Business Daily from THE HINDU group of publications, Thursday, Aug 27, 2009
The information security road to biz process maturity

The primary advantage that an organisation can get from an Information Security Management System is the ability to manage risks in this world of uncertainties.

GOVIND SRINIVASAN, CEO, PARAMOUNT DATAWARE PVT. LTD., CHENNAI

If your recall of 27001 is an old telephone number or a truncated postal code, you perhaps don’t belong to the information security field. For, the number 27001 jumps off from the site www.iso27001security.com, as part of the ISO27k family of standards, which provide “guidance on designing, implementing and auditing Information Security Management Systems to protect the confidentiality, integrity and availability of the information assets on which we all depend.” A Wikipedia page informs that ISO/IEC 27001, published in October 2005 by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), has as its full name ‘Information technology – Security techniques – Information security management systems – Requirements’, though it is commonly known as ‘ISO 27001’.

This is a business process maturity standard, avers Govind Srinivasan, CEO, Paramount Dataware Pvt. Ltd., Chennai (www.paramountworld.com). Implementing ISO 27001, if done with all seriousness, helps an organisation create an excellent integration within itself, he adds, during our pre-breakfast interaction recently at Nageswara Rao Park, Chennai.

“We hear about many ‘cyber security’ incidents. ISO 27001 controls can help an organisation do as much as possible to keep cyber risks at bay,” observes Govind. Though ISO 27001 implementation does not provide 100 per cent security to any organisation, the difference can show in terms of maturity in handling any incident, he explains. “ISO 27001 also has great relevance to organisations that are into manufacturing, supply chain, transportation and research. But most of these kinds of companies in India have not looked into ISO 27001 with keen interest. The Standard comes in handy to any company that has a need to protect its or its customers’ intellectual property.”

Excerpts from the interview:

Do enterprises stand to gain significant advantages in their operations and revenues, as a result of adopting IS standard? Examples, if any.

An ISMS (Information Security Management System) is an enabler for protecting critical information assets in an organisation. Protection means protecting the basic attributes of any information asset, which are ‘Confidentiality, Integrity and Availability’ (CIA). Thus, security is not just confidentiality, as often perceived. If ‘availability’ suffers a dent, it certainly is an issue from the ISMS perspective.

The single-biggest advantage that an organisation can get from a well-established-and-maintained ISMS is the ability to manage risks in this world of uncertainties, be it anything that can affect any critical information asset. Since the term ‘information asset’ captures almost all that has value to an organisation, a well-maintained ISMS is a proof of business process maturity.

Threats can be anything such as swine flu, criminal act, credit card misuse, impersonation, server failure, network connectivity loss, unauthorised access, and hacking. All these threats exploit vulnerabilities. Simply put, vulnerabilities are weaknesses. When a vulnerability is exploited by a threat, it creates loss to an organisation. This loss can directly or indirectly be associated with monetary costs, depending on what is lost. The loss can affect the operations or production and lead to a decline in customer confidence eventually.

ISO 27001 has all the ingredients in it to integrate an entire organisation by design. You can view the ISMS as the cauldron, where managers responsible for different domains and functions (such as operations or production, HR, administration, IT, sales and marketing, and senior management) converge systematically. Business continuity management from the information systems perspective is one of the domains in ISO 27001, which has a total of 11 domains divided further into 39 control objectives and 133 controls.

ROI (return on investment) has been a never-ending debate in assessing the value of ISMS. ISO 27001 does not recommend any particular method for assessment of risks. It can be qualitative or quantitative. Most organisations certified to ISO 27001 in India follow the qualitative risk assessment. If an organisation wants to create a mapping of its ISMS performance with ROI, it is certainly possible. ISO 27001 gives great flexibility to an organisation in the implementation and maintenance of information security, without compromising on essentials.

What are the common myths about information security that you encounter in organisations?

Information security is not just IT security, from an ISMS perspective, despite the fact that a large number of controls mentioned in the ISO 27001 standard relate to IT. But many organisations still see ISMS from the IT security perspective. This is a myth. For IT security, there are other specific standards and frameworks. An ideal ISMS is supposed to be very balanced and the inputs are ‘people, process, technology and physical infrastructure’.

In many organisations, it is the IT manager who is roped in to manage ISMS tasks, by default. This fixation, again, is a myth. Ideally, the Chief Information Security Officer (CISO) should be the manager who reports to the senior management (stakeholders) from an operations perspective, assisted by the IS manager. The IT manager, of course, has a big role to play in ISMS.

Yet another myth is that information security deals with ‘confidentiality’. If ‘integrity and availability’ are compromised, from the set values given to different information assets, these are equally serious issues.

Can you tell us about the challenges faced in IS standard implementation?

The standard expects an organisation to attach great importance to conducting appropriate training and awareness in information security. This is a direct responsibility of the stakeholders (management). But many SMEs (small and medium enterprises), certified to ISO 27001, tend to neglect this aspect. There is no point in conducting basic information security awareness programmes all the time for all the managers and staff. One size does not fit all in information security.

Reporting security incidents and weaknesses are ISO 27001 controls. The ability of the organisation to maintain the ISMS comes out of its competence in doing root-cause analysis, corrective and preventive actions. Quite a number of ISO 27001-certified companies don’t maintain an internal mechanism for finding out unreported incidents and weaknesses. There is a wrong belief, in many SMEs, that the third-party auditors may view security incidents and weaknesses adversely, which is not true at all. Third-party auditors look for evidence of internal capabilities and maturity in handling security incidents.

Showing metrics, which is nothing but evidence of evolving maturity in handling information security management, is another great challenge. A lot of innovation is possible in showing security metrics and they can even serve as marketing collaterals for a company. But then, it is the management that has to show all seriousness in setting a direction and be concerned about internal accountabilities in ISMS. Woefully, though, information security is often seen by those in management as a cost centre activity, which it certainly is not.

Are information security practices relevant to SMEs and services?

Most of the organisations already certified to ISO 27001 in India fall under the SME category. Again, most of them come under the ‘service sector’. After all, it is immaterial if an organisation is small or big, when it comes to counting the information assets that fall into at least four categories: people, process, technology, and physical infrastructure. ‘Physical infrastructure’ is something that I have added to the globally-accepted ‘People, Process and Technology’ (PPT) structure, as I consider it to be a separate category of information asset.

ISMS can be a boon to SMEs, as it gives respectability in the marketplace. Customers do attach significance, when a service provider or a product company is certified to ISO 27001. But managing to get the certification, without putting the hard work in implementation, can easily be noticed by discerning customers.

D. MURALI
Copyright © 2009, The Hindu Business Line.