Issue of December 2006 


Telescope 2007

Security: Compliance tools

The essence of compliance is to integrate technology with an organisation's processes and assets, and to know how systems are operating at any given point in time. It is also about being able to monitor, audit and control those systems effectively. Most CIOs feel that a comprehensive security management platform is essential for enabling compliance. A prominent trend is that companies are rushing to comply with regulations such as SOX and Basel II so that they can do business abroad. Conducting audits on a regular basis is another initiative in this regard. Security vendors are also building compliance features into their security products. By Megha Banduni

Narrowly defined, achieving compliance means meeting the requirements of the law. In practice, compliance means far more than that. Having compliance tools in place is not sufficient; compliance is a multi-faceted effort involving people, processes and technologies. CIOs look at compliance as an opportunity to put best practices and controls in place in order to enhance productivity and performance and, most important, to reduce the risk of losing information.

Investments in compliance tools have been increasing, and so have awareness levels among CIOs. CIOs strongly feel that it is important to educate and train their employees to understand the processes and technologies behind any particular regulatory system so that they can manage the system in accordance with the goals and objectives of the organisation.

Sarbanes-Oxley (SOX) and Basel II are the two main regulations driving Indian companies towards compliance, especially firms conducting business with American and European companies.

Best Practices
Network Magazine spoke with a few CIOs who recommended guidelines that should be followed before and while deploying security compliance tools.

Bala Giridhar recommends

  • Every employee in the organisation should be aware of the security policies.
  • Ensure that the IT infrastructure is robust enough at the perimeter level and user level.
  • The security software should be updated regularly.
  • The compliance model should be well articulated with the audit, access, monitoring and security processes.

Ashok Adhikary recommends

  • Compatibility with diversified requirements.
  • Can be migrated to a different platform.
  • Cost involved in creating the compliance procedures.
  • User review before commissioning.

Mitish Chitnavis recommends

  • Have a proper security policy in place for assessing various risks and threats.
  • Analyse the probability of occurrence of threats and the level of vulnerability to risk.
  • Deploy software solutions and compliance tools to mitigate identified threats and risks.
  • Monitor through internal and external audit periodically.
  • Calculate return on investment to measure effectiveness of compliance tools.

CIO’s role

CIOs believe that having the right security policy is the foundation, and that compliance is the most important part of that policy. In order to have an effective information security posture, organisations need to align their people, processes and technologies with their business objectives. Today, the major challenge for any company is to manage huge volumes of data. A more challenging task is to restore that data securely and provide it to the end-customer as and when required. To meet these requirements, CIOs say, compliance and security tools must be aligned with people and processes.

Informs Bala Giridhar M, Head, Global IT Management, Wipro Technologies, “We spend about 15 percent of our total budget on security, and compliance is part of our security policy. SOX, periodic audits and continuous vulnerability checks should be done to meet compliance needs. Audits are important and companies should do them on a quarterly basis.”

Analyst's View

Observes Sivarama Krishnan, Executive Director, PricewaterhouseCoopers, ‘‘One trend I see is that investments are not happening over technology alone. Investments are more people and processes driven. Companies are focussing largely on making people aware of security breaches, training them, monitoring internal activity and setting processes right.’’

Companies are spending 7 to 15 percent of their IT budget on compliance. Compliance is the biggest driver of security investments among Indian companies, especially financial and IT / ITES. In the financial sector, regulators like SEBI and RBI drive the compliance investment. Large private banks that are planning foreign investments are going in for SOX. For instance, banks like ICICI, SBI and HDFC are planning to implement SOX.

The adoption of compliance tools is very high among financial services firms and moderate among other verticals. In manufacturing it is just picking up. Clause 49 of the stock exchange listing agreement is also giving a boost from the compliance perspective. Another trend is that companies such as Oracle and SAP are offering their own compliance tools for ERP applications.

The emerging scenario under the Basel II accord, and the need to use supervisory resources more productively, are prompting companies to put compliance tools in place. Here the CIO must deploy risk management systems and analytical tools with reporting and predictive capabilities.

Ashok Adhikary

Being part of a global operation, Aker Kvaerner has a comprehensive security policy covering both physical and electronic intrusion, with access control at the user, server and Internet gateway levels. Its Intranet spans 150 offices in 30 countries and is grouped under facility management centres in APAC, Europe and the Americas. Says Ashok Adhikary, Associate Director, Aker Kvaerner Powergas, “IP-based door-locks are used for physical access, and critical areas like server farms are scanned by CCTV. We do have a security policy laid before the execution of any project; it consists of access rules, workflow procedures, log-in requests, restricted access and blocked Web sites.”

The company has deployed an employee self-service (ESS) portal for access requests, system problems, service requests and the like. Regulatory requirements are met as per ISO 9001, and regular audits are conducted by Lloyd's Register. “Compliance is responsible for optimised work-load, detailed procedures, standardisation and a report in an electronic format. The company has benefited in terms of ease of administration, detailed tracking of each request raised by users, and report generation,” adds Adhikary.

Companies across verticals, be they banks, manufacturing concerns, pharmaceutical companies or IT houses, must comply with the guidelines that the government, corporate governance codes, internal company policy and third-party standards organisations have laid out. A current trend is that companies (especially banks) which want to go global are investing heavily in foreign companies, and are hence opting for regulations such as SOX.

Corporate financial scandals, the rise of terrorism, and increased concerns over the privacy of user information are among the factors that have led to a rise in laws and industry regulations around financial reporting, security and data privacy. Failure to secure sensitive information can result in serious damage to the corporation, and failure to achieve compliance has financial consequences as well.

The human factor

CIOs feel that creating awareness is the first and the most important aspect in compliance, and the key to creating awareness is communication. The entire organisation must be made aware of threats that exist and solutions that have been deployed. Awareness helps ensure that employees understand security and its importance in day-to-day activities. Effective security must be directed and co-ordinated at the board level.

Says Giridhar, “We have a security policy, and every employee who joins signs that policy. This is a good way of spreading awareness about security threats, security breaches and our security policies. Training is another good method for spreading awareness about various security threats (internal and external), and solutions deployed or planned for deployment in the organisation.”

Vendor Space

Security solutions providers feel that the demand for compliance tools is growing like never before, and that compliance is one of the biggest factors driving security investments in organisations, propelled by their desire to do business abroad.

According to Niraj Kaushik, Country Manager, Trend Micro India and Saarc, a recent industry study reveals that more than 70 percent of Indian corporates still do not have a formal corporate security policy. ‘‘And just having policies is not enough. Organisations also need the ability to enforce those policies, and to be able to demonstrate that the enforcement is systematic. Like any other organisational policy, the organisation's security policy too needs to be documented to make it an organisational process. As much as possible, the information needs to demonstrate the enforcement of the policy rather than the existence of the policy.’’

Adds Anil Menon, CEO, SecureSynergy, ‘‘Compliance is driving security investments, which have grown from 1 to 2 percent to 4 to 7 percent of the budget of organisations. But the problem is that the investments are not happening at the right places. Critical things in compliance like encryption and log analyses are not getting attention. Investment in these two areas is less than 1 percent.’’

According to Unmesh Deshmukh, Director, Specialist, Sales & Services, Symantec, ‘‘Basel II and SOX are the biggest drivers behind compliance investment in India. More than regulatory pressure, CIOs look at compliance for IT security policy. Companies which are doing business abroad, for example BPOs, want to assure their customers that their company has the right security policy, and that regulations are aligned with business processes.’’

Mohammed Hayath, National Business Development Manager, India, (Network Security), Cisco Systems, is certain that compliance is the key factor driving security investments. ‘‘In India, Clause 49 is very important. All Indian companies listed in any stock exchange have to comply with this clause.’’

Comments Kartik Shahani, Director, Sales, India and Saarc, McAfee, ‘‘Though India is lagging behind the US and Europe in terms of compliance adoption, it is catching up very fast as compared to the past. If companies want to do business abroad, they need to have regulations and frameworks like HIPAA, BS7799 and Basel II in place. Compliance deals with challenges in terms of network, security, policies, asset protection, etc. Companies need to gather various compliance tools and not just one to overcome these challenges.’’

MphasiS deployed BS7799 three years ago and is in the process of certifying to ISO 27001.

Information is the key in today’s world, says Mitish Chitnavis, Group Information Security Officer at the company. “There are three elements associated with information—people, process and technology. People access information, and to ensure secure access the right process and technology is required. Similarly, in compliance, the processes and people need to be aligned with the technology to get the right information and the best results.”

With companies investing abroad, sales of security solutions and compliance tools have exceeded expectations in recent times. Market players and analysts believe the momentum will be maintained in the coming year as well. One trend we will see is that, as technology is integrated into business processes, companies will increasingly treat compliance as an integral part of their core business.

Indian Express - Business Publications Division