
Security: A Must

VoicenData Bureau

In a profit-driven global economy, where business processes are re-engineered to raise profitability by fractions of a per cent, established and growing companies in India and elsewhere in Asia are fast becoming part of the back office and supply chain of the global economy. In the early days of offshoring and outsourcing, price was often the single determining factor for the global companies buying these services. As offshoring and outsourcing became commonplace, customers became more sophisticated, and other considerations, including compliance with industry and statutory requirements, became significant as well. Security is now a deciding factor for customers, and hence for the Indian firms that deliver the required capabilities. A US-based firm subject to Sarbanes-Oxley must be able to validate that the suppliers involved in its financial processes also meet selected requirements, and those requirements extend to data integrity. Indian and Asian outsourcers now face the same obligations in order to do business globally.


Why Compliance Matters



Why do compliance mandates around the world affect firms in India? As outsourcers or suppliers, Indian firms are part of the ecosystem that American and European firms organize and rely on to operate their businesses. Indian firms potentially have access to, and are often responsible for, sensitive customer information, financial data, and internal business processes. When any of these is compromised, the impact on the ecosystem, and therefore on the American or European firm, can include loss of customers; inaccurate financial information, leading to inaccurate financial reporting; damage to corporate reputation and brand; and loss of competitive advantage.

From an IT perspective, the technologies commonly used to provide the necessary protection include firewalls, intrusion detection and prevention systems, virus and malware scanning, and vulnerability management solutions, to name a few. When properly deployed, managed, and monitored, these technologies can provide the needed protection, and they are a critical component in demonstrating compliance with the standards that affect the firm.


Auditors examine the processes and procedures that are in place because those processes and procedures are leading indicators of outcomes: a disciplined, documented process produces a predictable set of results. Conversely, a firm's inability to comply with recognized standards is a strong predictor of its inability to protect its own, and therefore its customers', sensitive information, financial data, and business processes. The presence or absence of established processes and procedures is a leading indicator of a firm's ability to meet its customers' needs.

The Connection



ISO 27001 is a standard published in 2005 that specifies the requirements for an information security management system (ISMS): the policies, processes, and controls by which an organization manages information security.


What matters here is that ISO 27001 has been accepted by American, European, and Asian organizations as the primary standard for implementing, managing, and maintaining IT security controls. Accordingly, it is the standard against which auditors assess the maturity and robustness of an organization's IT security, and it is the standard that Indian firms must pay attention to, and maintain compliance with, in order to meet their customers' requirements in full.

What's Involved



To meet the requirements of ISO 27001, Indian firms need to embrace a comprehensive combination of people, processes, and technology. People means security experts and 24x7 coverage. Processes means continuous monitoring, measurement, and feedback, operating on the assumption that a robust security infrastructure is dynamic and changes with conditions in order to keep meeting the firm's needs. The technologies can include perimeter security such as firewalls and IDS; authentication solutions to validate user identities; encrypted communication channels, such as VPNs, for transmitting information over public networks; virus and malware scanning to detect and remove malicious software; and vulnerability and patch management to identify and remediate documented weaknesses in networks, operating systems, and applications.

In addition to implementing and managing these solutions, which most security experts are accustomed to, it is critical to monitor them on a 24x7 basis. For smaller firms this is cost-prohibitive to do internally; for mid-size and large firms it may be affordable but is often a new practice. Without monitoring, a firm is effectively trusting its technology platforms to be the last line of defense, and forgoing the opportunity to identify necessary changes to security policies and practices in time.


Whether the solutions are sourced, managed, and maintained solely by the firm's own employees, or with varying degrees of assistance from integrators or managed security service providers (MSSPs), is at the discretion of IT executives, provided that the approach taken is sufficiently disciplined and robust to meet audit requirements.

Choosing the Right Approach



For Indian firms that have some basic security provisions in place, such as a firewall, but have realized that considerably more time and expense is still required, ISO 27001 can be a big challenge, albeit one that must be met. Before rushing into the complexities of selecting, purchasing, implementing, and managing a comprehensive set of solutions, it makes sense to consider several different approaches to the goal of compliance with ISO 27001:

Do everything internally: hire and retain security expertise; buy, install, configure, manage, and monitor the solutions.

Turn to an integrator: for architecture, procurement, implementation, management, and monitoring.

Turn to an MSSP for assistance: with architecture, procurement, implementation, management, and monitoring.

Although it is certainly possible to combine elements of these approaches, addressing only a subset of the total requirements will leave the firm short of ISO 27001 compliance. And while compliance may far exceed the stand-alone security requirements of the organization itself, participation in the global ecosystem and global economy requires a higher level of commitment and investment, one that may be well beyond what business leaders believe is required for their own business needs.


The key considerations in selecting the right approach to people, process, and technology come down to:

Cost: Is it cheaper to outsource, to keep all of these activities in house, or to use a combination of the two? Is it necessary to avoid capital expenditure and rely solely on operating expenses to achieve the desired solution?

Expertise: Does the firm have the necessary skills, and if not, is it willing to invest in hiring and retaining skilled staff?

Fitness of solution: Can the firm obtain a notably better architecture from a particular type of supplier, typically one that is not focused on selling a narrow set of vendors' offerings?

Scale: As the firm grows and its needs evolve, which approach will provide the necessary flexibility?

MSSPs: Link to Compliance

Any of the above approaches to implementing a comprehensive security solution can enable a firm to meet the ISO 27001 standard. However, when a firm chooses to keep the responsibility in house, it also accepts full responsibility for preparing for, and periodically undergoing, the ISO 27001 audit. Except for very large firms, the total cost of keeping security in house will inevitably be higher than turning to an integrator or MSSP.


Integrators have the potential to deliver a complete solution for the firm, but often do so with heavy reliance on people and minimal reliance on repeatable processes. For security monitoring, the consequence of this choice is lower accuracy in identifying potential security incidents, leading either to overworked security analysts chasing too many false alarms or to many missed security incidents.

Securing Entry



Indian firms have capitalized on the offshoring opportunity that exists with US and European companies. However, gaining entry to these companies requires demonstrable security processes and procedures that can satisfy the increasing pressure for compliance with industry and statutory standards. In turn, the ISO 27001 standard for security best practice can demonstrate a firm's readiness from a security perspective. For many firms, the most straightforward route to ISO 27001 certification is through an MSSP that has already achieved it and can provide the necessary services, which is preferable to the firm building everything needed for ISO 27001 certification on its own. The certificate itself still covers the firm's own ISMS and the scope it declares, so the MSSP's certification does not transfer; what the MSSP supplies is the operated controls, the monitoring, and the evidence that the firm's auditor will ask for.

Adam Rice



The author is chief security officer, Tata Communications



vadmail@cybermedia.co.in
