14/2005

For Johnson & Johnson, the healthcare giant with more than 200 separate companies operating in 54 countries, one of the biggest problems encountered in e-commerce was finding a way to give business partners access to the network quickly while still enforcing security.

The problem vexed the Brunswick, N.J., maker of pharmaceuticals and medical equipment because e-commerce partners, once given access, sometimes introduced worms and viruses into J&J's network. In addition, the process of reviewing business requests for network access between a J&J unit and its intended partner had become burdensome, delaying e-commerce transactions.

However, IT staff at J&J said that since new security procedures put in place a year ago altered the equation, network-access requests have been processed much faster. Through uniform monitoring and documentation processes, security has also improved, with worm and virus outbreaks emanating from business partners reduced to nil.

"The documentation is still a bit cumbersome, but now it's a repeatable process," says Thomas Bunt, director of worldwide information security at J&J, about the challenge of providing network access for business partners. "We're facing an increased demand for external connections, and it wasn't easy to do this."

When a business manager at J&J wants to have counterparts in outside firms gain access to internal applications for e-commerce, the IT department is summoned to assess risk.

First, the J&J unit and the outside firm have to fill out a detailed questionnaire about the nature of the connection request, says Denise Medd, information security senior analyst. In addition, J&J expects the intended e-commerce partner to submit to a security assessment and evaluation.

This vulnerability assessment may be done by a neutral third party, but the goal is to ensure that doing business via the network connection, which is typically opened up via a J&J firewall, presents no unnecessary risks. The J&J operating company, officially known as "the sponsor," is held to the same standards, Medd emphasizes.

Occasionally, a request for network access is turned down, especially if the J&J side has servers lacking proper patch-update mechanisms or other shortcomings. "There is a final review, and we will not let an insecure connection go live," Medd says.

The IT and security professionals at J&J worked with the legal department to craft standard procedures for requests and evaluations. J&J and its partner also must complete a contract or memo of understanding regarding the network connection to be established.

"We'll look closely at what the connectivity is, and typically a limited number of people could have access," Bunt says, pointing out that J&J strives to accommodate requests for a range of VPN access methods.

J&J also includes an inspection process every six months to ascertain the security of the network connection. The risk management procedure has resulted in a dramatic drop in virus and worm outbreaks. Sometimes business project managers grumble about the assessment process, but management's solid backing of it has made it a uniformly enforced process that is in effect with hundreds of outside firms, Bunt says.
