Enterprise information security
One of the important CIO roundtable discussions at the Technology Senate 2003
was on Enterprise Security. This discussion at the event held in Kochi in November
2003 saw seven CIOs of some of the leading companies in India share their thoughts
and points of view on the nuances and changing face of enterprise information
Some of the issues that were discussed were that of the level of awareness about
information protection and security, and users' attitudes towards it.
Vice-President, Information Technology, HDFC Bank, said:
Security is not only the IT department's businessit is a corporate matter.
So the CEO should have the vision to look at security from the top, downwards.
The CIO's responsibility is to see that this vision is developed by every user.
A lot of valuable company information is stored in physical media like tapes
and cartridges. These must be kept safely in a storage vault and access given
to a custodian. And if a policy so describes, even the CTO may not have unchecked
access to it.
S.B. Patankar, Director, Information Systems, The Stock Exchange said:
Security should always be a part of the planning and design phase. When you
want to carry out a business, which will be enabled through IT, you must think
not only think about the business delivery, but also embed the aspects of security
into the plan.
Vice-President - Information Systems, Hero Honda Motors said:
We were in the process of making a comprehensive security policy and conducted
a data classification workshop for the higher management. The users were told
that we were talking not just about security of electronic data, but also about
data in any other format and business area. Surprisingly, all the members realized
that they had so much information to protect in the form of paper reports, meeting
minutes, and business strategy reports.
Mulki, General Manager - Information Systems, Godrej Industries said:
Although IT security is the responsibility of the business, it is easier said
than done. The worry is not so much about how to align IT security with business,
but rather how to align business with IT security.
Many users leave behind vital business information on papers on their desks
and meeting rooms. Suppose, the President of a company comes to the office at
lunchtime and wants all papers from all unattended desks removed? Doesn't a
company compromise valuable information this way?
V. Subramaniam, CIO, Otis Elevator Company (India) said:
A company should have an IT steering committee spearheaded by the CEO and
MD. The committee will help enforce policies and can control the IT budget.
The committee can audit all aspects of physical and information security every
Raisinghani, Vice President - Information Technology, Birla Sun Life Insurance
Any company should have a very high level of application-level security. People
at the operational level should have access to only the concerned operational
data. Regular audit trails should be conducted and a clear policy should be
made to authorize the various levels of access.
VP, IT, HDFC Bank
Director, IS, The Stock Exchange
CIO, Otis Elevator Company (India)
VP - IS, Hero Honda Motors
GM - IS, Godrej Industries
Head - IT, SBI Life Insurance
VP - IT, Birla Sun Life Insurance
Capt Felix Mohan,
The panel of CIOs agreed that awareness is very necessary to ensure enterprise
information protection and security. There must be a change in attitude among
all users in the company. And, the responsibility of information security must
trickle down from the higher management.
It is important that the company has organizational development along with security
awareness programs. In this way an enterprise can witness good balanced growth.