“The best way to secure your critical infrastructure and applications is to switch off all your systems, put them in a locked room and keep the key in a safe location. Fully secure, but absolutely useless.” This is a very common phrase among security geeks.
It is important for us to understand that there is no such thing as a “fully secured information system”. We live in a world of vulnerability, whether it is information or human life.
The paradox is that while security risks are increasing by the day, enterprises are becoming externally focused and open. Hackers are increasingly turning fraudulent and criminal, yet centralized assets are becoming distributed assets, which increases the vulnerability; new viruses are on the prowl, yet applications are thrown open to the Internet; phishing and identity theft have increased, yet the tightly controlled IS department has turned into a completely business-focused and customer-centric organization.
Business demands have changed from “what is not explicitly permitted is prohibited” to “what is not explicitly prohibited is permitted”.
Today, enterprises live in a world where security attacks can bring a business to its knees. This has become a part of everyday life.
Threats can cause complete loss of systems, and of lives, in the case of natural disasters or terrorist attacks. Hacking, phishing and the like can cause financial losses; brand damage happens if web sites are attacked or defaced.
According to CSI (Computer Security Institute), for the first time ever, financial frauds overtook virus attacks this year. Gartner and Symantec have published that close to 90% of attacks are targeted at the application layer, clearly indicating fraudulent intent. The average loss due to security attacks has doubled this year.
CIOs are moving their thought process from “I will not be affected” to “Oh! God, let me check my systems” to “I need to check the security measures of my partners” to “what should I do if a disaster strikes”. This is a healthy sign.
It is important for enterprises to recognize that security threats are real. They need a structured program to protect information from external and internal threats.
Information security is defined as: the concepts, techniques, and technical and administrative measures used to protect information assets from
* Deliberate or inadvertent unauthorized acquisition
* Loss, or
and sometimes even to suppress the knowledge that a certain piece of information exists.
Information resides everywhere in your organization: in printed sheets, in files, in computers, in storage racks, in offsite data centers, in tapes stored in a remote location (by the way, this is called data at rest), in employees' heads (you had better ask your employees to wear helmets if they ride a bike), and all of these are vulnerable to misuse. The damage can be significant.
The structured program to secure your information starts with a clearly articulated vision. This vision should come from none other than the CEO. Next, we need to define a well-articulated security policy, followed by the identification of the information assets. A risk analysis needs to be done that covers both the probability of a disaster or attack and its impact. For example, an earthquake of Richter magnitude 8.0 is low probability in Bangalore, but high impact on your information assets. On the other hand, a virus attack can be high probability but low impact if all the security measures to prevent virus attacks are in place.
The risk analysis should also clearly quantify the financial, brand and other damages.
The next step is to take measures to manage the risk. Once those measures are in place, we move to the next important step: the Business Continuity Program and Disaster Recovery.
It is extremely important to have a business continuity plan and to identify the optimal business recovery time for your business. If the acceptable business recovery time can be days, you may opt for just offsite tape storage; if the acceptable business recovery time is only a few hours, then a hot standby system at a disaster recovery site may be needed.
I advise holding a disaster recovery drill periodically to test your preparedness for a disaster.
The key components of Information Security are People, Process and Technology.
People are essential at every step of the Information Security Program. They are not only information assets, but guardians of information security. They need to be trained and coached to protect the information. The processes for asset identification, risk analysis, risk quantification and management, risk prevention and business recovery should be made as robust as possible. We have BS7799, ISO 17799 and the new ISO 27001 standard, which help us create, implement and manage security processes. On the Technology side, firewalls, intrusion detection systems (IDS), penetration testing tools, vulnerability assessment tools and disaster recovery systems play a pivotal role.
To summarize: understand that security threats are real. Create a corporate vision on security. Have a comprehensive security policy. Analyze risks and identify acceptable risks. Have a risk management process. Have a business continuity plan and a disaster recovery process. Periodically check the preparedness of people, process and technology with DR drills.