Presentation transcript: "Nishidh, CISSP"
To comply with Sarbanes-Oxley and other legislation
To comply with industry standards and business partner requirements
To protect customer information
To protect employee data
To detect fraud
To identify and correct manual errors
To identify hardware or software errors
To proactively monitor infrastructure
For business continuity
People who enjoy our services and products – our customers
People who give money to run the business – our investors
People who run the business – our employees
Easy security controls for customer applications.
Prevent unauthorized disclosure of customer data.
Prevent unintended destruction of customer data.
Promptly inform customers about security incidents.
Help customers take corrective actions.
Protect customers
Accurate financial reporting (Sarbanes-Oxley Act)
Give a good return on investment (no over-investment in security; effective use of controls)
Employees require an open environment.
Security controls should not reduce productivity.
Transparent monitoring.
Well-informed security policies.
We need to invest in security not just to comply with legislation or to meet industry or partner requirements. We need to invest in security to protect customers, investors and employees. This is a TRUST business, and if we lose TRUST, we lose everything.
Top-down approach:
Identify critical business goals
Identify the critical functions needed to meet those business goals
Identify the risks to those critical functions
Effective risk management:
Reduce risk
Transfer risk
Accept risk
Identify the origin of risk (the 3 Ps): People, Processes, Products
Identify and implement controls
Verify the effectiveness of controls (audit)
People are the weakest link in any security system. People require policies, standards, guidelines and procedures so that they react in a predefined manner. Security awareness programs are mandatory for the implementation of policies and standards. People should be able to report security incidents or threats and take guidance from the incident response team.
Processes are key to smooth and secure business operations. Processes implement policies and standards. Processes implement separation of duties and the need-to-know principle to comply with legislative requirements on security. Process deviations must be monitored in order to identify suspicious activity or fraud. Continuous audit of processes is mandatory to verify compliance.
Products can be any hardware, third-party package or custom application. Products provide the platform on which processes are implemented. Products must generate reports and audit trails that flag deviations in processes. A product must be analyzed against policies and standards before it is integrated into the environment. Applications developed in-house require extra care in security review and testing. If a product uses cryptography, key protection and data recovery are equally important.
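The process slide calls for separation of duties and monitoring of process deviations, and the product slide calls for audit trails that flag those deviations. The following is an added example, not code from the presentation, showing both sides of that control: a preventive check that refuses an approval breaking separation of duties, and a detective check that replays an audit trail and reports every deviation. The payment workflow, the role table (ROLES), the dual-approval threshold (APPROVAL_LIMIT), the log format and the log lines themselves are all assumptions constructed for the example.

```python
"""Separation of duties enforced at the control point, then verified over
an audit trail. Added example, not from the presentation; the payment
workflow, role table and log format are assumptions.

Assumed rules: a payment is created by one user and approved by a different
user holding the 'approver' role; amounts above APPROVAL_LIMIT need two
distinct approvers before release.
"""
from dataclasses import dataclass, field

APPROVAL_LIMIT = 10_000  # assumed dual-approval threshold

# Constructed role table. Need-to-know means each user holds only the roles
# their job requires; 'dave' holds both, so SoD is enforced per payment,
# not per person.
ROLES = {
    "alice": {"clerk"},
    "bob": {"approver"},
    "carol": {"approver"},
    "dave": {"clerk", "approver"},
}


class SoDViolation(Exception):
    """Raised when one person would hold two conflicting duties."""


@dataclass
class Payment:
    pid: str
    amount: int
    created_by: str
    approved_by: list = field(default_factory=list)


def approve(p: Payment, user: str) -> Payment:
    """Preventive control: refuse an approval that breaks role or SoD rules."""
    if "approver" not in ROLES.get(user, set()):
        raise PermissionError(f"{user} lacks the approver role")
    if user == p.created_by:
        raise SoDViolation(f"{user} cannot approve a payment they created")
    if user in p.approved_by:
        raise SoDViolation(f"{user} has already approved {p.pid}")
    p.approved_by.append(user)
    return p


def required_approvals(amount: int) -> int:
    return 2 if amount > APPROVAL_LIMIT else 1


def is_releasable(p: Payment) -> bool:
    return len(set(p.approved_by)) >= required_approvals(p.amount)


# Constructed audit trail (fields: timestamp, payment id, action, actor,
# amount). PAY-2 and PAY-3 contain deliberate deviations.
AUDIT_TRAIL = """\
2024-03-01T09:00:00Z PAY-1 create alice 5000
2024-03-01T09:05:00Z PAY-1 approve bob
2024-03-01T09:06:00Z PAY-1 release
2024-03-01T10:00:00Z PAY-2 create dave 25000
2024-03-01T10:02:00Z PAY-2 approve dave
2024-03-01T10:03:00Z PAY-2 release
2024-03-01T11:00:00Z PAY-3 create alice 50000
2024-03-01T11:01:00Z PAY-3 approve carol
2024-03-01T11:02:00Z PAY-3 release
"""


def audit(trail: str) -> list:
    """Detective control: replay the trail and report every deviation.

    An approval that breaks role or SoD rules is reported and not counted
    toward release, so a release built on such approvals is reported too.
    """
    findings = []
    state = {}
    for line in trail.splitlines():
        ts, pid, action, *rest = line.split()
        if action == "create":
            state[pid] = {"creator": rest[0], "amount": int(rest[1]),
                          "approvers": set()}
        elif action == "approve":
            user, s = rest[0], state.get(pid)
            if s is None:
                findings.append(f"{ts} {pid}: approval before creation")
            elif "approver" not in ROLES.get(user, set()):
                findings.append(f"{ts} {pid}: {user} approved without approver role")
            elif user == s["creator"]:
                findings.append(f"{ts} {pid}: SoD violation, {user} approved own payment")
            else:
                s["approvers"].add(user)
        elif action == "release":
            s = state.get(pid)
            if s is None:
                findings.append(f"{ts} {pid}: release of unknown payment")
                continue
            need = required_approvals(s["amount"])
            have = len(s["approvers"])
            if have < need:
                findings.append(f"{ts} {pid}: released with {have} of {need} valid approvals")
    return findings


if __name__ == "__main__":
    for finding in audit(AUDIT_TRAIL):
        print(finding)
```

The two checks are deliberately independent: approve() stops the deviation at the point of use, while audit() reads only the trail the product emitted, so it still catches a payment released through a path that bypassed the control (a direct database edit, a bug, an administrator override). That is why the slides treat the audit trail as mandatory rather than optional.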