Enterprise Security Audits Going Mainstream: ISACA

by Faiz Askari    May 07, 2012

The concept of security audit is gradually picking up in Indian Enterprise business. What is your observation on its current status? According to you, what are the industry segments that are adopting security audits for their networks?

Security audit of networks is being adopted by large enterprises who have deployed ERP solutions, core banking solutions and who have large investments in IT. The industry segments who have security audit of network include banking, telecommunications, oil and gas, retail, stock exchanges, internet service providers and IT vendors who provide cloud computing services.

What are the key threats with regards to IT infrastructure that are affecting the large enterprise market?

The Ministry of Information Technology of the Government of India has set up an independent body, CERT-IN (http://www.cert-in.org.in/), that is responsible for monitoring security threats and providing reactive and proactive advice to enterprises, and, under the Information Technology Amendment Act 2008, for performing various functions relating to the collection, coordination, monitoring and reporting of cyber security. Based on the past data, some of the key threats to IT infrastructure affecting large enterprises are:
• Breach of security due to hacking resulting in non-availability of IT resources
• Breakdown of IT infrastructure due to inadequate business continuity plans
• Lack of adequate risk management strategy and remedial measures
• Over dependency on key personnel
• Lack of appropriate clauses in SLAs resulting in enterprises being at the mercy of IT vendors

Cloud is becoming very popular in most enterprise IT set-ups. What should be the key security parameters to consider while moving into cloud infrastructure?

As per Gartner prediction, by 2012, India-centric IT services companies will represent 20 percent of the leading cloud aggregators in the market (through cloud service offerings). Gartner is seeing India-centric IT services companies leveraging established market positions and levels of trust to explore nonlinear revenue growth models (which are not directly correlated to labor-based growth) and working on interesting research and development (R&D) efforts, especially in the area of cloud computing. The collective work from India-centric vendors represents an important segment of the market’s cloud aggregators, which will offer cloud-enabled outsourcing options (also known as cloud services).

What are the key parameters of ensuring security in a cloud environment?

ISACA is addressing how governance, security and control could be implemented for a cloud computing environment.
ISACA identifies the following key assurance issues that will need to be considered in reviewing cloud computing security:
• Transparency: Service providers must demonstrate the existence of effective and robust security controls, assuring customers that their information is properly secured against unauthorized access, change and destruction.
• Privacy: With privacy concerns growing across the globe it will be imperative for cloud computing service providers to prove to existing and prospective customers that privacy controls are in place and demonstrate their ability to prevent, detect and react to breaches in a timely manner. Information and reporting lines of communication need to be in place and agreed on before service provisioning commences. These communication channels should be tested periodically during operations.
• Compliance: Most organizations today must comply with a litany of laws, regulations and standards. There are concerns with cloud computing that data may not be stored in one place and may not be easily retrievable. It is critical to ensure that if data are demanded by authorities, they can be provided without compromising other information. Audits completed by legal, standards and regulatory authorities themselves demonstrate that there can be plenty of overreach in such seizures. When using cloud services there is no guarantee that an enterprise can get its information when needed, and some providers are even reserving the right to withhold information from authorities.
• Trans-border information flow: When information can be stored anywhere in the cloud, the physical location of the information can become an issue. Physical location dictates jurisdiction and legal obligation.

Similarly, mobile applications are becoming very popular among enterprise organizations. Where can ISACA play its role in ensuring a secure experience for common users?

ISACA has been very proactive in recognizing the need for enterprises to use mobile computing. It has identified the key issues and challenges of implementation and the steps to be taken to mitigate the risks. ISACA, as a thought leader in this area, has been providing guidance through a dedicated section in the knowledge center of its website.