Empowering Resilience & Strategic Growth: Insights for Emerging Leaders
Information Security - Implementation Effectiveness
CTOFORUM (thectoforum.com), 07 February 2010

BY INVITATION: Venkidesan Narayanan | venkidesann@yahoo.co.in
THE AUTHOR IS Consultant - Programme Management, Efficacy Auditing, Delivery Management (Software Development)

The cost of being indifferent: organisations should stress security audits for detecting incidents at an early stage.

MOST organisations have documented Information Security (IS) policies to comply with international standards. However, when it comes to implementation effectiveness, the human factor and attitude play a crucial role.

The two most important areas for effective IS implementation are incident management and responsiveness to non-compliances identified in IS audits. Most of the time, incidents are logged by those managing SQA (Service Quality Assurance), as non-compliances found during security audits. The real incidents have to be logged by the person who saw them first, immediately after they happen, but it seldom happens that way. Most of the time people think that it is somebody else's job, and this indifference proves costly for the organisation while compromising information security.

Some examples of human indifference in IS areas are as follows:

Not having a realistic Business Continuity Plan (BCP)
Not conducting Disaster Recovery (DR) exercises at regular intervals
Not reviewing and updating BCPs based on DRs, even where they are conducted
Not taking backups of project data at regular intervals; failure in restoring and verifying the same
Not raising incidents as soon as they occur, and not analysing them properly
(For example: in the case of access control, entries related to failed attempts belong in the incident category and are not to be identified as non-compliance. If they are identified as non-compliance during formal security audits, it indicates that regular review of logs was not being done, which points to indifference by the authorised persons assigned to the job. Similarly, allowing people to enter restricted areas without proper access control cards is yet another example of human indifference.)
Not doing enough vulnerability testing while acquiring systems
Not reviewing systems, access control and admin logs daily, all of which are crucial inputs to incidents
Not reviewing maintenance logs of the physical environment and assets
Not reviewing non-compliances and CAPA (Corrective and Preventive Action)
Unauthorised rights given for internet usage
Unauthorised usage of software
Printouts/copying of sensitive information without authorisation

The root cause of the above-mentioned issues is that finding and managing information security is left to the SQA department, mainly to take care of certification management.

To address the issues regarding the human factor, one needs to follow certain strict guiding principles.

Guiding principles
Top management of an enterprise should lead and promote risk management across the organisation. Risk management should be integrated into all decision-making and planning processes. To have a well-controlled information security implementation, everybody needs to be aware of risks and therefore should take responsibility for managing them. This proactive management of risk will help reduce the consequence and likelihood of adverse incidents. Without genuine support from the top, information security implementation has always been a failure. Similarly, without proper implementation, it is a burden.
The approach needs to move away from a compliance environment, where the output was a risk register, to an approach that focuses on the processes which work around the identification, mitigation and management of risks within an organisation.
The measures of effectiveness
The critical success factors focus on improving accountability, risk awareness and communication. For this, everyone within an organisation should know their risk management responsibilities, which need to be continuously reviewed and improved. Organisations should stress the need to analyse incidents at an early stage rather than allowing them to become non-compliances that are identified during formal security audits.
While strategising, the above points should be considered. Each functional unit should be responsible for managing its own risk. Management and staff should have specific accountability requirements in the risk management approach. The responsibilities can be identified as a mandatory KRA (Key Result Area) to emphasise the seriousness of the issue.

It is crucial for the leadership to be involved in risk management activities by reviewing and measuring effectiveness at regular intervals. In less successful IS implementations, it is seen that top management does not show the required commitment to do its job. Even though individuals are accountable for compliance, indifference from higher leadership has a greater adverse impact on the effectiveness of IS implementations.
How to measure?
To ensure that the risk management practice is effective, comprehensive, documented and visible across all business units, the review needs to be done more frequently and quantitatively (at least quarterly), instead of the mundane annual audit cycles followed by most organisations.

The review should also focus on identifying measurable deviations from targets, and accountability should be strictly enforced in case of any deviation.
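The following added example (not from the article or its author) illustrates two of the points above in code: the access-control case, where failed attempts found in daily log review are raised as incidents rather than surfacing as non-compliances at audit time, and the quantitative review, where the time between first failure and the incident being raised is a measurable deviation from a target. The log format, the denial threshold and the one-day target are assumptions; the log lines are constructed.

```python
from datetime import date, datetime

# Constructed sample access-control log (door-controller style), not taken from the article.
SAMPLE_LOG = """\
2010-02-01T08:59:12 door=server-room card=C1042 result=DENIED
2010-02-01T08:59:40 door=server-room card=C1042 result=DENIED
2010-02-01T09:00:05 door=server-room card=C1042 result=DENIED
2010-02-01T09:15:00 door=server-room card=C0007 result=GRANTED
2010-02-02T22:41:10 door=archive card=C0310 result=DENIED
"""

def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events

def review(events, start, end, raised_on, threshold=3):
    """Turn DENIED entries between start and end (ISO dates, inclusive) into incident
    records, one per (door, card) pair reaching the threshold (an assumed value), stamped
    with the date the review actually ran. The same function models a daily review and
    a quarterly audit; only the window and raised_on differ."""
    start, end, raised_on = map(date.fromisoformat, (start, end, raised_on))
    groups = {}
    for e in events:
        if e["result"] == "DENIED" and start <= e["ts"].date() <= end:
            groups.setdefault((e["door"], e["card"]), []).append(e["ts"])
    return [{"door": d, "card": c, "count": len(t), "first_seen": min(t), "raised_on": raised_on}
            for (d, c), t in groups.items() if len(t) >= threshold]

def latency_days(incident):
    """Days between the first failed attempt and the incident being raised."""
    return (incident["raised_on"] - incident["first_seen"].date()).days

def deviations(incidents, target_days=1):
    """Incidents raised later than the target: the measurable deviation the review reports."""
    return [i for i in incidents if latency_days(i) > target_days]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    daily = review(events, "2010-02-01", "2010-02-01", raised_on="2010-02-01")
    audit = review(events, "2010-01-01", "2010-03-31", raised_on="2010-03-31")
    print("daily review:", [(i["card"], latency_days(i)) for i in daily])  # latency 0
    print("audit only:  ", [(i["card"], latency_days(i)) for i in audit])  # latency 58
    print("deviations found by audit:", len(deviations(audit)))            # 1
```

Run daily, the same three denials become an incident on the day they occur; left for the quarterly audit, the same entries surface 58 days late, which is exactly the deviation a quantitative review should report.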