Is information security vital to your business?

By Rey V. Villacorta, Jr.

It was a weekend, and you were trying to make up for the busy nights of the past weeks. Suddenly an alarm sounded, and you discovered that it was the phone ringing. You slowly reached for the phone, only to find out that some marketing agent was offering a certain product! Believe it or not, you are not the only victim of this “hard-selling” strategy. Further, you may also be a victim of an information security breach.

Information security is the protection of crucial information from unwanted disclosure, alteration, and delay or even loss of availability to its users. Crucial information may be customers’ unpaid balances and credit terms, customer and employee personal data, business strategy, product formulas, confidential payroll, or any information that can cause a negative operational impact on the business when maliciously disclosed, modified, or lost.

Now, is information security vital to your business? Let me assist you in responding to this by going through the following questions:

• What if your entire customer listing is disclosed to your competitor? A customer listing reflects the market segment the company is serving or targeting. Your competitor can use this list to offer better service, products, or payment terms to your customers, contact them, and eventually lure them into changing suppliers or service providers.

• What if the transactions you process on behalf of your customers are altered, disclosed, or lost? Functions that involve access to data are now being outsourced to companies here in the Philippines by foreign countries as well as by local companies. Outsourcing customers expect a certain level of protection for their data, and when this is not met, the result can be lost business opportunities for both the service provider and the outsourcing customer.

• What if you are outsourcing your IT functions? Outsourcing of IT functions can give the service provider almost every kind of access to your corporate data, especially in cases where the management of your database server is being outsourced.

• What if your patients’ health records are disclosed? Health records are personal information that no patient wants disclosed to just anybody. That is why there is “doctor-patient confidentiality.” Unwanted disclosure of health records can raise questions about the professionalism and trustworthiness of a doctor or even the hospital.

• What if your anti-virus is not able to detect and protect your computers from a virus attack? Clean-up activities for a virus infection can take days or weeks, and can also mean additional cost to catch up with delayed operational activities and answer customer complaints, or even the non-submission of your very well crafted business proposal.

What are the regulators doing?

The Philippine regulators continuously support information security by formulating and issuing directions for protecting information. Just to name a few:

• Republic Act (RA) 1405 – Law on Secrecy of Bank Deposits, an act prohibiting disclosure or inquiry of bank deposits with any banking institution;

• RA 8792 – Electronic Commerce Act of 2000 or E-Commerce Law, an act for the use of electronic commercial and non-commercial transactions, which also discusses penalties for hacking;

• BSP Circular 511 – Guidelines on Technology Risk Management, which provides guidelines for banking institutions to effectively manage technology-related risks;

• BSP Circular 542 – Consumer Protection for Electronic Banking, which provides rules for protecting users of electronic banking facilities; and

• Data Protection Act of 2005, an act to protect the confidentiality of personal data.

In addition, the Payment Card Industry Council issued the Payment Card Industry Data Security Standard to help credit card facility providers and users protect credit card information.
A pro-active environment against information security threats

Having a pro-active information security environment can mitigate the effects of the information security breaches discussed earlier. This environment will assist management in preventing or detecting information security breaches on a timely basis, and in deciding on the appropriate measures to manage the possible negative effects on an organization. However, there are several challenges in creating this environment, and it never happens overnight.

One of the major challenges encountered is obtaining management and user support for information security. As our vice-chairman for Audit and Risk Advisory Services, Mr. Jorge S. Sanagustin, always says, “bad habits die hard.” Most IT users don’t support their company’s information security initiatives because these slow down their operational activities. In this case, an IT user can always raise the issue so that a better information security initiative or control can be formulated and implemented. But the sad fact is, there are corporate IT users who resist information security because it will limit their Internet access (e.g., music or video downloading and chatting with their friends). For these IT users, please bear in mind that the computers you are using are merely entrusted to you and are the property of your company. Doesn’t your company’s end-user IT security policy state that all computers should be used only for business-related purposes?

Not having an end-user IT security policy is another challenge. Most organizations opt to start creating a pro-active information security environment by undertaking any of the following: IT security diagnostics, user awareness training, risk identification and analysis, and formulation of an information security policy. User awareness training is very important in a pro-active information security environment, as users can be either the strongest or the weakest link in the information security chain.
The International Organization for Standardization issued ISO 27001 – Requirements for Information Security Management Systems and ISO 27002 – Code of Practice for Information Security Management, to assist organizations in having the framework and controls for managing information security. Upon formulation and implementation of information security controls, continuous monitoring of how the controls are put into practice (e.g., an independent information security audit) is needed to validate their effectiveness and ultimately improve the current controls of an organization or a business partner. An independent audit can be done by your internal audit function, a business partner, a reputable third-party advisor, or an ISO 27001 certification body. Applying lessons learned from the security experiences of the organization itself, as well as of other organizations, also helps in maintaining a pro-active information security environment.

I have a firewall, my information is secured!

Firewalls are intended to control traffic to and from the network. Unfortunately, there are firewalls configured to be left slightly open, allowing unauthorized access to the network. There are also anti-virus programs that are not configured to automatically update to the latest virus definitions, which leaves your computer susceptible to new virus attacks. Try right-clicking on your anti-virus icon, which is normally located at the lower right corner of your computer screen, and check the date of your virus definitions. If it says November 2006, please immediately get the latest virus definitions.

Information security is not just about technology (e.g., firewalls or anti-virus) but includes people and processes as well. Our continuous dependence on IT often makes us complacent in strengthening or updating our information security controls. We often focus on purchasing security devices and software, and put less emphasis on training our people and reviewing our processes to ensure that our information is reasonably protected.
To the executives out there, you may want to check how you protect your company’s and your customers’ information. In the future, you may not just be dealing with an unwanted phone marketer, but rather with a disappointed customer or business partner.