Information is the heart of any business, be it banking, medicine, healthcare, insurance, retail and so on. Hence it becomes imperative for any business to protect its information and the systems that enable it; this is the need from which the concept of information security was conceived. Information Security ensures that the Confidentiality, Integrity, and Availability of information are kept intact. As industry trends evolved, a set of security requirements emerged over time, including the few listed below:
1. Authentication and password management
2. Authorization and role management
3. Audit logging and analysis
4. Network and data security
5. Code integrity and security testing
6. Cryptography and key management
7. Data validation and sanitization
8. Third-party component analysis
In today's world, organizations depend heavily on outsourcing, with multiple vendors physically located across different geographies yet logically interconnected through cloud-based services running on public, private or hybrid cloud or on-premise infrastructure. They also consume products and service offerings in the SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) models, which in turn may be multi-tenanted as well.
All these factors of the new-generation network and application architecture widen the horizon and open gates for unintended audiences, exposing information to a greater risk for the business. Considering the business needs and the organizational risk appetite, the organization needs to form a Security Policy and implement it across the domains of Information Security on a need basis. Ensuring the CIA triad (Confidentiality, Integrity, and Availability) helps the business provide Privacy to internal and external customers, and Safety as well, making the organization more reliable and increasing its level of trust.
A study conducted for the Allianz Risk Barometer, publicly available on the internet, shows the main causes of cyber incidents and the main causes of the economic loss that follows them.
Considering the numbers in the above figures, it is apparent that organizations have started giving more importance to "Security Requirements" than ever before. This is becoming a culture, adopted by leadership as the backbone of the business, which it ideally should be. Such a security-enabled culture makes the organization more reliable, dependable and trustworthy.
The organization could prioritize security requirements based on various factors, including but not limited to the below:
1. Business Domain and functions
2. Legal and Regulatory requirements based on business domain and geography
3. Risk Appetite of the organization
4. Audit Requirements
5. Network topology
6. Management's attitude towards technology
As guidance to drive and implement a security culture in the organization, there are frameworks and standards available to refer to, such as COBIT, the ISO/IEC 27000 series, PCI DSS (for payment card handling), HIPAA (US legislation to safeguard health/medical information), the HISO Health Information Security Framework (New Zealand) and so on.
Authored By - Disha Sharma
TCS Cyber Security Practice