The evaluation process
The method behind the selection of the winners of the Microsoft
Security Strategist Awards.
Security has emerged as an integral part of the management framework. It is
among the top priorities on a CIO's list. As a result, companies are looking
at solutions that offer both protection and management in a single product.
Looking at this trend, the Indian Express Group organised the Microsoft Security
Strategist Awards to recognise organisations that have made exemplary and innovative
use of IT to deliver significant business value. Ernst & Young (E&Y)
was the process advisor for the awards.
The three categories for the awards were Banking & Finance, General Industries,
and IT/ITES/Telecom.
Criteria for evaluation
Information Security Governance, Asset Profiling, Processes
and Operational Practices, Technical Security Architecture, People and Organisational
Management, and Security Programme Compliance and Reporting were parameters
for evaluating nominees.
Further, the proactiveness of the solution, its continuity
and validation, and its continuous monitoring and auditing were evaluated before
shortlisting nominees.
Successful conceptualisation, the implementation of an innovative
IT project, and the successful utilisation of emerging technologies that could
be regarded as a pioneering effort by the industry were also taken into consideration
before finalising the winner. The criteria included information security governance,
asset profiling, processes and operational practices, technical security architecture,
people and organisational management, security programme compliance and reporting.
Award process
The Indian Express Group invited participants for the awards. Applications
were received as a completed questionnaire, together with details of the initiative.
Nominees were then shortlisted for each category, and invalid applications
were disqualified.
After this, three companies were chosen for each of the above categories, following
which each nominee gave a presentation of its IT initiative in front of the
jury panel. The jury evaluated and rated the nominees, and E&Y tabulated
the scores to determine winners.
E&Y rated the nominees on a scale of zero to three. Level 0 referred
to an organisation that had ad hoc, person-dependent processes with
little or no documentation. Level 1 was where documented processes were in
place and were generally performed, but were not standardised across locations. Level
2 companies were those where standardised processes existed enterprise-wide.
Level 3, the topmost level, consisted of those companies that continuously improved
their processes and had them validated by third-party auditors.
Of the many factors used to weigh the nominees, information security
governance accounted for 30 percent of the weightage.
The jury panel consisted of Arvind Tawde, CIO, Mahindra & Mahindra; Mitish
Chitnavis, Group CISO, EDS, Mphasis; Sunil Chandiramani, Partner, Ernst &
Young; Sanjiv Mathur, Director, Enterprise Marketing, Microsoft India, and Prof
Bernard Menezes of IIT Mumbai, who evaluated every aspect of a security initiative.
The Security Framework
Says Devendra Parulekar, Assistant Director, Ernst & Young, "In an
information security framework, documentation is the key, but more important
is how you monitor it." The Security Framework is a single-view representation
of the people, process and technology components that should be addressed in
the development of an enterprise security programme.
Some of the top security threats identified by Microsoft are viruses, spyware
and worms, botnets, rootkits, phishing and fraud. Security challenges are identity
management and access control, managing access in the extended enterprise, and
the security risk of unmanaged PCs. Security management includes deploying security
updates, system identification and configuration, and security policy enforcement.