ninavu 2.2

articles by cetians

Information is one of the organisation’s most important assets.  Protection of information assets is necessary to establish and maintain trust between the organization and its customers, maintain compliance with the law, and protect the reputation of the institution.  Timely and reliable information is necessary to process transactions and customer decisions.  An organisation’s earnings and capital can be adversely affected if information becomes known to unauthorized parties, is altered, or is not available when it is needed.

Information security is the process by which an organization protects and secures the systems, media, and facilities that process and maintain information vital to its operations.  The security of the organisation’s systems and information is essential to its safety and soundness and to the privacy of customer information.  Individual organizations and their service providers must maintain effective security programs adequate for their operational complexity.  These security programs must have strong board and senior management level support, integration of security activities and controls throughout the organization’s business processes, and clear accountability for carrying out security responsibilities.

Organizations often inaccurately perceive information security as the state or condition of controls at a point in time.  Security is an ongoing process, whereby the condition of a financial institution’s controls is just one indicator of its overall security posture.  Other indicators include the ability of the institution to continually assess its posture and react appropriately in the face of rapidly changing threats, technologies, and business conditions.  An organization establishes and maintains truly effective information security when it continuously integrates processes, people, and technology to mitigate risk in accordance with its risk assessment and acceptable risk tolerance levels.  Organizations protect their information by instituting a security process that identifies risks, forms a strategy to manage the risks, implements the strategy, tests the implementation, and monitors the environment to control the risks.

SECURITY OBJECTIVES

Information security enables an organization to meet its business objectives by implementing business systems with due consideration of information technology (IT)-related risks to the organization, business and trading partners, technology service providers, and customers.  Organizations meet this goal by striving to accomplish the following objectives.

Availability—The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information.  This objective protects against intentional or accidental attempts to deny legitimate users access to information or systems.

Integrity of Data or Systems—System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.

Confidentiality of Data or Systems—Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use.

Accountability—Clear accountability involves the processes, policies, and controls necessary to trace actions to their source.  Accountability directly supports non-repudiation, deterrence, intrusion prevention, security monitoring, recovery, and legal admissibility of records.

Assurance—Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security measures work as intended.  Assurance levels are part of the system design and include availability, integrity, confidentiality, and accountability. Assurance highlights the notion that secure systems provide the intended functionality while preventing undesired actions.   

SECURITY PROCESS

The security process is the method an organization uses to implement and achieve its security objectives.  The process is designed to identify, measure, manage, and control the risks to system and data availability, integrity, and confidentiality, and to ensure accountability for system actions.  The process includes five areas that serve as the framework:

Information Security Risk Assessment—A process to identify and assess threats, vulnerabilities, attacks, probabilities of occurrence, and outcomes. 


Information Security Strategy—A plan to mitigate risk that integrates technology, policies, procedures, and training.  The plan should be reviewed and approved by the board of directors.

Security Controls Implementation—The acquisition and operation of technology, the specific assignment of duties and responsibilities to managers and staff, the deployment of risk-appropriate controls, and the assurance that management and staff understand their responsibilities and have the knowledge, skills, and motivation necessary to fulfill their duties. 

Security Monitoring—The use of various methodologies to gain assurance that risks are appropriately assessed and mitigated.  These methodologies should verify that significant controls are effective and performing as intended.

Security Process Monitoring and Updating—The process of continuously gathering and analyzing information regarding new threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls.  This information is used to update the risk assessment, strategy, and controls.  Monitoring and updating makes the process continuous instead of a one-time event.

NEED FOR IMPLEMENTING ISO 27001

No matter how secure and well protected an organisation appears to be, sensitive information can be leaked without you even realising it until it’s too late.  All information, whether on electronic media, on paper or in the heads of those you employ, is at risk from any number of real threats.  Information security is no longer just an issue for IT managers – a single breach of information security could cost your company hard-earned profits whilst doing irreparable damage to your image and reputation.  Your capacity to trade profitably depends on your ability to manage this risk effectively.  As the number of reported information security breaches consistently increases, the need to create a management framework for information security intensifies.  ISO 27001:2005 provides a well-proven framework to initiate, implement, maintain and manage information security within any organisation.

FEATURES OF ISO/IEC 27001:2005
Due to the all-encompassing nature of ISO/IEC 27001:2005, there are eleven control areas that need attention in order to be certified to it.

  • Security policy – A document to demonstrate management support and commitment to the Information Security Management System process.
  • Communications and operations management – Optimise your communication to facilitate smooth operation of the Information Security Management System.
  • Security organisation – An established management framework to initiate and control the implementation of information security within your organisation and to manage ongoing information security provision.
  • Access control – Network management to ensure that only those with the appropriate responsibility have access to information in the networks and the protection of the supporting infrastructure.
  • Asset classification and control – A comprehensive inventory of assets with responsibility assigned to ensure that effective security protection is maintained.
  • Systems development and maintenance – Ensuring that IT projects and support activities are conducted in a secure manner through data control and encryption where necessary.
  • Personnel security – Well defined job descriptions for all staff outlining security roles and responsibilities. 
  • Business continuity management – A managed process for developing and maintaining business contingency plans which protect critical business processes from major disasters or failures.
  • Physical and environmental security – A clear and concise definition of the security requirements for your premises and the people within them.
  • Compliance – A demonstration to clients, employees and the authorities of your commitment to meet statutory or regulatory information security requirements.
  • Incident management – To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
SPECTRUM

Spectrum is a leading end-to-end IT Services and Information Security Consulting Company based in the Dubai Internet City. It caters to a cross section of industries and sectors across the Middle East, the Sub-continent and Africa.  Their services are currently extended to the end-user community directly, as well as through a network of partners, who avail of their expertise.

Spectrum has a wide diversity of product offerings, which can be summed up into these three core segments:

High-end network services – design, audit, troubleshooting and optimization of heterogeneous and complex networks, IT security audits, vulnerability assessment and penetration testing.

Knowledge transfer services – Spectrum is the authorized and exclusive training center for several products including Microsoft security, Juniper, Foundry, Kaspersky, etc.  It also has US$1M+ state-of-the-art laboratories in Dubai Internet City and Riyadh, KSA, where it can simulate and provide proof-of-concept solutions.  It also provides courses from EC-Council, including CEH (Certified Ethical Hacker).

Management systems consulting – full-blown consultancy or specific key activities for information security (ISO 27001), business continuity (BS 25999), IT service management, quality, environment, health and safety, risk assessments and others.

Within a short span of four years, Spectrum has established an impressive list of customers globally.  These include government, banking, financial services and insurance, defense, telecoms, ISPs, software companies, logistics, airlines, retail, BPOs, etc.  Middle East customers include Etisalat, Emirates Airlines, Saudi Telecom, Ericsson, Dubai International Financial Center (DIFC), SABIC, Riyadh Bank, ADNOC, Ministry of Interior – NIC (KSA), HSBC, Dubai Holdings and Mubadala Investments, to name a few.