• 05Jun

    The IT Service Management standard, ISO/IEC 20000-1:2005, is in the process of being updated. Dr. Jenny Dugmore’s recent blog on the ITP Report gives a first-hand account of the progress being made.

    Dr. Dugmore refers to the results of a survey of the ITSM industry requesting input on changes and challenges to the current standard. It is exciting to see that the input of the folks in the trenches can effect change. It is also pleasing to see that integration with other ISO standards such as ISO/IEC 9001:2000 and ISO/IEC 27001-1:2005 is being seriously discussed and that actions are being taken to find more common ground. As Dr. Dugmore puts it: “We believe that knowing what the IT service management industry wants is hugely important. When planning what we do to the current editions of ISO/IEC 20000 series we should have a clear view of what is needed (and wanted), not what we decide is a good idea.”

  • 29May

    W. Edwards Deming, a leading force in introducing quality-driven processes into organizations, used to run an exercise called the Red Bead Exercise to demonstrate the stability of predictive systems in organizations and how they can sometimes limit innovation. Recently, Jay Rollins authored an article in TechRepublic’s IT Leadership newsletter pointing out that too much emphasis on standards can create a non-supportive environment within innovation-driven companies. While maintaining a stable, process-driven company can assist its efforts to comply with business continuity standards, information security standards and IT service delivery standards, Mr. Rollins does a nice job in this article of reminding us to stay focused on the important balance between delivering a stable computing environment and the level of innovation that so many companies need today to compete in global markets.

    The lesson Mr. Rollins says he draws from the “Red Bead Exercise” is not to be too strict with “foreign” software tools or hardware. Do you agree with his position?


  • 22Dec

    HERE’S AN OPINION FROM ASIA MARKETS: India, the emerging economic superpower, is waking up to certain hard realities, observes Jagan Nathan Vaman, CEO, Secude Solutions India Private Ltd (www.secude.in).

    Indian enterprises will increasingly become soft targets for terrorists and cyber attacks, he sombrely adds, during the course of a recent e-mail interaction with eWorld.

    “There is a saying in Sanskrit, Heyam dhukkam anagatham — Avert the danger before it arises. Early adoption of IT (information technology) security and IT governance best practices will help guard against such threats,” advises Vaman.

    “Above all, a risk-aware culture is the key to preventing a disaster or minimising the impact of a disaster.”

    Excerpts from the interview.

    We were recently witnesses to how terrorism, equipped with the latest communications technology and firepower, could almost paralyse the economy.

    What are the counter-measures you can think of, from the perspective of an IT security professional, on a national scale?

    We deal with this in two parts, substance and form.

    Governments and enterprises that invested smartly in IT as a strategic weapon simultaneously increased the risk. This results in a ‘single point of failure’ in the IT landscape, which involves computer systems, processes and people.

    So the ‘substance’ in any countermeasure is created by a risk-aware culture, an effective IT risk governance process and substantive countermeasures for the four types of IT risk, viz. access risk, availability risk, accuracy risk and agility risk.

    The form of countermeasures can be the setting up of an IT-ATS (anti-terrorist squad) at both the national and state levels, with people trained in emergency response when a disaster strikes, which can be an attack on nuclear power stations, a large manufacturing facility, public/private property, or any other asset class.

    The important thing is that these IT-ATS units should be manned by highly tech-savvy people with the necessary equipment and resources and should probably report to the highest authority in the country, and function with complete independence.

    But everyone should adopt a risk-aware behaviour by educating IT users with risk management principles and countermeasures in case of a disaster or a terrorist attack.

    A risk-blind society that believes in looking at security as a trade-off to cost cannot defend itself effectively.

    Can you list the key attributes that any functional IT security system should possess to be really effective?

    Essentially there are four key attributes, viz. access, availability, accuracy and agility.

    Here I am quoting the ‘Westerman and Hunter’ model, which is simple and effective.

    Availability relates to the business’s ability to deliver applications reliably at acceptable performance levels.

    Access is about security and the ability of business owners to get to the information they need.

    Accuracy goes beyond data integrity to examine whether data is accurate, timely and complete, to answer questions such as whether businesses can be certain that their decisions are based on an integrated and complete picture of what’s happening.

    Agility is about having the means to respond to unexpected problems and changes in the business.

    There is a huge body of knowledge available with frameworks such as CoBIT, ITIL, COSO ERM, ISO 27001, and BS. Organisations can adopt any one of the IT security and controls frameworks based on their own needs, depending on their IT foundation, complexity of application infrastructure, geographical spread and business continuity plans.

    At the enterprise level, what are the IT security lessons to be followed up immediately? Would you suggest that any legacy systems that can’t be woven into the security framework may have to be made redundant?

    A paradoxical thing happened. Enterprise resource planning (ERP) systems such as SAP, Oracle, PeopleSoft, etc, were implemented with the central idea of throwing out legacy IT systems and having a brand-new ERP platform. In reality this never happened. The legacy systems were never retired and the ERP systems became the new legacy. So we necessarily have to include legacy in our risk map.

    To address the first part of your question:

    At the enterprise level, IT and ERP systems have become increasingly central to business success. However, many enterprises consider IT security as a discretionary budget item.

    With increasing attacks on networks and applications, IT security cannot remain a discretionary item. Cases in point are: Barings Bank — where Nick Leeson had unlimited authority to make changes in the systems, and Société Générale — where fraudulent transactions were perpetrated by Jerome Kerviel because he had access to backend systems, etc.

    All these point to simple access control and authorisation failures.

    With increased outsourcing and multi-sourcing, companies are exposed to weaknesses at different levels. IT risk incidents in a complex outsourced environment get amplified and carry much higher damage potential than they used to.

    They harm constituents inside and outside the company. That means, corporates need a multi-layered security approach to ensure business continuity and sustainability.

    In a complex spaghetti IT environment with ERP, CRM, SCM and legacy systems the focus of IT risk management should be on creating a solid risk governance process and providing the necessary budget and resources to ensure that IT governance does not end up as a ‘nice to have’ function but as a ‘need to have’ function.

    From a business continuity angle, do the present IT practices offer enough comfort to corporates?

    Are compromises quite common?

    Corporates either over-invest or under-invest in IT security/business continuity. CEOs have a high risk appetite being business guys; they naturally tend to dismiss the risk perceptions of the CIO/CISO.

    Executives who don’t understand the business implications of IT risks consider IT security as a restriction of their freedom.

    Sometimes the IT security vendors push and hard-sell ‘point security’ products instead of selling comprehensive security, which should include network, application, access and encryption security features, rather than just an anti-virus product.

    In some cases, business continuity is also looked at as an extra expense just to ensure continuous uptime and availability of systems.

    IT outsourcing vendors sometimes over-sell business continuity.

    I know of a large auto component manufacturer who signed a major business continuity contract that included ‘30 minutes recovery’ time.

    Now, you see, a ‘30-minute recovery time’ is critically important for a bank and not for an auto component company.

    What you need is a holistic view of IT risk management and a culture of enterprise IT governance.

    And this tone should be set by the top management — the CEO.


    Do you foresee a redefining of ‘privacy’ when more secure IT products come into vogue?

    Terrorists and hackers play a ‘catch me if you can’ game. With more secure IT products, more vulnerability will be discovered and more and more hackers/terrorists will exploit those vulnerabilities.

    There is nothing like totally secure IT products. There is only an acceptable level of security in products and solutions.

    Privacy will become a major concern with the increasing use of the Internet, mobile phones and PDAs, as information about anything travels at the speed of thought.

    Profiling an individual using data from the Internet will become very easy, and more and more privacy violations, identity theft and cyber crime incidents will occur very soon. With millions of people jobless in a recessionary economic situation, cyber crime is bound to increase.

    There is no magic bullet. Companies should use data protection technologies such as full disk encryption, two-factor authentication, secure login and deep defence technologies. The emphasis should be on holistic IT security products/solutions for the protection of enterprises’ IT assets.

    What can be the early-warning signs of potential problems (from a security standpoint) that the CIOs must investigate/escalate?

    Let us go back to the ‘Westerman and Hunter’ model discussed earlier.

    Early warning of availability risks may come from the use of many different types of technology and tools, ineffective patch/upgrade management, legacy platforms, poor back-up recovery/business continuity, a lack of IT skills and a poor understanding of business processes and applications.

    Early warning of access risks will include the lack of authentication and authorisation protocols, lack of data protection and lack of inherent, detective and preventive controls in applications.

    Early warning signs of accuracy and integrity risks can be sensed from the lack of application controls, configuration issues in ERP, SCM and CRM systems, and unharmonised data.

    Early warning of agility risks can be sensed from complex IT infrastructure with multiple vendor products, ERP legacy systems and lack of standardisation, badly managed projects and infrastructure.

    The CIO will definitely need guidance and support of a certified information systems auditor and an IT security professional, to take a deep dive into these risk areas and craft a comprehensive IT governance solution. 

    dmurali@thehindu.co.in