DATA SECURITY: Risk Mitigation Controls

VoicenData Bureau
New Update

Organizations are increasingly looking at information as a valuable asset that needs to be protected. Losing information to a competitor can be highly detrimental to the business. An organization can lose sensitive information to its competitor by physical theft, pilferage of its IT infrastructure, or hacking. It also needs to guard against loss of information due to virus attacks and natural disasters. In these days of fierce competition, an organization cannot afford to have disruptions due to breakdown of its IT infrastructure. CIOs have to be always vigilant and alert to any attempts to steal and destroy information.



The need to secure information applies to all organizations, irrespective of whether they are involved with e-commerce and their networks are exposed to the Internet or not. Information security applies to defense laboratories, space research organizations, atomic energy organizations, financial institutions, public and private enterprises involved in research and development, and government departments handling confidential data. Surveys carried out last year by the Confederation of Indian Industry and PricewaterhouseCoopers indicated that Indian companies are now more prone to attacks on their information systems and that there is an increase in the number of breaches and hacking incidents. Viruses continue to be a very serious problem too.

Information security deals with protecting information from threats, ensuring continuity of business in case of natural disasters, and minimizing loss of business due to disruption of IT infrastructure. The subject of information security is gaining importance all over the world, and the International Organization for Standardization (ISO) has come up with a standard for Information Security Management. It is called ISO 17799 and is an adaptation of the British Standard BS 7799.

ISO Objectives

ISO 17799 aims at securing information by maintaining:

- Confidentiality: Protecting sensitive information from unauthorized disclosure or intelligible interception
- Integrity: Safeguarding the accuracy and completeness of information and software
- Availability: Ensuring that information and standard IT services are available when required
- Accountability: Holding all concerned people responsible for any security lapses

These goals can be achieved by implementing a set of controls, which could be policies, procedures, organizational structures and software functions.

An Information Security Management System (ISMS) conforming to ISO 17799 follows the 'Plan, Do, Check, Act' (PDCA) philosophy of ISO. It calls for establishing the ISMS plan, implementing and operating it, monitoring and reviewing it, and maintaining and improving it.


Any organization developing an ISMS is required to define a security policy and undertake an assessment of risks to its information assets. Risk assessment (RA) deals with identifying the threats to assets and assessing the harm to the business that might result from a security failure. Steps for risk mitigation should follow after the risks have been assessed.

ISO 17799 specifies a set of controls for the treatment of risks. Any organization intending to build an ISO 17799-based ISMS must document the selection of the specified controls in the statement of applicability. These controls can be grouped under the following heads:

- Organizational Security: Information security infrastructure, security of third party access, outsourcing
- Asset Classification and: Accountability of assets, and classification of information
- Personnel Security: Security in job definition, user training, responding to security incidents
- Physical and Environmental: Definition of secure areas and equipment security, and controls for prevention of theft of information
- Communications and Operations Management: Operational procedures and responsibilities, system planning and acceptance, protection against malicious software, housekeeping, network management, media handling, exchange of information and software
- Access Control: Business requirement for access control, user access management, user responsibilities, network access control, operating system access control, application access control, monitoring system access and use, mobile computing and teleworking
- System Development and: To cover security requirements of systems, security in application systems, cryptographic controls, security of system files, security in development and support processes
- Business Continuity: Continuity of business operations and counteracting the effects of major failures and disasters
- Compliance: Compliance with legal requirements, reviews of security policy, and system audit

ISO 17799 has a list of 127 controls to cover all aspects of security breaches. Although it will suffice for most organizations, ISO allows an organization to have additional controls if it is necessary to prevent loss or damage of information.

Dr Anirban Basu
Director (Quality+)