
Enterprise Information Security

by Suresh Kumar Guntuka, Vice President & Head - Global IT Operations, CSS Corp Pvt Ltd, April 2019

In today's technology-driven world, information security has become a major challenge for every enterprise, as recent cyber-attacks and ransomware outbreaks such as WannaCry and Petya have caused huge losses across the enterprise community.

Although enterprises have their own sets of controls against these attacks, in my view the following areas need to be re-examined in detail and prioritized by management:

1. People
2. Process
3. Technology

Industry findings consistently attribute a large share of information security breaches to internal stakeholders, whether through malice, negligence or simple error. Much of this comes down to a lack of security awareness among the people who make up the organization's ecosystem (employees, contractors, vendors and so on). It is the leadership team's responsibility to instil a "security first" vision and to visibly take information security breaches seriously. Sometimes a simple campaign such as a "clean desk initiative" can have a significant impact on controlling information leakage.

The second most important area is the set of processes the organization has put in place to handle information security. Although most enterprises have stringent data-handling processes, quite a few still lack adequately defined processes for handling critical information that could end up in a miscreant's hands. Well-defined processes for secure information handling, covering classification, storage, transfer and disposal, will substantially reduce the organization's security risk.

A myth prevails in many organizations that information security is solely the IT function's responsibility, discharged by implementing the latest technology tools and infrastructure. This culture needs to change to "information security is everyone's responsibility", because whatever technology you deploy, the risks that come from people and processes remain the same. Nowadays organizations are also moving towards cloud adoption to leverage the cloud provider's security controls, which are mature and adapt quickly to threats from many sources. One caveat a practitioner should keep in mind: under the cloud shared-responsibility model the provider secures the underlying platform, but the customer remains responsible for its own data, identities, access configuration and workloads, so people and process controls matter just as much in the cloud.

Although information security is everyone's responsibility, the IT function plays a crucial role in preventing breaches by implementing and enhancing controls with appropriate technology tools and infrastructure. It is always advisable to commission an organization-wide third-party security assessment, such as an audit against the ISO/IEC 27001 standard, to obtain a 360-degree view of current controls and to identify gaps that could adversely affect the organization's security posture. Most organizations adopt a multi-layered (defence-in-depth) data security approach, applying controls at the various touch points in the organization-wide security ecosystem:

• People level: defining stringent ISMS policies and procedures, and creating awareness among all stakeholders through periodic security training with a mandatory assessment test

• Physical security level: door and biometric access control, facility security surveillance, etc.

• Perimeter network security level: network firewalls and switches, Intrusion Prevention Systems (IPS), etc.

• Internal network level: web content filtering, network data leak prevention (DLP), VLAN segmentation, MAC binding, etc.

• Host level: protection of endpoints (laptops and desktops) and servers through antivirus, disk encryption, data leak prevention, privileged user access control, etc.

• Application level: role-based access and single sign-on, vulnerability assessment and penetration testing (VA/PT), code scanning, etc.