Information Security - Implementation Effectiveness
thectoforum.com | 07 FEBRUARY 2010 | CTOFORUM | BY INVITATION | SECURITY AUDITS

Cost of being indifferent. Organisations should emphasise security audits for detecting incidents at an early stage.

VENKIDESAN NARAYANAN | venkidesann@yahoo.co.in
THE AUTHOR IS Consultant - Programme Management, Efficacy Auditing, Delivery Management (Software Development)

MOST organisations have documented Information Security (IS) policies to comply with international standards. However, when it comes to implementation effectiveness, the human factor and attitude play a crucial role.

The two most important areas for effective IS implementation are incident management and responsiveness to the non-compliances identified in IS audits. Most of the time, incidents are logged by those who manage SQA (Service Quality Assurance), as non-compliances arising out of security audits. Real incidents have to be logged by the person who sees them first, immediately after they happen, but it seldom happens that way. Most of the time people think it is somebody else's job, and this indifference proves costly for the organisation while compromising information security.

Some examples of human indifference in IS areas are as follows:
- Not having a realistic Business Continuity Plan (BCP)
- Not conducting Disaster Recovery (DR) exercises at regular intervals
- Not reviewing and updating BCPs based on DRs, even when they are conducted
- Not taking backups of project data at regular intervals, and failing to restore and verify them
- Not raising incidents as soon as they occur, and not analysing them properly. (For example, in the case of access control, entries relating to failed attempts belong in the incident category and are not to be identified as non-compliances. If they are identified as non-compliances during formal security audits, it indicates that regular review of the logs was not being done, which points to indifference by the authorised persons assigned to the job. Similarly, allowing people to enter restricted areas without proper access control cards is yet another example of human indifference.)
- Not doing enough vulnerability testing while acquiring systems
- Not reviewing systems, access control and admin logs daily, all of which are crucial inputs to ...
- Not reviewing maintenance logs of the physical environment and assets
- Not reviewing non-compliances and CAPA
- Unauthorised rights given for internet usage
- Unauthorised usage of software
- Printouts/copying of sensitive information without authorisation

The root cause of the above issues is that they are left to the SQA department, which is expected to find and manage information security mainly to take care of certification management.

To address the issues regarding the human factor, one needs to follow certain strict guiding principles.

Guiding principles
Top management of an enterprise should lead and promote risk management across the organisation. Risk management should be integrated into all decision-making and planning processes. To have a well controlled information security implementation, everybody needs to be aware of risks and therefore should take responsibility for managing them. This proactive management of risk will help reduce the likelihood and consequence of adverse incidents. Without genuine support from the top, information security implementation has always been a failure. Similarly, without proper implementation, it is a burden.

The approach needs to move away from a compliance environment, where the output was a risk register, to an approach that focuses on the processes around the identification, mitigation and management of risks within an organisation.

The measures of effectiveness
The critical success factors focus on improving accountability, risk awareness and communication. For this, everyone within an organisation should know their risk management responsibilities, which need to be continuously reviewed and improved. Organisations should stress the need to analyse incidents at an early stage rather than allowing them to become non-compliances that are identified during formal security audits.

While strategising, the above points should be considered. Each functional unit should be responsible for managing its own risk. Management and staff should have specific accountability requirements in the risk management approach. These responsibilities can be identified as a mandatory KRA (Key Result Area) to emphasise the seriousness of the issue.

It is crucial for the leadership to be involved in the risk management activities by reviewing and measuring effectiveness at regular intervals. In less successful IS implementations, it is seen that top management does not show the required commitment to do their job. Even though individuals are accountable for compliance, indifference from higher leadership has a greater adverse impact on the effectiveness of IS implementations.

How to measure?
To ensure that the risk management practice is effective, comprehensive, documented and visible across all business units, the review needs to be done more frequently and quantitatively (at least quarterly), instead of the mundane annual audit cycles followed by most organisations.

The review should also focus on capturing deviations from targets, which must be measurable, and accountability should be strictly enforced in case of any deviation.
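The article's access-control example (failed attempts raised as incidents at the daily log review, not surfacing later as audit non-compliances) and its call for a measurable deviation from target, carried through in code. This is an editor-added example, not the author's; the log format, the door and card values and the one-day review target are constructed assumptions.

```python
"""Daily access-control log review: failed attempts become incidents at the
time of review, and the lag between occurrence and review is measured
against a target. Editor-added example; the log format, the door/card values
and the one-day target are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample log (assumed format): timestamp | door | card | result
SAMPLE_LOG = """\
2010-02-01 08:02:11 | SERVER-ROOM | C1042  | GRANTED
2010-02-01 08:05:40 | SERVER-ROOM | C2210  | DENIED
2010-02-01 08:05:52 | SERVER-ROOM | C2210  | DENIED
2010-02-01 08:06:03 | SERVER-ROOM | C2210  | DENIED
2010-02-03 19:44:09 | TAPE-VAULT  | C0077  | DENIED
2010-02-03 19:45:30 | TAPE-VAULT  | NOCARD | TAILGATE
"""

# Results the article places in the incident category: failed attempts, and
# people entering a restricted area without a proper access control card.
INCIDENT_RESULTS = {"DENIED", "TAILGATE"}


@dataclass(frozen=True)
class Event:
    when: datetime
    door: str
    card: str
    result: str


@dataclass(frozen=True)
class Incident:
    event: Event
    raised_on: date
    lag_days: int  # days between the occurrence and the review that raised it

    def category(self, target_lag_days: int) -> str:
        # Raised within the target: a proper incident. Caught only later
        # (at the formal audit, say) means the daily review did not happen,
        # so the finding counts as a non-compliance against that control.
        return "incident" if self.lag_days <= target_lag_days else "non-compliance"


def parse_log(text: str) -> list[Event]:
    """Parse the assumed pipe-separated format; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, card, result = (f.strip() for f in line.split("|"))
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            door, card, result.upper()))
    return events


def raise_incidents(events: list[Event], review_date: date) -> list[Incident]:
    """One review pass run on review_date: every incident-class event gets an
    incident record stamped with how late the review caught it."""
    return [Incident(e, review_date, (review_date - e.when.date()).days)
            for e in events if e.result in INCIDENT_RESULTS]


def review_deviation(incidents: list[Incident], target_lag_days: int = 1) -> dict:
    """Measurable deviation from the target 'every failed attempt raised
    within target_lag_days', the kind of figure a quarterly review needs."""
    total = len(incidents)
    late = sum(1 for i in incidents if i.lag_days > target_lag_days)
    on_time_pct = 100.0 if total == 0 else round(100.0 * (total - late) / total, 1)
    return {"total": total, "late": late, "on_time_pct": on_time_pct,
            "target_pct": 100.0, "deviation_pct": round(100.0 - on_time_pct, 1)}


def run_review(log_text: str, review_on: str, target_lag_days: int = 1) -> dict:
    """Parse the log, raise incidents as of review_on (YYYY-MM-DD), summarise."""
    review_date = datetime.strptime(review_on, "%Y-%m-%d").date()
    incidents = raise_incidents(parse_log(log_text), review_date)
    summary = review_deviation(incidents, target_lag_days)
    summary["categories"] = [i.category(target_lag_days) for i in incidents]
    return summary


if __name__ == "__main__":
    # Review run only on the 4th: the three failures of the 1st are caught late.
    evs = parse_log(SAMPLE_LOG)
    for inc in raise_incidents(evs, date(2010, 2, 4)):
        e = inc.event
        print(f"{e.when} {e.door:12} {e.card:7} {e.result:9} "
              f"lag={inc.lag_days}d -> {inc.category(1)}")
    print(run_review(SAMPLE_LOG, "2010-02-04"))
```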
