Inc is now more serious about IS security. But security begins with a policy, and not many enterprises have a formal security policy. Among those that have a policy, many admit it isn't effective enough or that it isn't on par with international standards.
by Brian Pereira
In the old economy an organization placed high value on its physical assets and took appropriate steps to secure and protect them. That attitude remains unchanged today. Try walking into the heart of a corporate office and you'll run headlong into a glass door that refuses to open unless an employee swipes his card. Even before that, as you enter the premises, a burly security guard eyes you with suspicion and wants to know if you have a floppy or CD in your bag.
In the new economy, information is more valuable than physical assets. It's an electronic world, and even money is represented by binary digits. Wire transfers and electronic transactions are common; few exchange wads of bank notes during business transactions. A company's vital business processes and trade secrets are stored in electronic databases, not safe boxes. Now imagine the consequences if a stranger had access to all this
Are you doing enough to secure your prized information assets? Deploying firewalls, IDS and anti-virus solutions isn't enough. You need to define a framework (guidelines, procedures and rules) for securing information and systems. This is known as a Security Policy. What's more, you need to document this policy and review and revise it frequently, in step with changes in business objectives and changes in technology.
How effective are the security policies implemented by Indian companies? An annual survey conducted by the Confederation of Indian Industry (CII) and PricewaterhouseCoopers brings out the stark realities.
The CII-PricewaterhouseCoopers Information Systems Security Survey 2002-2003 reveals that more Indian companies now have a security policy, but we still have a long way to go in bringing it on par with international standards. PWC evaluates the status of a security policy by placing enterprises in one of four categories: No Policy, Informal Policy, Written Security Objective and Comprehensive Documentation.
Sameer Kapoor, Executive Director, PWC, says an Informal Policy is as good as having no policy. "An informal policy is practiced but never put down on paper. It's like implementing a firewall without having the rules
An Informal Policy is a set of practices known to a select group of people, usually IS staff such as system administrators. When such staff leave the organization, it becomes cumbersome to train their replacements in the absence of a documented policy.
Kapoor explains that a Written Security Objective covers just the basics. "The approach here is to protect information and systems that have higher business impact. One is not detailing it too much in the policy or not making it comprehensive. Further, it is known to a small group of people who are focused on security, but it cannot be disseminated throughout the organization."
A policy with Comprehensive Documentation covers everything an organization has to say about security, in terms of the basic principles, the standards and
According to the CII-PWC survey for 2002-03, 47 percent of the respondents continue to operate without a formal security policy (Refer to chart 1). An Informal Policy is counted as not having a security policy: about 17 percent of the respondents have absolutely no security policy, while 30 percent said they have an Informal Policy. This is nevertheless an improvement over the previous year. The CII-PWC survey for 2000-2001 revealed that 7 percent had absolutely no policy, while 50 percent had an informal policy. So more companies (especially in the Financial sector) have implemented security policies for certain reasons (See the next story, 'Security Policies: The right approach'). The CII-PWC survey for the current year reveals that 12 percent of the respondents have a Written Security Objective. This number was higher in 2000-01, at 26 percent. This indicates that there is a trend towards having a formal
Though 68 percent of the respondents have high regard for IS security, just 41 percent have a security policy that is comprehensively documented. In the previous year, 17 percent had Comprehensive Documentation. However, in its previous survey report PWC noted that a number of documented security policies are far from meeting international standards. So what really counts is the effectiveness of the security policy.
THE ESSENTIAL INGREDIENTS
PWC says there is a clear correlation between security policy and the effectiveness of security measures in the organization. "It's not enough to just have a security policy," says PWC's Kapoor. "You need to look at your business objectives and then link the policy to these objectives."
Among those Indian enterprises that have a formal security policy (Comprehensive Documentation or a Written Security Objective), the effectiveness of security on the ground was observed to be starkly low (Refer to chart 2). Only 40 percent of such respondents believe that their security is highly effective, and 17 percent of the respondents do not feel secure even though they have a security policy in place.
A large proportion of Indian enterprises admit that their IS security is very low. 83 percent of the respondents without a formal security policy feel that their security is only moderately effective (42 percent) or has low effectiveness (41 percent) (Refer to chart 3).
PWC says there are certain essential ingredients that businesses must consider to make their security policies effective. These ingredients are based on business risk analysis and classification of business data and include:
More than 50 percent of the respondents with a comprehensive policy have not addressed critical, business-oriented preventive and detective elements such as risk analysis (not conducted by 45 percent), classification of data (not done by 67 percent of the respondents), and procedures for partners (not laid down by 72 percent in their respective IS security policies) (Refer to chart 4). PWC says such organizations feel reassured about their IS security by addressing only the technological aspect, while they remain susceptible to threats from various sources because they have not covered the more critical business issues related to the adoption and deployment of IT systems. This explains the low effectiveness of a number of security policies.
PWC's Kapoor says a major mistake that most businesses make when formulating a security policy is that they take a bottom-up approach and begin with technology. "Essentially, it should be a top-down approach, where you understand the business and then correlate it to technology. You don't start with technology. You say, this is my business, this is my dependency on IT for decision-making, and how do I secure it? So you look at the dependency of business on information,"
WHO SETS THE POLICY
The effectiveness of a policy also depends on the involvement of certain people in the organization. Just because security has been associated with technology, it does not mean that only the IS department or CIO/CTO should
Kapoor says the security policy is usually the responsibility of the CIO/CTO because security is thought to be too complex to be handled by anybody else. He strongly believes that the people who are the information owners should be involved. "Top management should also be involved, otherwise information security will never get implemented in the right manner. Predominantly, in the Indian environment, it is still the CIO/CTO who is solely involved in formulating and implementing the security policy."
For this survey, CII and PWC asked companies that had a comprehensive security policy about the people responsible for policy development in their organization. In response to the multiple-choice questionnaire, it was found that the overall involvement at all levels in formulating the security policy is significantly lower in India than at global levels (Refer to
Currently, CIOs (43 percent, compared to 57 percent globally) participate the most in policy-making initiatives. Involvement of security specialists such as the chief information security officer (CISO) and the chief administrator is low in Indian businesses compared to their global counterparts. However, compared to 2000-2001, participation by the CISO in policy-making initiatives has doubled.
To be highly effective, a security policy should be reviewed at least once every year. Policies must be reviewed to take into account the changing circumstances across the business. But how frequent should this be
Kapoor says the security policy must be reviewed to keep it in sync with business goals, but it would be tedious to review and change the whole policy regularly. He advises that the security policy should have two parts. The Basics part would contain the fundamental principles, which do not change frequently over time. The second part would be the Standards and Procedures, which change more frequently as new vulnerabilities are introduced. This is the technology-centric part.
"Security should be reviewed on a daily basis because there are new vulnerabilities reported every day. Hence the Standards part of the policy should be reviewed regularly. But the Basics part of the policy should be reviewed whenever there is some major change in business processes or whenever you are introducing new systems. A good practice is to do this at least once a year."
The survey shows some positive results here (Refer to chart 6). Over two-thirds of Indian businesses that have a security policy review their comprehensive security policy either continuously or at least once a year. This is a significant increase from 2000-2001, when only 44 percent of the businesses with a security policy admitted to reviewing the policy at least once every
Around 20 percent of the respondents have either not reviewed their security policy or have no regular pattern of review. But this is better than the situation in 2000-2001, when nearly 51 percent of the respondents had no regular pattern of review or did not review their security policy at all.
This implies that Indian companies are making an effort to keep their policy up to date. However, PWC feels that the current quality of the security policy of most Indian companies has a long way to go before achieving global standards. Financial services companies are the exception.
Perhaps this will change as businesses in other verticals move to the global playing field. Just as there is a regulator for the Banking and Financial services sector which makes recommendations for policies, it would help to have something similar for other verticals.
Brian Pereira can be reached at email@example.com
MISSING IN OUR POLICIES
Businesses need to review their current policy initiatives. The major missing components in the policy documents of Indian businesses are:
- Risk analysis of the processes and activities enabled by IT deployment.
- Classification of business data sets along the three IS security objectives of confidentiality, integrity and availability.
- End user awareness, through inclusion of IS security training in structured induction or
- Procedures for partners, especially in scenarios where business partners interact electronically or the auditor/consultant community starts to emphasize the company's electronic data systems.
- Monitoring standards for checking compliance with the IT security policy, including continuous review of security events.
[Chart legend for charts 1, 2 & 3] Year@: CII-PWC Information Systems Security Survey 2002-03; 2000-01*: CII-PWC Information Systems Security Survey; Global+: InformationWeek Research Global Information Security Survey 2001. Source: PricewaterhouseCoopers Pvt. Ltd.
CII-PWC IS SECURITY SURVEY 2002-03
- 80% of respondents reported security breaches in the last 12 months
- Virus infection continues to be the most prevalent breach
- Hackers and unauthorized users are responsible for over two-thirds of the security breaches
- Average downtime for all security breaches is at an alarming level of 29 hours
- 41% of the companies have a security policy
- 74% of the respondents have increased their security budgets over the previous year