Organizations have to take the top-down
approach if security is to be taken seriously. Top
management involvement will also augment security awareness
and ensure adherence to the security policy.
Most Indian enterprises equate
security with anti-virus or firewall solutions. The
major thing lacking here is awareness. Security is regarded
as a technical issue, something that concerns only the
IS department. But that mindset is changing slowly due
to numerous incidents of hacking and data theft.
Security is gaining prominence
in the corporate boardroom. 59 percent of the respondents
confirmed this. This is especially true in the BFSI
(73 percent) and Telecom/IT/ITES (70 percent) segments
where security is vital.
What are the most critical issues on the CIO's
mind when it comes to information security?
Among those who have invested in IT security or are
planning to invest, the most critical security issues
are 'Viruses' (83 percent) and 'Internet security' (50
percent). Less importance is given to other security
issues like 'Education of users', 'Internal fraud',
'Hackers', 'Remote Access Control' and 'Theft/damage
to data'. While you are busy managing your firewalls
on the perimeter, the attacks could come from within
the organization itself.
Then there needs to be a proper
incident response mechanism in place. In case a hacker
gets through, or some employee manages to get hold of
'for the CEO's eyes only' information, how does
the IS department respond to such a situation? Also,
there must be a clearly defined set of guidelines for
creating security awareness. All this calls for a well
defined and documented security policy.
Having a comprehensive security policy is a major step
towards securing IT infrastructure. But the effectiveness
of a security policy depends on how well it has been implemented
and practiced within the organization.
The security policy concerns
all people in the organization. Most companies take
the bottom-up approach (beginning with the IS department)
when it comes to framing the security policy (or making
other decisions about security). Instead, one should
take the top-down approach. It shouldn't be just the
CIO who is responsible for the security policy; ideally,
even the CEO, board of directors, and the functional
heads should be involved.
58 percent of the respondents
said functional heads are involved in framing the security
policy, and 54 percent said the CIO is involved. 43
percent involve the CEO. The involvement of the CFO
or an external security consultant is very low when
it comes to framing a security policy.
The security policy should
cover all aspects of security, be it physical security,
data security, perimeter security, or network security.
Most Indian companies are placing high emphasis on data
security (92 percent of the respondents) and restricting
unauthorized employee access (70 percent of respondents).
But one should realize that
the weak link or entry point could be anywhere on the
network, and more attention should be paid to securing
data in transit (encryption) and to perimeter security (firewalls
and IDS). Companies also need to have a
proper intrusion response mechanism in place. At present
only 29 percent of companies have intrusion response as
a part of their security policy.
The security policy has to be in line with the business
objectives. It also needs to consider new developments
in technology implementation. Therefore, it is necessary
to perform regular audits and review the policy periodically.
The frequency of review depends on the
business's dynamics. 22 percent of the respondents said they review
the policy every three months, 35 percent every six months,
and 14 percent once a year, while 29 percent said there was no fixed
period.
Companies need to conduct external security audits.
Audits are closely related to security policy. They
should be done periodically to check if the security
policy is still effective in a changing business environment.
There are now several auditing standards and frameworks
to audit against (COBIT, BS 7799, ISO 17799, etc.).
However, very few companies
in India actually conduct periodic security audits or
reviews. Most of the respondents (76 percent) said they
do not conduct security audits. The few companies that
conduct audits do so only out of compulsion, because
a regulator or an international business partner insists
on it. The audit is usually done once a year or once
in six months.
61 percent of companies do audits
internally. This is not the right approach, since there
are many areas an internal committee may overlook. Organizations
need to look at an external audit firm if they are serious
about conducting security audits. Of the companies which
conduct a security audit, the most prevalent auditing
standard is BS 7799.