Issue of June 2003

A top-down approach for Security

Organizations have to take the top-down approach if security is to be viewed seriously. Top management involvement will also augment security awareness and ensure adherence to the security policy

Most Indian enterprises equate security with anti-virus or firewall solutions. What is chiefly lacking is awareness. Security is regarded as a technical issue—something that concerns the IS department. But that mindset is changing slowly because of numerous incidents of hacking and data theft.

Security is gaining prominence in the corporate boardroom: 59 percent of the respondents confirmed this. This is especially true in the BFSI (73 percent) and Telecom/IT/ITES (70 percent) segments, where security is vital.


What is critical?
What are the most critical issues on the CIO’s mind when it comes to information security?
Among those who have invested in IT security or are planning to invest, the most critical security issues are 'Viruses' (83 percent) and 'Internet security' (50 percent). Less importance is given to other security issues such as 'Education of users', 'Internal fraud', 'Hackers', 'Remote Access Control' and 'Theft/damage to data'. Yet while you are busy managing your firewalls on the perimeter, the attacks could come from within the organization itself.

Then there needs to be a proper incident response mechanism in place. If a hacker gets through, or an employee manages to get hold of 'for the CEO's eyes only' information, how does the IS department respond? There must also be a clearly defined set of guidelines for creating security awareness. All this calls for a well-defined and documented security policy.

Security Policy
Having a comprehensive security policy is a major step towards securing IT infrastructure. But the effectiveness of a security policy depends on how well it is implemented and practiced within the organization.

The security policy concerns everyone in the organization. Most companies take the bottom-up approach (beginning with the IS department) when framing the security policy or making other decisions about security. Instead, one should take the top-down approach. It shouldn't be just the CIO who is responsible for the security policy—ideally, the CEO, the board of directors, and the functional heads should be involved as well.

58 percent of the respondents said functional heads are involved in framing the security policy, and 54 percent said the CIO is involved; 43 percent involve the CEO. The involvement of the CFO or of an external security consultant in framing the security policy is very low.

The security policy should cover all aspects of security, be it physical security, data security, perimeter security, or network security. Most Indian companies place a high emphasis on data security (92 percent of the respondents) and on restricting unauthorized employee access (70 percent of the respondents).

But one should realize that the weak link or entry point could be anywhere on the network, and more attention should be paid to securing data in transit and to perimeter security (firewalls, IDS, and encryption). Companies also need to have a proper intrusion response mechanism in place. At present only 29 percent of companies have intrusion response as a part of their security policy.

Reviewing the policy
The security policy has to be in line with the business objectives. It also needs to take account of new developments in technology implementation. Therefore, it is necessary to perform regular audits and to review the policy periodically. 14 percent of the respondents said they review the policy once a year, while 29 percent said there was no fixed period. The frequency of review also depends on the dynamics of the business: 35 percent said they review the policy every six months, while 22 percent said that's done every three months.

Low on auditing
Companies need to conduct external security audits. Audits are closely related to the security policy: they should be done periodically to check whether the security policy remains effective in a changing business environment. Several auditing standards and procedures (COBIT, BS 7799, ISO 17799, etc.) are now available.

However, very few companies in India actually conduct periodic security audits or reviews. Most of the respondents (76 percent) said they do not conduct security audits. The few companies that do audit do so only out of compulsion—because a regulator or an international business partner insists on it. The audit is usually done once a year or once in six months.

61 percent of companies do their audits internally. This is not the right approach, since there are many areas an internal committee may overlook. Organizations need to engage an external audit firm if they are serious about conducting security audits. Among the companies that conduct a security audit, the most prevalent auditing standard is BS 7799.


Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.