www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
05 September 2005  

Vendor Accent

Understanding IT security assessment

Protecting information should be the top priority of IT managers and CIOs, says Diwakar Dayal.

Today, data security needs are increasingly driven by regulation and legislation. In the West, there are laws affecting almost every form of IT operations, especially for the BPO segment.

Securing data simply means maintaining confidentiality by ensuring that only the right people have access to critical information, and only on a need-to-know basis, while the unauthorised are denied access and kept out of the corporate network. Securing data also calls for maintaining the integrity of information at all points in its lifecycle. Finally, it also means that information is available at any point of time wherever needed and does not interrupt business.

Understanding compliance

In the compliance world, you are not compliant until someone looks at your organisation and says that you are. Whatever processes or systems you’ve got in place don’t matter; the rule of the game is that only an assessment can determine whether your organisation is compliant.

The Sarbanes-Oxley Act 2002 (in the US) mandated by the SEC insists that top corporate executives sign off on the security and integrity of their data. It basically revolves around accountability and record keeping. Companies must maintain tight control over their data and keep records of who can and has accessed data over a period of time.

There is also the HIPAA that mandates rules for handling, storage and disclosure of personal information of patients in the healthcare industry. Since information travels and resides over the organisation’s IT infrastructure, ensuring that the network, access and processes are secure will help comply with regulations.

Then there is the Gramm-Leach-Bliley Act which applies to all financial services organisations in the US and imposes HIPAA-like standards to protect customer information.

Though these and several similar laws are applicable and enforced in the US, they affect every Indian company doing business with American companies. Thus, the only way Indian companies can ensure that they are legally compliant is by conducting regular security assessments. Such assessments provide valuable insights and answers to where the company is vis-à-vis where it should be. Today in India, a security assessment is something a CIO can’t wish away.

Selling assessment internally

CIOs need to make the case for a security assessment internally before embarking on one. IT security assessments reveal risks inherent in the enterprise IT infrastructure.

Assessment or compliance reports can be used as vaccines for helping Indian corporates further negotiate contracts with their overseas clients. They have multiple benefits even within the company. Apart from helping make a good marketing brochure, they also help plan your IT roadmap and set realistic expectations with top management.

An assessment reveals the true network picture by pointing out the various ports and entry points that could make the company’s network vulnerable to attack from outsiders; discovers points where an overload of data may lead to a system breakdown; and finally tracks the inventory and return on investment of various devices.

Assessments help identify and trace attacks originating from inside and outside the company, most of which go unnoticed. They help in aligning the company’s IT infrastructure with the new legislative mandates.

Types of assessment

There are various types of assessments that a CIO can choose from, based on their periodicity and objectives. Hence, it’s important to understand the options before signing the next security assessment budget.

A security assessment is an evaluation of the organisation’s security, and encompasses many areas including logical security (network, servers, passwords, firewalls), physical security (doors, access, keys, fireproofing, etc) and administrative security (policies and procedures).

A security assessment is definitely not a one-size-fits-all project. Different firms have different needs and defining what is uniquely important to your firm is the key to a successful assessment.

Risk assessment/ complete audit

A full strategic assessment will help the organisation get a deep understanding of its IT operations and security, in addition to a roadmap for improving security. Here the assessors will start with identifying and assigning value to business assets and then defining risk levels for these assets. They will also help identify controls and policies that may or may not be protecting these assets and functions. An assessment of policies and procedures will try to discover how executives manage the IT side of the business; delve into how IT is implemented and run, look at what type of procedure is in place to review newer applications, and so on. The management team can also use the assessment to ensure that a business is complying with new regulations impacting data security.

It is advisable to conduct such an assessment every 2-3 years. It is always done by an external team. Within the banking and financial industry, regular security assessments are a compulsory part of running business operations. This is to address the regulatory and supervisory concerns in online banking, core banking and customer data back-ups. The assessments can cover the adoption of technology standards for access control, encryption/decryption, firewalls, verification of digital signatures, Public Key Infrastructure, etc.

Pen test

Penetration testing performed by security analysts involves attempts to circumvent the security features of a system. The purpose of penetration testing is to identify methods of gaining access to a system (a server, a network device, or even a desktop) by using tools and techniques commonly used by attackers. A complete ‘pen test’ will attempt to breach and compromise organisational IT security. It looks for things like unprotected computer ports, or a wireless local area network that nobody knew about. Penetration testing is only performed after careful notification and planning; it may slow the target system’s response time temporarily, or possibly cause problems of the kind identified during planning activities. It is recommended for businesses where IT security is of paramount concern. Penetration testing should ideally be done every 1-2 years.

Vulnerability scan

Using industry-standard tools, assessors will scan the corporate network for known system vulnerabilities. It is an active scan of the system. During this phase, security experts probe existing network devices, servers and desktops, both internally and externally (from the Internet), for known vulnerabilities. Constant assessment will help determine whether the IT team’s patch management strategy is working or not.

Vulnerability scans can be conducted by internal staff or consultants. There are ways to automate these scans as a periodic service done weekly, monthly or quarterly.

There are also other focussed assessments like a security policy assessment that evaluates the existing policy against changing business needs. A physical security assessment reviews the physical security of the organisation. This includes a review of server rooms, wiring closets, network access points, fireproofing and workstation areas; it is suggested for data centres and all buildings.

After an assessment

A security assessment is targeted at finding problems with the business’s information security, and a stringent assessment usually does find them. Fixing the problems calls for a remediation strategy, which is time-consuming and expensive. This needs to be treated as a separate project or sub-project to be executed by an external party or a dedicated team. Prioritisation and available budgets will help chalk out a plan for what to fix and in what order.
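The article makes two measurable points: a repeated vulnerability scan shows whether patch management is working, and remediation must be prioritised. The script below is an added example (not from the article or its author) that compares two constructed scan rounds, reports the share of findings actually closed, and ranks what is still open by severity weighted with the asset values a risk assessment would assign. Host names, check ids and weights are hypothetical placeholders.

```python
"""Compare two periodic vulnerability-scan rounds and rank what is still open.

Added example, not from the article. Scan data is constructed inline: each
finding is (host, check_id, severity) as a scanner would report it; hosts,
check ids and weights are hypothetical placeholders.
"""

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}

# Business value per asset, as assigned during a risk assessment (constructed).
ASSET_VALUE = {"db01": 5, "web01": 4, "ws-042": 1}

# Constructed scan output for two rounds, a month apart.
SCAN_MARCH = {
    ("db01", "CHK-1001", "critical"),
    ("web01", "CHK-2002", "high"),
    ("web01", "CHK-2003", "medium"),
    ("ws-042", "CHK-3004", "low"),
}
SCAN_APRIL = {
    ("db01", "CHK-1001", "critical"),  # still open: the patch cycle missed it
    ("web01", "CHK-2003", "medium"),   # still open
    ("ws-042", "CHK-3005", "high"),    # newly reported this round
}

def compare_rounds(previous, current):
    """Split findings into fixed, persisting and new, keyed by (host, check)."""
    prev = {(h, c) for h, c, _ in previous}
    cur = {(h, c) for h, c, _ in current}
    return {"fixed": sorted(prev - cur),
            "persisting": sorted(prev & cur),
            "new": sorted(cur - prev)}

def remediation_rate(previous, current):
    """Share of last round's findings closed this round: the patch-management metric."""
    diff = compare_rounds(previous, current)
    total = len(diff["fixed"]) + len(diff["persisting"])
    return len(diff["fixed"]) / total if total else 1.0

def prioritise(current, asset_value):
    """Rank open findings by severity weight x asset value, highest first."""
    scored = [(SEVERITY_WEIGHT[s] * asset_value.get(h, 1), h, c, s)
              for h, c, s in current]
    return sorted(scored, key=lambda t: (-t[0], t[1], t[2]))

if __name__ == "__main__":
    d = compare_rounds(SCAN_MARCH, SCAN_APRIL)
    print(f"fixed={len(d['fixed'])} persisting={len(d['persisting'])} new={len(d['new'])}")
    print(f"remediation rate: {remediation_rate(SCAN_MARCH, SCAN_APRIL):.0%}")
    for score, host, check, sev in prioritise(SCAN_APRIL, ASSET_VALUE):
        print(f"{score:3d}  {host:7s} {check} ({sev})")
```

Run month after month, a falling remediation rate or a growing "persisting" list is the evidence that the patch process, not the scanner, needs attention.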

Creating a secure environment is always a challenge, as it involves people, processes and products that are dynamic in nature. To achieve it, you need to evolve constantly, with periodic security assessments that measure where you stand and lay the groundwork for making the change.

In quality management, what you cannot measure you can’t improve. And in the security department, just because you don’t know doesn’t mean your security is working.

The author is a CISSP and Security Specialist, Datacraft India.

He can be reached at diwakar.dayal@datacraft-asia.com
