Archives || Search || About Us || Advertise || Feedback || Subscribe-
-
Issue of June 2006 
-

[an error occurred while processing this directive]

  -  
 
 Home > Cover Story
 Print Friendly Page ||  Email this story

Infrastructure Strategies '06

A secure roadmap

Security has always remained a pain point for organisations. Shivani Shinde takes a look at India Inc's security scenario

Security has become the focal point of the enterprise roadmap. The IS survey strongly underscores this fact. Security has emerged as the single, biggest IT priority. 53 percent of the 328 respondents consider security to be among their top three IT priorities.

83 percent of respondents have invested in security in the past. Last year (2005-06) security got priority from 56 percent of the respondents and in the current year (2006-07) that number is up a tick to 57 percent.

The truth is that despite spending on security every year, it is an area still being invested in. The survey suggests that last year almost 64 percent of the respondents in the telecom sector invested in security followed by BFSI (63) and IT/ITeS (63). For the current year (planned investment) security is still a concern with 57 percent of the respondents planning to invest in it. This time around though, it is the government and PSU sector (75 percent) that plans to invest the highest, followed by IT/ITeS (66) and BFSI (60).

Virus and worm attacks (64) still constitute a critical issue.

“Hard and Soft Controls help achieve security”

Viral Raval
VP, IT, Kale Consultants
Security remains a concern area: While technology per se has become complex, its use has become easy. It indicates that recovery is difficult, while hacking is becoming easy. Organisations have realised this and hence are gearing up to upgrade their defence system. 

Information security can be achieved by hard controls and soft controls. Hard controls are the system tools like IDS, firewall and AV. Soft controls are the policies. A security policy would define the scope and extent to which a company’s IT assets are being safeguarded. It covers general policy, e-mail, Internet policy and also the physical security policy. The policies are normally drafted by a team of senior professionals including the CIO, HR head and the process head. The CEO adds inputs to it and finally approves the policy. 

On security policy and reviewing: Documented policy ensures uniformity and clarity on implementation. An external third party audit shall also insist on a documented policy, so will the compliance to standards like BS7799 or ISO 27001.

Security policy is also reaching the boardroom. The focus is on risk and its management. Risk management could be mitigation, acceptance or transfer of risks. Uptime of systems plays a pivotal role. At least once in six months, review is necessary. Review of a policy could be the outcome of a finding, due to a recent security incident. Policies need to adhere to the standard for which certification is sought. 

Take the case of Kale, we adopted BS7799/ISO27001-based ISMS. This talks of the Plan-Do-Check-Act (PDCA) implementation. There has to be a check on current level of implementation and the findings need to be corrected, which mostly could mean change in policy. This can happen if the reviews happen at regular intervals.

Our security policy focusses on ethical use of IT assets and facilities like e-mail, laptops and Internet. There are defined policies for routers, firewalls and AV deployment/patch management. The policy covers control on external devices and there is a check on what goes out of the premises. Emphasis on data ownership brings accountability. Similarly, we are planning to upgrade to the new standard. 

On physical access control: It is more to do with the trust factor. It is also difficult to check all the contents stored on media. While you may have a policy to control usage of CD-writers, what gets written on it, remains known to the person doing it. The challenge is to bring in culture shift, and accountability for assets. 

On audits: Half yearly audits are fine among organisations. However, a right mix of internal as well as external audit is necessary. The reason being internal audits are normally not taken seriously. In extreme cases, even the internal auditors can get biased. The focus changes from a fact-finding to fault-finding exercise.

External audits are a must for certificate maintenance. External auditors would look for internal audit findings and the corrective and preventive actions based on them.

I do not recommend external audits alone, as that may focus only on samples and real issues may not come to the fore. Focus should be on continual improvement and not on hiding behind loopholes.

Security concerns

In terms of security concerns, viruses and Internet security constitute the prime focus area and hence investment in anti-virus (97 percent), anti-spam (59) and firewalls (78) continue to be high. However areas such as IDS, encryption and access control devices are also gaining attention.

BFSI (37 percent), telecom service providers (38) and manufacturing/ engineering and auto components verticals are adopting IDS. SSL/IP VPNs are being favoured among the FMCG/consumer durables (51), IT/ITeS (43) and manufacturing (44).

With security issues moving away from viruses and spam and mobility becoming common among organisations, there is a need to adopt mechanisms such as encryption/cryptography, access control devices and IDS.

However, the survey shows a low level of acceptance. Of the total respondents across verticals just 17 percent have invested in an encryption mechanism. BFSI (26) again takes the lead with IT/ITeS (20) and FMCG/consumer durables (20) following close. Whereas access control devices are being favoured by FMCG/consumer durables (43), telecom service providers (34) and IT/ITeS (31).

 

“Physical aspects need proper controls”


V K Ramani
President, IT, UTI Bank
On security retaining prominence: The usage of non-traditional channels for data transfer such as ATMs, the Internet, and mobile phones has created possibilities for a lot more risk and therefore organisations have started looking at security as an important IT investment. 

On the survey finding that anti-virus and firewall still tops the chart: There exists an information security ecosystem and anti-viruses and firewalls form a part of that physical aspect of the security, which is visible and therefore they are on the top. But unless proper controls and implementation back them up, they will not be optimally used. 

On security policy and review: A security policy in short is a document which says how well an organisation’s information is stored. The most important people who frame the policy are from the top management and security committee. This is how it happens at UTI. The minimum review period that I would recommend is at least a year. But for critical applications, a half-yearly review is a must.

The major reason for documenting security policy is for creating awareness among employees. Its implementation and control are important in the later stages. What is needed is a will to enforce the policy and cooperation from employees. A lot of organisations just go for the frills as far as security is concerned. There is no essence.

Security issues getting discussed at boardroom level is a matter of educating all employees. At UTI we produce an internal newsletter and circulate it. It covers pointers such as consequences of an attack, various types of risks and so on. It is called InfoSec@UTI Bank. 

On physical threats: There are lots of ways in which an unauthorised employee can access data. The IT team can always provide passwords and user identification. But then there are ways such as maintaining copies of documents and so on at unsecured places, which we cannot do much about. 

Data security tops our list followed by storage security. Access controls and user/customer education are also important. As far as physical data thefts are concerned, we only have an advisory list of do’s and don’ts for our employees. 

On security audits: Organisations need different frequencies of audit. It depends on how the information legitimately flows and gets distributed. The idea of maintaining standards is that an organisation evolves to that level before upgrading itself. We follow a result-based policy, where the result of an implementation is considered rather than a set standard.

As a conscious policy at UTI, the process of conducting audit is not done by the IT team. It is done by the management. We support them in every way, but the final process of audit and report is done by a team other than IT. A copy of the report is first sent to the management and then to the IT team.

As far as the internal team is concerned, they might not be able to assess the potential or sometimes, even the existing risks in total view of the organisation. There might be some points, which may miss their view of things. So it becomes essential that some external hand also plays a part in the auditing of the security policy.

Secure policy

Soft security measures or in other words a comprehensive security policy is essential for a robust system. The IS survey 2006 says that 64 percent respondents have a security policy in place. Among them the FMCG/consumer durables (77 percent) lead the pack followed by IT/ITeS (71), BFSI (71) and government/PSU (67 percent).

Data security (96 percent) and unauthorised employee access (71) seems to be the prime concern among the organisations and hence are integral to the policy document.

However, the seriousness of security and its effectiveness as a tool is diluted when one looks at the frequency of security audits and review of security policy being done. The IS survey shows that 61 percent of the respondents do not conduct security audits. Among those who do conduct audits, getting certification to various levels is not the prime concern. 14 percent have gone for BS7799, 13 percent for ISO 17799 and just three percent for COBIT and a dismal 19 percent plan to upgrade to ISO 27001.

Security audits are conducted once a year (38 percent), once in three months (24) and once in six months (26). An audit by an internal IT team (54) seems to be preferred to an external consultant (26). Chemical & pharma (80 percent) prefer audits by internal IT teams followed by telecom (63) and BFSI (50).

Merely formulating a security policy is not enough. One needs to review it at regular intervals. The survey points out that among those who do have a policy in place, 29 percent review the policy once in three months, 28 percent once in six months and 26 percent once a year. The government/PSU sector (60 percent) and IT/ITeS lead in conducting reviews every three months.

Recommendations
  • Having a policy in place is work half-done. Reviewing it at intervals is what matters
  • External audits are important for reviewing policy
  • Investing in IDS makes sense along with a firewall and anti-virus
  • Unified threat management or UTM is the new kid-on-the-block offering integrated security functions. It is perhaps better suited to medium businesses or branch offices of large enterprises

Decision-Makers

Boardroom level involvement in framing security policy seems to be gaining acceptance with 63 percent doing so. The role of a CIO is crucial in forming a security policy. A CIO (67 percent) leads the pack, followed by a CEO (49) and functional heads (40). The role of a Chief Security Officer (CSO) (33) surprisingly has not caught up in forming a security policy.

That could be due to the fact that many have not appointed a CSO. With just 36 percent of the respondents having appointed a CSO, BFSIs (50 percent) have the maximum of them followed by FMCG/consumer durables (43). Just 18 percent plan to establish the post of CSO in their organisation in the future.

Where a CSO is present, he reports either to a CIO (36 percent), CEO (32) or in some cases to the Board of Directors (13).

— With inputs from Rishiraj Verma

 
     
- <Back to Top>-  
Untitled Document
 
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.