Cyber Security - Need for a Structured Approach

By Naavi

Cyber Security is a complex process which involves three dissimilar
factors:
a) Technology
b) Law
c) Human Behaviour

The technology aspect of cyber security revolves around technical tools
for access management, Firewall systems, Intrusion Detection systems,
Disaster recovery plans etc. Identification of the right technology and
tools, and source code audit, are issues that need to be tackled in
managing the technology of security.

The legal aspects of cyber security revolve around the statutory
prescriptions of what should be the security in a given situation and what
would be the consequences of not providing the same. This basically
manifests in vicarious liability on system owners for security breaches
that include external cyber crime threats and internal employee frauds.

The third aspect of Cyber security is the management of the human factors
involved. This revolves around what makes an IT user adopt or reject the
security prescriptions: what motivates him towards better security
orientation, how to handle non-compliance in an organization without HR
fallout, how to involve different functional departments in the
implementation programme etc.

Implementation of Cyber Security was initially the responsibility of the IT
team which provided the facilitation of technology in any functional task.
It was more a reflection of “Quality” than a means of protection against
“Threats”. The initial approach of technologists was not oriented towards
building systems to meet targeted attacks. But today this has become
necessary.

As a result, frequent reviews of technical security in the light of global
incidents reported become necessary. Such reviews may throw up upgradation
of security requirements which need enterprise-level action.

Laws keep expanding and changing. New Court rulings change corporate
responsibilities. Changes in technology affect the implementation and
interpretation of laws. All these dynamic changes need to be closely
monitored and adequately addressed.

The human aspect of the security dimension is even more dynamic than the
technology and law. People behave differently at different points of time
for the same stimulus. Corporate responses to HR aspects of security
therefore depend on an accurate reading of the likely behavioural responses
of people to a given security prescription and strategizing how the
targeted behaviour can be achieved.

Successful management of these complex processes cannot be effectively
achieved by an ad hoc process. There is a need to adopt a “Structured”
approach which is developed after thorough research, and which is flexible
enough to move with the times and innovative enough to meet the dynamic
changes in requirement.

Some of the “Security Audit” prescriptions try to address these issues.
However, over a period of time each security audit prescription tends to
become too rigid, and until an official review of the prescriptions is made
the system will run in a sub-optimal manner.

For an organization, effective security is more important than which
standard is followed. The standard itself is ideally a moving standard
which the organization itself can fathom.

The IT industry in India can study the Indian Information Security
prescriptions such as IISF 309 and the Theory of IS Motivation based on
Security Pentagon model and design their security information processes for
better effectiveness of IS management.

Naavi
October 9, 2009
Comments are Welcome at naavi@vsnl.com