Financial Daily from THE HINDU group of publications
Monday, Nov 28, 2005



In the spotlight

R.K. Raghavan

Many companies make arrangements to meet threats arising from fire, flood and power breakdowns, but overlook preserving digital evidence. The importance of a good system to store and retrieve data is very much in focus today.

SUCCESSFUL modern corporations are extremely sensitive to possible risks in their day-to-day lives, and take adequate precautions against anticipated problems. This is why risk managers are at a premium.

Disaster management, otherwise known as business continuity planning, is now a sophisticated field of practical knowledge. It has become an integral part of managing the risks involved in running the huge data centres that many companies, especially those in the IT business, operate for their own needs or to streamline the management of data received from clients.

I personally know that many multinationals pack an assessment of the disaster management infrastructure into their due diligence visits before they award outsourcing contracts to Indian IT companies.

Even the slightest misgiving over the quality of planning for risks, arising from both man-made and natural calamities, could mean the difference between the award of a contract and its denial.

I recently stumbled on a 90-page "Directors and Corporate Advisors' Guide to Digital Investigations and Evidence" prepared in September 2005 by the Information Assurance Advisory Council (IAAC) of the UK. This is a goldmine of information to those serious about protecting themselves and their organisations against the fall-out of security breaches. A prudent Chief Information Officer (CIO) or Chief Security Officer (CSO) will refuse to read it only at his peril.

A CIO's fundamental duty is to keep himself abreast of what the ordinary law of the land and current corporate regulations enjoin upon him to do for protecting information that flows through or is stored in his organisation. No information — especially e-mails — is too trivial to be eliminated from a system just for the sake of convenience, if not out of a dishonest intention.

Laws in many countries have made this position clear. The Sarbanes-Oxley Act (SOX) in the US now imposes specific penalties for intentional destruction of crucial files.

Once caught for destruction or even a failure to produce information demanded by a regulator, it is a corporation's responsibility to account for non-availability of the data called for.

The consequences of a failure to come up with a credible explanation could be forbidding.

It may damage a reputation built assiduously over decades because of the sheer failure to archive data. This is why a good system to store information and an efficient mechanism to retrieve it in a contingency should be part of a crisis management programme.

Unfortunately, many companies lay on excellent arrangements to meet contingencies arising from fire, flood and a power breakdown, but forget to fuse preservation of digital evidence into them. This neglect can prove costly, as the IAAC guide says, because digital evidence is "highly volatile and easily compromised." There are software packages that help recovery of information. If, however, you are not able to pinpoint the source from which an item of information has been lost, no software can come to your rescue.

A new dimension to the Indian scene has been added by the arrival of the Right to Information Act.

Going by the general lack of transparency in the Indian ambience, pressure could mount on government organisations to disclose information that they will not ordinarily be willing to share.

With the growing digitisation of public records, including land documents, court papers, income-tax returns/assessments, company law department registers, etc., very few government officials can take the stance that records are not available. So, preservation of digital evidence is not a mere private industry concern. It is equally germane to government and government-aided outfits, including NGOs. Once the Act evolves, private commercial establishments may also come under moral pressure to be transparent about information sharing.

The situation calls for a high degree of planning and identification of an official or a group in an organisation that would be accountable for preserving information and dispensing it when required by public authorities, including courts.

According to the IAAC Guide, information relating to disputed transactions, allegations of employee misconduct, compliance with regulations such as SOX and occurrences that result in losses and which could possibly lead to an insurance claim will all have to receive top priority for protection and archiving. This will form part of what we may call a Forensic Readiness Plan.

Preservation of information is closely linked to network security, whose principal aim is to ensure not only that information does not fall into unauthorised hands, but also that it is not tampered with.

The system is reasonably well-established the world over, with the help of firewalls, anti-virus software, intrusion-detection systems and well-conceived physical security measures.

The problem, however, lies mostly in respecting the protocol laid on for ferreting out and copying information from a host of files in an archive for transmitting in an acceptable form to the lawful authority that demands it. Skilled IT managers are required to avoid heavy-footed execution of this important task.

Talking of heavy-footedness, I understand the producers of the widely popular TV programme "Crime Scene Investigation" (CSI) recently committed a faux pas that will take several years for them to unlive.

In a recent episode, when investigators arrive at a crime scene and look for valuable evidence, one of them straightaway heads off to a computer available at the spot and turns it on to find out what the files on the system contain.

Nothing can be more disastrous, because the axiom in collecting digital evidence is never to switch on the screen at the start of an investigation. Instead, first remove the hard disk, as well as any floppy disks lying around the system, with minimum direct handling with ungloved hands; pack them with suitable soft but firm material; and examine them in a laboratory environment before proceeding with the rest of the protocol.

The emphasis in such situations is on a mature and professional examination of available systems, rather than panicky responses. The importance of well-conceived and scientifically devised TV shows cannot be overstated, especially in the context of the CSI gaffe.

(The writer is a former CBI Director who is currently Adviser (Security) for TCS Ltd.)

Picture by Mohammed Yousuf


Copyright © 2005, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line