MODELING AN INFORMATION SECURITY ROADMAP FOR CORPORATE NIGERIA


An information security roadmap refers to the protection and safeguarding of data to guarantee its confidentiality, integrity and availability. Automated tools alone are not enough; other factors must also be considered: the institution of policies and procedures, the employment of highly skilled staff, security awareness through training and seminars, regular risk assessments, management commitment, and legal requirements.


In Nigeria, there is increasing attention on the effectiveness of the information security roadmaps currently used by businesses. This has been brought about by the rising number of organized criminal groups breaking into organizations' data environments.


This has prompted a wave of legislation that mandates information security measures. Although such legislation has so far been enacted in only one country (the United States, whose Gramm-Leach-Bliley Act is discussed below), it may also have a worldwide impact, because some of the organizations whose networks have been breached are multinational corporations.


The Gramm-Leach-Bliley Act of 1999 sets requirements for an adequate and effective security program. The Board of Directors must approve and oversee the overall security program. Risks must be accurately identified and assessed, and both internal and external threats must be included in the risk identification. In the risk assessment, consider the likelihood that a breach could occur and the possible damage or effect on the organization and/or its customers. Evaluate also how the existing processes and policies address those risks.


Identified risks must be controlled and managed. Recommended measures include data encryption, intrusion detection, background checks for employees, and incident response programs. Service providers must also be supervised to ensure that their security measures are functioning well, so as to reduce the risks arising from external parties.


Staff who are in any way involved in implementing information security measures, and those who handle the data being protected, must be given adequate training so that they will recognize a threat when they see one and respond to it accordingly.


The security measures implemented must be tested, checked and reviewed regularly. It is strongly recommended that this testing, checking and reviewing be carried out by an independent third party, one not related or connected in any way to the people who developed and currently maintain the program.


The program must be flexible enough to be adjusted or modified in line with the ever changing demands of the company and the business environment. Above all, the Board should retain oversight throughout.


Based on surveys performed by the National High Tech Crime Unit, [i] the following were identified as the top security threats: virus attacks, theft of confidential information, internal staff abusing internet access, theft of computer equipment, unauthorized web site modification, unauthorized access to systems, system sabotage, financial fraud through deception, and denial of service attacks.


As an example, the cleanup cost of the Sasser worm ran into hundreds of millions of dollars, comparable to the cost of repairing the damage caused by a major natural disaster.


As a first step, businesses should follow the guidelines set by the industry standard for information security. The next step is to obtain ISO 27001 certification.


ISO 27001 specifies the requirements for an information security management system (ISMS); its Annex A control objectives, elaborated in the companion code of practice ISO 27002, cover a wide range of security issues. These include security policy, organization of information security, asset management, human resources (personnel) security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management, and compliance.


In Nigeria, electronic commerce is emerging as a tool for business transactions. Organizations that deal in financial services, such as banks, must see to it that they implement a sound information security roadmap and reap its benefits.


It is suggested that Nigeria's draft cybercrime and information security laws should make risk assessments compulsory for financial companies that offer internet-based services.


Nigeria should enact legislation that makes it compulsory for businesses to implement an information security roadmap commensurate with the scale of the risks involved. This would also align Nigeria with global legislative standards.


[i] www.nigerianmuse.com



Credit: ivythesis.typepad.com

