Shipra Arora
Regulatory compliance may not yet be the primary motivating factor driving
security investments for enterprises in India, but it is beginning to influence
their security strategies. Is the focus ill-placed, considering the growing
incidence of newer and more threatening attacks from traditional sources such
as worms, viruses and spam?
A major concern in such a scenario is that too much corporate focus on
compliance can undermine security. Meeting regulatory requirements is becoming a
business reality and, therefore, cannot be ignored. However, it is only part of
a broader security strategy and should be treated as such. The CIO will need to
keep in perspective, and factor in, the other realities of today's dynamically
changing environment, including the growing threat from the Internet and the
mobility-enabled extended enterprise, since these threats are no longer
stand-alone and can cause major downtime to the business. If taken in the right
measure, the focus on compliance can complement the other aspects of the
strategy and help make the overall information security set-up more robust.
As Hemant K Singh of the Information Systems Division, Abhishek Industries,
points out, "Viruses and worms have been a matter of concern for a CIO in the
past and will remain so in future, though the approach to combating such kinds
of threats will change with the advent of new technologies. However, the major
focus will be adhering to security compliance, as this will help the enterprise
to systematically deal with the security issues and help them to mitigate the
net impact." According to Arindam Bose, head, IT at LG Electronics India, while
the traditional threats will always remain a big concern, as mobile handsets
become data-enabled in a 3G environment there will be new concerns, making the
focus on compliance important.
Indian Compliance Scenario
Though it may be a little early for compliance-driven security initiatives to
become mainstream in the Indian market, experts predict that it may not be long
before compliance takes the lead as the most important driver of information
security. In the 8th annual Global Information Security Survey, released in
October last year, Ernst & Young affirmed this emerging trend, with almost
two-thirds of the respondents (representing 1,300 global companies) citing
compliance with regulations as the primary driver of information security. This
is the first time that compliance has surpassed worms and viruses as the primary
driver of information security.
Why is security critical to the compliance issue? According to Rajendra Dhavale,
consulting director, CA India and SAARC, it is important to have an
internal-control framework for Sarbanes-Oxley or any other internal-control
program. Without that, full compliance with Section 404 of Sarbanes-Oxley is
nearly impossible. "If you have not adopted an internal-control framework, then
an independent auditor will not have any criteria against which it can measure
effectiveness."
Organizations are required to establish definitive controls in the areas of
strong authentication, access control, data protection and audit trailing, at a
minimum, to establish compliance, which in turn changes the dynamics of the
enterprise's information security set-up.
According to Ajay Kumar, country manager, Aventail India, it might be fair to
expect compliance to overtake anti-virus as the primary driver in the next
couple of years. However, others believe that compliance as a primary driver for
security initiatives has already arrived. According to Gopal Sapharu, research
associate, ICT Practice, Frost & Sullivan, compliance has become the most
important driver of information security. The trend towards compliance is
catching on in the country and it is expected to become one of the primary
drivers of information security in the forthcoming years, because if
enterprises get their compliance right, it means that their total security is
up and running properly.
Key Regulations
To be globally competitive, Indian companies have to meet the increasingly
demanding standards of international corporate and IT security governance.
Already, the security factor has become vital to the growth of the Indian BPO
industry. To be perceived as a 'trusted sourcing destination', Indian companies
need not only quality capability but also security capability. Companies in
India are governed by both national and international regulations: the
regulations of the US and the European countries must be followed by the Indian
subsidiaries of companies based in those countries.
Some of the international regulations that warrant compliance by different
sections of companies in India include Sarbanes-Oxley, Basel II (international
financial compliance), HIPAA, SAS 70 and GLBA. In addition, there are Indian
regulations such as SEBI Clause 49 for listed companies. At present,
international regulations are in abundance, and Indian companies or branches
very often have to comply with various international regulations to stay
globally competitive.
The different segments of Indian industry are affected in different ways and to
different degrees. Indian pharmaceutical companies exporting to the US must
comply with 21 CFR Part 11; ITeS and BPO companies must comply with the basic
tenets of Sarbanes-Oxley, GLBA, HIPAA, DPA, etc. These are mandatory for them
to continue to service the organizations that have given them work. Medical
associations that want to be part of any global work or tie-ups are required to
comply with the HIPAA regulation.
Indian banks operating in the US, Singapore and Hong Kong must comply with the
FFIEC and two-factor authentication mandates issued by the financial
authorities for protecting consumer identities and assets over Internet
services such as banking and broking. Indian banks will have to cease their
online presence in those geographies unless they comply with the mandates.
Coming to Indian regulations, the most noticeable one as of now is SEBI Clause
49 for listed companies, which also lays emphasis on internal controls and
corporate governance. In the telecom space, as part of the licensing
commitments, there is a need to protect customer privacy. "The burden of
monitoring and preventing misuse of telecom networks for antinational or
antisocial activity also falls on the operator. Failure to provide relevant
information on requests from the authorities is considered a breach of the
licensing agreement. If such an incident happens from an extended organization,
it could be a major embarrassment," explains S Sridhar, head, IT, Hutch.
Of the various regulations, the one likely to be the most impactful is
Sarbanes-Oxley, which requires compliance from all the American MNCs in the
country. According to Ravi Srinivasan, co-founder and senior VP-Client &
Technology Solutions, OfficeTiger, Sarbanes-Oxley is the key legislation for
outsourcers and Indian multinationals.
Apart from these mandated regulations, there are others such as BS7799 and
ISO17000. Organizations, especially in the IT and ITeS industry, are
increasingly adopting these standards as a means to attract more outsourcing
business. These standards help in earning the trust of clients with respect to
the security set-up of their vendors here.
The 'M' Factor
Productivity at the workplace is driving the need for anywhere, anytime access
to IT resources. As a result, another major area of concern for CIOs today is
security breaches during remote access. CIOs are worried that their remote
users can be hacked and the hacker can then launch a routed attack on the LAN.
According to Menon, mobile devices such as PDAs and cell phones are considered
the new battlegrounds for viruses, spam and other potential security threats.
Bluetooth and other wireless technologies pose new exposures for hackers to
target.
According to Srikiran Raghavan, many organizations are attempting to provide
remote access to corporate applications to categories of their user base in
order to improve the speed of decision-making or provide flexibility in work
style. This is a significant driver for investment in strong authentication and
access control systems. According to Sridhar, with employees having mobile
access, data stored on the mobile device could reach the wrong hands and,
hence, the trend is to encrypt the data stored on the mobile device based on
the enterprise authentication system.
The drivers vary with each industry segment. However, it suffices to say that a
combination of regulatory pressure, standards compliance, information
compromise, high attrition, a large number of applications with the associated
productivity impact, and the increase in identity theft has led Indian
customers to look for a framework that allows them to solve these problems
centrally and through standards-based solutions. The central thread running
through all these challenges is the increased use of applications in core
business processes.
These threats will continue to pose a challenge for CIOs as they struggle to
maintain a balance between strategic and operational excellence. "However,
compliance, whether to security standards or regulations, serves as a benchmark
against which an organization structures itself from a security standpoint,
thereby ensuring that these areas are covered as well," concludes Srikiran
Raghavan.
Information Security Agenda of the CIO
We asked some experts what they feel are the essentials that organizations
need to keep in mind while devising their information security strategies. No
security framework is foolproof. Most of the risk is mitigated through a
combination of the right tools, structured processes and people willing to
participate in the process. Here is what they suggest as their 5-point agenda
for creating a near-foolproof information security strategy:
Gopal Sapharu, research associate, ICT Practice, Frost & Sullivan, India
- Need to have necessary budgets for Information security
- Create awareness about the impact of threats internally
- Auditing should be done on a regular basis
- Implementing open standard of solutions
- Redundant security solutions should be set up across the network
Tata Rao, vice president, Systems Engineering, Enterprise India & SAARC
- Comprehensive security policy in place
- Pervasive and integrated security rather than point products (system-based
approach)
- Proactive security rather than reactive security
- Monitor/Measure/Update
- Investment protection
Arindam Bose, head, IT, LG
- Watch the authorized users
- 24 x 7 monitoring is absolutely necessary
- Vulnerable points should be clearly identified (security audit)
- Security, though expensive, is not a dumb overhead (organization-wide
awareness)
- Security should not be a hindrance for the good guys getting more
information
S Sridhar, head, IT, Hutch
- Ensure that the IT security framework of firewall, IDS, Web access control,
email content filter and virus prevention system is in place and managed, with
alerts attended to on a near real-time basis.
- Identity management covering entry, user life cycles with respect to role,
and exit. Control access as per role. Create a framework for audit trails.
Review and react on audit trails.
- SLAs and agreements with partners cover IT security deployment in their
organization to meet your organization's security requirements.
- New technology considered along with new-generation security systems.
- Automated audit system, with least dependency on people
Ravi Srinivasan, co-founder and Sr VP, Client & Technology Solutions,
OfficeTiger
- Base security infrastructure and standards
- Management buy-in
- Corporate security awareness training
- Security research
- Security division independent of CIO
The Emerging Trends
- Regulatory compliance-driven security strategies
- Security initiatives increasingly factoring in mobility and wireless
technology
- Growing traction towards application security rather than just
infrastructure security
- End-point security is expected to gain traction
- Integrated security appliances get more popular
- SSL VPN is likely to see healthy growth
- Suites of antivirus products are expected to gain popularity