Security standards and best practices
Are Indian enterprises looking at aligning their security initiatives with international security standards?
According to 42 per cent of CIOs, plans to adopt international best practices and get certification are on the anvil; 25 per cent of the respondents either follow best practices laid down by ISO 27001 or BS 7799 and have received the certification or are in the process of getting certified, while 33 per cent say that they have not yet considered following any international standard but follow internally formed rules and policies to achieve maximum benefits.
Best-of-breed or end-to-end?
The majority, 80 per cent, voted for best-of-breed; the remaining 20 per cent were in favour of end-to-end or a combination of both. “While debates continue on the advantage of each type of solution, we believe that a properly integrated best-of-breed solution would add up to a larger quantum than the sum of the individual parts,” comments RV Ashok.
“Both have their positives and negatives; I believe deploying a best-of-breed solution with good SI support is a better alternative,” opines Subhash Palav.
Viewpoints:
KB Singh, Head-IT, Reliance Energy
‘Robust security policies are a must for any security initiative to succeed' – your views on this.
The purpose of a security policy is to inform and educate users, staff and managers of their requirements for protecting technology and information assets. The policy should specify the mechanisms through which these requirements can be met.
The characteristics of a good security policy are:
It must be achievable through system administration procedures, publishing of acceptable user guidelines, or other appropriate methods.
It must be enforceable with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible.
It must clearly define the areas of responsibility for the users, administrators, and management.
The components of a good security policy include:
- Computer Technology Purchasing Guidelines
- Privacy Policy
- Access Policy
- Accountability Policy
- Authentication Policy
- Information Technology System & Network Maintenance Policy
- Violations Reporting Policy
Once the security policy has been established it should be clearly communicated to users, staff, and management. Having all personnel sign a statement indicating that they have read, understood, and agreed to abide by the policy is an important part of the process. Finally, the policy should be reviewed on a regular annual basis to see if it is successfully supporting our security needs.
What according to you is the role of ‘people' in making or breaking security?
A key priority is creating the right tone at the top in which management conveys the importance of IT security controls to the organization.
Operating management must provide specific policies, procedures, and controls. Hence people play a great role in making it or breaking it. In an organization there are different categories of people depending on their personal background, educational background, ethical background and others, and this poses a real challenge for the information security of an organization. Hence, to combat the same, the following should be taken care of on a periodic basis:
- Accountability
- Awareness
- Ethics
- Resource Allocation
- Integration
- Timeliness and Effectiveness
- Ongoing Assessment
- Compliance and Equity
*****************************************
CS Murthy, Chief of Information Management, Tata Ryerson
Are there any Security Best Practices/ Security standards that your organisation follows to mitigate security risks?
We follow guidelines as indicated in ISO 27001. We are currently in the process of implementing it as per its guidelines and will then achieve the certification.
How are your employees made aware/educated about the importance of security in the organization and the various security policies that have been formulated? Is there an employee awareness program that is run? What does your organization do to secure their commitment? Is there a penalty clause in case somebody defaults?
We post all the information with regard to Information Security on our Intranet and also publish it in the in-house journal. In addition, we have conducted training sessions for the concerned personnel. In order to make each and every employee part of the implementation of Information Security, we plan to organize some “melas” / “quizzes” in the near future.
TG Dhandapani, CIO, Sundaram-Clayton Ltd
Are there any Security Best Practices/ Security standards that your organisation follows to mitigate security risks? If yes, please specify the need for doing so; the standard that your company has adopted or plans to adopt in the near future; the benefits; the process etc.
The following practices are adopted:
- Vulnerability assessment at regular intervals by outside agencies
- Penetration testing at regular intervals by outside agencies
- Security awareness programs for internal staff at regular intervals
- Good housekeeping through the Japanese concept, 5S
- Visitor passes department wise
- Access control systems for key departments
Plans on the anvil:
- BS 7799
- Business continuity plans – Disaster recovery
How are your employees made aware/educated about the importance of security in the organization and the various security policies that have been formulated? Is there a penalty clause in case somebody defaults?
Employee awareness is created through the undermentioned activities:
- Training programs
- Mail circulations on key initiatives and the need for the same
- Enforcement through policies
- Sharing of articles through Intranet
There is no penal clause as such; however, for some security measures, policies are enforced with strict adherence to the same.
Are you in favour of end-to-end security solutions or do you believe in deploying the best of breed solution?
While debates continue on the advantage of each type of solution, we believe that a properly integrated best-of-breed solution would add up to a larger quantum than the sum of the individual parts.
ER Batliwala, Former CIO, Tata Power
How are your employees made aware/educated about the importance of security in the organization and the various security policies that have been formulated? Is there a penalty clause in case somebody defaults?
We are currently running an extensive Information Security Awareness and Training program in our organization, intending to cover 100% of management staff in the “do's and don'ts” of InfoSec.
What are your views on ROI on security? Do you think it is measurable? Do you have to justify ROI on security to your CEO? Please state with reasons.
No, RoI on security is not easily measurable (same is the case with many IT investments). One should, however, perform a risk assessment (in terms of possibility of occurrence vs impact of occurrence) to judge how to prioritize and where to focus one's security improvement efforts.
What according to you is the role of ‘people' in making or breaking security?
People play the vital role in complying with or breaching security. Unfortunately, experience proves that unless the ‘people factor' is addressed properly, security procedures will just not work.
Are there any Security Best Practices/ Security standards that your organisation follows to mitigate security risks?
Yes, we pattern our security measures around the ISO 27001 (earlier BS 7799) guidelines.