Monday, 21 November 2011

Security Compliance: An Important aspect for organization

Introduction

Information is the most valuable asset of any organization. It belongs to the organization itself and sometimes it is public and/or government. Across the world, government and standard bodies have issued a growing number of regulations designed to ensure the triad of information security viz. confidentiality, integrity and availability of personal and corporate data. These mandates apply on a range of industries, from financial institutions to healthcare providers to utilities firms to retailers and beyond. Regulatory compliance is mandate for the organizations as well as individuals. Non-compliant of any applicable regulation can lead to legal action against the organization and/or individuals.

The specific details of these regulations are as varied as the industries they serve. However, most contain sections that require companies to secure each user’s credentials and manage all access to IT-based systems. Taken together, these individual regulatory guidelines point toward a growing consensus of what constitutes best practices in identity management and IT security.

As the organization grows there is mandatory demand of compliance but the problem faced by many organizations are identifying applicable regulations, standards and implementing them effectively. At the same time auditing the same is another concern. This white paper explores these compliance-driven best practices, how unified solutions support them, and how prioritizing their implementation makes good business sense beyond the fulfillment of compliance requirements.

Compliance Requirements

Basically, compliance means conforming to a rule, specific policy, standard or law. To run a business smoothly and for uninterrupted service delivery, organizations are required to comply with certain regulations and/or standards. Regulations have direct impact on business whereas standards do not impact business (if not adhered to) but it may cause violation of certain regulation and lead to create severe impact on business. Therefore organizations have to identify those applicable regulations and standards requirement for their business. It can be categorized as follows:

1. Commercial requirement

2. Legal requirement

Commercial Requirements:

1. Client/customer/stakeholder: requirement of control/condition for invitation to tender.

2. Marketing seen as giving a competitive edge in marketing of products/services.

3. Cash flow/profitability

Legal requirements:

1. Companies trading regulations

2. Copyright, design and patent regulations

3. Data protection requirements

4. Computer misuse

5. Regulations of investigatory powers

6. Control of proprietary software copying

7. Safeguarding organizational records

8. Statutory

9. Criminal or civil obligation

10. Commercial contracts

11. Intellectual property rights

12. Obscene publication act

13. Race relation act

Compliance affects:

1. Information assets

2. Paper documents

3. Software assets

4. Physical assets

5. People

6. Company image and reputation

7. Services

Assessment of legal and business requirement:

1. Identify value for legal and commercial requirements

2. Consider

a. How serious impact to business

i. If legal/contractual or business requirements not fulfilled

b. What consequences for

i. Assets

ii. Whole ISMS

c. How likely this is to happen

3. Results should be used to identify an appropriate value for asset

ISO 27001:2005 reference:

A.15.1 Compliance with legal requirement

Objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirement.

Risks:

1. Bomb attack

2. Communication infiltration

3. Eavesdropping

4. Illegal import/export of software

5. Illegal use of software

6. Masquerading of user identity

7. Misuse of resources

8. Network access by unauthorized person

9. Theft

10. Unauthorized use of software

11. Use of network facilities in an unauthorized way

12. Use of software in an unauthorized way

A.15.2 Compliance with security policies and standards and technical compliance

Objective: To ensure compliance of systems with organizational security policies and standards.

Risks:

1. Bomb attack

2. Communication infiltration

3. Eavesdropping

4. Failure of communication services

5. Illegal import/export of software

6. Illegal use of software

7. Malicious software (e.g. viruses, worms, Trojan horses etc.)

8. Masquerading of user identity

9. Misuse of resources

10. Network access by unauthorized person

11. Theft

12. Unauthorized use of software

13. Use of network facilities in an unauthorized way

14. Use of software in an unauthorized way

15. Willful damage

A.15.3 Information system audit considerations

Objective: To maximize the effectiveness of and minimize interference to/from the system audit process.

Risks:

1. Communication infiltration

2. Eavesdropping

3. Failure of communication services

4. Illegal import/export of software

5. Malicious software (e.g. viruses, worms, Trojan horses etc.)

6. Masquerading of user identity

7. Misuse of resources

8. Network access by unauthorized person

9. Theft

10. Unauthorized use of software

11. Use of network facilities in an unauthorized way

Purpose of policy:

The purpose of the policy is to protect the information assets owned and used by the computer from all threats whether internal or external, deliberate or accidental and to meet all regulatory and legislative requirements, specifically:

1. GLB Act (Gramm-Leach-Bliley Act)

2. Health Insurance Portability and Accountability Act

3. SOX (Sarbanes Oxley)

4. GISRA/FISMA (Government Information Security Reform Act/Federal Information Security Management Act)

5. FTC (Federal Trade Commission)

6. Children's Online Privacy Protection Act

7. Federal Privacy Act

8. State Laws

9. Basel II

10. Federal Financial Institutions Examination Council (FFIEC) standards

11. North American Electric Reliability Corporation (NERC) / Critical Infrastructure Protection (CIP)

12. Payment Card Industry (PCI) Security Standard

13. Standards for The Protection of Personal Information of Residents of the Commonwealth (201 CMR17.00)

14. Cyber Crime Laws

15. The Computer Fraud and Abuse Act

16. The Electronic Communication Privacy Act of 1986 (ECPA)

NON-Regulatory Sources of Security Obligations:

1. Operating Rules

2. An Attorney's Obligation to Secure Attorney-Client Communications

Unity in Diversity: A view



Sunday, 15 May 2011

Compliance in Industries: Introduction


Information is the most valuable asset of any organization. It belongs to the organization itself and sometimes it is public and/or government. Across the world, government and standard bodies have issued a growing number of regulations designed to ensure the triad of information security viz. confidentiality, integrity and availability of personal and corporate data. These mandates apply on a range of industries, from financial institutions to healthcare providers to utilities firms to retailers and beyond. Regulatory compliance is mandate for the organizations as well as individuals. Non-compliant of any applicable regulation can lead to legal action against the organization and/or individuals.

The specific details of these regulations are as varied as the industries they serve. However, most contain sections that require companies to secure each user’s credentials and manage all access to IT-based systems. Taken together, these individual regulatory guidelines point toward a growing consensus of what constitutes best practices in identity management and IT security.

As the organization grows there is mandatory demand of compliance but the problem faced by many organizations are identifying applicable regulations, standards and implementing them effectively. At the same time auditing the same is another concern.

My intention for this post is to explore these compliance-driven best practices, how unified solutions support them, and how prioritizing their implementation makes good business sense beyond the fulfillment of compliance requirements.

This post is a piece of my in progress white paper on compliance which I am sharing with you all. This is incomplete without involvement of people and I request you all to share your views and expert solutions to this high priority concern of information security.

Looking forward to receive your precious comments!

Sunday, 6 December 2009

Customer Services: Part III: No To Know

In continuation to my last blog here I have something for you that require your contribution. I am going to discuss about something which also affect our personal life. Although I will not discuss any personal matter, however, you can post your comments relating it to personal life.

How many times do you say ‘No’ in your personal/professional life? How often you hear this word from your friends, partner, family members, colleagues and business rivals? How do you feel when you hear this word? What do you feel about the person who speaks this word to you?

I found it very important to discuss here. There are almost eight times out of ten when your customer’s expectations go off your (individual and or organizational) limitations. The moment becomes very embarrassing when you have to say ‘No’. There is always a fear of break up or rift in your relation. The relation may be personal or professional.

As I was going through a case of a bank, I found one very good scenario to discuss here. Let us do some sort of analysis. In a top banking firm, in phone banking department, an agent got a call from a customer. This customer had problem with one of the branch office of the same bank. He was searching for a branch of the same bank at his native place so that he could fulfill his banking related stuff from his native place. He asked a banker for the same and got reply that there was no branch at Kannur (customer’s native place in India). He was very much frustrated. He contacted the phone banking department of the bank. As the agent received the call he started vomiting his frustration on her and insisted her on transferring his call to manager. She got stuck by listening to him. She tried to make him calm down but all of her efforts were appearing useless. She understood his problem and searched from her end. She found that there was really no branch at that place. She searched for the customer profile and found that he had been very loyal to the bank for a long time. She was in dilemma of how to deal with this customer.

A very difficult scenario where the answer is crystal clear, it’s none other than a simple ‘No’. Instead of saying No you try to make him understand your limitations and throw the problem into a cold bag. And the customer is left in dissatisfaction. You don’t even think of his problem after that. You forget his importance and that is the point where customer feels that nobody is there to listen to his problem. It is your responsibility to understand his problem and make him feel that you are working for him. He is the most important person for the organization.

Once you know his problem you can start our analysis over it. Let us take it as an opportunity. How many times a customer gives feedback of your service? How frequently you/your organization say No to the customer? Does your organization maintain any database for the requests for which the answer is No? Have you ever thought that this No comprises a lot of information in it? It contains the need of your customer which your organization does not provide. Also tells you the area of improvement. It works like your complaint box if you pay more attention to it.

Here I am stopping to write further on this and want to know your views. Please share your ideas on how to convert this No to Know.

Saturday, 21 November 2009

Customer Services: Part II: Understanding our Customer

Dear readers! It has been too long for my next blog. Actually, I was very much cautious this time before writing anything and gathering more and more information. In my last blog I discussed a little bit about basic things of customer services. As I move ahead I find the next thing come in the process is to know your target customer. It’s again a tough job. There are certain points to be discussed here:
1. Customer psychology

2. Need of our customer

3. Current market trend


I personally feel banking sector is the best example for the understanding of customer psychology. From banking prospect if we think, a customer chooses his bank not merely on economic or psychological considerations, but also due to influences through 'word of mouth' by his own circle of friends and associates. It is, therefore, advisable for banks to work on their present clients to secure new ones through personal recommendations. It should be the constant endeavor of the banks to study the needs of the population in their areas and devise appropriate schemes to cater to them. They have to be courteous and appreciative of customers' aspirations and view-points. They have to build-up goodwill for the banks. In short, there is need for a humanized banking system. Most of the time we do mistake by neglecting the customer’s need and focusing on our own products/services, which leads to break up in the customer relationship. The current market is highly volatile as we all are aware of it. And the customer’s demands change frequently. Hence, surviving in this scenario is really very difficult for any industry.


If we consider large organizations, they encourage their customers to give feedback. Also they give them confidence to provide innovative ideas so that they (organization) can work on their needs and provide better services.


There are lot more things to discuss. But I would be grateful if your participation is there. Please share your views on the same.

Sunday, 9 August 2009

Customer Services: Part I: Who is Our Customer


“A customer is the most important visitor on our premises; he is not dependent on us. We are dependent on him. He is not an interruption in our work. He is the purpose of it. He is not an outsider in our business. He is part of it. We are not doing him a favor by serving him. He is doing us a favor by giving us an opportunity to do so.”
Mahatma Gandhi

Now this is the first one which I want to share with you all. I have only two years of experience and in these two years luckily I was able to interact with two customers; first was a non Indian customer and the second one was an Indian customer. Also I have a very experienced staff around me so I can say that I have more than 30 years of customer experience. In retrospect, I feel dealing with non-Indian client was easier than that of with the Indian one. I am putting here my personal view on marketing based on my personal experience (including what I got from my highly experienced staff at Mumbai) till now.

This world is a market and two kind of people live here: 1) Seller and 2) Buyer. The first one is salesperson and the second one is Customer. We all come under these two categories. Most of us find ourselves as a customer but at the same time we are salesperson as well but we do not realize it. Let’s take a very simple example; ‘I remember an instance of my school when I was in class third, everyone was very much fond of other's lunch box and to get that they use all means of ways. In that scenario motive was “lunch box” and the customer was “classmate”. Also when one found a very rich customer (in terms good food), he/she tried to retain that so that he/she can enjoy the delicious food for a long turn.’ There are so many if you can think how many times you acted as a customer and as a salesperson. Now think about the above for a while how focused was one to achieve ones goal. If we relate it with the current market scenario than the “lunch box” is “money” and “classmate” is “customer”. There are two things I have noticed very important:
1) Making new customer
2) Retention of customer

Both are very difficult in current market situation but in my views the second one is the most important aspect of customer services for any organization. Also it requires a lot of research and analysis. Most of the successful organizations focus on that part only.

When we go to market to sell our product/services, two things we keep in mind 1) our motive (to make money) 2) Attract customer. But we always do mistake by forgetting the fact that money comes from customer and at the end of the day we finish with praising our product/services and forget the customer. We start working on our services/product without proper investigation and research on customer. We don’t know who is our target customer and we only focus on our services.

There are lots of things to share on this but I want to have some inputs from your experience. Please tell me “Who is our Customer?”

Please give your valuable suggestions and feedback on this. All kinds of comments are welcome.

Sunday, 2 August 2009

Dezires or D-zires


I don’t know how to start but I have to anyhow. I have lots of thoughts to share with you all. Whenever I am alone so many thoughts come in my mind but I don’t know how to pen down the entire thing in a manner such that my feelings reach out to you. All thoughts get jumbled and when I put these things on papers, all seem random i.e. no sequence. But now I think I should write no matters in whatever manner.


However my blog is purely Business management blog, I am starting writing with the name of my blog ‘D-zires’.


Whatever has happened to us or happening with us is just because of us. We cannot blame others for this. We all know this but we forget many times. It’s we only who are responsible for all good and bad things with ourselves. And at the same moment I find myself victim of my own desires. My desires are very high and with the time it has become so strong that I cannot stop here. I am helpless and my desire is taking me from my all the relations as well as myself. I have got different perception about myself, what really I am not. From my childhood till now I used to suppress my feelings and desires but when the saturation point was crossed it made me crazy. And it completely took over me. I got health problem just because of it. There was no way to get out of it for me. Then I started meditation and it really helped me a lot. Now I am well but it doesn’t mean my desires are over. They are still there but in my control. I have taken my own example here to explain a bit about desire from my personal experience.


Desire is everywhere in everyone’s life. With your help I want to search a solution for excess of desires. I feel a person should rule his/her desire otherwise it will kill his/her identity. But this is also true that after a certain limit controlling your desire is very difficult because you are stuck in it so much that you have made it your life and getting out of it means getting out of life. However I believe it can be managed.


Also coin has another side too. Desires are very important as far as our progress or growth is concerned. Suppose today you have a small sweet corner in a very small town or village, until and unless you desire to become richer you won’t extend your shop to a restaurant. There are so many examples to illustrate it very well. I would love to take example of Late Mr. Dheerubhai Ambani. He was the man who ruled out his desires and fulfilled his dream. If he had no desire to become richest would he be able to be so? No, never. But again I would say he was not slave of his desires, he was ruler.


Now coming to the conclusion of it I find that managed desires can lift you higher and higher but an unmanaged one will certainly make you mentally ill and one day you will be so much stressed and won’t find anyone around you. And that will be too late. You can imagine that time; it’s really dangerous more than an atom bomb within you for you as well as your work. A company is known by its employees and to create a healthy environment everyone’s participation is necessary. It’s your decision where you want to take your life and your career by chasing a well managed desire or an unmanaged killer D-zires.



Please post your comments so that I can improve and come up with more efficiency.