Issue of November 2002

Security Policies: The right approach

Many Indian enterprises that have a security policy admit it isn't effective enough. A security policy can help secure an organization's information assets if it is properly implemented. For that, companies need to have the right attitude and take the right approach.

by Brian Pereira

The previous story, 'How effective is your Security Policy?' is a reality check on the status and effectiveness of a Security Policy in Indian companies. After analyzing the CII-PricewaterhouseCoopers IS Security Survey, Network Magazine spoke to security consultants/Security Solutions Providers (SSPs) and a few security-savvy companies. They told us about the importance and benefits of having a security policy, and the correct approach for creating one. During these interactions we also found out where companies are faltering in their approach.

We're convinced that security has gained in significance within Indian enterprises, and the topic is even being discussed in corporate boardrooms. Yes, even CEOs and COOs are talking about securing their information assets now. With increased dependence on IT infrastructure, a company's assets today are not just physical—information is also considered a prized asset, and with that comes the need to secure it. Companies that transact through the Internet also acknowledge the need for strong security.

Almost everyone we spoke to agreed that the Banking and Finance sector is most serious about security and that most banks have a documented security policy. When the banks began putting their services on the Net (around 1999), RBI issued a set of guidelines that strongly suggested the implementation of a security policy.

C.N. Ram, Chief Technology Officer at HDFC Bank, feels a security policy is necessary for providing customers a secure infrastructure for processing transactions on the Net.

"We have developed a complete security policy covering the risks in the areas of technology and operations," he says.

Rajeev Wadhwa, Chief Operating Officer, Global E-Secure says the drive for security policy needs to be enforced by some regulator. "The Banking and Finance industry were early movers because they have sensitive data and also due to the RBI guidelines. So I won't be surprised if the telecom regulator (TRAI) imposes a National Telecom Security Policy for the Telecom and ISP industry tomorrow."

But is enforcement by regulatory bodies the only driver for drafting and implementing a security policy? Pressure from international clientele or partners is another reason why companies are going in for security policies.

"We observe that companies with overseas clientele are getting serious about security. These are typically software developers, call centers, and BPO companies. Security policy is one of the conditions set by the overseas client and they might send an auditor to check the extent to which one has implemented one's security policy," says Avinash Kadam, Chief Executive-Assurance and Global Services, MIEL e-Security. Kadam says overseas clients are increasingly asking Indian companies if they have security certification.

The MNCs also have security policies because their parent firms have a security policy that's implemented right across the organization, in all offices around the world.

But having a security policy does not guarantee a secure environment, says another consultant. "It depends on how you implement the policy. You have to generate sufficient awareness about security at all levels in the organization," he says.

Going by the results of the CII-PWC IS Security Survey, it's evident that even organizations that have a security policy feel it isn't effective enough or that they have not taken the proper steps to secure their IT infrastructure. So where are we going wrong? What should be the correct approach?

IS security has always been associated with the IT department and thought to be a very technical issue. And that's the fundamental problem.

Says Santosh Desai, Senior VP, eSecurity, eServices Division, RoltaNet, "People are looking at technology first, and this is wrong. This is because (evolving) technology is forcing companies to upgrade their IT infrastructure. So no one looks at security from a business angle. It becomes an end-to-end security solution only if you look at it from a business angle and then address your security needs."

Kadam feels it isn't right to involve only technical people when formulating the policy. "Technical people may formulate excellent technical policies that might not be practical to implement. They do not know the business issues and people-related issues. That's why their policies do not match actual requirements, and this is where the policy implementation fails."

Another common mistake is a lengthy and complex policy that few understand.

"Hitherto, organizations typically developed a security policy that was a voluminous document that few read, hence it wasn't fully implemented," says Himanshu Khanna, Head-Technology, iServ India. "This is not the correct approach. A security policy needs to be short and crisp, with clear threat identification, processes for countering these threats and an organization structure supporting these counter measures. We believe that for high efficacy of implementation, an organization should follow a phased approach—high potential threats countered first and others countered in subsequent phases."

The effectiveness of the policy and the motivation to adopt it depend on the people involved in formulating it. The traditional practice of involving only the IT manager and IS department should be discarded. Rather, companies should take a top-down approach, with the initiative coming from top management.

The CEO can define a broad policy in consultation with the IT manager. Once that happens, security awareness percolates down to all levels within the organization.

Besides the CEO and CIO/CTO there are others who should be involved.

"All business users who access information should be involved," says Kadam. "Procedures and implementation could be done by the CIO/CTO. But the policy cannot be created only by the CIO/CTO. He may not be aware of all the business processes."

Take the Internet/e-mail usage policy for instance. This cannot be decided only by the CIO. For this the CIO will have to consult HR, business users, and top management. They will decide how much flexibility is to be given depending on job function. The CIO will only address the technical aspects.

Some organizations assign the responsibility of forming the security policy to a steering committee or task force. This team comprises consultants and security advisors who may be from within the organization or from outside. The team is given privileged access to talk to top management, the business development teams, the implementers (IT and IS managers), the head of HR and other departments, and also end users.

"This team should be headed by a security consultant who has to ensure that the policies defined by the top management are understood at a lower level. This reduces the gap between assumed policies and existing policies," says Desai.

With commitment from top management, the team can begin work on the security policy. It may conduct a series of interviews with people at all levels in the organization (and with various departments) to check their expectations from the policy. The task of creating a policy involves various procedures that can broadly be grouped in the following phases:

Risk Assessment: In the first phase, one identifies all risks and vulnerabilities that could disrupt business. The procedures and methods to counter the threats are also devised. It is important to understand the business objectives and expectations from IT while doing risk assessment.

Design and Write: The results of the interviews conducted in the first phase are analyzed. All the procedures for countering threats are also considered when designing the policy. A draft policy is written and goes to management. Certain statements may be modified and the changes incorporated. This may be repeated until the policy is fine-tuned, specific to the business processes and in line with business objectives. The policy is then documented and copies may be distributed to everyone in the organization. The documentation also includes penalties for not adhering to the policy.

Implement and Monitor: Once the policy is implemented, the team observes its acceptance and makes notes. Certain sections might turn out to be too rigid or too flexible. These will be modified later when the policy is reviewed.

Audit: Besides monitoring the acceptability of the policy, the team will also conduct audits to check for weaknesses or new vulnerabilities. The policy will be revised accordingly.

A security policy won't be effective unless it is periodically audited and reviewed. This is deemed necessary because both business objectives and technology change.

"You review a policy to measure its effectiveness," says Wadhwa. "Security policy is an initiative so it needs to be seen how well it is accepted and practiced within the organization. When you review it, you measure the acceptance and also, you measure the benefits of the policy. When reviewing it you look at the changing scenario within your corporation."

Companies can check the effectiveness of the policy by engaging the services of internal or external auditors. This exercise should be done regularly.

"We have an internal team from our Audit department that regularly reviews the policy," says HDFC's C.N. Ram. "We get our systems audited by an external auditor once every year."

For auditing there are industry standards like BS 7799 (Part 2) and COBIT. The BS 7799 standard is catching on in India. ISO has adopted Part 1 (Best Practices) of this standard. The COBIT standard has the best of BS 7799 and ISO 17799.

Companies that do not have a comprehensive security policy can follow the BS 7799 guidelines to begin with. Abroad, companies that adopted this standard said they improved their security as a result.

Sooner or later, it could become mandatory for businesses to have a security policy. So why not draft one for your organization today?

(For more on the BS 7799 standard, do check out the Secured View column)

Brian Pereira can be reached at

Why you need to have a Security Policy
  1. A security policy is a document that sets the rules and principles that shape the way an organization approaches problems.
  2. Furthermore, a security policy is a document that leads to the specification of the agreed conditions of use of an organization's resources for users and other clients. It also sets out the rights that they can expect with that use.
  3. Ultimately, a security policy is a document that exists to prevent the loss of an asset or its value. A security breach can easily lead to such a loss, regardless of whether the breach occurred as a result of a natural disaster, a hardware or software error, or malicious action internal or external to the organization.
  4. A security policy is a point of reference for an organization's other policies. It is not uncommon for a policy on a particular matter to refer to other policies. For instance, a security policy may refer to a policy on Copyright or to a policy dealing with the Press. Similarly, other policies may need to refer to specific sections of the security policy. This obviously is not possible if a security policy is nonexistent.
  5. The policy helps in making purchasing decisions. A security policy offers guidelines for the standards of protection required on particular classes of computer systems. If a software or hardware component under consideration for purchase could be used to (or will actually) compromise these standards, this may influence whether the component is purchased.
  6. A security policy forms a framework for deciding what action to take in particular circumstances. In the event of a security breach, a security policy may contain guidelines on what authority particular people have and what actions to take to minimize the impact of that breach. Furthermore, after the breach, the policy provides guidelines on the course of action to take in order to prevent further or repeated breaches, and on the identification and discipline of the people responsible (in whatever capacity) for the breach. This removes the scope for improvised decision-making at inappropriate times.

Courtesy: Global E-Secure

An approach for formulating a Security Policy

Security Solutions Providers (SSPs) will have their own unique approaches to formulating the security policy. Here is the methodology adopted by iServ India. This SSP claims its approach is comprehensive, practical and implementable.

The methodology followed is:
  • Understanding of the business process and the way IT is deployed in the organization.
  • Identification of the critical IT resources, their availability requirements, and locations.
  • Identification of threats to these resources. Threats could be:
    • External
    • Internal
    Threats could also be:
    • IT related, like hacking, denial of service attacks, or removal of a resource.
    • Non-IT related: physical threats or any action that would somehow make an IT resource unavailable.
  • Definition of routine processes that need to be followed to protect the IT assets.
  • Definition of incident handling processes. Processes are defined for different kinds of incidents like hacking attempts, denial of service attacks etc.
  • Definition of an organization structure for implementation of the security policies. The organization structure clearly identifies the key personnel in the implementation of the plan and delineates their roles and responsibilities.
  • Awareness plan: a plan to make each and every member of the organization aware of the security policies and their implementation.
  • Development of an implementation road map.

Courtesy: iServ India


Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD