What kind of security compliance should businesses and industries need to have?
Different industries have different requirements. If you are into processing, transmitting, or storing credit card information, you have to observe the compliance called the Payment Card Industry Data Security Standard (PCI DSS). If you are in the financial industry, like banks, you have to observe Basel II compliance. Basically, it includes operational and technological risks. So, I think organizations and industries need to go for different security compliances according to the industry's requirements and standards.
What is your view of the security compliance in Indian IT, and banking?
A lot of companies here understand the importance of information security management systems (ISMS), so they will have to document the necessary controls to adhere to the ISO 27001 certification. However, I am a bit worried about those Indian companies certified by ISO 27001, as there might be the forced perception that they are secured but actually they are not. Security, unfortunately, is more complicated than buying a product.
What are your views on the global certifications and standards?
To a certain extent, ISO 27001 is a type of standard that is applicable across different countries. But different industries behave differently. For the payment card industry, ISO 27001 is not sufficient for security of information. So the card industry associations such as VISA, American Express and others have built a new standard called PPI to specifically address the major concerns of leaking of payment card data. Generally speaking, ISO 27001 would be a great starting point, but depending on specific industries and businesses you need better security standards.
What is the awareness level about security compliance in India?
ISO 27001 certification is very big in India; about 450 companies are certified. It's more mature than the US in terms of companies spending on increasing security compliance and standards. But risk factors in different countries are different. For instance, in the US you see a huge number of hacking incidents, data losses or leakages, whereas in India companies are not viewing that kind of risk exposure. Eventually the same risk exposures can be seen by Indian companies. So it's a matter of time until Indian organizations wake up and say that they need more protection than just ISO 27001.
Pankaj Maru/CMN
maildqindia@cybermedia.co.in