Security

January 6, 2005
Trends in information security practices

Geetanjali Wadhwa & Pradeep Chakraborty

BANGALORE AND NEW DELHI

Internet Security Systems: International best practices in information security management

Comprehensive information security management, principles-based:

  • OECD Guidelines for the Security of Information Systems and Networks (nine pervasive principles for information security on which several other guides are based)
  • GAPP - "Generally Accepted Principles and Practices for Securing Information Technology Systems", NIST SP 800-14
  • GAISP - Generally Accepted Information Security Principles (ISSA)
  • NIST SP 800-26 Security Self-Assessment Guide for Information Technology Systems

Comprehensive information security management, controls-based:

  • BS 7799 - Part 1 (Code of Practice for Information Security Management) and Part 2 (Information Security Management Systems specification), British Standards Institution
  • ISO/IEC 17799 - Information Technology - Code of Practice for Information Security Management
  • Standard of Good Practice for Information Security (Information Security Forum)
  • NIST SP 800-12 - An Introduction to Computer Security: The NIST Handbook, 1995
  • German IT Baseline Protection Manual (IT-Grundschutz, Bundesamt für Sicherheit in der Informationstechnik)

Capability maturity models

  • ISO 21827 System Security Engineering Capability Maturity Model

Management Guides

  • VISA Cardholder Information Security Program (CISP)

Sector Specific Guides

  • Basel II - The New BASEL Capital Accord - Bank for International Settlements

Legal/Regulatory/Enforcement

  • Sarbanes-Oxley Act (SOX)
  • Gramm-Leach-Bliley Act (GLBA) - The Financial Modernization Act of 1999
  • Health Insurance Portability and Accountability Act (HIPAA)

Risk Management Models

  • NIST 800-30 Risk Management Guide for Information Technology Systems
  • SEI's OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)

Comprehensive IT governance and management

  • COBIT - Control Objectives for Information and related Technology (ISACA)

NASSCOM's Trusted Sourcing initiative
NASSCOM recently launched the Trusted Sourcing initiative, which seeks to reinforce India's position as a secure and reliable technology partner. It also instituted the 4E framework to establish India as a trusted sourcing destination; the framework is intended to set a high standard of information security across the Indian outsourcing industry.

Under the Trusted Sourcing initiative, NASSCOM comprehensively researched the security framework-regulatory environment and security practices in India. The report benchmarked Indian ITeS and BPO companies with their counterparts in the US and the UK with regard to practices followed on data security, confidentiality and privacy laws.

The report segments information security into five broad categories: network security, information protection and customer privacy, physical security, personnel security, and business continuity and disaster recovery. According to the report:

  • Almost all of the Indian companies surveyed have firewalls, anti-virus at several levels, encryption, authentication and access controls, intrusion-detection systems, VPNs and similar controls.
  • All companies have strict policies against carrying mobile phones, pens, paper and the like into work areas, and control access to e-mail and the Internet.
  • Companies carry out extensive log monitoring, analysis and correlation.
  • Most companies have physical security facilities, such as security guards and fire suppression systems, in place.
  • Companies use advanced systems such as biometric access controls, depending on clients' demands.
  • Companies have confidentiality and non-disclosure agreements, background screening, and information security education and training for their employees.
  • Approximately 80 percent of the companies have documented business continuity and disaster recovery plans.
  • Most companies have plans to cover contingencies at site, city and country levels.

Mumbai Cyber Lab - MCL
To generate awareness of the cyber world and of safe practices to follow while online, NASSCOM and the Mumbai Police have created the Mumbai Cyber Lab (MCL). Its primary goal is to spread awareness of cyber-security issues and give citizens a single resource for any issues they may have. The venture is actively backed by the IT industry and by information security professionals who have volunteered their expertise to make the lab the foremost centre for information security in the country.

India-US Information Security Summit 2004
In line with NASSCOM's various initiatives to build a risk-free environment conducive to business transactions, and thereby promote a culture of information security, the Information Technology Association of America (ITAA) and NASSCOM recently hosted the first India-US Information Security Summit, titled 'India and the United States: Protecting the Critical Information Infrastructure Alliance', in New Delhi.

The summit focused on the emerging "always connected, always networked" environment and provided a platform to discuss cyber security in India; enhancing the US-India high-tech partnership in securing the information infrastructure; the cyber security view from the US and India; and information security and physical security challenges. Besides presentations and case studies, leaders from the US and Indian ICT sectors shared their experiences of how they prepared for and responded to serious security attacks. Participants from neighbouring developing nations also shared best practices and discussed international co-operation on the global challenge of information security.

Disclaimer: No content may be used from this site without the written permission of the authors, Convergence Plus, Comnet Publishers Pvt. Ltd. and Exhibitions India Pvt. Ltd. The views expressed on this site are solely those of the authors and do not reflect those of Convergence Plus, Comnet Publishers Pvt. Ltd. and Exhibitions India Pvt. Ltd.