Infrastructure Strategies '06
A secure roadmap
Security has always remained a pain point for organisations.
Shivani Shinde takes a look at India Inc's security scenario
Security has become the focal point of the enterprise roadmap. The IS survey strongly
underscores this fact. Security has emerged as the single, biggest IT priority.
53 percent of the 328 respondents consider security to be among their top three IT priorities.
83 percent of respondents have invested in security in the past. Last year (2005-06)
security got priority from 56 percent of the respondents and in the current
year (2006-07) that number is up a tick to 57 percent.
Despite spending on security every year, organisations continue to invest in
it. The survey suggests that last year almost 64 percent of the
respondents in the telecom sector invested in security followed by BFSI (63)
and IT/ITeS (63). For the current year (planned investment) security is still
a concern with 57 percent of the respondents planning to invest in it. This
time around though, it is the government and PSU sector (75 percent) that plans
to invest the highest, followed by IT/ITeS (66) and BFSI (60).
Virus and worm attacks (64) still constitute a critical issue.
Security remains a concern area: While
technology per se has become complex, its use has become easy. It
indicates that recovery is difficult, while hacking is becoming easy. Organisations
have realised this and hence are gearing up to upgrade their defence system.
VP, IT, Kale Consultants
Information security can be achieved by hard controls
and soft controls. Hard controls are the system tools like IDS, firewall
and AV. Soft controls are the policies. A security policy would define
the scope and extent to which a company's IT assets are being safeguarded.
It covers general policy, e-mail, Internet policy and also the physical
security policy. The policies are normally drafted by a team of senior
professionals including the CIO, HR head and the process head. The CEO
adds inputs to it and finally approves the policy.
On security policy and reviewing: Documented
policy ensures uniformity and clarity on implementation. An external third
party audit shall also insist on a documented policy, as will compliance
with standards like BS7799 or ISO 27001.
Security policy is also reaching the boardroom. The focus
is on risk and its management. Risk management could be mitigation, acceptance
or transfer of risks. Uptime of systems plays a pivotal role. At least
once in six months, review is necessary. Review of a policy could be the
outcome of a finding, due to a recent security incident. Policies need
to adhere to the standard for which certification is sought.
Take the case of Kale: we adopted BS7799/ISO27001-based
ISMS. This talks of the Plan-Do-Check-Act (PDCA) implementation. There
has to be a check on current level of implementation and the findings
need to be corrected, which mostly could mean change in policy. This can
happen if the reviews happen at regular intervals.
Our security policy focusses on ethical use of IT assets
and facilities like e-mail, laptops and Internet. There are defined policies
for routers, firewalls and AV deployment/patch management. The policy
covers control on external devices and there is a check on what goes out
of the premises. Emphasis on data ownership brings accountability. Similarly,
we are planning to upgrade to the new standard.
On physical access control: It is more to
do with the trust factor. It is also difficult to check all the contents
stored on media. While you may have a policy to control usage of CD-writers,
what gets written on it remains known to the person doing it. The challenge
is to bring in culture shift, and accountability for assets.
On audits: Half yearly audits are fine among
organisations. However, a right mix of internal as well as external audit
is necessary. The reason is that internal audits are normally not taken
seriously. In extreme cases, even the internal auditors can get biased.
The focus changes from a fact-finding to fault-finding exercise.
External audits are a must for certificate maintenance.
External auditors would look for internal audit findings and the corrective
and preventive actions based on them.
I do not recommend external audits alone, as that may
focus only on samples and real issues may not come to the fore. Focus
should be on continual improvement and not on hiding behind loopholes.
In terms of security concerns, viruses and Internet security constitute the prime
focus area and hence investment in anti-virus (97 percent), anti-spam (59) and
firewalls (78) continue to be high. However areas such as IDS, encryption and
access control devices are also gaining attention.
BFSI (37 percent), telecom service providers (38) and manufacturing/ engineering
and auto components verticals are adopting IDS. SSL/IP VPNs are being favoured
among the FMCG/consumer durables (51), IT/ITeS (43) and manufacturing (44).
With security issues moving away from viruses and spam and
mobility becoming common among organisations, there is a need to adopt mechanisms
such as encryption/cryptography, access control devices and IDS.
However, the survey shows a low level of acceptance. Of the
total respondents across verticals just 17 percent have invested in an encryption
mechanism. BFSI (26) again takes the lead with IT/ITeS (20) and FMCG/consumer
durables (20) following close. Access control devices, on the other hand, are being favoured
by FMCG/consumer durables (43), telecom service providers (34) and IT/ITeS (31).
On security retaining prominence: The usage of non-traditional channels
for data transfer such as ATMs, the Internet, and mobile phones has created
possibilities for a lot more risk and therefore organisations have started
looking at security as an important IT investment.
V K Ramani
President, IT, UTI Bank
On the survey finding that anti-virus and firewall
still top the chart: There exists an information security ecosystem
and anti-viruses and firewalls form a part of that physical aspect of
the security, which is visible and therefore they are on the top. But
unless proper controls and implementation back them up, they will not
be optimally used.
On security policy and review: A security
policy in short is a document which says how well an organisation's
information is stored. The most important people who frame the policy
are from the top management and security committee. This is how it happens
at UTI. The minimum review period that I would recommend is at least a
year. But for critical applications, a half-yearly review is a must.
The major reason for documenting security policy is for
creating awareness among employees. Its implementation and control are
important in the later stages. What is needed is a will to enforce the
policy and cooperation from employees. A lot of organisations just go
for the frills as far as security is concerned. There is no essence.
Security issues getting discussed at boardroom level
is a matter of educating all employees. At UTI we produce an internal
newsletter and circulate it. It covers pointers such as consequences of
an attack, various types of risks and so on. It is called InfoSec@UTI.
On physical threats: There are lots of ways
in which an unauthorised employee can access data. The IT team can always
provide passwords and user identification. But then there are ways such
as maintaining copies of documents and so on at unsecured places, which
we cannot do much about.
Data security tops our list followed by storage security.
Access controls and user/customer education are also important. As far
as physical data thefts are concerned, we only have an advisory list of
dos and don'ts for our employees.
On security audits: Organisations need different
frequencies of audit. It depends on how the information legitimately flows
and gets distributed. The idea of maintaining standards is that an organisation
evolves to that level before upgrading itself. We follow a result-based
policy, where the result of an implementation is considered rather than
a set standard.
As a conscious policy at UTI, the process of conducting
audit is not done by the IT team. It is done by the management. We support
them in every way, but the final process of audit and report is done by
a team other than IT. A copy of the report is first sent to the management
and then to the IT team.
As far as the internal team is concerned, they
might not be able to assess the potential or sometimes, even the existing
risks in total view of the organisation. There might be some points, which
may miss their view of things. So it becomes essential that some external
hand also plays a part in the auditing of the security policy.
security measures, or in other words a comprehensive security policy, is essential
for a robust system. The IS survey 2006 says that 64 percent of respondents have
a security policy in place. Among them the FMCG/consumer durables (77 percent)
lead the pack followed by IT/ITeS (71), BFSI (71) and government/PSU (67 percent).
Data security (96 percent) and unauthorised employee access
(71) seem to be the prime concerns among the organisations and hence are integral
to the policy document.
However, the seriousness of security and its effectiveness
as a tool is diluted when one looks at the frequency of security audits and
review of security policy being done. The IS survey shows that 61 percent of
the respondents do not conduct security audits. Among those who do conduct audits,
getting certification to various levels is not the prime concern. 14 percent
have gone for BS7799, 13 percent for ISO 17799 and just three percent for COBIT,
and a dismal 19 percent plan to upgrade to ISO 27001.
Security audits are conducted once a year (38 percent), once
in three months (24) and once in six months (26). An audit by an internal IT
team (54) seems to be preferred to an external consultant (26). Chemical &
pharma (80 percent) prefer audits by internal IT teams followed by telecom (63)
and BFSI (50).
Merely formulating a security policy is not enough. One needs
to review it at regular intervals. The survey points out that among those who
do have a policy in place, 29 percent review the policy once in three months,
28 percent once in six months and 26 percent once a year. The government/PSU
sector (60 percent) and IT/ITeS lead in conducting reviews every three months.
- Having a policy in place is work half-done. Reviewing it at intervals is what matters
- External audits are important for reviewing
- Investing in IDS makes sense along with a firewall
- Unified threat management or UTM is the new kid-on-the-block offering integrated security functions. It is perhaps better suited to medium businesses or branch offices of large enterprises
level involvement in framing security policy seems to be gaining acceptance
with 63 percent doing so. The role of a CIO is crucial in forming a security
policy. A CIO (67 percent) leads the pack, followed by a CEO (49) and functional
heads (40). The role of a Chief Security Officer (CSO) (33) surprisingly has
not caught up in forming a security policy.
That could be due to the fact that many have not appointed a CSO. With just
36 percent of the respondents having appointed a CSO, BFSIs (50 percent) have
the maximum of them followed by FMCG/consumer durables (43). Just 18 percent
plan to establish the post of CSO in their organisation in the future.
Where a CSO is present, he reports either to a CIO (36 percent), CEO (32) or
in some cases to the Board of Directors (13).
With inputs from Rishiraj Verma