Enterprise information security

One of the important CIO roundtable discussions at the Technology Senate 2003 was on Enterprise Security. This discussion at the event held in Kochi in November 2003 saw seven CIOs of some of the leading companies in India share their thoughts and points of view on the nuances and changing face of enterprise information security.

Some of the issues that were discussed were that of the level of awareness about information protection and security, and users' attitudes towards it.

S.R. Balasubramanian, Vice-President, Information Technology, HDFC Bank, said:

Security is not only the IT department's business—it is a corporate matter. So the CEO should have the vision to look at security from the top, downwards. The CIO's responsibility is to see that this vision is developed by every user.

A lot of valuable company information is stored in physical media like tapes and cartridges. These must be kept safely in a storage vault and access given to a custodian. And if a policy so describes, even the CTO may not have unchecked access to it.

S.B. Patankar, Director, Information Systems, The Stock Exchange said:

Security should always be a part of the planning and design phase. When you want to carry out a business, which will be enabled through IT, you must think not only think about the business delivery, but also embed the aspects of security into the plan.

S.R. Balasubramanian, Vice-President - Information Systems, Hero Honda Motors said:

We were in the process of making a comprehensive security policy and conducted a data classification workshop for the higher management. The users were told that we were talking not just about security of electronic data, but also about data in any other format and business area. Surprisingly, all the members realized that they had so much information to protect in the form of paper reports, meeting minutes, and business strategy reports.

Mani Mulki, General Manager - Information Systems, Godrej Industries said:

Although IT security is the responsibility of the business, it is easier said than done. The worry is not so much about how to align IT security with business, but rather how to align business with IT security.

Many users leave behind vital business information on papers on their desks and meeting rooms. Suppose, the President of a company comes to the office at lunchtime and wants all papers from all unattended desks removed? Doesn't a company compromise valuable information this way?

V. Subramaniam, CIO, Otis Elevator Company (India) said:

A company should have an IT steering committee spearheaded by the CEO and MD. The committee will help enforce policies and can control the IT budget. The committee can audit all aspects of physical and information security every quarter.

M.C. Raisinghani, Vice President - Information Technology, Birla Sun Life Insurance Company said:

Any company should have a very high level of application-level security. People at the operational level should have access to only the concerned operational data. Regular audit trails should be conducted and a clear policy should be made to authorize the various levels of access.

Conclusion

The panel of CIOs agreed that awareness is very necessary to ensure enterprise information protection and security. There must be a change in attitude among all users in the company. And, the responsibility of information security must trickle down from the higher management.

It is important that the company has organizational development along with security awareness programs. In this way an enterprise can witness good balanced growth.