Issue of April 2006 



“Security must be a business enabler, not an inhibitor”

David Zimmerman, Global Solutions Executive, IBM, talks to Sneha Khanna on the measures companies need to take to keep data safe and meet compliance requirements


Is a compliant organisation secure as well?

In most cases, compliance increases security enforcement and deployment. The complexity arises only in cases where compliance efforts and security policies are different. This results in a change in policy and takes some time to be accepted.

As organisations weigh how to improve their security practices, it is important to recall that retrofitting security is notoriously difficult. Ideally, security should be a part of every IT project from the start. Risk engines—centrally-controlled measurement and monitoring systems integrated across discrete lines of business—can give financial institutions the ability to rapidly anticipate and adjust to shifting market dynamics in line with predetermined risk tolerances.

Most compliance in India is related to regulatory accounting or financial information, which means that security product deployment is not a major issue. With Basel II catering to data encryption and storage-related issues, this is probably one of the few regulations that require increased security deployments. When the Reserve Bank of India comes up with privacy-related guidelines that need to be complied with, financial institutions will beef up their security deployments.

Many organisations are opting for outsourced security management services. What are the security challenges that have come about due to this?

From the perspective of IT infrastructure, it is relatively high. However, from a security policy enforcement view, and phishing, pharming and user exploitation, it’s low.

Are Service Level Agreements (SLAs) important in security compliance?

SLAs are required if there is an IT-business split in an organisation. The other reason for SLAs is IT outsourcing. From a security standard perspective (if we follow ISO 27001 controls), SLAs are mandatory. For other regulatory compliances, this is never an issue. Nevertheless, I believe that a good SLA should embrace the following: the services to be delivered, performance, tracking and reporting mechanisms, problem management and dispute resolution procedures, the recipient’s duties and responsibilities, security, legislative compliance, intellectual property, and confidential information issues and agreement termination.

What measures should a CIO take when it comes to security compliance? Do external audits help?


No organisation can be compliant with regard to security. It can only comply with standards or guidelines. Governments can introduce regulatory compliance standards like two-factor authentication for banks, and a security policy deployment for BPOs. Organisations could be categorised as low-risk (where awareness of security norms would suffice), medium-risk (where awareness and action are required) and high-risk (where awareness, action and assurance are mandated).

To be compliant with security certifications or standards, there are numerous activities such as creation of a risk management framework, creation of a detailed information security policy or framework, deployment of a good business continuity framework, deployment of a good disaster recovery plan, and establishment of a security organisation. External audits help, but only if a strong internal security organisation does not exist. A possible way out of this complexity is to create a centralised, integrated IT infrastructure that serves everyone’s purpose. Users can get a single sign-on to all the applications they need to access, and the enterprise can get a flexible, low-cost way to keep user authorisations fully updated while ensuring maximum business control.

Which areas in an organisation are more prone to security threats?

All departments involving IT and non-IT infrastructure and information are affected. However, marketing teams are prone to IT and social engineering attacks, while the IT infrastructure and information leakage itself is prone to virus, phishing and other forms of attacks due to lack of information sharing, education and assistance.

Employee turnover rates are rising. What many companies don’t realise is that when employees leave the business, they sometimes take with them the firm’s most precious assets—the data that runs the business. They also take everything from customer account data to sales and inventory data to confidential business intelligence and much else stored in the company’s internal systems.

While departing employees routinely return things like laptops and security badges, they hold on to the security IDs and passwords that provide access to the company’s internal databases. In fact, over 20 percent of accounts on many company systems—for example, mail systems and mainframes—are of employees who have left the organisation, often even five years earlier. Disgruntled employees go a step further by causing damage to company systems.
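The stale-account problem described above (accounts of long-departed employees surviving on mail systems and mainframes) is straightforward to detect if account exports are reconciled against the HR roster. The following is an added example, not code from the interview or from IBM: it reconciles per-system account lists against an HR roster, flags accounts whose owner has left or has no HR record, flags accounts unused for more than a threshold (unused entitlements of current staff), and computes the share of orphaned accounts. The roster, account exports, dates and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Reconcile system account exports against the HR roster.

Added example, not from the interview. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    system: str
    user_id: str
    last_login: Optional[date]  # None means the account has never been used


# Constructed HR roster: user_id -> termination date (None = still employed)
HR_ROSTER: Dict[str, Optional[date]] = {
    "asharma": None,
    "rmehta": None,
    "pjoshi": date(2005, 3, 15),
    "kdas": date(2001, 1, 20),
}

# Constructed account exports from two systems (one mail system, one mainframe)
ACCOUNTS: List[Account] = [
    Account("mail", "asharma", date(2006, 4, 1)),
    Account("mail", "rmehta", date(2006, 3, 28)),
    Account("mail", "pjoshi", date(2005, 3, 14)),
    Account("mainframe", "asharma", date(2006, 3, 30)),
    Account("mainframe", "kdas", date(2000, 12, 30)),
    Account("mainframe", "svc_batch", None),  # no matching HR record at all
    Account("mainframe", "rmehta", date(2005, 9, 1)),  # current employee, unused
]

# Constructed review date for the reconciliation run
AS_OF = date(2006, 4, 15)

Finding = Tuple[Account, str, Optional[int]]


def find_orphaned(accounts: List[Account], roster: Dict[str, Optional[date]],
                  as_of: date) -> List[Finding]:
    """Accounts whose owner has left on or before as_of, or has no HR record.

    Returns (account, reason, days_since_departure); days is None when the
    user is unknown to HR, since there is no departure date to measure from.
    """
    findings: List[Finding] = []
    for acct in accounts:
        if acct.user_id not in roster:
            findings.append((acct, "no HR record", None))
            continue
        left = roster[acct.user_id]
        if left is not None and left <= as_of:
            findings.append((acct, "employee departed", (as_of - left).days))
    return findings


def find_dormant(accounts: List[Account], as_of: date,
                 max_idle_days: int = 90) -> List[Account]:
    """Accounts not used within max_idle_days; never-used accounts count as dormant."""
    return [a for a in accounts
            if a.last_login is None or (as_of - a.last_login).days > max_idle_days]


def orphan_ratio(accounts: List[Account], roster: Dict[str, Optional[date]],
                 as_of: date) -> float:
    """Fraction of all accounts that belong to departed or unknown users."""
    if not accounts:
        return 0.0
    return len(find_orphaned(accounts, roster, as_of)) / len(accounts)


def report(accounts: List[Account], roster: Dict[str, Optional[date]],
           as_of: date) -> List[str]:
    """Human-readable lines for a review meeting; one line per finding."""
    lines = []
    for acct, reason, days in find_orphaned(accounts, roster, as_of):
        age = f", {days} days since departure" if days is not None else ""
        lines.append(f"ORPHANED {acct.system}/{acct.user_id}: {reason}{age}")
    for acct in find_dormant(accounts, as_of):
        lines.append(f"DORMANT  {acct.system}/{acct.user_id}: last login {acct.last_login}")
    lines.append(f"orphaned share: {orphan_ratio(accounts, roster, as_of):.0%}")
    return lines


if __name__ == "__main__":
    for line in report(ACCOUNTS, HR_ROSTER, AS_OF):
        print(line)
```

Running the example on the constructed data flags three orphaned accounts out of seven (one of them more than five years after the owner left), plus a mainframe account of a current employee that has sat unused for months; the second category is the one that single-sign-on and centralised provisioning are meant to keep in check, since an unused entitlement is the first thing to remove.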

What are the reasons for security lapses?

The usual gaps are inadequate education, faulty security policies and procedures, poor employee induction and exit procedures, improper business continuity plans, little or no risk management, and inadequate clean-desk policy frameworks. Depending on the sector in which a company operates, security policies and framework components carry varied importance and priority levels.

A downside to all e-business progress is that companies have not bothered to integrate the applications they have been building, which has added greatly to the complexity and cost of administering IT. Since applications are neither centrally managed nor integrated, end-users such as employees have multiple sign-ons to enterprise applications, which accounts for all those IDs and passwords we carry around in our heads—and keep forgetting. Help desks now spend much of their time giving out passwords instead of adding real value to the enterprise.

Add to this situation more complexity: companies have to keep track of all new users entering the enterprise and the applications they have access rights to. These applications often run on different computing platforms with their own security requirements—plus users keep changing. The end result is a situation in which companies are hard pressed to know who is accessing applications for legitimate purposes.

However, IT security is not about setting up unnecessary roadblocks to business activity. It’s about enabling people to do the things they need to do to be successful. Security must become a business enabler, not an inhibitor. The Internet and e-business have changed the way we do business forever. It’s now time to complete the transformation by reducing the complexity and cost of running an e-business.

Indian Express - Business Publications Division