Organizations increasingly treat information as a valuable asset that needs to be protected. Losing information to a competitor can be highly detrimental to the business. An organization can lose sensitive information to a competitor through physical theft, pilferage of its IT infrastructure, or hacking. It also needs to guard against loss of information from virus attacks and natural disasters. In these days of fierce competition, an organization cannot afford disruptions caused by a breakdown of its IT infrastructure. CIOs have to be constantly vigilant against any attempt to steal or destroy information.
The need to secure information applies to all organizations, whether or not they are involved in e-commerce and have networks exposed to the Internet. Information security applies to defense laboratories, space research organizations, atomic energy organizations, financial institutions, public and private enterprises involved in research and development, and government departments handling confidential data. Surveys carried out last year by the Confederation of Indian Industry and PricewaterhouseCoopers indicated that Indian companies are now more prone to attacks on their information systems, with an increase in the number of breaches and hacking incidents. Viruses continue to be a very serious problem too.
Information security deals with protecting information from threats, ensuring continuity of business in case of natural disasters, and minimizing loss of business due to disruption of IT infrastructure. The subject is gaining importance all over the world, and the International Organization for Standardization (ISO) has published a standard for information security management: ISO/IEC 17799, an adaptation of Part 1 of the British Standard BS 7799.
ISO Objectives
ISO 17799 aims at securing information by maintaining:
- Confidentiality: Protecting sensitive information from unauthorized disclosure or intelligible interception
- Integrity: Safeguarding the accuracy and completeness of information and software
- Availability: Ensuring that information and standard IT services are available when required
- Accountability: Holding all concerned people responsible for any security lapses
These goals can be achieved by implementing a set of controls, which could be
policies, procedures, organizational structures and software functions.
An Information Security Management System (ISMS) built on ISO 17799 follows the 'Plan, Do, Check, Act' (PDCA) cycle used across ISO management-system standards (the ISMS requirements and the PDCA model themselves are specified in Part 2 of BS 7799, which is the part an organization is certified against; ISO 17799 is the code of practice that supplies the controls). It calls for establishing the ISMS (Plan), implementing and operating it (Do), monitoring and reviewing it (Check), and maintaining and improving it (Act).
Any organization developing an ISMS must define a security policy and undertake a risk assessment (RA) of its information assets. RA identifies the threats to each asset and assesses the harm to the business that could result from a security failure. Risk treatment, that is the steps taken to mitigate each risk to an acceptable level, follows from the assessed risks.
ISO 17799 specifies a set of controls for the treatment of risks. Any organization intending to build an ISO 17799-based ISMS must document which of the specified controls it has selected, and the justification for including or excluding each, in a Statement of Applicability. These controls can be grouped under the following heads:
- Security Policy: A documented information security policy, approved by management and kept under review
- Organizational Security: Information security infrastructure, security of third-party access, outsourcing
- Asset Classification and Control: Accountability for assets, and classification of information
- Personnel Security: Security in job definition, user training, responding to security incidents
- Physical and Environmental Security: Definition of secure areas, equipment security, and controls for prevention of theft of information
- Communications and Operations Management: Operational procedures and responsibilities, system planning and acceptance, protection against malicious software, housekeeping, network management, media handling, exchange of information and software
- Access Control: Business requirement for access control, user access management, user responsibilities, network access control, operating system access control, application access control, monitoring system access and use, mobile computing and teleworking
- System Development and Maintenance: Security requirements of systems, security in application systems, cryptographic controls, security of system files, security in development and support processes
- Business Continuity Management: Continuity of business operations and counteracting the effects of major failures and disasters
- Compliance: Compliance with legal requirements, reviews of security policy, and system audit
ISO 17799 lists 127 controls, grouped under 36 control objectives, to cover these areas. Although this set will suffice for most organizations, the standard allows an organization to add controls of its own where the risk assessment shows they are necessary to prevent loss or damage of information.
Dr Anirban Basu
director (quality+)