Information Security - Need Of The Day
It is important for enterprises to take cognizance of the fact that the security threats are real.
‘The best way to secure your critical infrastructure and applications is to switch off all your systems, put them in a locked room and keep the key in a safe location. Fully secure, but absolutely useless.’ This is a very common phrase among security geeks.
It is important for us to understand that there is no such thing as ‘a fully secured information system’. We live in the world of vulnerability, be it information or human life.
The paradox is that while security risks are increasing by the day, enterprises are becoming more externally focused and open. Hackers are increasingly fraudulent and criminal, yet centralised assets are becoming distributed assets, which widens the attack surface; new viruses are on the prowl, yet applications are thrown open to the Internet; phishing and identity theft have increased, yet tightly controlled IS departments have turned into completely business-focused and customer-centric organisations.
Business demands have changed from ‘what is not explicitly permitted is prohibited’ to ‘what is not explicitly prohibited is permitted’.
Today, enterprises live in a world where security attacks can crumble the business to its knees. This has become a part of everyday life.
Threats can cause complete damage to systems, and to people's lives, in the case of natural disasters or terrorist attacks. Hacking, phishing and the like can cause financial losses; brand damage follows when websites are attacked or defaced.
According to CSI (Computer Security Institute), financial fraud overtook virus attacks this year for the first time ever. Gartner and Symantec have published that close to 90 percent of attacks are targeted at the application layer, clearly indicating fraudulent intent. The average loss due to security attacks has doubled this year.
CIOs are moving the thought process from "I will not be affected" to "Oh! God, let me check my systems" to "I need to check the security measures of my partners" to "What should I do if a disaster strikes". This is a healthy sign.
Enterprises need a structured program to protect their data and critical information from external and internal threats.
Information security is defined as the concepts, techniques, and technical and administrative measures used to protect information assets from:
* Deliberate or inadvertent unauthorised acquisition
* Loss, or
and sometimes even to suppress knowledge of the very existence of a certain piece of information.
Information resides everywhere in your organisation: in printed sheets, in files, in computers, in storage racks, in offsite data centres, in tapes stored in a remote location (by the way, this is called data at rest), and in employees' heads (you had better ask your employees to wear helmets if they ride a bike). All of these are vulnerable to misuse, and the damage can be significant.
The structured program to secure your information starts with a clearly articulated vision. This vision should come from none other than the CEO. Next, we need to define a well-articulated security policy, followed by the identification of information assets. Risk analysis then needs to cover both the probability of a disaster or attack and its impact. For example, an earthquake of Richter magnitude 8.0 is of low probability in Bangalore, but would have a high impact on your information assets. On the other hand, a virus attack can be of high probability but low impact, if all the security measures are in place.
The risk analysis should also quantify the financial, brand and other damages clearly.
The next step is to take measures to manage the risk. Once those measures are in place, we need to get to the next important step: a Business Continuity Program and Disaster Recovery.
It is extremely important to have a business continuity plan and to identify the optimal business recovery time for your business. If an acceptable business recovery time is measured in days, you may opt for just offsite tape storage; if the acceptable business recovery time is just a few hours, then a hot standby system at a disaster recovery site may be needed.
I advise holding a disaster recovery drill periodically to test your preparedness for a disaster.
The key components of Information Security are People, Process and Technology.
People are essential at every step of the Information Security Program. They are not only information assets but also guardians of the information. They need to be trained and coached to protect it.
The processes for asset identification, risk analysis, risk quantification and management, risk prevention and business recovery should be made as robust as possible. We have BS7799, ISO 17799 and the new ISO 27001 standard, which help us create, implement and manage security processes.
On the technology side, firewalls, intrusion detection systems (IDS), penetration testing tools, vulnerability assessment tools and disaster recovery systems play a pivotal role.
To summarise: understand that security threats are real. Create a corporate vision on security. Have a comprehensive security policy. Analyse risks and identify acceptable risks. Have a risk management process, a business continuity plan and a disaster recovery process. Periodically check people, process and technology preparedness by holding DR drills.
C Mohan is Senior Vice President, IMS, with MindTree.
Biztech 2.0 spoke to Chinar Deshpande, CIO, Pantaloons, and Satish Pendse, CIO, Hindustan Construction Company, to gain a better insight into what goes into a concrete disaster recovery/business continuity strategy.
Business continuity preparedness means having a living program, one that is continually validated, communicated, tested, updated and improved.