www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
28 January 2008  

Compliance

Compliance is essential for doing business

Security compliance in India may not be a big issue at the moment. However, it is gaining momentum owing to industry and government support along with mandatory requirements from international clients of various enterprises, says Varun Aggarwal

Modern business depends heavily on computers and IT support. At the same time, criminals are constantly creating new ways to use the Internet to invade the corporate network. In spite of this, many small and medium sized businesses still lack an up-to-date security solution that would protect their business environment. Many companies have limited resources and budgets for IT security, while their office environment is becoming increasingly mobile. Additionally, targeted attacks are becoming more frequent, which makes a fully automated security solution the best choice for such organizations.

In this context, compliance and regulation have never been so popular in India. Many companies, especially those doing business with US or European clients, have realized the importance of compliance and the competitive edge that it brings to their business. Apart from being a business requirement, security compliance is also proving beneficial to Indian organizations in many other ways.

Sriram Viswanathan, Channel Manager-India & SAARC, RSA (The Security Division of EMC) said, “Security is a key aspect of an organization’s IT infrastructure today and it encompasses solutions at the network points, applications, database and storage. Companies are adopting more security into their infrastructure due to stringent regulatory requirements and compliance is certainly a key part of it.”

Rajendra Dhavale, Director-Technical Sales, CA India added, “Compliance in a regulatory context is a prevalent business concern, perhaps because of an ever-increasing number of regulations and a fairly widespread lack of understanding about what is required for a company to comply with new legislation.”


Understanding risk

Security risk analysis, otherwise known as risk assessment, is fundamental to the security of any organization. “It is essential in ensuring that controls and expenditure are fully commensurate with the risks to which the organization is exposed. However, many conventional methods for performing security risk analysis are becoming more and more untenable in terms of usability, flexibility and criticality. For example, security risk assessment methodology and tools, which are now used by many of the world’s major corporations, allow the use of the same product to help ensure compliance with security policies, external standards (such as ISO 17799) and legislation (such as Data Protection legislation),” said Venu Palakirti, Sales Director, F-Secure.

Compliance is the most important part of information security. In order to have an effective information security posture, organizations need to align their people, processes and technologies with their business objectives. Today, the major challenge for any company is to manage huge volumes of data. A more challenging task is to restore that data securely and provide it to the end-customer as and when required. In order to meet these requirements, it is important that compliance and security tools be aligned with people and processes.

“As India becomes a ‘more connected’ economy, the risk of data security breaches has gone up many times. To that extent, compliance and data security are important areas of considerations for IT departments,” noted Soumitra Agarwal, Marketing Director, NetApp.

It is pertinent to note that deployment of storage networks to consolidate storage resources has been demonstrated to simplify data management and reduce costs. “However, consolidation also brings risks—a single security breach can threaten vast amounts of data that comes from across the entire organization. Additionally, data backup and mirroring processes distribute multiple copies of clear text data (unencrypted data that can easily be read) outside the primary data center. Most business continuity plans place data off-site in remote or outsourced facilities. Once your data leaves the data center, it is vulnerable. Indian organizations need to acknowledge and take steps to protect against such data security risks,” explained Agarwal.

Compliance attains mandatory status

For government departments and agencies coming under the ambit of the Right To Information Act (RTI), 2005, the organization concerned needs to maintain all its records, duly catalogued and indexed, in a manner that facilitates the Act. It must also ensure that all records that are appropriate to computerize are well protected, since they would be accessible over a network spanning the country on different systems.

With increasing reliance on electronic records to support litigation efforts, the need to prove that those records were not tampered with is becoming another requirement. If we take the example of the banking industry, RBI has indicated a requirement for record retention so that messages required for business and regulatory reasons are safely stored and easily retrievable. “There are corporate governance norms such as Basel II in the banking industry, and SEBI Clause 49 in general, that do not mandate specific compliance requirements from a technical perspective, but are nevertheless important guiding factors when organizations look at their internal control policies with regards to data retention, data access and data security,” added Agarwal.

“In India, Clause 49 is very important, all Indian companies listed in any stock exchange have to comply with this clause, but the legal enforcement should be stricter and though India is lagging behind the US and Europe in terms of compliance adoption, it is catching up very fast as compared to the past. If companies want to do business abroad, they need to have regulations and frameworks such as HIPAA, BS7799 and Basel II in place,” said Palakirti. He explained that compliance involves challenges in terms of networks, security, policies, asset protection and so on; companies need to gather a range of compliance tools, not just one, to overcome these challenges.

Regulatory compliance has emerged as a major force shaping IT infrastructure. However, the majority of new rules and regulations are not directed specifically at technology but rather at business processes such as record retention and retrieval, privacy, security, and the accuracy of data. Because most business information is managed electronically, complying with these mandates will require many enterprises to rework their IT systems.

A range of solutions is available to help businesses comply with regulatory requirements. Sarbanes-Oxley (SOX) and Basel II are the two main regulations driving Indian companies towards compliance, especially firms conducting business with American and European companies.

Dhavale said, “Complying with various regulations (be it industry-specific, such as HIPAA or Basel II, or cross-industry, such as SOX and SEBI Clause 49) implies a focus on strengthening of internal controls in general. The various regulations aim to enhance corporate governance through measures that will strengthen internal checks and balances and, ultimately, strengthen corporate accountability. Most would agree that the reliability of financial reporting is heavily dependent on a well-controlled IT environment. Accordingly, there is a need for organizations to have a well-defined information security policy to strengthen the IT controls in a financial reporting context.”

Compliance in the payment card industry

In January 2005, card brands such as American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International came together to ratify a comprehensive standard called PCI DSS (Payment Card Industry Data Security Standard) to help organizations proactively protect customer account data.

PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations protect customer account data.

Banks, merchants and payment processors approach PCI DSS compliance as an ongoing effort. Compliance must be validated annually, and companies must be prepared to address new aspects of the standard as it evolves under the auspices of the PCI Security Standards Council. In short, organizations must remain vigilant in order to not just achieve, but also maintain, PCI DSS compliance.

PCI DSS addresses IT-related card security issues. Fraud can still occur through employee collusion, or through an intent to cheat at a human level (for example, people with valid access under PCI DSS 1.1 have committed fraud). PCI DSS 1.1 has not been designed to prevent fraud arising from non-IT issues.

Dr. Akif Khan, Technical Sales head, CyberSource Ltd said, “PCI-DSS is mandated by the card schemes, such as Visa and MasterCard, not by individual governments yet. The responsiveness of Indian organizations has been typical of those in other geographies. Some early adopters have seen the benefit of PCI-DSS and have been quick to begin the process of compliance. However, there is still inertia amongst the large mass of organizations due to the potential costs involved, and the difficulty in justifying such projects with tangible ROI calculations against other projects.”

Challenges in adoption

The lack of proper funding and executive backing and a ‘not-us’ approach are some of the issues that pose a challenge to implementing information security and compliance practices. Today there is a need to identify and manage information security risks, benchmark security practices, comply with regulations and enhance skill levels. The current trends in security are the adoption of risk management and governance, standardization of technology, evolution of threat management systems, and security operation centers and business continuity and disaster recovery.

“The key challenge faced by Indian enterprises is to have a solution that helps them meet various compliance norms/regulations, while at the same time reducing cost, reducing complexity and enabling easy manageability,” said Agarwal.

“Indian enterprises need to choose a solution that will help them to deploy compliance functionality on the same storage platforms that run their enterprise applications. This way, cost/complexity comes down and the solution is more easily manageable. A silo approach, in this context, increases management costs,” added Agarwal.

The other issues that enterprises need to address during their solution evaluation process are the scalability and performance of the solution, which can be verified via third party reports.

Viswanathan said, “Fundamentally, education is the key in implementing compliance to the various regulations. Indian enterprises realize the fact that for doing businesses globally, compliance to various regulations is of vital importance and priority.”

Dr. Khan said, “The difficulties faced by enterprises in following the terms of compliance and regulations are the same globally. It is often difficult to prioritise such projects due to the difficult nature of competing against other projects with clearer RoI figures. Additionally, many merchants may feel that they do not need to comply or that compliance is an obstacle to business, thus in every geography some merchants will ‘drag their feet’ until compliance becomes mandatory.”

Compliance means business

Security is not just an IT issue but a critical business issue for all companies in all sectors. Companies must be prepared and make smart security and compliance decisions so they can best protect their investments, or they risk a negative impact on their bottom line and reputation. Security is not simply about protecting an enterprise network from attacks; companies need to establish a security governance process that takes into account network security, application security and a host of regulatory compliance issues. As of now, compliance is most prominent among companies dealing with American and European clients, but others are gradually joining the compliance league, thereby not only securing their information assets but also ensuring that they meet government regulations.

Agarwal explained, “Certainly, those who deal with the US or European clients have to have adequate safeguards and policies in place to comply with the regulations and data privacy norms in their clients’ home countries. From that perspective, IT/ITES, KPO industries certainly have to include these in their IT plans.”

Additionally, businesses that handle a large amount of sensitive or confidential information, and are hence more attractive targets (because an attacker has more to gain by breaching the data assets of such organizations), need to have data security measures in place. For example, verticals such as financial services and banking handle customer information (account information, credit card information, investments, and so on) that is confidential.

“Defense is an obvious candidate considering that it has implications for national security and is hence open to attacks by terrorists or anti-national forces. Telecom companies also handle millions of customer records, including personal information and call details, which people with malicious intentions want access to,” explained Agarwal.

Compliance policies a must

Viswanathan said, “It is of prime importance that Indian enterprises realize that compliance is the way forward and now with increasing amount of outsourcing work done for financial institutions by the BPOs, regulations play a very important role. With organizations already having implemented the ISO standards, it becomes relatively easier for them to comply with new regulations.”

IT has become so crucial that it is being customized according to the needs of each business. With this growing dependence on IT, organizations are also keeping up with the need to comply, but it is difficult to accommodate each and every regulation in the IT framework. In India it was the financial sector and the BPOs that adopted and deployed IT most fully. There is a need to plan ahead and take appropriate steps now so as to secure the future.

Palakirti explained, “This can be done by making security a personal responsibility of each and every employee of the company so as to prevent breaches. The cause of breaches in security such as not taking appropriate steps to prevent unauthorized access and misuse of computers and other devices such as mobile phones, the need to establish a legal framework in every organization is vital today, the essentials of a legal framework are uniformity, stability, consistency, predictability and dynamism.”

Enterprises today should be more careful about the increasing threat of phishing attacks, especially those that masquerade as a trustworthy business site and steal confidential information from the user, and enterprises should not neglect securing their mobile phones, which can be part of their extended network.

Agarwal said, “First of all, the enterprise needs to set its security policies i.e. which compliance regulations will it meet. This will depend on the nature of their business, the clients they do business with and the countries in which they have their own establishments.”

Once the compliance regulations are identified, the enterprise needs to determine the technological implications of meeting the requirements of those regulations.

Finally, the enterprise must translate the technology requirements into an RFP (Request For Proposal) for a compliance solution that prospective vendors bid for. The vendors must describe, in detail, how their solution meets the various regulatory requirements and what third party certifications or evaluation reports they have in place to support their claims.

While procuring a compliance solution, the enterprise must keep in mind the flexibility that the vendor provides for customization or modification to suit special needs that may arise in future, and check that the vendor has a clear roadmap to enhance the solution in line with evolving compliance requirements.

“The technology components that help build the complete compliance infrastructure include—storage, data management, archival software, tamper-proofing of data, storage encryption, data discovery, data classification and search. Of course, this is not complete without a comprehensive set of policies that govern the organization’s compliance implementation,” concluded Agarwal.

varun.aggarwal@expressindia.com

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.