Indian enterprises that have a security policy admit
it isn't effective enough. A security policy can help
secure an organization's information assets if it is
properly implemented. For that, companies need to have
the right attitude and should take the right approach.
by Brian Pereira
The previous story, 'How effective
is your Security Policy?' is a reality check
on the status and effectiveness of a Security Policy
in Indian companies. After analyzing the CII-PricewaterhouseCoopers
IS Security Survey, Network Magazine spoke to security
consultants/Security Solutions Providers (SSPs) and
a few security-savvy companies. They told us about the
importance and benefits of having a security policy,
and the correct approach for creating one. During these
interactions we also found out where companies are faltering
in their approach.
We're convinced that security has gained in significance
within Indian enterprises, and the topic is even being
discussed in corporate boardrooms. Yes, even CEOs and
COOs are talking about securing their information assets
now. With increased dependence on IT infrastructure,
a company's assets today are not just physical: information
is also considered a prized asset, and with that comes
the need to secure it. Companies that transact through
the Internet also acknowledge the need for strong security.
Almost everyone we spoke to agreed that the Banking
and Finance sector is most serious about security and
that most banks have a documented security policy. When
the banks began putting their services on the Net (around
1999), RBI issued a set of guidelines that strongly
suggested the implementation of a security policy.
C.N. Ram, Chief Technology Officer at HDFC Bank, feels
a security policy is necessary for providing customers
a secure infrastructure for processing transactions
on the Net.
"We have developed a complete security policy covering
the risks in the areas of technology and operations."
Rajeev Wadhwa, Chief Operating Officer, Global E-Secure
says the drive for security policy needs to be enforced
by some regulator. "The Banking and Finance industry
were early movers because they have sensitive data and
also due to the RBI guidelines. So I won't be surprised
if the telecom regulator (TRAI) imposes a National Telecom
Security Policy for the Telecom and ISP industry tomorrow."
But is enforcement by regulatory bodies the only driver
for drafting and implementing a security policy?
Pressure from international clientele or partners is
another reason why companies are going in for security.
"We observe that companies with overseas clientele
are getting serious about security. These are typically
software developers, call centers, and BPO companies.
Security policy is one of the conditions set by the
overseas client and they might send an auditor to check
the extent to which one has implemented one's security
policy," says Avinash Kadam, Chief Executive-Assurance
and Global Services, MIEL e-Security. Kadam says overseas
clients are increasingly asking Indian companies if
they have security certification.
The MNCs also have security policies because their parent
firms have a security policy that's implemented right
across the organization, in all offices around the world.
But having a security policy does not guarantee a secure
environment, says another consultant. "It depends
on how you implement the policy. You have to generate
sufficient awareness about security at all levels in
the organization," he says.
Going by the results of the CII-PWC IS Security Survey,
it's evident that even organizations that have a security
policy feel it isn't effective enough or that they have
not taken the proper steps to secure their IT infrastructure.
So where are we going wrong? What should be the correct
IS security has always been associated with the IT department
and thought to be a very technical issue. And that's
the fundamental problem.
Says Santosh Desai, Senior VP, eSecurity, eServices
Division, RoltaNet, "People are looking at technology
first, and this is wrong. This is because (evolving)
technology is forcing companies to upgrade their IT infrastructure.
So no one looks at security from a business angle. It
becomes an end-to-end security solution only if you
look at it from a business angle and then address your
Kadam feels it isn't right to involve only technical
people when formulating the policy. "Technical
people may formulate excellent technical policies that
might not be practical to implement. They do not know
the business issues and people-related issues. That's
why their policies do not match actual requirements,
and this is where the policy implementation fails."
Another common mistake is having a lengthy and complex
policy that few understand.
"Hitherto, organizations typically developed a
security policy that was a voluminous document that
few read, hence it wasn't fully implemented," says
Himanshu Khanna, Head-Technology, iServ India. "This
is not the correct approach. A security policy needs
to be short and crisp, with clear threat identification,
processes for countering these threats and an organization
structure supporting these counter measures. We believe
that for high efficacy of implementation, an organization
should follow a phased approach: high potential
threats countered first and others countered in subsequent
WHO SHOULD BE INVOLVED?
The effectiveness of the policy and the motivation to
adopt it depend on the people involved in formulating
it. The traditional practice of involving only the IT
manager and IS department should be discarded. Rather,
companies should take a top-down approach, and the
initiative should come from top management.
The CEO can define a broad policy in consultation with
the IT manager. Once that happens, security awareness
percolates down to all levels within the organization.
Besides the CEO and CIO/CTO there are others who should
"All business users who access information should
be involved," says Kadam. "Procedures and
implementation could be done by the CIO/CTO. But the
policy cannot be created only by the CIO/CTO. He may
not be aware of all the business processes."
Take the Internet/e-mail usage policy for instance.
This cannot be decided only by the CIO. For this the
CIO will have to consult HR, business users, and top
management. They will decide how much flexibility is
to be given depending on job function. The CIO will
only address the technical aspects.
Some organizations assign the responsibility of forming
the security policy to a steering committee or task
force. This team comprises consultants and security
advisors who may be from within the organization or
from outside. This team is given privileged access to
talk to top management, the business development teams,
the implementers (IT and IS managers), head of HR and
other departments, and also end users.
"This team should be headed by a security consultant
who has to ensure that the policies defined by the top
management are understood at a lower level. This reduces
the gap between assumed policies and existing policies,"
FORMING A POLICY
With commitment from top management, the team can begin
work on the security policy. It may conduct a series
of interviews with people at all levels in the organization
(and with various departments) to check their expectations
from the policy. The task of creating a policy involves
various procedures that can broadly be grouped in the
Risk Assessment: In the first phase, one identifies all
risks and vulnerabilities that could disrupt business.
The procedures/methods to counter the threats are also
devised. It is important to understand the business
objectives and expectations from IT while doing risk
Design and Write: The results of the interviews conducted
in the first phase are analyzed. Also, all the procedures
for countering threats are considered when designing
the policy. A draft policy is written which goes to
the management. Certain statements may be modified and
the new changes are incorporated. This may be repeated
until the policy is fine-tuned and specific to the business
processes and in line with business objectives. The
policy is documented and copies may be distributed to
all in the organization. The documentation also includes
penalties for not adhering to the policy.
Implement and Monitor: Once the policy is implemented,
the team observes its acceptance and makes notes. Certain
sections might come out to be too rigid or too flexible.
These will be modified later when the policy is reviewed.
Audit: Besides monitoring the acceptability of the policy,
the team will also conduct audits to check for
weaknesses or new vulnerabilities. The policy will be
AUDIT AND REVIEW
A security policy won't be effective unless it is periodically
audited and reviewed. This is deemed necessary because
both business objectives and technology change.
"You review a policy to measure its effectiveness,"
says Wadhwa. "Security policy is an initiative
so it needs to be seen how well it is accepted and practiced
within the organization. When you review it, you measure
the acceptance and also, you measure the benefits of
the policy. When reviewing it you look at the changing
scenario within your corporation."
Companies can check the effectiveness of the policy
by engaging the services of internal or external auditors.
This exercise should be done regularly.
"We have an internal team from our Audit department
that regularly reviews the policy," says HDFC's
get our systems audited by an external auditor once
For auditing there are industry standards like BS 7799
(Part 2) and COBIT. The BS 7799 standard is catching
on in India. ISO has adopted Part 1 (Best Practices)
of this standard. The COBIT standard has the best of
BS 7799 and ISO 17799.
Companies that do not have a comprehensive security
policy can follow the BS 7799 guidelines to begin with.
Abroad, companies that adopted this standard said they
improved their security as a result.
Sooner or later, it could become mandatory for businesses
to have a security policy. So why not draft one for
your organization today?
(For more on the BS 7799 standard, do check out the
Secured View column)
Pereira can be reached at firstname.lastname@example.org
Why you need to have a Security Policy
A security policy is a document that sets the
rules and principles that affect the way
an organization approaches problems.
Furthermore, a security policy is a document
that leads to the specification of the agreed
conditions of use of an organization's resources
for users and other clients. It also sets the
rights that they can expect with that use.
Ultimately, a security policy is a document
that exists to prevent the loss of an asset
or its value. A security breach can easily lead
to such a loss, regardless of whether the security
breach occurred as a result of any natural disaster
or hardware or software error, or malicious
action internal or external to the organization.
A security policy also helps an organization make decisions
with regard to its other policies. It is not uncommon for a
policy on a particular matter to refer to other
policies. For instance, a security policy may
refer to a policy on Copyright or to a policy
dealing with the Press. Similarly, other policies
may need to refer to specific sections of the
security policy. This obviously is not possible
if a security policy is nonexistent.
The policy helps in making purchasing decisions.
A security policy offers guidelines for standards
of protection required on particular classes
of computer systems. If a software or hardware
component under consideration for purchase could
be used to (or will actually) compromise these
standards, then this may have an influence on
whether the component is purchased.
A security policy forms a framework for deciding
what action to take in particular circumstances.
In the event of a security breach, a security
policy may contain guidelines of what authority
particular people have to take and the actions
to minimize the impact of that breach. Furthermore,
after the breach, the policy will provide guidelines
regarding the course of action to take in order
to prevent further or repeated breaches, and
also regarding the identification and discipline
of the people responsible (in whatever capacity)
for the breach. This removes the scope for independent
reasoning at inappropriate times.
Courtesy: Global E-Secure
An approach for formulating a Security Policy
Security Solutions Providers (SSPs) will have their own
unique approaches to formulating the security
policy. Here is the methodology adopted by iServ
India. This SSP claims its approach is comprehensive,
practical and implementable.
The methodology followed is:
Understanding of the business process and the
way IT is deployed in the organization.
Identification of the critical IT resources,
their availability requirements, and locations.
Identification of threats to these resources.
Threats could be:
IT related like hacking, denial of service
attacks, removal of a resource.
Non-IT related: These threats include physical
threats or any action that would somehow
make an IT resource unavailable.
Definition of routine processes that need to
be followed to protect the IT assets.
Definition of incident handling processes. Processes
are defined for different kinds of incidents
like hacking attempts, denial of service attacks
Definition of an organization structure for
implementation of the security policies. The
organization structure clearly identifies the
key personnel in the implementation of the plan
and delineates their roles and responsibilities.
Awareness plan: This plan focuses on making each
and every member of the organization aware of the
security policies and their implementation.
Development of an implementation road map.
Courtesy: iServ India