Information Security Manager

Introduction

Information security is one of the most important topics in business today. With the growing use of Information Technology in day-to-day life and increasing competition, every business strives to keep its assets and intellectual property secure. People expect to be always connected, with a constant flow of information in all directions, and they expect technology to let them do things that would otherwise be inconvenient. While this is a great development, it also exposes businesses to threats such as being hacked or losing confidential information through phishing and similar attacks.

Information Security Technology has grown manifold in the past few years. Information security has become a topic of national and political interest and many countries are implementing legislation around information security. Information security officers are in high demand and command very good pay packages – making it a lucrative career option.

1. Why is Information Security important? Is it something optional?

Every business wants to conduct its business securely. Conducting business securely means protecting intellectual property, providing a secure working environment for employees and ensuring, through signed non-disclosure agreements, that partners do not divulge any information they may have access to.

Now, all businesses rely on IT to varying extents, so business security must extend to IT as well. In ITIL®, the goal of the Information Security Management (ISM) process is to align IT security with business security and to ensure that information security is managed in all service and service management activities. In modern businesses, ISM is an important part of corporate governance and therefore has strategic importance. As a result, all ISM objectives are aligned with the business objectives and vice versa, and the management of information security risks is overseen by the company leadership. Although we are exploring ISM in the context of ITIL, it is not just an IT matter; it is a key aspect of doing business. It is a must-have, not optional.

2. What are the typical security objectives of an organisation?

The following are some of the security objectives of an organization:

  • Information is available and usable when required
  • However, information should be available only to those who need it and who have the privileges to access it. In other words, confidentiality should be maintained.
  • The IT systems that provide the above information are secured, i.e. they can resist attacks
  • The IT systems should be able to prevent failures, or recover from failures should one occur. The systems should be available.
  • Information should be complete, accurate and protected against modification. If information is modified, in error or maliciously, an audit log of the modification should be available. This is referred to as the integrity of data.
  • All business transactions and information exchange between the stakeholders must be trustworthy. Communication channels must be secured.
  • Business processes define the relative priority of the confidentiality, integrity and availability aspects; the business objectives drive this.

3. What is a security framework? Who defines this?

A security framework is an essential component of the Information Security Management (ISM) process and will generally consist of the following:

  • An overarching Information Security policy
  • Specific security policies that derive from the above but are more specific to strategies, controls and regulation
  • A set of security controls to support the above policies
  • The Information Security Management System (ISMS), which contains the standards, guidelines and procedures for managing the above
  • A security strategy, closely interlinked with the business objectives
  • A security organization, with roles, responsibilities and the people assigned to them
  • A repository of the security risks and how these will be managed
  • A communications plan for how security topics are disseminated in the organization, including training and awareness sessions
  • Finally, a monitoring framework to keep tabs on the status of compliance and the effectiveness of the security controls and the communications plan

Providing a security framework is the responsibility of executive management. They hold final accountability for protecting the organization's information. Once the policy is framed, the security organization is tasked with ensuring compliance and becomes the 'guardian' of the policy.

4. Have you heard of ISMS? Can you tell more about it?

ISMS is an acronym for Information Security Management System. The ISMS will contain the standards and guidelines that support the information security policies. The ISMS also provides the procedures on how these will be managed.

As a management system, the ISMS is a continuous cycle of planning, implementing, evaluating and maintaining the standards and guidelines.

As part of the planning process, the Service Level Agreements (SLA), Operational Level Agreements (OLA) and Underpinning Contracts must reference the security policy of the organisation wherever applicable.

As a first step of implementation, security awareness must be created within the organization. Security must be implemented for staff, networks, applications and end-user computing devices. All assets must be registered and classified according to their sensitivity, and access to them must be controlled and monitored. Any breaches, i.e. security incidents, must be reported and dealt with as per the procedures laid down in the ISMS.

The next step, evaluation, is realized by conducting internal and external audits and self-assessments, and by performing causal analysis of security incidents.

Lessons learned at every stage of this continuous cycle must be used to maintain the ISMS and to plan for more effective upholding of the security policy. These should be reported back to the stakeholders.

5. Do you have an Information Security Officer? What are his duties?

An Information Security Officer is referred to as an Information Security Manager in ITIL terminology. The main duties or responsibilities of this role are as follows:

  • Assist in developing and subsequently maintaining the Information Security Policy
  • Create information security awareness in the organization through appropriate means, including training of personnel
  • Classify the configuration items (CI) in terms of the levels of protection and control they require
  • Perform risk management activities, such as identifying potential security risks and creating mitigation and contingency plans
  • Manage all security breaches by taking remedial action
  • Analyse security breaches and create an improvement plan to reduce the volume of such incidents in the future
  • Participate in the change management process by performing the security impact analysis of changes and providing estimates for any information security related changes
  • Perform self-assessment security tests and conduct internal and external security audits
  • Uphold the security clauses in the Service Level Agreements and discuss any breaches or changes with the customer
  • Uphold the security clauses in the Operational Level Agreements and discuss any breaches or changes with the suppliers
  • Keep executive management informed about the latest industry developments in information security

6. You have joined a new company as an Information Security Officer. You realize that assets are not classified. What would you do next?

As the Information Security Officer, my first step would be to understand the configuration items (CI) and how they are maintained in the organization, i.e. the configuration management database (CMDB). With an up-to-date CMDB in place, the next step is to organise the information assets according to the ISO 27001 classification levels that directly apply in the ITIL context: Confidential (only senior management have access); Restricted (most employees have access, likely on a 'need to know' basis); Internal (all employees have access) and Public (everyone has access).

Depending on the nature of the business, other levels may need to be created. For example, in a medical institution doctors may have access to patient information but not necessarily to the hospital's finances, while top management may not have access to patient records. These levels must be discussed and agreed with executive management, and must be in line with the business objectives and the information security policy.

Classification of the information provides buckets into which assets are logically arranged. The next step is to design the exceptions and the approval mechanisms for those exceptions. Once this is done, access rights must be granted as per the information security policy.

In a business, new information assets are created regularly. Therefore, the next step is to educate the creators of the assets on how newly created assets must be classified. This is achieved through training.

Once the above setup is complete, self-assessments and audits must be scheduled regularly to check compliance with the classification policy; usually these will be part of the wider security audits.

7. Have you heard about the GDPR? Can you give some details?

GDPR is an acronym for General Data Protection Regulation and is hailed as the toughest privacy and security law in the world. It came into force on 25 May 2018 in the European Union (EU). However, this law imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU; e.g. if you are an Indian IT company doing a project that involves data related to people in the EU, you become accountable for compliance!

There are 6 principles of GDPR and a final accountability principle, making it a total of 7 principles:

  1. Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
  2. Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
  3. Data minimization — You should collect and process only as much data as necessary for the purposes specified.
  4. Accuracy — You must keep personal data accurate and up to date.
  5. Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
  6. Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  7. Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all these principles.

An organization that violates the GDPR faces substantial financial penalties. First, the data subjects are entitled to compensation for damages resulting from the breach. Secondly, the data protection regulator in each EU country can impose a fine of up to 20 million euros or 4% of the organization's global annual revenue in the previous financial year, whichever is higher. The amount varies with the severity of the breach.

Please visit the GDPR website for more details: https://gdpr.eu/what-is-gdpr/

8. Let me give you three keywords: 'Information Security', 'data protection' and 'privacy'. Are these the same or different?

'Privacy' and 'data protection' are very close in meaning, and the usage depends on the country. For example, in the US the term 'privacy' is used in the context of the controls associated with the processing of personal data, whereas in the European Union (EU) 'data protection' means the same thing. The difference may be ascribed to the difficulty of translating the term into the multiple languages used in the EU.

However, the situation with 'data protection' versus 'information security' is different. When an IT service provider or a website says that it provides 'information security', it may mean, for example, that files are encrypted in transit so that only the sender and the recipient know the content being transmitted. But this may not protect the information related to the users themselves. For example, to send a file the sender needs to create a profile: how is the IT service provider handling the sender's information? This is where data privacy (or data protection) comes in. It is a common misconception that an IT service provider promising 'information security' is also protecting the data of the users of the system. A few years back Yahoo declared that they were hacked in 2014 (a breach of 'information security') and user data for about half a billion users was stolen (a 'privacy' breach). This shows the difference between the two terms.

Note that 'privacy' and 'data protection' always refer to personal data, whereas 'information security' is more generic and 'impersonal'.

9. What is ISO 27001?

ISO 27001 (ISO/IEC 27001:2013) is a globally recognised information security standard that specifies how an organization can build a world-class information security management system (ISMS). It helps organisations manage their information security processes in line with best practice while controlling costs. Although it relates to information technology, it is technology agnostic and applies to all organisations, big or small. This universality has resulted in the standard being widely adopted across the globe.

ISO 27001 enables organisations to achieve accredited certification from an accredited certification body following the successful completion of an audit. It supports compliance with the GDPR (General Data Protection Regulation) of the European Union.

The control domains defined by the standard are:

  • Information security policies
  • Organisation of information security
  • Human resources security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operational security
  • Communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

10. Can a customer impose an SLA related to security? Can you give some examples?

Depending on the nature of the business, the customer can always impose service level agreements (SLA) related to Information Security. Examples include, but are not limited to:

  • Restriction of physical access to the project area and server rooms
  • Onboarding of new project personnel only after Information Security training is completed and a Non-Disclosure Agreement (NDA) is signed
  • Performing a background check on project personnel and submitting the report to the customer
  • Periodic forced password resets and a strict password policy
  • Scanning of the service provider's networks and devices on an agreed schedule
  • Restrictions on the use of chat tools and mobile cameras
  • Use of a customer-provided proxy server for accessing the internet
  • Installation of monitoring software on the project computers
  • Keeping a record of all access requests
  • Use of a secure virtual private network and of devices provided exclusively by the customer

Each of the above may be audited periodically by the customer, and any breach may make the service provider liable to pay a financial penalty. The penalty amounts and the conditions under which they are imposed are usually included in the contract along with the other service level agreements, terms and conditions. With the introduction of strict security laws like the GDPR, customers are increasingly tightening the security requirements for their service providers.
