Defending Against Security Threats
We use [Cast] for somewhere around 10 to 12 of our applications. Increasingly, project group by project group uses the Cast tool at different levels of granularity. Obviously a project manager and a software architect will look into things in much more detail than I will as the CIO. I have a dashboard, then I just look at the dashboard and if I don't see red, I just concentrate on something else. You have this information at your fingertip, and you can dig in to lower levels of detail.

What are the plans for Function Points? What does this initiative entail?

Function Point analysis is one of the ways people try to understand initially how much it will cost to build a software package. By doing function point analysis, you can have a measurement of the complexity of the program code. Cast will tell me whether what I've spent for this Website is reasonable given the amount of complexity, whether I've paid too much or whether I've gotten away with paying little for it. You have the code written, and then you analyze for the number of function points. You have to have specialists that do this manually.

How does the EMA approach the security challenges of storing 70 terabytes of data?

We run standard state-of-the-art IT security. So we have the usual arrangement of cascaded firewalls. So it cannot be a systemic whole. We use specially certified consultants who are cleared at the military levels to check the design of our IT security systems. We pay a specialized company to try and break into our systems. We have all of the required approaches.

What types of data breaches have you encountered?

We're running intrusion detection systems. Just before Christmas we spoke with the FDA on systems and what we do. Maybe because intrusion detection is not good enough, we have at the moment a very low number of attempted attacks - not aware of any successful attack. These breaches have all been passive insider threats.
If you analyze the difficult IT threats, you can divide them into passive versus active. I consider based on my own experience in IT, which now goes back 25 years, that by far the most dangerous threat is the active insider threat who you haven't promoted - a passive insider member of staff or insider getting code [or] information.
Then I can drill down to see where Cast highlights there's a problem. If you use Cast systematically and regularly, the debugging becomes much easier.