
Advice for information security policy implementation and management

By Jasmine Desai, Principal Correspondent, SearchSecurity.in
31 Aug 2009 | SearchSecurity.in


Developing an information security management system (ISMS) framework is an integral component of the ISO 27001 specification, which validates an organization's security. Proper ISMS implementation is critical for effective security implementation, policies and management in Indian organizations. Ravikiran Mankikar, Shamrao Vithal Co-operative Bank's general manager of information technology, shares tips from his ISMS implementation experience at the bank.

How much of a role does technology play when it comes to ISMS?
Ravikiran Mankikar: ISMS is not necessarily technologically driven, since information can be in various forms such as [physical] documentation or technology. The ultimate objective of putting a security policy in place is to protect the business.

Through ISMS, the essential focus is on protecting all the critical functions and making sure that downtime is kept minimal. Thus the spotlight is on people, processes and then on technology.


What are the aspects to be kept in mind while designing the ISMS?
Mankikar: The most important facet in any information security policy is its adoption. So while designing an ISMS you should look at HR, operative and business policies. Always consider steps taken by the organization for educating employees into increasing information security awareness and accordingly adopt policies.

Take the working environment into consideration. You should look at different processes adopted by the organization -- right from procurement and business to backup and email. Assess how these areas impact the business. Take into consideration the organization's policies to conduct periodic business analysis and the adopted risk assessment methodology. Within risk assessment, it is advisable to look at how a risk is assessed, and ways to arrive at the residual risk. What are the steps being taken by the organization to address those risks? What are the controls that are in place? Are those controls being periodically tested and reviewed?

Based on this review, look at the technology aspect. This technology can be for business operations, security or daily transactions. Thus, business processes and people have to be supplemented by appropriate technology. You can then consider the organization's outlook towards meeting business objectives while protecting assets.


Can you give us some ISMS implementation best practices?
Mankikar: Security is always a top-down approach. It starts from the top and then relays down to the grassroots level. By making use of awareness, education and elementary security drills, one can draw policies. A policy or procedure should not be so water-tight that business is affected, nor should it be very loose. There should be a balance between what you are trying to secure and how you go about it.

While implementing security, the process starts from the bottom, while policies have a top-down approach. Security is driven by business, and depending on the need of security for each unit, the overall impact will change. Even within the same vertical, organizations will have different needs.


What measures should be taken after implementing an information security policy?
Mankikar: A policy has to be reviewed regularly, as the business and people factors may change. Thus, you should continually update the policy according to these changes. PDCA -- Plan, Do, Check and Act -- is a standard method for this, which reflects continual review, implementation, and updates. In addition, a suitable framework should be adopted (such as ISO 27001 or COBIT) keeping in mind organizational needs.

A certification gives comfort to the stakeholder that the organization is secure. This does not necessarily guarantee that the organization is secure. It merely states that the processes have been followed. Alongside the processes, one should also look at the practicality. Conforming to these processes is a step towards ensuring security.



