Saturday, December 14, 2013

Maintain Online Privacy. How to do that?

One of the big issues of online activities is to maintain the right balance between information that is voluntarily shared and information that is not shared. However, there is a general agreement or baseline which tells us what is private information. This baseline would contain recommendations like: do not share your private telephone number; do not share your primary email id; etc.

This perceived privacy posture may vary from person to person. The privacy settings and features on many sites and applications are provided in an elaborate fashion these days. But these keep changing very often and it is very difficult for a user to keep track of and manage them. Therefore what one needs to do is follow three simple rules:

    Rule 1: Initially assume everything is private information.

    Rule 2: Always share or post only when required and only with the few who require it.

    Rule 3: Remove, rename or modify all information that can be traced to you, identify you or identify your activities.

This link can be used to directly access the privacy setting features of your favourite application.

Monday, October 7, 2013

Next 5 biggest Info sec challenges

In my previous post I had listed the biggest 5 challenges. The challenges listed in this post are the next five.

6.  Formulating and enforcing data classification and data destruction policies

Data discipline in terms of classification and management, which would include labelling for archiving or disposal/destruction, is still quite casual among the end users who generate documents. Though most users understand such policies for hard copies or physical documents and implement them to a large extent, they fail to do so for digital data. Duplicate and uncontrolled versions of unstructured data (e.g. Word documents) lead to quite a few embarrassing situations.

7.   Consolidation and leverage of user-initiated software systems

In a reasonably big, diverse and geographically widespread enterprise the local IT people tend to design and use their own software tools. In such cases the overall organisation requirements are not the concern; day-to-day task achievements are the goals. Consolidation and control of these tools from an ISMS point of view is often overlooked by central IT management. The local IT people also resist such attempts most of the time.

8.   Disposal of old and decommissioned IT assets

Not much thought is given to old and decommissioned systems, and they become a sore point. This happens despite having policies and regulations on the subject.

9.   Individualistic continuance of IT initiatives and their management

Continuous dependence on such individuals would definitely lead to security issues in future. Processes should be developed for managing these systems and, after giving due credit, such individuals should be moved away from these projects.

10.  IT asset ownership issues

This topic continues to be a thorn and requires resolution through regular education and awareness programs.

Saturday, September 28, 2013

5 Biggest Challenges in Information Security Management

Based on my past experiences in implementing ISMS as an Information Security Manager, I would rate the following as the biggest five challenges:

1.  Attitude or the prevailing culture:
The responsibility of implementing and ensuring security automatically qualifies one as "not so friendly" towards computerisation and IT services. The top management (C-level) want you to implement and drive the policies and strategies, but general employees, who are the end users of the various IT assets, want minimum barriers and maximum convenience.

You end up sandwiched between the two, with both parties disliking you because you are not listening to them. It takes time and considerable effort to change attitude and culture for better cyber security health, although it is worth the effort. Surmounting such attitudes and changing the culture is the biggest challenge.

2. Technology as a solution:
Not every medical problem has a medicine. Even if medicines are available, they may not cure you completely. Nor can you rule out the side effects of the medicines, though advances are being made every day.

Similarly, technology alone is not a complete security solution. Just the other day we heard of Google being affected by simultaneous failures of redundant network paths.
The ultimate success and efficacy of any security program will always come from people, procedures and processes in conjunction with technology.

Most management and end users still perceive technology and products as the magic bullet. Breaking this myth is the next biggest challenge.

3. Incorrect priorities:
CIA, which stands for Confidentiality, Integrity and Availability, is not clearly understood. Every functional organisation and every department needs to understand which of the three elements is more important to it than the others. Giving equal priority to all three aspects may hamper work output and operations and would lead to unnecessary friction. Security professionals need to understand this and should advise accordingly.

4. Under Staffing:
The next biggest challenge is under staffing. Though the situation in IT per se has improved to some extent, the situation in security remains grim. Senior management needs to appreciate this and provide sufficient staff to oversee information security.

5. Skill Retention:
The last of the five challenges, in my opinion, is skill retention, or continuity of job for the lower-level information security staff who are actually responsible for translating the policies and decisions into actions. Insufficient skill and under staffing not only increase the implementation gaps but also increase the stress level of the IT security staff.