Tackle Security At The Design Stage

FP Archives February 2, 2017, 23:07:30 IST

Avinash Kadam, Director, COO & Head Delivery - MIEL e Security shares his views on varied issues related to Information Security.


Avinash Kadam, Director, COO & Head Delivery - MIEL e Security shares with Biztech2.com his views on varied issues related to Information Security, ranging from the recently introduced DSCI framework to what should be the CISO’s strategy to convince management for information security projects.

What are your views on the recently introduced DSCI framework?


DSCI has proposed two frameworks: a data security framework and a data privacy framework. It is essentially an amalgamation of best practices from various standards, including 27001, to provide the appropriate level of security and privacy for Indian organisations.

The idea is that every organisation implementing this security and privacy framework will be able to assure the client that they are following the best practices in Information security and governance.

Like any framework, this one too is well designed since it is based on so many matured frameworks.

The only concern is how DSCI will assure whether the implementation is really complete, with all the required controls, checks and balances in place. The issue with all such frameworks is that they are in place just for name's sake, to fulfil the regulatory requirements, but during an eventuality they would prove toothless.


Why is it critical that security should be thought of at the design stage itself?

Security cannot be an afterthought, one that comes after an exploit is unearthed by an ethical hacker, is then adequately patched, and then waits for the same hacker to identify the next potential exploit to be patched.


Security has to be built in at the design stage itself. It’s easy to define physical security, but cyber security has a number of vulnerable avenues like network security violation, operating system violation, application security violation, social engineering attacks, etc.

When the system is designed, the various potential attack types should be considered, and accordingly each layer should be properly secured. One should not wait for an ethical hacker to exploit it and show it as a vulnerability. These loopholes are already well known. So, if an application is compromised, it means that it was not properly tested with the necessary secure code review procedure. The problem should not be tackled from the wrong end. Security should be tested at the design stage and not after the product is delivered.


What are the guidelines you suggest for patch management?

Firstly, companies should not apply a patch as soon as it is out. They should evaluate whether the patch is applicable, and then check whether that patch will impact any other processes. There may be a set of applications that can get vulnerable to the patch, compromising performance. Thus, patch management should not be fully automated.


Patch management is highly time consuming for the technical staff. Hence, patches should be selectively applied on a priority basis. Also, a team should be designated to manage the released patches. We always talk about it theoretically, but every patch has to be tested in a regulated environment. And only when it has been tested and found not to impact any other application should it be rolled out. This is not one of the technology chores. The team has to operate as defined and not when they get time, which is usually the case with most of the Indian organisations, where patches are implemented once in a while, leaving a huge window of opportunity for people with malicious intentions.


What should be the CISO’s strategy to convince the top management for security projects?

The CISO should gain the top management's confidence because they are the driving force. The CISO is their eyes and ears as far as information security in the organisation is concerned. The case should be put forward in the 'business language' that the board of directors understands. So, using the tech terminology will be ineffective, and they will not pay much attention to this aspect.


The CISO has to make sure that all the identified risks are linked to the business case. He should be able to articulate scenarios that will unfold if the threats and security issues are not catered to, and what can be the possible ramifications.

So, the right use of the business glossary with the Board of Directors will make them understand why companies need such fat information security budgets.

Written by FP Archives
