In a profit-driven global economy, where business processes are re-invented
to increase profitability by fractions of a per cent, established and growing
companies in India and elsewhere in Asia are fast becoming part of the back
office and supply chain of the global economy. In the early days of offshoring
and outsourcing, price was often the single determining factor for the global
companies doing the buying. As offshoring and outsourcing became common,
customers became more sophisticated, and other considerations, including
compliance with industry and statutory requirements, became significant as well.
Security is now the deciding factor for those customers, and hence for the
Indian firms that want to deliver the desired capabilities to them. For a
US-based firm to meet its Sarbanes-Oxley obligations, it must validate that its
suppliers also meet selected requirements, and those requirements extend to data
integrity as well. Indian and Asian outsourcers now face the same obligations in
order to do business globally.
Why Compliance Matters
Why do compliance mandates around the world affect firms in India? As
outsourcers or suppliers, Indian firms are part of the ecosystem that American
and European firms organize and drive in order to operate their businesses.
Indian firms potentially have access to, and/or are responsible for, sensitive
customer information, financial data, and internal business processes. When any
of these are compromised, the impact on the ecosystem, and therefore on the
American or European firms, can include loss of customers; inaccurate financial
information, leading to inaccurate financial reporting; damage to corporate
reputation and brand; and loss of competitive advantage.
From an IT perspective, the technologies commonly used to provide the necessary
protection include firewalls, intrusion detection and prevention systems, virus
and malware scanning, and vulnerability management solutions, to name a few.
When properly deployed, managed, and monitored, these technologies can provide
the needed protection, and they are a critical component in demonstrating
compliance with the standards that apply to the firm.
When auditors examine the processes and procedures a firm has in place, their
aim is to predict outcomes. Processes and procedures are leading indicators of
outcomes, and auditors focus on them precisely because a disciplined set of
processes produces a predictable set of outcomes. Conversely, a firm's inability
to comply with recognized standards is a strong predictor of its inability to
protect its own, and therefore its customers', sensitive information, financial
data, and business processes. The presence, or absence, of such processes and
procedures is a leading indicator of a firm's ability to meet its customers'
needs.
The Connection
ISO 27001 (ISO/IEC 27001:2005) was published in 2005 and is specifically
focused on information security management.
What matters here is that ISO 27001 has been accepted by American, European,
and Asian organizations as the primary standard for implementing, managing, and
maintaining IT security controls. Accordingly, it is the standard auditors look
to when assessing the maturity and robustness of an organization's IT security,
and it is the standard Indian firms must pay attention to, and maintain
compliance with, in order to fully meet their customers' requirements.
What's Involved
To meet the requirements of ISO 27001, Indian firms need to put in place a
comprehensive combination of people, processes, and technology. The standard
itself prescribes a management system and a catalogue of controls rather than
particular products; the technologies listed below are the usual means of
implementing those controls. People include security experts and 24x7 coverage.
Processes include continuous monitoring, measurement, and feedback, operating
on the assumption that a robust security infrastructure is a dynamic one that
changes with conditions in order to continually meet the firm's needs. The
technologies can include perimeter security such as firewalls and IDS;
authentication solutions to validate user identities; encrypted communication
channels, such as VPNs, for transmitting information over public networks;
virus and malware scanning to detect and remove malicious software; and
vulnerability and patch management to identify and remediate documented
weaknesses in networks, operating systems, and applications.
In addition to implementing and managing these solutions, which most security
experts are accustomed to, it is also critical to monitor them on a 24x7 basis.
For smaller firms, doing this internally is cost-prohibitive. For mid-size and
large firms it may not be cost-prohibitive, but it can certainly be a new
practice. Without monitoring, a firm is essentially trusting its technology
platforms to be the last line of defense, and forgoing the opportunity to
identify necessary changes in security policies and practices in time.
Whether the solutions are sourced, managed, and maintained solely by the firm's
own employees, or with varying degrees of assistance from integrators or managed
security service providers (MSSPs), is at the discretion of IT executives,
provided that the approach taken is sufficiently disciplined and robust to meet
audit requirements.
Choosing the Right Approach
For Indian firms that have some basic security provisions in place, such as a
firewall, but have realized that more time and expense is still to be put in,
ISO 27001 can be a big challenge, albeit one that must be met. Before rushing
into the complexities of selecting, purchasing, implementing, and managing a
comprehensive set of solutions, it makes sense to consider several different
approaches towards the goal of compliance with ISO 27001:
Do everything internally: hire and retain security expertise; buy, install,
configure, manage, and monitor the solutions.
Turn to an integrator: architecture, procurement, implementation, management,
and monitoring.
Turn to an MSSP for assistance: architecture, procurement, implementation,
management, and monitoring.
Although it is certainly possible to combine elements of the above approaches,
addressing only a subset of the total requirements will leave the firm short of
ISO 27001 compliance. And while compliance may far exceed the stand-alone
security requirements of the organization itself, participation in the global
ecosystem and global economy requires a higher level of commitment and
investment, one that may be well beyond what business leaders believe is
required for their own business needs.
The key considerations in selecting the right approach for people, process,
and technology come down to:
Cost: Is it cheaper to outsource, to keep all of these activities in house, or
to use a combination of the two? Is it necessary to avoid capital expenditure
and rely solely on operating expenses to achieve the desired solution?
Expertise: Does the firm have the necessary skills, and if not, is it willing
to invest in hiring and retaining skilled staff?
Fitness of solution: Can the firm obtain a notably better architecture from a
particular type of supplier, typically one that is not focused on selling a
narrow set of vendors' offerings?
Scale: As the firm grows and its needs evolve, which approach will provide the
necessary flexibility?
MSSPs: Link to Compliance
Any of the above approaches to implementing a comprehensive security solution
can enable a firm to meet the ISO 27001 standard. However, when a firm chooses
to keep the responsibility in house, it also accepts the full burden of
preparing for, and periodically undergoing, the ISO 27001 certification and
surveillance audits on its own. (The audits themselves remain the firm's
obligation whichever approach is taken; an integrator or MSSP can supply the
evidence for the controls it operates, but cannot be audited in the firm's
place.) Except for very large firms, the total cost of keeping security in house
will inevitably be higher than turning to an integrator or MSSP.
Integrators have the potential to deliver a complete solution for the firm, but
often do so with tremendous reliance on people and minimal reliance on
repeatable processes. The effect of this choice on security monitoring is lower
accuracy in identifying potential security incidents, leading either to
overworked security analysts chasing too many false alarms, or to many missed
security incidents.
Securing Entry
Indian firms have capitalized on the offshoring opportunity that exists with US
and European companies. However, gaining entry to these companies in the US and
Europe requires demonstrable security processes and procedures that can satisfy
the increasing pressure for compliance with industry and statutory standards.
In turn, the ISO 27001 standard for security best practice can demonstrate a
firm's readiness from a security perspective. For many firms, the most
straightforward route to ISO 27001 certification is through an MSSP that has
already achieved certification itself and can provide the necessary services in
a way that is far preferable to the firm building everything on its own. Note
that an MSSP's certificate covers the MSSP's own scope of operations, so the
firm still obtains a certificate for its own management system; what the MSSP
provides is the operated controls and the audit evidence for them.
Adam Rice
The author is chief security officer, Tata Communications
vadmail@cybermedia.co.in