We, as CIOs, deal with systems and data that are valuable to the organization. In other words we are custodians of all the information assets of the organization and therefore assume the responsibility of securing and protecting them.
I have spoken to a lot of information systems practitioners and the moment there is a mention of security, the talk immediately shifts to firewalls, perimeter security, UTM, and the like. It seems as if people have been conditioned to think of tools as the only means for addressing the issue. A formal approach to the subject would, however, reveal other issues that need to be attended to so that we develop a holistic view on matters of security.
There are two aspects to security. One is to preserve and protect data so that it is always available for access, and the second is to keep it secure so that it is inaccessible to people who are not authorized to access it. Simple, clear thinking reveals three areas that need to be addressed: people, process, and technology. Let’s discuss each of them separately.
People: You may have all the technology and tools but it ultimately will depend on the people who run them. The first thing is to make them aware of the necessity of keeping data and information secure so that the data is available as and when they want.
Many organizations hold awareness and training sessions for employees so that they understand their respective responsibilities and the dos and don’ts of dealing with the organization’s data. They are also apprised of the security policies that have been framed, their roles under those policies, and the consequences of a breach.
People often tend to ignore these advisories, and therefore, many companies regularly send e-mail blasts to all employees so that they sit up and notice, while others install wallpapers and screen savers on the user desktops so that they are constantly reminded of their roles and responsibilities.
Process: If data is to be kept secure, one needs a set of rules and processes that guide the execution of the steps necessary to ensure its safe keeping. All good organizations compile documents listing the standard operating procedures for backing up data and for ensuring security against unauthorized access.
Companies call this a ‘back-up policy’ or a ‘security policy’ document. It is circulated amongst employees or posted on the intranet for ready access by anyone who may want to refer to it. Once these procedures have been communicated, employees cannot feign ignorance to excuse non-compliance. It is, however, not enough to just inform and sit back; adherence to the process must be monitored regularly, either through an internal audit process or through audits conducted by an external party.
Documentation of all complaints, incidents and rectifications needs to be preserved for study in the event of any serious breach of security.
Technology: In today’s complex computing environment, where we are connected both within and outside the organization, it may be difficult to ensure safety and security without the use of automated tools.
Organizations should evaluate and assess the technologies that are appropriate and relevant to their needs. The choice of technology elements should be based on the computing environment and on the organization’s risk assessment, which weighs the criticality of the various business opportunities and risks.
It is here that we talk of firewalls, perimeter security, intrusion prevention, antivirus/anti-spam, identity management, UTM boxes, automated back-up tools, storage technologies, disaster recovery solutions, etc. In my opinion, this forms the third aspect of our preparedness, and tools only go on to serve the larger business purpose.
The whole discussion of security is incomplete if we do not address all aspects of security and safety. A reference to technology and tools alone leaves us woefully short of our task: to provide the organization the right environment, one in which the business can function with ease without being unduly bothered about the safety and security of its information assets.