Nishidh, CISSP. To comply with Sarbanes oxley and other legislations To comply with industry...

Post on 27-Mar-2015


Nishidh, CISSP

To comply with Sarbanes-Oxley and other legislation

To comply with industry standards and business partner requirements

To protect customer information

To protect employee data

To detect fraud

To identify and correct manual errors

To identify hardware or software errors

To proactively monitor infrastructure

For business continuity

Because?

People who use our services and products – our customers

People who provide the money to run the business – our investors

People who run the business – our employees

Easy security controls for customer applications.

Prevent unauthorized disclosure of customer data.

Prevent unintended destruction of customer data.

Promptly inform customers about security incidents.

Help customers in taking corrective actions.

Protect customers

Accurate financial reporting (Sarbanes-Oxley Act)

Give a good return on investment (no over-investment in security, and effective use of controls)

Employees require an open environment

Security controls should not reduce productivity

Transparent monitoring

Well-informed security policies

We need to invest in security not just to comply with legislation or to meet industry or partner requirements.

But we need to invest in security to protect customers, investors and employees. This is a TRUST business, and if we lose TRUST, we will lose everything.

Top-down approach:

Identify critical business goals

Identify the critical functions needed to meet those business goals

Identify the risks to the critical functions

Effective risk management: reduce risk, transfer risk, or accept risk

Identify the origin of each risk (the 3 Ps): People, Processes, Products

Identify and implement controls

Verify the effectiveness of the controls (audit)

People are the weakest link in any security system.

People require policies, standards, guidelines and procedures so that they react in a predefined manner.

Security awareness programs are mandatory for implementing policies and standards.

People should be able to report security incidents or threats and take guidance from the incident response team.

Processes are key to smooth and secure business operations.

Processes implement policies and standards. Processes implement "separation of duties" and "need to know" to comply with legislative requirements on security.

Process deviations must be monitored in order to identify suspicious activity or fraud.

Continuous audit of processes is mandatory to verify compliance.

Products can be any hardware, third-party package or custom application.

Products provide the platform on which processes are implemented.

Products must generate reports and audit trails so that deviations in processes are flagged.
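The two slides above ask for processes that enforce separation of duties and need to know, for monitoring of process deviations, and for products that emit audit trails the deviation check can run over. The script below, an added example that is not part of the original deck, shows what such a check looks like in practice. It reviews a constructed audit trail for a hypothetical three-step payment process (CREATE, then APPROVE, then PAY) and flags the three kinds of deviation the slides care about: the same person creating and approving a payment, an approval by someone outside the approver role, and a payout that skipped or reordered a step. The record format, the role table, the step names and the rule names are all assumptions made for illustration.

```python
"""Audit-trail review for process deviations.

Added example, not from the slides. Runs separation-of-duties, role
(need-to-know) and process-sequence checks over a constructed audit trail
for a hypothetical payment process CREATE -> APPROVE -> PAY.
Record layout, role table and rule names are assumptions for illustration.
"""
from collections import defaultdict

# Constructed audit trail: (timestamp, user, action, payment_id, amount)
AUDIT_TRAIL = [
    ("2015-03-27T09:00:00", "alice",  "CREATE",  "P-1001", 1200.00),
    ("2015-03-27T09:05:00", "bob",    "APPROVE", "P-1001", 1200.00),
    ("2015-03-27T09:06:00", "system", "PAY",     "P-1001", 1200.00),
    # P-1002: the creator approves her own payment (separation-of-duties breach)
    ("2015-03-27T10:00:00", "carol",  "CREATE",  "P-1002", 9800.00),
    ("2015-03-27T10:01:00", "carol",  "APPROVE", "P-1002", 9800.00),
    ("2015-03-27T10:02:00", "system", "PAY",     "P-1002", 9800.00),
    # P-1003: approved by someone who does not hold the approver role
    ("2015-03-27T11:00:00", "alice",  "CREATE",  "P-1003",  300.00),
    ("2015-03-27T11:02:00", "dave",   "APPROVE", "P-1003",  300.00),
    ("2015-03-27T11:03:00", "system", "PAY",     "P-1003",  300.00),
    # P-1004: paid with no approval at all (a process step was skipped)
    ("2015-03-27T12:00:00", "bob",    "CREATE",  "P-1004", 4500.00),
    ("2015-03-27T12:01:00", "system", "PAY",     "P-1004", 4500.00),
]

# Hypothetical role table: the "need to know" / authorisation for each step
ROLES = {
    "alice":  {"creator"},
    "bob":    {"creator", "approver"},
    "carol":  {"creator", "approver"},
    "dave":   {"creator"},
    "system": {"payout"},
}

# The defined process; PAY is only legitimate after every earlier step
EXPECTED_SEQUENCE = ["CREATE", "APPROVE", "PAY"]


def review_audit_trail(trail, roles):
    """Return a list of (payment_id, rule, detail) findings for the trail."""
    by_payment = defaultdict(list)
    for ts, user, action, pid, amount in sorted(trail):  # sorted by timestamp
        by_payment[pid].append((ts, user, action, amount))

    findings = []
    for pid, events in by_payment.items():
        actors = {action: user for _, user, action, _ in events}
        actions = [action for _, _, action, _ in events]

        # Rule 1: separation of duties - creator and approver must be different people
        if "CREATE" in actors and "APPROVE" in actors and actors["CREATE"] == actors["APPROVE"]:
            findings.append((pid, "separation_of_duties",
                             f"{actors['CREATE']} both created and approved"))

        # Rule 2: need to know / authorisation - only approver-role holders may approve
        if "APPROVE" in actors and "approver" not in roles.get(actors["APPROVE"], set()):
            findings.append((pid, "unauthorized_approver",
                             f"{actors['APPROVE']} lacks the approver role"))

        # Rule 3: process deviation - every earlier step must precede PAY, in order
        if "PAY" in actions:
            completed = actions[: actions.index("PAY")]
            missing = [s for s in EXPECTED_SEQUENCE[:-1] if s not in completed]
            if missing:
                findings.append((pid, "process_deviation",
                                 f"paid without {', '.join(missing)}"))
            elif completed != EXPECTED_SEQUENCE[:-1]:
                findings.append((pid, "process_deviation",
                                 f"out-of-order steps {completed}"))

        # Rule 4: the amount must not change between steps (tampering indicator)
        amounts = {amount for _, _, _, amount in events}
        if len(amounts) > 1:
            findings.append((pid, "amount_mismatch",
                             f"amounts differ across steps: {sorted(amounts)}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in review_audit_trail(AUDIT_TRAIL, ROLES):
        print(f"{pid}: {rule}: {detail}")
```

Run as a script it reports three findings (P-1002, P-1003 and P-1004) and stays silent on P-1001, which followed the defined process. The point for the slides is that none of these rules can be checked unless the product records who performed each step, when, and with what value; that is what "products must generate audit trails" buys the continuous-audit requirement.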

A product must be analyzed against policies and standards before it is integrated into the environment.

When developing applications, extra care in security review and testing is required.

If a product uses cryptography, then key protection and data recovery are equally important.