Let's Build a Responsible Cyber Society


Reorienting Information Security Infrastructure

by

Naavi

Article published in Infosecuritymagz.com, June 2007


Risk Management, in the context of corporate business, is the art and science of identifying the factors that can have an adverse impact on the business and taking steps to reduce, and ideally eliminate, the losses that may arise if any of those risks materializes.

In the context of “Information Security Risk Management” (ISRM), success in any organization lies in properly identifying the risks of loss to the organization arising out of its use of IT, followed by proper administration of the risk mitigation programme.

Any residual risk that materializes after the ISRM plan has been implemented is to be treated as an “Accident” and is the subject matter of “Information Insurance”.

At present most Information Security managers consider that the boundaries of IS lie in managing good “Information Access Control” and implementing the best Disaster Recovery Plan (DRP), complemented by a Business Continuity Plan (BCP). The end objective of this DRP-BCP approach to Information Security is that whenever information security is breached, the lost information is restored quickly without the continuity of business being disrupted.

This approach is increasingly being found inadequate, as indicated by some recent security breach incidents in which the Information Owners have been left with residual liabilities arising out of the breach despite near real-time restoration of the information lost, or even when no information was lost at all.

To understand this new dimension of ISRM, let us consider the following incident.

An employee of Company A is being interviewed for a software developer’s position by an HR Manager of Company B, a competing firm, in the presence of some members of the software development team. In the course of the interview, the HR Manager asks probing questions about the details of the software developed by the employee in his current employment. The interviewee, in his anxiety to get the new job, reveals the finer details of the software, supplemented with a PowerPoint presentation containing some critical source code elements. The information is taken note of by the technical team and used to upgrade its own software, to the competitive disadvantage of Company A. When its investigators discover the leakage of the source code information, Company A files a complaint with the Police under Section 66 of the Information Technology Act 2000 against Company B and its team of officials, including the CEO, the HR Manager and the technical members present at the interview. A claim for damages under Section 43 of the Information Technology Act is also filed with the adjudicator against the company and the executives for a sum of Rs 100 lakhs.

In this incident, Company A has suffered a security breach and a loss of its IPR despite its ISRM efforts. Company B is also exposed, both to payment of damages and to the arrest of its key executives. In a way it is a security risk for them too.

In the real incident of this type, which occurred in Chennai a few years back, the employee had actually taken a CD containing the source code out of the premises of his company, joined the second company, working in Bangalore, and implemented the software using the CD he had brought with him. The erring employee was arrested, and the company which hired him entered into an out-of-court settlement with the first company, agreeing to withdraw from the competing business to escape prosecution.

It is in incidents such as these that the shortcomings of “Technical Security Measures” such as Firewalls and IDS show up. DRP and BCP are also not very relevant in such cases, since no data has been lost.

Now let us discuss what lesson this incident holds for the IS Manager, and what other IS Managers should do to mitigate similar risks.

It is to be understood that any security breach will affect an organization at two levels. The first level is the loss of data, which is countered by the technical security measures and the DRP-BCP infrastructure.

At the second level, the organization faces:

a) a liability arising out of the breach, which may be financial or criminal;

b) a right arising out of the breach to sue for damages.

A total ISRM scheme should therefore ensure that the organization preserves both its ability to defend against liability arising on itself and its right to sue for damages.

These can be referred to as:

a) Defensive Legal Protection (DLP)

b) Offensive Legal Remedy (OLR)

A security plan that includes this DLP-OLR approach is what can be called a “Techno Legal Information Security Plan”, and it is superior to the currently used DRP-BCP approach.

An organization can migrate from its current IS system to the more robust Techno Legal Information Security system by incorporating a “Cyber Law Compliance Programme” over and above its current security programme. This requires a Cyber Law Compliance audit to identify the Cyber Law related risks to the organization, followed by implementation of the risk mitigation plans.

The transformation from the Technical Security approach to the Techno-Legal security approach is the need of the hour in the IT industry, and its impact can be reviewed briefly with reference to the security breach incident cited above.

If Company A had implemented the Cyber Law Compliance programme, its HR Manager would have been “Aware” that probing an interviewee beyond reasonable limits is mining for the corporate secrets of a competitor, which can be interpreted as “inciting the employee to commit an offence”. The “Recruitment Policy” of the organization would have stated that “During the interview process, the Interviewer shall not put the candidate under pressure forcing him to reveal corporate secrets”. Sometimes, “A secret possessed is as much a danger to the possessor as it is to the revealer”, and this applies to the present situation.

Additionally, Company A would follow other Cyber Law Compliance precautions before using intellectual property carried by an employee coming from a rival organization, so that it does not lay itself open to the accusation of having engineered the IPR theft.

From Company B’s point of view, the Cyber Law Compliance measures aimed at providing legal remedies would include:

a) creating awareness amongst its employees about the risk of IPR loss during job switches or otherwise;

b) enabling the collection of judicially admissible evidence in case of a security breach of the type mentioned.

It is important to mention here that in the real case, the company from which the IPR was lost lacked proper evidence to prove its case in a Court of law, and some of the evidence had been lost due to the lack of security awareness amongst other staff who were not directly involved in the breach.

As one can easily make out, the starting point of Cyber Law Compliance in any organization, whether it is the victim or the beneficiary of a security breach, is the level of “Employee Awareness” of the risks arising to the organization and to themselves under the laws applicable to their working environment. Out of such awareness arise the “Risk Mitigation Efforts”, which in turn require “Risk Mitigation Tools”. It is for this reason that some of the progressive BPOs in Chennai have made it mandatory that all their employees are made aware of Cyber Law related risks as part of the induction programme, and a few IT companies are also eyeing the market for Cyber Law Compliance tools and services.

Once an organization has covered its identifiable risks, the residual risks arising out of “Accidents” beyond its control become amenable to insurance coverage. The insurance companies (if there are any) will agree to cover the cyber law related risks provided the organization satisfies them that reasonable Cyber Law Compliance measures have been taken. They may fix their risk premium based on their assessment of the efficacy of the Cyber Law Compliance measures instituted by the organization. The proof of such measures would be revealed in the Cyber Law Compliance Audits that organizations need to conduct. Even when an insurance claim is made, it may be necessary for experienced Cyber Law Compliance auditors to revisit the company and make an “Assessment of the Cyber Law Compliance measures”, which will determine whether the insurance holds or not.

A proper reading of the ISO 27001 document also indicates that a proper ISO audit will require such a Cyber Law Compliance Audit. However, the leading ISO auditors operating in the country at present have inadequate exposure to the identification and mitigation of Cyber Law Related Risks, and hence they need to team up with Cyber Law Experts to bundle Cyber Law Compliance Audits as part of the ISO 27001 audit.

Thus, in the coming days, Cyber Law Experts are likely to play a key role in Information Security, as all IT operators have to migrate their Information Security Infrastructure from a DRP-BCP orientation to a DLP-OLR orientation.


Na.Vijayashankar

(Naavi)