DATA SECURITY: Risk Mitigation Controls
ISO 17799 covers virtually every kind of security breach and follows it with a comprehensive list of countermeasures
Thursday, May 15, 2003

Organizations are increasingly looking at information as a valuable asset that needs to be protected. Losing information to a competitor can be highly detrimental to the business. An organization can lose sensitive information to its competitor through physical theft, pilferage of its IT infrastructure, or hacking. It also needs to guard against loss of information due to virus attacks and natural disasters. In these days of fierce competition, an organization cannot afford disruptions caused by a breakdown of its IT infrastructure. CIOs have to be constantly vigilant and alert to any attempt to steal or destroy information.

The need to secure information applies to all organizations, irrespective of whether they are involved in e-commerce or their networks are exposed to the Internet. Information security applies to defense laboratories, space research organizations, atomic energy organizations, financial institutions, public and private enterprises involved in research and development, and government departments handling confidential data. Surveys carried out last year by the Confederation of Indian Industry and PricewaterhouseCoopers indicated that Indian companies are now more prone to attacks on their information systems and that the number of breaches and hacking incidents is increasing. Viruses continue to be a very serious problem too.

Information security deals with protecting information from threats, ensuring continuity of business in case of natural disasters, and minimizing loss of business due to disruption of IT infrastructure. The subject of information security is gaining importance all over the world, and the International Organization for Standardization (ISO) has come up with a standard for information security management. It is called ISO 17799 and is an adaptation of the British Standard BS 7799.

ISO Objectives
ISO 17799 aims at securing information by maintaining:

- Confidentiality: Protecting sensitive information from unauthorized disclosure or intelligible interception
- Integrity: Safeguarding the accuracy and completeness of information and software
- Availability: Ensuring that information and standard IT services are available when required
- Accountability: Holding all concerned people responsible for any security lapses

These goals can be achieved by implementing a set of controls, which could be policies, procedures, organizational structures and software functions.

An Information Security Management System (ISMS) conforming to ISO 17799 follows the ‘Plan, Do, Check, Act’ (PDCA) philosophy of ISO. It calls for establishing the ISMS plan, implementing and operating it, monitoring and reviewing it, and maintaining and improving it.

Any organization developing an ISMS must define a security policy and undertake a risk assessment (RA) of its information assets. RA deals with identifying the threats to assets and assessing the harm to the business that might result from a security failure. Steps for risk mitigation should follow once the risks have been assessed.

ISO 17799 specifies a set of controls for the treatment of risks. Any organization intending to build an ISO 17799-based ISMS must document its selection of the specified controls in a statement of applicability. These controls can be grouped under the following headings:

- Organizational Security: Information security infrastructure, security of third-party access, outsourcing
- Asset Classification and Control: Accountability for assets, and classification of information
- Personnel Security: Security in job definition, user training, responding to security incidents
- Physical and Environmental Security: Definition of secure areas, equipment security, and controls to prevent theft of information
- Communications and Operations Management: Operational procedures and responsibilities, system planning and acceptance, protection against malicious software, housekeeping, network management, media handling, exchange of information and software
- Access Control: Business requirement for access control, user access management, user responsibilities, network access control, operating system access control, application access control, monitoring system access and use, mobile computing and teleworking
- System Development and Maintenance: Security requirements of systems, security in application systems, cryptographic controls, security of system files, security in development and support processes
- Business Continuity Management: Continuity of business operations and counteracting the effects of major failures and disasters
- Compliance: Compliance with legal requirements, reviews of security policy, and system audit

ISO 17799 lists 127 controls covering all aspects of security breaches. Although this set will suffice for most organizations, ISO allows an organization to add controls of its own where they are necessary to prevent loss of or damage to information.

Dr Anirban Basu, director (quality+)
