
How Effective is your Security Policy?

India Inc is now more serious about IS security. But security begins with a policy, and not many enterprises have a formal one. Among those that do, many admit it isn't effective enough or isn't on par with international standards. by Brian Pereira

In the old economy an organization placed high value on its physical assets and took appropriate steps to secure and protect these. That attitude remains unchanged today. Try walking into the heart of a corporate office and you'll run headlong into a glass door that refuses to open unless an employee swipes his card. Even before that, as you enter the premises, a burly security guard eyes you with suspicion and wants to know if you have a floppy or CD in your bag.

In the new economy, information is more valuable than physical assets. It's an electronic world and even money is represented by binary digits. Wire transfers and electronic transactions are common—few exchange wads of bank notes during business transactions. A company's vital business processes and trade secrets are stored in electronic databases—not safe boxes. Now imagine the consequences if a stranger had access to all this vital information.

Are you doing enough to secure your prized information assets? Deploying firewalls, IDS and anti-virus solutions isn't enough. You need to define a framework (guidelines, procedures and rules) for securing information and systems. This is known as a Security Policy. What's more, you need to document this policy and review and revise it regularly, as business objectives and technology change.

But how effective are the security policies implemented by Indian companies?

An annual survey conducted by the Confederation of Indian Industry (CII) and PricewaterhouseCoopers brings out the stark realities.

The CII-PricewaterhouseCoopers Information Systems Security Survey 2002-2003 reveals that more Indian companies now have a security policy, but we still have a long way to go in bringing it on par with international standards.

PWC evaluates the status of a security policy by placing enterprises in one of four categories. The categories are No Policy, Informal Policy, Written Security Objective and Comprehensive Documentation.

Sameer Kapoor, Executive Director, PWC, says an Informal Policy is as good as having no policy. "An informal policy is practiced but never put down on paper. It's like implementing a firewall without having the rules documented."

An Informal Policy is a set of practices known to a select group of people, usually IS staff such as system administrators. And when such staff leaves the organization, it becomes cumbersome to retrain their replacements in the absence of a documented policy.

Kapoor explains that a Written Security Objective covers just the basics. "The approach here is to protect information and systems that have higher business impact. One is not detailing it too much in the policy or not making it comprehensive. Further, it is known to a small group of people who are focused on security, but it cannot be disseminated throughout the organization."

And a policy with Comprehensive Documentation covers everything an organization has to say about security, in terms of the basic principles, the standards and the procedures.

According to the CII-PWC survey for 2002-03, 47 percent of the respondents continue to operate without a formal security policy (Refer to chart 1); for this purpose an Informal Policy is regarded as not having a security policy. About 17 percent of the respondents have absolutely no security policy, while 30 percent said they have an Informal Policy. This is definitely an improvement over the previous survey: in 2000-2001, 7 percent had absolutely no policy and 50 percent had an Informal Policy, so 57 percent lacked a formal policy. More companies (especially in the Financial sector) have since implemented security policies, for reasons discussed in the next story, 'Security Policies: The right approach'.

The current survey also reveals that 12 percent of the respondents have a Written Security Objective, down from 26 percent in 2000-01. Since the share with Comprehensive Documentation has risen over the same period, this indicates a trend away from minimal written objectives and towards a formal, comprehensive policy.

Though 68 percent of the respondents have high regard for IS security, just 41 percent have a security policy that's comprehensively documented. In the previous year 17 percent had Comprehensive Documentation. However, in its previous survey report PWC noted that a number of documented security policies are far from meeting international standards. So what really counts is the effectiveness of the security policy.

PWC says there is a clear correlation between security policy and effectiveness of security measures in the organization. "It's not enough to just have a security policy," says PWC's Kapoor. "You need to look at your business objectives and then link the policy to these objectives."

Among those Indian enterprises that have a formal security policy (comprehensive or written security objectives), the effectiveness of security on the ground was observed to be starkly low (Refer to chart 2). Only 40 percent of such respondents believe that their security is highly effective and 17 percent of the respondents do not feel secure even though they have a security policy in place.

A large proportion of Indian enterprises admit that their IS security is weak: 83 percent of the respondents without a formal security policy feel that their security is only moderately effective (42 percent) or of low effectiveness (41 percent). (Refer to chart 3)

PWC says there are certain essential ingredients that businesses must consider to make their security policies effective. These ingredients are based on business risk analysis and classification of business data and include:

  1. Preventive measures
  2. Corrective measures
  3. Detective measures

More than 50 percent of the respondents with a comprehensive policy have not addressed critical, business-oriented preventive and detective elements such as risk analysis (not conducted by 45 percent), classification of data (not done by 67 percent of the respondents), and procedure for partners (not laid down by 72 percent in their respective IS security policies). (Refer to chart 4) PWC says such organizations would feel reassured about their IS security by just addressing the technological aspect, while they would continue to be susceptible to threats from various sources because they have not covered the more critical business issues related to the adoption and deployment of IT systems. This explains the low effectiveness of a number of security policies.

PWC's Kapoor says a major mistake that most businesses make when formulating a security policy is that they take a bottom-up approach and begin with technology.

"Essentially, it should be a top-down approach, where you understand the business and then correlate it to technology. You don't start with technology. You say, this is my business, this is my dependency on IT for decision-making, and how do I secure it? So you look at the dependency of business on information," says Kapoor.

The effectiveness of a policy also depends on the involvement of certain people in the organization. Just because security has been associated with technology, it does not mean that only the IS department or CIO/CTO should be involved.

Kapoor says the security policy is usually the responsibility of the CIO/CTO because security is thought to be too complex for anybody else to handle. He strongly believes that the people who own the information should be involved.

"Top management should also be involved otherwise information security will never get implemented in the right manner. Predominantly, in the Indian environment, it is still the CIO/CTO who is solely involved in formulating and implementing the security policy."

For this survey, CII and PWC asked companies that had a comprehensive security policy about the people responsible for policy development in their organization.

The responses to this multiple-choice questionnaire show that overall involvement at all levels in formulating the security policy is significantly lower in India than at global levels (Refer to chart 5).

Currently, CIOs (43 percent compared to 57 percent globally) participate the most in policy-making initiatives. Involvement of security specialists such as the chief information security officer (CISO) and the chief administrator is low in Indian businesses compared to their global counterparts. However, compared to 2000-2001, participation by the CISO in policy-making initiatives has doubled.

A security policy must be reviewed to take into account changing circumstances across the business, and to remain highly effective it should be reviewed at least once every year. But how frequently should this really be done?

Kapoor says the security policy must be reviewed to keep it in sync with business goals, but it would be tedious to review and change the whole policy regularly. He advises that the security policy should have two parts. The Basics part would contain the fundamental principles that do not change frequently over time. The second part, Standards and Procedures, would change more often, as new vulnerabilities appear. This is the technology-centric part.

"Security should be reviewed on a daily basis because there are new vulnerabilities reported everyday. Hence the Standards part of the policy should be reviewed regularly. But the Basics part of the policy should be reviewed whenever there is some major change in business processes or whenever you are introducing new systems. A good practice is to do this at least once a year."

The survey shows some positive results here (Refer to chart 6). Over two-thirds of Indian businesses that have a security policy, review their comprehensive security policy either continuously or at least once a year. This is a significant increase from 2000-2001, when only 44 percent of the businesses with a security policy admitted to reviewing the policy at least once every year.

Around 20 percent of the respondents have either not reviewed their security policy or have no regular pattern of review. But this is better than the situation in 2000-2001 when nearly 51 percent of the respondents had no regular pattern of review or did not at all review their security policy.

This implies that Indian companies are making an effort to keep their policies up to date. However, PWC feels that the quality of most Indian companies' security policies still has a long way to go before reaching global standards. Financial services companies are an exception.

Perhaps this will change as businesses in other verticals move to the global playing field. Just as there is a regulator for the Banking and Financial services sector which makes recommendations for policies, it would help to have something similar for other verticals.

Brian Pereira can be reached at brianp@networkmagazineindia.com

What's missing in our policies

Indian businesses need to review their current policy initiatives. The major missing components in the policy documents of Indian businesses are:

  • Risk analysis of the processes and activities enabled by IT deployment.
  • Classification of business data sets along the three IS security objectives of confidentiality, integrity and availability.
  • End user awareness, through inclusion of IS security training in structured induction or development programs.
  • Procedure for partners, especially where business partners interact electronically or where the auditor/consultant community starts to scrutinize the company's electronic data systems.
  • Monitoring standards for checking compliance of IT security policy including continuous review of security events.

Source: PricewaterhouseCoopers Pvt. Ltd.


Chart 1, 2 & 3

Current Year@ : CII-PWC Information Systems Security Survey 2002-2003
2000-01* : CII-PWC Information Systems Security Survey 2000-2001
Global+ : InformationWeek Research Global Information Security Survey 2001

Source: PricewaterhouseCoopers, IS Security Survey 2002-03

Chart 4

Chart 5

Chart 6

Highlights of CII-PWC IS Security Survey 2002-03

  • 80% respondents reported security breaches in the last 12 months
  • Virus infection continues to be most prevalent at 75%
  • Hackers and unauthorized users are responsible for over two-thirds of the security breaches
  • Average downtime for all security breaches is at an alarming level of 29 hours
  • 41% of the companies have a security policy
  • 74% of the respondents have increased their security budgets over previous year