Information Security – Need of the Day

Posted on: 29 July '09

“The best way to secure your critical infrastructure and applications is to switch off all your systems, put them in a locked room and keep the key in a safe location. Fully secure, but absolutely useless.” This is a very common saying among security geeks.

It is important for us to understand that there is no such thing as a “fully secured information system”. We live in a world of vulnerability, be it information or human life.

The paradox is that while security risks increase by the day, enterprises are becoming more externally focused and open. Hackers are increasingly fraudulent and criminal, yet centralized assets are becoming distributed assets, increasing vulnerability; new viruses are on the prowl, yet applications are thrown open to the Internet; phishing and identity theft have increased, yet the tightly controlled IS department has given way to completely business-focused and customer-centric organizations.

Business demands have changed from “what is not explicitly permitted is prohibited” to “what is not explicitly prohibited is permitted”.

Today, enterprises live in a world where security attacks can bring the business to its knees. This has become a part of everyday life.

Threats can cause complete damage to systems and loss of life in the case of natural disasters or terrorist attacks. Hacking, phishing, etc. can cause financial losses; brand damage occurs if websites are attacked or defaced.

According to CSI (Computer Security Institute), for the first time ever, financial frauds overtook virus attacks this year. Gartner and Symantec have published that close to 90% of attacks are targeted at the application layer, clearly indicating fraudulent intent. The average loss due to security attacks has doubled this year.

CIOs are moving their thought process from “I will not be affected” to “Oh! God, let me check my systems” to “I need to check the security measures of my partners” to “what should I do if a disaster strikes”. This is a healthy sign.

It is important for enterprises to take cognizance of the fact that security threats are real. They need a structured program to protect their information from external and internal threats.

Information security is defined as: the concepts, techniques, and technical and administrative measures used to protect information assets from

* Deliberate or inadvertent unauthorized acquisition
* Damage
* Disclosure
* Manipulation
* Modification
* Loss, or
* Misuse

and sometimes even to suppress the knowledge that a certain piece of information exists.

Information resides everywhere in your organization: in printed sheets, in files, in computers, in storage racks, in offsite data centers, in tapes stored in a remote location (by the way, this is called data at rest), in employees’ heads (you had better ask your employees to wear helmets if they ride a bike), and all of these are vulnerable to misuse. The damages can be significant.

The structured program to secure your information starts with a clearly articulated vision, and this vision should come from none other than the CEO. Next we need to define a well-articulated security policy, followed by the identification of the information assets. Risk analysis then needs to be done, covering both the probability of a disaster/attack and its impact. For example, an earthquake of Richter scale 8.0 is low probability in Bangalore but high impact on your information assets. On the other hand, a virus attack can be high probability but low impact if all the measures to prevent virus attacks are in place.

The risk analysis should also clearly quantify the financial, brand and other damages.

The next step is to take measures to manage the risk. Once those measures are in place, we need to move to the next important step: the Business Continuity Program and Disaster Recovery.

It is extremely important to have a business continuity plan and to identify the optimal business recovery time for your business. If the acceptable business recovery time is days, you may opt for just offsite tape storage; if it is just a few hours, then a hot standby system at a disaster recovery site may be needed.

I advise holding a disaster recovery drill periodically to test your preparedness for a disaster.
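As an added illustration of the risk analysis and recovery planning steps above (this is example code written for this page, not something from the original post), the register below quantifies each risk as annual probability times impact, ranks risks by expected annual loss, flags those above an acceptable-loss threshold, and maps the acceptable recovery time to the recovery option the post describes. The probabilities, loss figures and threshold are constructed for illustration; only the earthquake and virus scenarios come from the post.

```python
"""Constructed risk register: probability x impact, ranking, and DR strategy choice."""
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    name: str
    annual_probability: float  # chance the event occurs in a given year (0..1)
    impact: float              # loss per occurrence (financial + brand, one currency unit)

    def expected_annual_loss(self) -> float:
        # Expected annual loss = probability of occurrence * loss if it occurs.
        # A rare, catastrophic event and a frequent, cheap one can land close together.
        return self.annual_probability * self.impact


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Order risks by expected annual loss, highest first."""
    return sorted(risks, key=lambda r: r.expected_annual_loss(), reverse=True)


def needs_treatment(risk: Risk, acceptable_annual_loss: float) -> bool:
    """A risk is 'acceptable' only if its expected annual loss stays within the threshold;
    anything above it needs a risk management measure."""
    return risk.expected_annual_loss() > acceptable_annual_loss


def recovery_strategy(acceptable_recovery_hours: float) -> str:
    """Map acceptable business recovery time to the options the post names:
    a few hours -> hot standby at a DR site, days -> offsite tape storage."""
    if acceptable_recovery_hours < 24:
        return "hot standby at disaster recovery site"
    return "offsite tape storage"


# Constructed sample register (values are illustrative, not figures from the post).
REGISTER = [
    Risk("earthquake (Richter 8.0) in Bangalore", annual_probability=0.001, impact=50_000_000),
    Risk("virus outbreak with antivirus and patching in place", annual_probability=0.5, impact=20_000),
    Risk("website defacement", annual_probability=0.2, impact=500_000),
]
ACCEPTABLE_ANNUAL_LOSS = 25_000  # constructed threshold for what the business will carry

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        flag = "treat" if needs_treatment(r, ACCEPTABLE_ANNUAL_LOSS) else "accept"
        print(f"{r.name:55s} expected annual loss = {r.expected_annual_loss():>12,.0f}  [{flag}]")
    print("recovery option for a 4-hour target:", recovery_strategy(4))
```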

The key components of Information Security are People, Process and Technology.

People are essential in every step of the Information Security Program. They are not only information assets but also guardians of information security. They need to be trained and coached to protect the information. The processes for asset identification, risk analysis, risk quantification and management, risk prevention and business recovery should be made as robust as possible. We have BS7799, ISO 17799 and the new ISO 27001 standard, which aid us in creating, implementing and managing security processes. On the Technology side, firewalls, intrusion detection systems (IDS), penetration testing tools, vulnerability assessment tools and disaster recovery systems play a pivotal role.

To summarize: understand that security threats are real. Create a corporate vision on security. Have a comprehensive security policy. Analyze risks and identify acceptable risks. Have a risk management process, a business continuity plan and a disaster recovery process. Periodically check people, process and technology preparedness with DR drills.

  • Thanks for sharing your views, Mohan. But what caught on to me is the emphasis on information security that has constantly overshadowed information sharing, which is often at the other end of the spectrum. I just thought we could create a more balanced culture when these two topics are communicated in parallel to staff members. However, I do agree that the IS department needs to take care of the potential external threats.