|
Telescope 2007
Security: Compliance tools
The essence of compliance is to integrate technology with
an organisation’s processes and assets, and to know how systems are operating
at any given point of time. It’s also about being capable of monitoring,
auditing and controlling systems effectively. Most CIOs feel that a comprehensive
security management platform is essential for enabling compliance. A prominent
trend is that companies are rushing to comply with regulations such as SOX and
Basel II so that they can do business abroad. Conducting audits on a regular
basis is another initiative in this regard. Security vendors are also building
compliance features into their security products. By Megha Banduni
 Achieving
compliance is simply meeting the requirements of the law. The meaning of compliance,
however, lies far beyond this definition. Having compliance tools in place is
not sufficient; it is rather a multi-faceted approach involving people, processes
and technologies. CIOs look at compliance as an opportunity for organisations
to put best practices and controls in place in order to enhance productivity
and performance, and, most important, eliminate the risk of losing information.
Investments in compliance tools have been increasing, and
so have awareness levels among CIOs. CIOs strongly feel that it is important
to educate and train their employees to understand the processes and technologies
behind any particular regulatory system so that they can manage the system in
accordance with the goals and objectives of the organisation.
Sarbanes-Oxley (SOX) and Basel II are the two main regulations
driving Indian companies towards compliance, especially firms conducting business
with American and European companies.
Network Magazine spoke with a few CIOs who recommended
guidelines that should be followed before and while deploying security compliance
tools.
Bala Giridhar recommends
|
CIO’s role
|
CIOs look at compliance as an opportunity
for organisations to put best practices and controls in place in order
to enhance productivity and performance, and, most important, eliminate
the risk of losing information
|
CIOs believe that having the right security policy is the
foundation. Compliance is the most important part of security policy. In order
to have an effective information security posture, organisations need to align
their people, processes and technologies with their business objectives. Today,
the major challenge for any company is to manage huge chunks of data. A more
challenging task is to restore the data securely and provide it to the end-customer
as and when required. In order to meet these requirements, CIOs say it is important
that compliance and security tools be aligned with people and processes.
Informs Bala Giridhar M, Head, Global IT Management, Wipro
Technologies, “We spend about 15 percent of our total budget on security,
and compliance is part of our security policy. SOX, periodic audits and continuous
vulnerability checks should be done to meet compliance needs. Audits are important
and companies should do them on a quarterly basis.”
|
Observes Sivarama Krishnan, Executive Director, PricewaterhouseCoopers,
One trend I see is that investments are not happening over technology
alone. Investments are more people and processes driven. Companies are
focussing largely on making people aware of security breaches, training
them, monitoring internal activity and setting processes right.
Companies are spending 7 to 15 percent of their IT budget on compliance.
Compliance is the biggest driver of security investments among Indian
companies, especially financial and IT / ITES. In the financial sector,
regulators like SEBI and RBI drive the compliance investment. Large private
banks that are planning foreign investments are going in for SOX. For
instance, banks like ICICI, SBI and HDFC are planning to implement SOX.
The adoption of compliance tools is very high among financial services
and moderate among other verticals. In manufacturing it is just picking
up. Clause 49 is giving a boost from the compliance perspective. Another
trend is that companies such as Oracle and SAP are offering their own
compliance tools for ERP applications.
The emerging scenario under the Basel II accord and the need to use supervisory
resources more productively are prompting companies to have compliance
tools in place. Here the CIO must deploy risk management systems and analytical
tools that have reporting and predictive capabilities.
|
Ashok Adhikary |
Being part of a global operation, Aker Kvaerner has a comprehensive
security policy to look after security measures for physical intrusion and electronic
intrusion systems with user-level, server-level and internet gateway-level control
access. This Intranet spans 150 offices in 30 countries and is grouped into
a facility management centre in APAC, Europe and the Americas. Says Ashok Adhikary,
Associate Director, Aker Kvaerner Powergas, “IP-based door-locks are used
for physical access, and critical areas like server farms are scanned by CCTV.
We do have a security policy laid before the execution of any project; it consists
of access rules, workflow procedures, log-in requests, restricted access and
blocked Web sites.”
The company has deployed an employee self-service (ESS) portal for access requests,
system problems, service requests, etc. Regulatory requirements are met as per
ISO 9001, and regular audits are done by Lloyd register. “Compliance is
responsible for optimised work-load, detailed procedures, standardisation and
a report in an electronic format. The company has benefited in terms of ease
of administration, detailed tracking of each request raised by users, and report
generation,” adds Adhikary.
 Companies
across verticals—be they banks, manufacturing concerns, pharmaceutical
companies or IT houses—must comply with the guidelines that the government,
corporate governance, internal company policy and third-party standards organisations
have laid out. Nowadays there is a trend where companies (especially banks)
which want to go global are investing heavily in foreign companies, and are
hence opting for international standards like SOX.
|
Corporate financial scandals, the
rise of terrorism, and increased concerns over privacy of user information
are among the factors that have led to a rise in laws and industry regulations
around financial reporting, security and data privacy
|
Corporate financial scandals, the rise of terrorism, and increased concerns
over privacy of user information are among the factors that have led to a rise
in laws and industry regulations around financial reporting, security and data
privacy. Failure to secure sensitive information can result in serious damage
to the corporation, and failure to achieve compliance has financial consequences
as well.
The human factor
CIOs feel that creating awareness is the first and the most important aspect
in compliance, and the key to creating awareness is communication. The entire
organisation must be made aware of threats that exist and solutions that have
been deployed. Awareness helps ensure that employees understand security and
its importance in day-to-day activities. Effective security must be directed
and co-ordinated at the board level.
Says Giridhar, “We have a security policy, and every
employee who joins signs that policy. This is a good way of spreading awareness
about security threats, security breaches and our security policies. Training
is another good method for spreading awareness about various security threats
(internal and external), and solutions deployed or planned for deployment in
the organisation.”
|
Security solutions providers' feel that the demand for compliance tools
is growing like never before, and that compliance is one of the biggest
factors driving security investments in organisations due to their desire
to do business abroad.
According to Niraj Kaushik, Country Manager, Trend Micro India and Saarc,
a recent industry study reveals that more than 70 percent of Indian corporates
still do not have a formal corporate security policy. ‘‘And
just having policies is not enough. Organisations also need the ability
to enforce those policies, and to be able to demonstrate that the enforcement
is systematic. Like any other organisational policy, the organisation's
security policy too needs to be documented to make it an organisational
process. As much as possible, the information needs to demonstrate the
enforcement of the policy rather than the existence of the policy.’’
Adds Anil Menon, CEO, SecureSynergy, ‘‘Compliance is driving
security investments, which have grown from 1 to 2 percent to 4 to 7 percent
of the budget of organisations. But the problem is that the investments
are not happening at the right places. Critical things in compliance like
encryption and log analyses are not getting attention. Investment in these
two areas is less than 1 percent.’’
According to Unmesh Deshmukh, Director, Specialist, Sales & Services,
Symantec, ‘‘Basel II and SOX are the biggest drivers behind
compliance investment in India. More than regulatory pressure, CIOs look
at compliance for IT security policy. Companies which are doing business
abroad, for example BPOs, want to assure their customers that their company
has the right security policy, and that regulations are aligned with business
processes.’’
Mohammed Hayath, National Business Development Manager, India, (Network
Security), Cisco Systems, is certain that compliance is the key factor
driving security investments. ‘‘In India, Clause 49 is very
important. All Indian companies listed in any stock exchange have to comply
with this clause.’’
Comments Kartik Shahani, Director, Sales, India and Saarc, McAfee, ‘‘Though
India is lacking behind US and Europe in terms of compliance adoption,
it is catching up very fast as compared to the past. If companies want
to do business abroad, they need to have regulations and frameworks like
HIPAA, BS7799 and Basel II in place. Compliance deals with challenges
in terms of network, security, policies, asset protection, etc. Companies
need to gather various compliance tools and not just one to overcome these
challenges.’’
|
Mitish
Chitnavis |
MphasiS deployed BS7799 three years back and is in process
of certifying ISO 2701.
Information is the key in today’s world, says Mitish
Chitnavis, Group Information Security Officer at the company. “There are
three elements associated with information—people, process and technology.
People access information, and to ensure secure access the right process and
technology is required. Similarly, in compliance, the processes and people need
to be aligned with the technology to get the right information and the best
results.”
With companies investing abroad, the sales of security solutions and compliance
tools have exceeded expectations in recent times. Market players and analysts
believe that the momentum will be maintained in the coming year as well. One
trend we will see is that with the integration of technology into business processes,
companies will increasingly see compliance as an integrated part of their core
business.
|
|| Feedback
|| Subscribe-
