Early this month, one of India’s top BPO players came close to losing a
valuable contract with an American credit card company. Reason: A security audit
revealed that the BPO company did not have an enterprise-wide IT security policy
in place.
The US company was more concerned with compliance issues such as the
Gramm-Leach-Bliley Act of 1999, which stipulates a clear privacy policy for
financial institutions and their service providers, and it found that the
Indian provider had done nothing on the subject.
And this company is not an isolated example. The case clearly highlights the
need for a concerted security initiative on the part of BPO organizations if
they are to remain competitively attractive to US companies.
"About 50% of large Indian businesses have in place a formal and
enterprise-wide security policy, while a significant number of others have some
sort of guidelines in place," says Neel Ratan, executive director and head of
security services at PricewaterhouseCoopers.
However, ground realities might be different. Felix Mohan, CEO of
SecureSynergy, a security consulting company, contests this figure and claims
that only 15% of all businesses would have an exhaustive and
"actionable" security policy. "There are cases where companies
have put in place an ad-hoc policy, often to meet their clients' requests. These
policies are little more than paper, in the sense that they are neither created
nor implemented seriously," says Mohan.
"Every company will state that it has a security policy in place,
although none will admit that the policy was either loosely crafted or has not
been reviewed and refined since it was first formulated," says a
spokesperson for Trend Micro.
Clearly, planning, creating and implementing a security policy is not the
easiest job for an organization. The daunting scope of the subject itself forces
many enterprises to keep some basic precautions in place and then bury their
heads in the sand, hoping that nothing untoward will happen to them.
But as Praveen Kanwaria, president and CEO of Impetus Technologies, says,
"Implementation of a robust security framework is no longer a ‘feel-good’
factor, but rather a very critical element of the organization’s
backbone."
Dataquest spoke to a few security experts and came up with tactics that can
help a CIO create and implement a comprehensive security policy.
Risk Assessment is Paramount
Creating a security policy can be a matter of hours–downloading sample
policies from dozens of sites on the net and making the necessary amendments is
all it takes to put a basic policy document in place. Unfortunately, many
enterprises end up doing exactly that, without due regard for the unique risks
applicable to their business. The risks are unique, depending on factors as
diverse as line of activity, size of business and even the IT infrastructure in
place. For example, a business with an in-house data center will consider
investing in smart cards and access control devices, which are not applicable
to those outsourcing their data centers, according to Microsoft’s manager for
enterprise marketing, Jasminder Gulati.
Ratan says an organization should clearly work on information classification–demarcating
different types of information, such as email archives, Excel sheets and ERP data,
into categories such as classified, secret and top secret. Based on this
assessment, 4-5 types of information can be identified as most critical and a
significant amount of resources placed on securing this information.
And finally, the super-specialized nature of securing an organization’s IT
infrastructure demands help from subject-matter experts. There are dozens of
companies, ranging from big consultants–PwC, Ernst & Young and KPMG–to one-man
shops, offering help with drafting a comprehensive security policy and the
framework around it. Organizations should find a partner they can trust and then
leave the job to them, according to Gulati.
Benchmark It
Businesses should clearly look at standardized security policies adhering to
IS17799, an international standard on best practices in security. The standard
traces its roots to Britain, where it was first published as BS7799 in 1995. The
first document was just an advisory one, but BS7799 part 2 is fully
business-oriented, according to an expert. The document is based on security
risk assessment. Only once the business decisions are made does the security
policy start to consider product types.
An organization can even evaluate itself against the Capability Maturity
Model (CMM) of Carnegie Mellon University. BS7799 categorizes stages of maturity
from Chaos through Piecemeal and Managed to Best Practice.
Then there is GAISP (Generally Accepted Information Security Principles),
created by ISSA, a US-based non-profit group of security professionals and
practitioners, along the lines of GAAP (Generally Accepted Accounting Principles).
GAISP chairman Michael Rasmussen says GAISP is different from IS17799 because it
is operationally oriented. It provides a common language for what best and
acceptable security practices mean, and for how organizations should go about
achieving good security. For instance, health care organizations are racing to
become compliant with the Health Insurance Portability and Accountability Act (HIPAA).
Enlist Support
No matter how well the security policy has been designed, the weakest link is
still enforcement and getting each and every employee to observe the safety
instructions, according to the Trend Micro spokesperson. Time and again,
corporate users are not taught to stop and think before they respond to that
urgent email from a potentially rich heir in Nigeria or click on a link that
promises to show scandalous pictures of lonely girls, he adds.
And clearly, effective implementation demands more than a fair share of
effort. Businesses should look at designating someone in top management as
chief security officer, responsible for overall information security,
according to Gulati. While a CEO or CFO is a perfect candidate for the role,
most often it falls into the CIO’s lap. The security policy should be printed
and delivered to all employees, and efforts made to ensure their complete
understanding of it, says Mohan.
Ratan adds that a document in simple English should be created as a user
handbook, listing dos and don’ts for users. The policy should also
make adherence to security guidelines part of the employment contract, so that
disregard of procedures could attract a penalty as severe as dismissal.
Refresh
A security policy is not a dead document–it has to be constantly revised
and updated as risks and business prerogatives around an organization change,
according to Mohan.
Shahani adds that there should be routine, incremental changes to the security
policy. He says that organizations need to avoid a situation where their
security program resembles a bell curve–where risk is lowest when the policy
is framed and procedures are adhered to in the beginning, then grows as newer
threats and vulnerabilities emerge, and finally starts falling again only when
an attack actually happens and the organization is forced to review its policy
and procedures.
On the procedures side too, Mohan advocates snap checks, and Gulati says a
security charter is not a bad idea–the designated person performs the desired
actions, such as checking for patch updates, and marks a tick against each
action performed.
Rishi Seth in New Delhi
Security Tips
Risk Assessment: What an organization buys as security products
(firewalls, intrusion prevention systems, etc) is clearly guided by the security
needs that surfaced at the time of risk assessment.
Benchmarking: Businesses should clearly look at standardized security
policies like IS17799 and BS7799—international standards on best practices in
security.
Enforcement: Companies should appoint someone from top management,
not necessarily the CIO, as security officer.
Revision: A security policy has to be constantly revised and updated
as risks and business prerogatives around an organization change.