It Risk Management

‘Create a risk-aware IT behaviour’ Secude on the fundamental steps to play safe in the physical and cyber worlds.. “In a complex spaghetti IT environment with ERP, CRM, SCM and legacy systems the focus of IT risk management should be on creating a solid risk governance process.” Jagan Nathan Vaman India, the emerging economic superpower, is waking up to certain hard realities, observes Jagan Nathan Vaman, CEO, Secude Solutions India Private Ltd ( www.secude.in). Indian enterprises will increasingly become soft targets for terrorists and cyber attacks, he sombrely adds, during the course of a recent e-mail interaction with eWorld. “There is a saying in Sanskrit Heyam dhukkam anagatham — Avert the danger before it arises. Early adoption of IT (information technology) security and IT governance best practices will help guard against such threats,” advises Vaman. “Above all, a risk-aware culture is the key to preventing a disaster or minimising the impact of a disaster.” Excerpts from the interview. We were recently witnesses to how terrorism, equipped with the latest communications technology and firepower, could almost paralyse the economy. What are the counter-measures you can think of, from the perspective of an IT security professional, on a national scale? We deal with this in two parts, substance and form. Governments and enterprises who invested smartly in IT as a strategic weapon simultaneously increased the risk. This results in ‘single point of failure’ in the IT landscape, which involves computer systems, processes and people. So the ‘substance’ in any countermeasure is created by a risk aware culture, effective IT risk governance process and creating substantive countermeasures for the four types of IT risks, viz. access risk, availability risk, accuracy risk and agility risk. The form of countermeasures can be setting up of an IT-ATS (anti-terrorist squad) at both the national and state levels with people trained in emergency response when a disaster strikes, which can be an attack on nuclear power stations, a large manufacturing facility, public/private property, or any other asset class. The important thing is that these IT-ATS units should be manned by highly techsavvy people with the necessary equipment and resources and should probably report to the highest authority in the country, and function with complete independence. But everyone should adopt a risk-aware behaviour by educating IT users with risk management principles and countermeasures in case of a disaster or a terrorist attack. A risk-blind society that believes in looking at security as a trade-off to cost cannot defend itself effectively.

Can you list the key attributes that any functional IT security system should possess to be really effective? Essentially there are four key attributes, viz. access, availability, accuracy and agility. Here I am quoting the ‘Westerman and Hunter’ model, which is simple and effective. Availability relates to the business’s ability to deliver applications reliably at acceptable performance levels. Access is about security and the ability of business owners to get to the information they need. Accuracy goes beyond data integrity to examine whether data is accurate, timely and complete, to answer questions such as whether businesses can be certain that their decisions are based on an integrated and complete picture of what’s happening. Agility is about having the means to respond to unexpected problems and changes in the business. There is a huge body of knowledge available with frameworks such as CoBIT, ITIL, COSO ERM, ISO 27001, and BS. Organisations can adopt any one of the IT security and controls frameworks based on their own needs, depending on their IT foundation, complexity of application infrastructure, geographical spread and business continuity plans. At the enterprise level, what are the IT security lessons to be followed up immediately? Would you suggest that any legacy systems that can’t be woven into the security framework may have to be made redundant? A paradoxical thing happened. Enterprise resource planning (ERP) systems such as SAP, Oracle, PeopleSoft, etc, were implemented with the central idea of throwing out legacy IT systems and have a brand new ERP platform. In reality this never happened. The legacy systems were never retired and ERP systems became the new legacy. So we have to necessarily include legacy in our risk map. To address the first part of your question: At the enterprise level, IT and ERP systems have become increasingly central to business success. However, many enterprises consider IT security as a discretionary budget item. With increasing attacks on networks and applications, IT security cannot remain a discretionary item. Cases in point are: Barings Bank — where Nick Leeson had unlimited authority to make changes in the systems, and Society Generale — where fraudulent transactions were perpetrated by Jerome Kerviel because he had access to backend systems, etc. All these point to simple access control and authorisation failure. With increased outsourcing and multi-sourcing, companies are exposed to weaknesses at different levels. IT risk incidents in a complex outsourced environment get amplified and carry much higher damage potential than they used to. They harm constituents inside and outside the company. That means, corporates need

a multi-layered security approach to ensure business continuity and sustainability. In a complex spaghetti IT environment with ERP, CRM, SCM and legacy systems the focus of IT risk management should be on creating a solid risk governance process and providing the necessary budget and resources to ensure that IT governance does not end up as a ‘nice to have’ function but as a ‘need to have’ function. From a business continuity angle, do the present IT practices offer enough comfort to corporates? Are compromises quite common? Corporates either over-invest or under-invest in IT security/business continuity. CEOs have a high risk appetite being business guys; they naturally tend to dismiss the risk perceptions of the CIO/CISO. Executives who don’t understand the business implications of IT risks consider IT security as a restriction of their freedom. Sometimes the IT security vendors push and hard sell ‘point security’ products instead of selling comprehensive security, that should include network, application, access, encryption security features, instead of just selling an anti-virus product. In some cases, business continuity is also looked at as an extra expense just to ensure continuous uptime and availability of systems. IT outsourcing vendors sometimes over-sell business continuity. I know of a large auto component manufacturer who signed a major business continuity contract that included ‘30 minutes recovery’ time. Now you see a ‘30 minute recovery time’ is critically important for a bank and not an auto component company. What you need is a holistic view of IT risk management and a culture of enterprise IT governance. And this tone should be set by the top management — the CEO. Do you foresee a redefining of ‘privacy’ when more secure IT products come into vogue? Terrorists and hackers play a ‘catch me if you can’ game. With more secure IT products, more vulnerability will be discovered and more and more hackers/terrorists will exploit those vulnerabilities. There is nothing like totally secure IT products. There is only an acceptable level of security in products and solutions. Privacy will become a major concern with the increasing use of the Internet, mobile phones and PDAs, as information about anything travels at the speed of thought. Profiling an individual using data from the Internet will become very easy, and more and more privacy violations, identity theft and cyber crime incidents will occur very soon. With millions of people jobless in a recessionary economic

situation, cyber crime is bound to increase. There is no magic bullet. Companies should use data protection technologies such as full disk encryption, two-factor authentication, secure login and deep defence technologies. The emphasis should be on holistic IT security products/solutions for the protection of enterprises’ IT assets. What can be the early-warning signs of potential problems (from a security standpoint) that the CIOs must investigate/escalate? Let us go back to the ‘Westerman and Hunter’ model discussed earlier. Early warning of availability risks may come out of usage of many different types of technology, tools, ineffective patch/upgrade management, legacy platforms, poor back-up recovery/business continuity, lack of IT skills and poor understanding of business processes and applications. Early warning of access risks will include the lack of authentication and authorisation protocols, lack of data protection and lack of inherent, detective and preventive controls in applications. Early warning signs of accuracy and integrity risks can be sensed from the lack of application controls, configuration issues in ERP, SCM, CRM systems and unharmonised data. Early warning of agility risks can be sensed from complex IT infrastructure with multiple vendor products, ERP legacy systems and lack of standardisation, badly managed projects and infrastructure. The CIO will definitely need guidance and support of a certified information systems auditor and an IT security professional, to take a deep dive into these risk areas and craft a comprehensive IT governance solution. http://www.thehindubusinessline.com/ew/2008/12/15/stories/2008121550190400.htm [email protected]