
Security: Paranoid About IT Security
A concerned management of a company could spend much more than required to secure its assets. But in doing so it should align the measures with the best HR policies
Saturday, October 14, 2006

One of the alarming trends noticed in the past year was the way corporates were responding to the challenges of digital security. A bit of fear is essential to kick-start any change, and given a choice between an indifferent management and a concerned one, most would prefer the latter. However, when the concerns of an ignorant management lead to paranoid actions, the results could be devastating.

Advances in technologies and great products notwithstanding, let us not forget that the aim of security is to reduce risk to acceptable limits. It is not to try and eliminate risk at the cost of business. However, several experiences seem to indicate that many organizations have launched a digital security crusade that ignores this basic tenet of risk management.

The most apparent manifestation of this is the management's obsession with monitoring employees and laying down 'security' restrictions. Various companies ask their visitors to deposit their cell phones and USB drives at the security counter. This is done to avoid any security breaches.

Security or Embargo
Let's try and get real here. What is the aim of a corporate office? Among other things, an organization's headquarters is its interface with the external world. Sure, there are certain areas which are sensitive, and it is only fair to restrict entry to such parts of the premises, but when one is asked to deposit all electronic items at the gate, it is reminiscent of a high-security prison rather than a corporate office. But for the sake of argument let us take this a step further and examine whether such extreme measures actually improve security. Actually they don't.

Firstly, the security guards are pretty much relying on the declaration of the visitor about his personal belongings. If the organization gets about 400 visitors a day, chances are that more than 99% of them are law-abiding citizens with no ulterior motive. And the one odd hostile person will hardly 'declare' his intent at the gate. Thus a system that relies on the thief to declare his intent of theft is a pretty lame one. Besides, where does one stop? An iPod can double up as a USB drive. Incidentally, recent versions of the Swiss army knives have USB drives built in, and frankly, until networks within companies get upgraded to the levels of transporting megabytes of data in real time, the USB drives do perform a very real function.

Tackling Web Threat
Certain corporates also seem to have fallen for the classic parody of using technology just because it is there. Web monitoring is one such example. There is a plethora of tools that allow the management to monitor the web activities of their employees. So in theory, one can observe just what each one is up to. But the question is: to what purpose? It is a given fact that on a typical day a certain percentage of the employees' time will be spent browsing the net or perhaps checking private mails. So what? Couldn't the employee be making private calls or writing private letters? In an age where most employees spend upward of 12 hours in the job environment or commuting to it, isn't it fair to expect them to attend to some personal tasks during that time? OK, so there is that one odd person who is spending most of the time surfing the net, but since when did software become a substitute for managing results?

Prescription For Improving Information Security
  • CEOs should have an annual information security evaluation conducted, review the results with staff, and report on performance to the board of directors

  • Any security system should take into account the human resource angle

  • Organizations should conduct periodic risk assessments of information assets as part of a risk management program

  • Organizations should establish a security management structure to assign explicit individual roles, responsibilities, authority, and accountability

  • Organizations should provide information security awareness, training and education for accountability among all users, including partners, suppliers and vendors

  • Implement mechanisms for user authentication and authorization when accessing the organization's network

  • Organizations should conduct periodic testing and evaluation to determine the effectiveness of information security policies and procedures

  • Control physical access to information assets and information technology

  • Develop business continuity and recovery plans. Test them regularly

Besides, there is the point of privacy. In any socio-economic framework, every employee has the right to her privacy. While the management may have a technical right to monitor its assets, one can doubt that it does much good for the morale of the employees to get the message that they are not trusted.

There can be some basic hygiene, such as barring of porn or sites containing racial material, but banning Web mail accounts etc. is downright unwarranted. Not in this day and age, where most employees are considered to be knowledge workers, even if they are engaged in non-IT work. This makes it absolutely essential for organizations to understand the implications of stringent procedures and policies on their most valuable asset: employees. Hence, to achieve its desired goals, a corporate security policy should align itself to the HR policies of the organization.

Best Practices in Place
Understand that the entire gamut of security management systems comprises primarily three components: identity and access management, threat management, and security information management. All these help an organization achieve operational efficiencies and regulatory compliance, as well as contain costs, mitigate risk and ensure continuous business operations.


In order to achieve these corporate objectives, organizations need to have a robust system in place. The reason why most organizations act over-zealously in matters of security is that they do not incorporate some of the best practices into their operations to improve information security.

So a concerned management must exercise prudence while protecting its assets. With the increased number of online users and the associated challenges, organizations must understand the need for security within the IT framework. Their criterion should be that whatever the IT deployment, it has to bring value to the company in terms of data protection, increased business and enhanced employee morale. Finally, a security system should serve its purpose rather than be deployed because others are doing it. In short, there is no need to get paranoid about security, or else one could end up with a very secure but demoralized and inefficient organization.

Captain Raghu Raman, CEO, Mahindra Special Services Group
maildqindia@cybermedia.co.in
