Let's Build a Responsible Cyber Society

Cyber Security - Need for a Structured Approach

By Naavi

Cyber Security is a complex process that involves three dissimilar factors:

a) Technology

b) Law

c) Human Behaviour

The technology aspect of cyber security revolves around technical tools for access management, firewall systems, intrusion detection systems, disaster recovery plans, etc. Identifying the right technology and tools, and auditing source code, are issues that need to be tackled in managing the technology of security.

The legal aspects of cyber security revolve around the statutory prescriptions of what the security should be in a given situation and what the consequences of not providing it would be. This basically manifests as vicarious liability on system owners for security breaches, which include external cyber crime threats and internal employee frauds.

The third aspect of Cyber Security is the management of the human factors involved. This revolves around what makes an IT user adopt or reject the security prescriptions: what motivates him towards a better security orientation, how to handle non-compliance in an organization without HR fallout, how to involve different functional departments in the implementation programme, etc.

Implementation of Cyber Security was initially the responsibility of the IT team, which facilitated the use of technology in any functional task. It was more a reflection of “Quality” than a means of protection against “Threats”. The initial approach of technologists was not oriented towards building systems to meet targeted attacks. But today this has become necessary.

As a result, frequent reviews of technical security in the light of reported global incidents become necessary. Such reviews may throw up upgraded security requirements which need enterprise-level action.

Laws keep expanding and changing. New Court rulings change corporate responsibilities. Changes in technology affect the implementation and interpretation of laws. All these dynamic changes need to be closely monitored and adequately addressed.

The human aspect of the security dimension is even more dynamic than technology and law. People behave differently at different points of time for the same stimulus. Corporate responses to HR aspects of security therefore depend on an accurate reading of the likely behavioural responses of people to a given security prescription and on strategizing how the targeted behaviour can be achieved.

Successful management of these complex processes cannot be effectively achieved by an ad hoc process. There is a need to adopt a “Structured” approach, developed after thorough research, that is flexible enough to move with the times and innovative enough to meet the dynamic changes in requirements.

Some of the “Security Audit” prescriptions try to address these issues. However, over a period of time each security audit prescription tends to become too rigid, and until an official review of the prescriptions is made the system will run in a sub-optimal manner.

For an organization, effective security is more important than which standard is followed. The standard itself is ideally a moving standard which the organization itself can fathom.

The IT industry in India can study the Indian Information Security prescriptions such as IISF 309 and the Theory of IS Motivation based on the Security Pentagon model and design their security information processes for better effectiveness of IS management.

Naavi

October 9, 2009

Comments are welcome at naavi@vsnl.com


 
