Monday, September 15, 2008

Is information security important to your enterprise?

Arun Gupta, Customer Care Associate & CTO of Shoppers Stop Limited, asks whether the responsibility for protecting information should remain relegated to the IT organization, or to the CIO at best.

BANGALORE, INDIA: Put the question "Is information security important to your enterprise?" to any CEO, CFO or even a board member and you will get an open-mouthed response, as if you had challenged their basic foundational beliefs, the way George Orwell's classic makes a fundamental point out of 2+2=4. Of course it is. Yet their inability to point to actions that back up the answer belies it. In real life, the responsibility for protecting information remains relegated to the IT organization, or to the CIO at best.

Through the ages, information has been equated with knowledge and the power it bestows on the holder. In the current information age, protecting it has become an increasing challenge. The combination of distributed, fragmented storage, replication across multiple computing devices such as desktops, laptops and mobile devices, and sharing by a multitude of applications creates many points of potential breach. Information leakage or destruction is not always for gain; many times wilful destruction is attempted by disgruntled elements, and many a time it is a demonstration of the power of knowledge: "You are insecure and at my mercy". In the last few years this has been used for corporate blackmail too.

Enterprises value information and many are paranoid about it. This is evident in the access control mechanisms implemented by almost every IT organization. Volumes have been written about information security, and many companies have built business models around providing tools, technology and best practices for protecting valuable information assets. Their efficacy remains a topic of heated discussion, depending on the frame of reference.

Thus the challenge of information security has become a much-debated topic in the IT fraternity and, by virtue of that, has spawned service providers who use different tactics, including the most elemental of emotions, fear, to vend their products and services. Standards exist and are adopted to protect information (BS 7799, ISO 27001, etc.); certification is expected to portray a secure organization. Formalized information asset classification and layers of protection offer some degree of comfort and protection.

CIOs thus continue to face the challenge of creating and enforcing policies that are unpopular with the rest of the organization because they restrict access to information. Complex sets of rules enumerating do's and don'ts impede users of information, internal as well as external. Many technologies are deployed at the fringes to lock down every possible avenue of access to the external world. This is despite the fact, demonstrated by surveys from umpteen agencies, that many breaches are not electronic at all and stem from negligence, internal process failure, or people working within.

Industries governed by regulation around information security, such as Banking & Insurance, Pharmaceutical and Medical, undertake systemic programs spanning the enterprise to protect their information assets. A few FMCG and other consumer goods companies too have created frameworks to protect the formulae or designs that are their IP, or that give them a short- to mid-term competitive advantage.

There are many avenues through which information moves out of the company. Over the tenure of an employee, she comes into contact with all types of information in physical and electronic form, which is used for conducting business activities and taking decisions. The information gets printed, stored, absorbed, replicated, and transmitted internally as well as externally. With no control over the instances of the information, it is virtually impossible to protect it in all its variants. With attrition, employees walk away with knowledge locked inside their minds, with no feasible way to monitor or control the flow.

At the same time, it is relatively easy to monitor and supervise access control. Many security vendors have, however, demonstrated that social engineering can overcome such policies and gain access at will. Printed information lends itself to pilferage, especially given organizations' inability to control the proliferation of printing devices. Every meeting that distributes printed sensitive information multiplies the risk.

When information existed only in physical form, ownership rested with its creators and users: the individual functions such as Marketing, Finance, the Executive offices and Human Resources. Each distinct part of the company worked towards keeping its information secure, not the Administration function that provided the paper on which it was created or the photocopying machines with which it was replicated for distribution. So who should be the custodian of information? Technology facilitates storage in electronic form, much as paper did before IT became ubiquitous in every organization. Most Risk Committees discuss information security with a bias that it is an IT issue, thereby missing the point completely.

Thus the question that haunts is: is the mantle of information protection rightly placed on the head of the CIO? Is the IT organization the only protector of the wealth created by information? Is electronic data the only way that information is created and stored in the enterprise? If information is a strategic asset, does the onus of protection make the CIO a strategic CXO, or a convenient scapegoat under the guise that no one else understands the complexity of the technology required to protect the family jewels?

If information is indeed one of the key assets of a company, why does information security remain unaddressed systemically by Management? Why are the other CXOs not responsible for the information they create and consume? IT can set the process, educate the employees and deploy the tools, but it cannot enforce compliance, like the proverbial horse that can be led to water but not made to drink. Thus security budgets remain challenged and ROI remains elusive for most implementations, because there is no ROI. You take insurance, but no one wants to die!

The perceived role of the CIO and the IT function here demands scrutiny. The security organization evolved within IT and worked towards securing information. The CISO role grew to cover the hardware, networks, applications and operational data that manifested themselves across the enterprise. Policies and processes addressed these issues, but business demanded exceptions to address market dynamics. The limitations thus placed on a CISO working under the CIO straitjacket the smooth functioning and implementation of security in the spirit in which it was defined. This is similar to the pains faced by Internal Audit teams working under the aegis of Finance.

It is time now to unshackle, and for the CIO to involve the CEO, CFO and CPO (Chief People Officer) in collectively creating a movement towards a secure organization by addressing people, process and technology, the three cornerstones of any successful initiative. The group needs to drive home the point that they, individually and collectively, are responsible for the implicit and explicit security of the IP contained within the information. It should be on the agenda and KPIs of the management team and reviewed frequently.

Information security is too important a function, with implications that people talk about when it happens to others while not believing it could happen to them too. The ostrich approach will not wish the issue away. Let the CISO be accountable to the Management team, and they to him. This will also let the CIO focus on what matters rather than on operational issues relating to the basic security hygiene that everyone expects.

SAVVIS UK is awarded ISO 27001 security standard

LONDON, Sep 15, 2008 (BUSINESS WIRE) -- SAVVIS UK Ltd, a leader in IT infrastructure services for business and government applications, has achieved ISO 27001 certification across its EMEA operations and data centres. The certification reinforces its commitment to IT security, business continuity management and ISO compliance.
The certification was extended to include SAVVIS' new Slough data centre, which will open in early October 2008. Located on the outskirts of London, the facility has 24x7 physical and logical controls including weight-sensitive entrance floor panels, 'man traps' and biometric scanning.

ISO 27001 is an internationally recognised standard for information security management that uses a continual improvement approach. The requirements for certification cover the security policy, physical and environmental security, access control and monitoring, adherence to legal requirements and the internal processes of companies, as well as business continuity management.
With several recent high-profile data losses reported in the UK, IT security is increasingly at the forefront of IT strategy for many enterprises, including SAVVIS' blue-chip and government client base, which spans the government and legal, financial, retail and media sectors, amongst others. SAVVIS' data centres are built with multi-layer access levels and multiple physical perimeters, as well as business continuity measures, providing a highly secure environment in which to host vital business applications and data.

"To achieve the ISO 27001 accreditation for the second consecutive year demonstrates SAVVIS' ongoing commitment to providing the highest level of security to its clients," said Richard Warley, International Managing Director for SAVVIS. "The protection of our clients' information is of utmost importance to us. The accreditation reassures our clients that we are a leading provider of IT security as well as managed hosting and network services."

Source: http://www.marketwatch.com

Saturday, September 13, 2008

Systems, Visionet receive ISO/IEC certification for outsourcing centres

LAHORE: Systems Limited and its US subsidiary Visionet Systems Inc’s Business Process Outsourcing Centres in Lahore and Karachi recently underwent an audit of their Information Security Management Systems (ISMS). The audit was conducted by Moody’s International (Pvt) Limited and as a result, Systems Limited and Visionet Systems have received ISO/IEC 27001:2005 certification for their outsourcing centres.

According to a statement, the company appreciated the efforts of its process implementation team and the 350-member outsourcing team, for the hard work and dedication that led to the achievement of this milestone. It also acknowledged the support of the Pakistan Software Export Board in this regard.

Systems Limited management pledged that it would continue its efforts for further improving its ISMS programme, in order to ensure that its information processing centers and the information assets with which they are entrusted by its clients from Pakistan, Canada, USA and Europe, would continue to be protected and kept secure and confidential.

The company expressed belief that this achievement would further strengthen its business ties with national and international clients and help Systems Limited to make significant contributions to the growth of Pakistan’s information technology exports.

Source: http://www.thenews.com.pk

Monday, September 8, 2008

Netmagic attains ISO 27001 certification

MUMBAI, INDIA: Netmagic Solutions announced that three of its premier data centers in India have received ISO 27001 certification from BSI India, the subsidiary of the British Standards Institution.

Sharad Sanghi, CEO and Founder, Netmagic Solutions said, "Netmagic is expanding aggressively in the country and has recently announced the opening of the company's largest data center till date in Vikhroli, Mumbai. We have always provided services and solutions of highest standards to our customers. We have received this certification for three of our data centers in total in Mumbai and Bangalore. This has reinforced our commitment to provide quality services to enterprises globally."

In response to the growing demand for managed hosting services and datacenter services, Netmagic has been expanding rapidly in the country after the recent funding of Rs 80 crore raised from Fidelity International and Nexus India Capital. Netmagic Solutions currently specializes in Internet data centers, managed hosting, remote infrastructure monitoring and management, and mail and messaging services.

ISO/IEC 27001 is part of the growing 'ISO/IEC 27000 series' of information security management system (ISMS) standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC 27001:2005, the requirements standard against which organizations are certified, was published in October 2005.

ISO/IEC 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS. Since a data center hosts critical data, a rigorous ISMS is essential. Certification by an independent third party gives Netmagic's customers confidence that their data is handled securely within the company.

Source: http://www.ciol.com/Channel-

Tuesday, September 2, 2008

New ISO Standard Focuses on Health Information Security Management

A newly published standard from the International Organization for Standardization (ISO) helps to safeguard the confidentiality of personal health information by providing guidelines for the management of health information security. ISO 27799:2008, Health informatics - Information security management in health using ISO/IEC 27002, is applicable to many different types of records and ways of storing and transmitting information, offering a set of detailed controls for healthcare organizations of all sizes. 

This new standard builds upon the principles set forth in ISO/IEC 27002:2005, Information technology - Security techniques - Code of practice for information security management. Developed jointly by ISO and the International Electrotechnical Commission (IEC), ISO/IEC 27002:2005 provides guidelines for organizations from any industry sector to initiate, implement, maintain, and improve information security management practices.

The development of ISO 27799:2008 was guided by healthcare professionals who contributed their expertise on the specific application of ISO/IEC 27002:2005 guidelines to health information management.

ISO Technical Committee (TC) 215, Health informatics, led the development of ISO 27799:2008. Since the committee's formation in 1998, TC 215 has published 48 International Standards that help to achieve compatibility and interoperability between independent information and communication technology (ICT) systems. The U.S. has held the secretariat of this committee since its inception, and the Healthcare Information and Management Systems Society (HIMSS) has performed the secretariat duties since 2003. In addition, HIMSS serves as the Administrator of the American National Standards Institute (ANSI)-accredited U.S. Technical Advisory Group (TAG) to TC 215.

For more information on ISO 27799:2008, see the ISO news release. The Healthcare Information Technology Standards Panel (HITSP) is currently running a series of free educational webinars that aim to build awareness of the work that is currently underway to support the exchange of healthcare information in the United States.

Three more webinars remain in the series. The next session, Electronic Health Record (EHR) and Emergency Response, will take place on Thursday, September 4, from 2:00 p.m. to 3:30 p.m. For more information, visit www.hitsp.org/webinars.aspx.

About HITSP
Operating under contract to the U.S. Department of Health and Human Services (HHS), HITSP is administered by ANSI in cooperation with strategic partners including HIMSS, the Advanced Technology Institute (ATI) and Booz Allen Hamilton.

Source: http://news.thomasnet.com

Wednesday, August 13, 2008

ANALYSTS SAY STATE MUST INVEST IN ONLINE SECURITY

CAIRO: While the boundaries of Gaza and Kashmir garner far more headlines, a less tangible set of borders is proving to be almost equally vital to state security: those that govern the sprawling fields of data on the internet.

Measured against the global security standard known as ISO 27001, nearly 90 percent of Egyptian state information systems are not secure, said Hassan El Meligy, director of assistance and automation at Megacom, an 11-year-old information technology consulting firm. In most cases, nearly half of the standard's requirements are unmet, he said.

Megacom works with a range of banks, manufacturers, small businesses and state agencies here, and often insists on using international standards to figure out how protected their clients are. “Because we are connected globally, anyone can steal information,” El Meligy said.

The sort of online nastiness that can befall a state already has a number of precedents. In August this year, hackers paralyzed Georgian state websites just as Russian tanks pushed across the country’s physical borders. And shortly after Estonian officials talked of removing an old Soviet monument from the capital Tallinn in 2007, state websites were smashed by a wave of “denial of service” attacks.

The physical route of a country's internet connectivity is important. Georgia's websites were particularly vulnerable because much of their connectivity is routed through Russia. An article published in The New York Times yesterday pointed out that the shift of internet paths to other countries has American intelligence worried about its ability to monitor the global flow of information.

A country’s economic and political interests are often intertwined, and it is still businesses, such as banks, that make up the bulk of hackers’ targets.

The interaction between public and private is often complex. In many cases, companies are reluctant to let local competitors catch a glimpse of sensitive information, so they route their networks through service providers in other countries, as Egypt's internet is routed through Europe. The risk of this became obvious when a submarine cable snapped in the Mediterranean last January, dragging connection speeds to a crawl for several days.

While both local and global companies are sprouting up in Egypt to deal with these issues, the state should also do more to make firms abide by standards, El Meligy said. In his opinion, this is not much different from forcing companies to follow fire codes.

“You don’t have a fire every day, but you could face a hacker every day,” he said. “The government should apply security standards.”

Online crime has grown organically with the internet. While many early web lawbreakers acted mostly to see what they could get away with, the image of the lone, basement-dwelling hacker has since morphed into something closer to a mafia don: complex online groups with multilayered bureaucratic, and non-technical, structures now function essentially like other organized criminals, as with one Russian group busted in 2004 after unleashing a series of "denial of service" attacks.

Now many use tools like botnets, networks of compromised computers controlled remotely by an attacker, to plunder online accounts, alter public records, glimpse sensitive information and then blackmail its owners, or disrupt the day-to-day work of businesses and governments.

Examples of large attacks include "Code Red" in 2001 and "SQL Slammer" in 2003, both worms: self-replicating programs that spread from machine to machine on their own, and whose scanning traffic saturated the bandwidth of the networks they hit.

Many companies and state bodies are also becoming worried about insiders. The threat that disaffected employees could ransack company data, or that a sensitive spreadsheet could be intercepted from an unsecured wireless network, is becoming graver as more people work outside the office, according to many in the industry.

As the stock exchange expands here, and firms as diverse as automotives and tourism reach outside of Egypt, businesses and the state will continue to march steadily online. The profits are potentially huge, but so are the risks.

There is plenty of ground to cover. At a conference on internet security held by the International Data Corporation last week, one speaker asked how many in the crowd had heard of the SQL Slammer. Only two raised their hands.

El Meligy pointed to local culture. While Egyptians are becoming more aware of the threats posed online, many are used to leaving the doors of the offices and homes open to visitors, and are thus reluctant to shut themselves off, he said. “Everything is open [in Egypt],” he said. “People consider computers in the same way.”

Wednesday, July 30, 2008

Dubai Bank gets ISO award

DUBAI - Dubai Bank, a Dubai Group company, has announced that its Information Security Management System (ISMS) has been certified to ISO 27001:2005. This is a comprehensive international standard for managing information security, which the bank applies to protect and improve the security of financial information and transactions for itself and its customers. The certification endorses Dubai Bank as modern and reliable in its protection of customer information, meeting international requirements.
Accredited ISO auditors TUV Rheinland ME FZE assessed Dubai Bank's compliance with the various requirements for certification and, after conducting the audit, the team recommended the issue of a certificate of compliance, which Dubai Bank received on June 25, 2008.

Dubai Bank’s CEO Salaam Al-Shaksy said: “This is yet another accomplishment in line with Dubai Bank’s quest for continual improvement and customer satisfaction. Being ISO-certified is an important achievement for any business in this day and age. Dubai Bank has received the highest accreditation available today for information security, a vital step forward in line with the demands associated with modern technology and the risks attached thereto.”

Chief Risk Officer of Dubai Bank, Pravin Kandhari said “today’s customers are better educated, and they understand the risks of living in a constantly connected world, so they have higher expectations of service quality and security. Dubai Bank’s ISMS was developed to address the needs of control standards and system compliance.”

Source: http://www.saudigazette.com.sa