Security in any organization is only as strong as its weakest
link. Understanding the importance of this 'mantra'
is crucial when it comes to framing a security
policy. One may have the best security infrastructure
money can buy, but in the absence of a well-defined
and updated security policy, the business faces a threat.
Unfortunately, security policies often figure at the
end of most CIOs' things-to-do lists, when they actually
are a vital ingredient. When the drafting of a policy
is ultimately initiated, many do not know the kind of
policy their organization needs and the ways to develop
the relevant guidelines.
Finally, once the policy is drafted, one still has to
figure out ways to communicate it to users, and plan
processes to enforce it. There is no standardized or
sure-fire way of enforcing a security policy. This leaves
a lot of room for error.
Then there's the question of updating your security
policy from time to time to fit the changing business
conditions. How often should a CIO update the company's
security policy? Once a year, or twice a year? Who should
be involved in framing and updating the security policy?
The CIO's suddenly short of answers.
A recent CII-PWC IS Security Survey 2002-03 highlights
the alarming state of security policy implementation
in India. According to the survey, 68 percent of the
respondents accorded a high priority to security, but
surprisingly only 41 percent had a comprehensive security
policy in place. A rather large chunk, about 47 percent
of the respondents, continue to operate without a security
In this issue of Network Magazine we look at the 'Security
Policy' scenario in India extensively. We talked to
security management specialists in order to provide
answers to a wide range of issues on creating, managing,
and enforcing a security policy.
In the course of our research, one thing became quite
clear: framing a security policy is not the sole responsibility
of the CIO. The CEO, HR Head, and other business and
operational heads will have to play a pivotal role in
defining a security policy, since a CIO may not be fully
aware of all the business and operational issues.
The Next Windows
Windows .NET Server, the next version of the popular
Windows NT/2000, is bound to raise a gamut of upgrade
issues for CIOs. We give you a sneak peek at this highly-anticipated
OS and a look at three compelling reasons to upgrade.