A Report of Seminar on
Information Security & Business Continuity: New Risks - New Imperatives
Held on 23rd October, 2002, New Delhi
Organised by The Associated Chambers of Commerce & Industry of India
As organizations consider new ways to exploit their IT infrastructure, they must also consider the potential negative implications of exposing their networks to viruses, hackers and disgruntled employees. However, research has suggested that awareness of information security aspects is lacking, and this is often the major contributor to a security breach. To gauge the level of awareness of business enterprises on various facets of information security, ASSOCHAM conducted a one-day seminar on "Information Security and Business Continuity, New Risks - New Imperatives" on 23 October 2002 at Assocham House, New Delhi. The tremendous growth in organizational and consumer utility of the internet, a fairly open and decentralized infrastructure, and the increasing focus on e-business within enterprises give hackers, criminals and corporate spies ever-expanding opportunities and incentives to practice their malicious activities. Therefore, in the webbed world of today, information security has become of prime importance and can no longer be neglected.

Experts on IT security from renowned InfoTech organisations were the speakers and shared their views and experiences regarding Information Security and Business Continuity Management (BCM). Mr. S.V. Ramana, Vice President, Systems Integration Division, CISCO Systems; Mr. Sanjay Dhawan, Executive Director, KPMG; Mr. Sivarama Krishnan, Senior Manager, PWC; Mr. Haridas Raigaga, Principal Consultant, ICICI Infotech; and Mr. Raghavendra Mathur, Head, IT Infrastructure, Tata Steel, took the stage and discussed various issues. Prime amongst these were: security threats to an organization in terms of IT; the job profile of the Information Security Officer within an organization; information security breaches; importance and need for business.
The seminar began at 9:30 am with the participants' registration. At 10 am the inaugural session began, in which Mr. R.K. Somany (President, ASSOCHAM) welcomed the participants and stressed the importance of the seminar in the current scenario, where information has become the lifeline of today's business organizations. The imperativeness of the theme was again recounted by Mr. Umang Das (Chairman, Communications Convergence Committee, ASSOCHAM) in his address.
The first technical session, “Importance and Need for Business Continuity Planning”, began at 10:30 am with Mr. S.V. Ramana (Vice President, Systems Integration Division, Cisco Systems). In his presentation Mr. Ramana highlighted the need for a well-drawn Business Continuity Plan. This plan, according to him, should cater for all possible threats, such as hacking, virus attacks, hoax virus attacks and premeditated internal attacks. He gave a comparative study of an organization with a well-defined BCM in place. Further, he specified that according to a recent survey report, dated May 2001, the percentages of downtime in business organizations were divided as follows:
9% due to software
32% due to hardware failure
10% due to natural disasters
Hence he stressed the need to stabilize and bring down the downtime of information systems in organizations. With regard to its dependence on computer-based information systems, Mr. Ramana said that his organization, i.e. CISCO, could close its accounts worldwide in just four hours. He outlined four phases of risk management: 1) identification of risk, 2) assessment of risk, 3) prioritization of risk, and 4) response towards the risk. At the end of his presentation he highlighted the need for proper authorization, that is, who should access what.
The second speaker in this technical session was Mr. Sanjay Dhawan (Executive Director, KPMG). He began his presentation with an outline of Business Continuity Management, which in his words means being ready no matter what. He brought forth a scenario where an organization providing a service is facing downtime and, in these times of lower brand loyalty and lower switching costs, the competitor can easily walk away with the business. Disaster recovery should therefore be in place so that the organization can drastically reduce its downtime and safeguard its business.
Mr. Dhawan then identified the need for creating a coherent structure for handling security disasters, which results in minimizing reaction times and facilitating faster resolutions, thereby reducing organizational risks. In response to a query on risk prioritization, he said that incident responses should be prioritized to ensure emergencies are appropriately dealt with. Further, he stated that after an organization has deployed technological solutions to deal with information security threats, managerial involvement and precautions also reduce the chances of security breaches, so once the risks have been identified a business enterprise needs to design and document the Business Continuity Plan (BCP).
The next speaker was Mr. Haridas Raigaga, Principal Consultant, ICICI Infotech. His presentation began with an outline of the Business Continuity Plan and business continuity risks, with references to the competition within enterprises. He then addressed the question "Why BCP?" In this context he stated reasons such as: disasters do occur, industries have to satisfy an audit concern, and customer/shareholder responsibilities. He identified the disaster types and continued with interrelated topics like the goal of BCP and employee confidence, and then highlighted the need to identify threats to information assets by doing a location study, gathering information and formulating procedures that will be followed in case of disaster. He listed business impact and risk analysis; determining recovery strategies and the cost of recovery; and the phases of the recovery process (immediate response steps, environmental restoration, functional restoration, return to normal operations) as the steps involved in BCP. Finally he stressed the importance of training the employees about BCP.
Towards the conclusion of the seminar, Mr. Raghavendra Mathur, Head, IT Infrastructure, Tata Steel, gave an insight into the Business Continuity Planning that has been implemented by his organization to take care of interruption to business and business processes in the event of disasters. He said his organization had started the BCP process by first identifying interruptions and business risks and the impact which interruptions could have on business. It then formulated a business continuity strategy aligned to business objectives and priorities. The next step was to document the business continuity plans and to test and update them regularly, so that business can continue in eventualities such as a site outage until workarounds are found. He also gave some sample events: a fire at the data center, critical server failure, electrical outage in the building, credit authorization system down, and the main supplier being unable to ship due to its own problem. He then identified sample solutions such as a recovery site in a different location, a recovery site on a different power grid, etc. He then presented data from a survey which outlined three key objectives while planning disaster recovery:
1) Recovery Point Objective: How much data can I afford to lose?
2) Network Recovery Objective: How much of the network must be restored in order to continue operations?
3) Recovery Time Objective: How long can I afford to be without IT systems?
With these outlines he wished all the modern organizations of today a successful implementation and hoped everyone would have a secure Information infrastructure for a better future.
The seminar was brought to an end by a word of thanks presented by Mr. Umang Das (Chairman, Communications Convergence Committee, ASSOCHAM), who concluded by saying that despite the increasing threats and vulnerabilities to information systems, business enterprises worldwide allocate only a meager proportion of their yearly revenues to ensuring the confidentiality and integrity of information. For this reason, he said, ASSOCHAM has conducted studies to gauge the level of awareness among Indian enterprises on various aspects related to information security and continuity planning, and this seminar was one such effort to bring into context the importance of this awareness.
With these closing remarks the Seminar came to an end.
Compiled By :
Khavar Meraj Handoo
C.E
Data Centre, J&K Bank Ltd.
New Delhi