PSEB Pakistan Software Export Board
Company Certification
INFORMATION SECURITY

Why Information Security

There is a need to establish a comprehensive Information Security Management System within all major IT companies of Pakistan, since in modern business they must ensure the confidentiality, integrity, and availability of both vital corporate information and customer information. The standard for Information Security Management Systems (ISMS), ISO 27001, has fast become one of the world's established best-selling standards, and hence it is the right time to launch a project to assist IT companies in adopting it. Pakistan's IT industry has seen a recent upsurge, and many companies are now working with blue-chip companies of the world. Recent scams in which client information was traded illegally by mid-level office staff of certain companies (not Pakistani companies) have highlighted the need for strong information security processes around the globe. As a result of these scams, most foreign companies and organizations have now started to check the information security arrangements at their client companies before outsourcing any business to them. Implementing this standard in the country's IT industry would surely raise the credibility of Pakistan's IT sector.

What is an Information Security Management System

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems. It ensures business continuity, minimizes business damage through the management of information security risks and maximizes business opportunities.

What is ISO 27001

ISO 27001 is a specification for the management of Information Security. It is applicable to all sectors of industry and commerce and not confined to information held on computers. It addresses the security of information in whatever form it is held.

The information may be printed or written on paper, stored electronically, transmitted by post or email, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, ISO 27001 helps an organization ensure it is always appropriately protected.
Information security can be characterized as the preservation of:
  • Confidentiality: ensuring that access to information is appropriately authorized
  • Integrity: safeguarding the accuracy and completeness of information and processing methods
  • Availability: ensuring that authorized users have access to information when they need it

ISO 27001 contains a number of control objectives and controls. These include:
  • Security policy
  • Organizational security
  • Asset classification and control
  • Personnel security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • System development and maintenance
  • Business continuity management
  • Compliance

What is required to Implement ISO 27001

Developing an Information Security Management System (ISMS) that satisfies the requirements of ISO 27001 involves three steps:

  1. Creation of a management framework for information security. This sets the direction, aims, and objectives of information security and defines a policy which has management commitment.
  2. Identification and assessment of security risks. Security requirements are identified by a methodical assessment of security risks. The results of this assessment will help guide and determine the appropriate management action and priorities for managing information security risks.
  3. Selection and implementation of controls. Once security requirements have been identified, controls should be selected and implemented. The controls need to ensure that risks are reduced to an acceptable level and meet an organization's specific security objectives. Controls can be in the form of policies, practices, procedures, organizational structures and software functions. They will vary from organization to organization. Expenditure on controls needs to be balanced against the business harm likely to result from security failures.

Adopting ISO 27001 cannot make an organization immune from security breaches but it will make them less likely and reduce the consequential cost and disruption if they do occur.

Benefits of ISO 27001
  1. Demonstrates that you have addressed, implemented and controlled the security of your information.
  2. Reassures customers, employees, trading partners and stakeholders that your management information and systems are secure.
  3. Demonstrates credibility and trust.
  4. Can lead to cost savings. Even a single information security breach can involve significant costs.
  5. Establishes that relevant laws and regulations are being met.
  6. Ensures that a commitment to Information Security exists at all levels throughout an organization.

The Project

The project was originally aimed at assisting 5 companies in achieving ISO 27001, but due to huge demand from the IT industry, PSEB is in the process of extending it to 10 companies. PSEB is funding 80% of the cost of achieving ISO 27001 on behalf of the companies and is providing them with technical assistance through its panel of consultants. The IT companies selected for PSEB assistance are as follows:
  1. NetSol Technologies (Pvt.) Ltd.
  2. Ikonami (Pvt.) Ltd.
  3. Systems (Pvt.) Ltd.
  4. Innovative (Pvt.) Ltd.
  5. Digital Processing Systems, INC.
The ISO 27001 consultancy companies on PSEB’s panel are as follows:
  1. NetSol Consulting (Pvt.) Ltd. / IT Butler e-Services (Dubai)
  2. Quality Assurance Institute, Middle East, Africa and Pakistan
  3. Quality Management Systems 9000
The consultancy cost per company is around 1.5M, while the audit cost will be determined upon selection of ISO 27001 audit bodies.

In addition to this, PSEB is planning to train 100 ISO 27001 lead implementers and 20 Lead Auditors.

For any queries, please contact:

Mr. Kashif Amin
Head of Projects
Pakistan Software Export Board (G) Limited
2nd Floor Evacuee Trust Complex
F-5, Aga Khan Road
Islamabad - 44000
Telephone: 92-51-9204074, Extension 113
Fax: 92-51-9204075
E-mail: kamin@pseb.org.pk

©1995-2008 Pakistan Software Export Board. All rights reserved.