Thursday, December 6, 2007

IT SECURITY IN A DEVELOPING COUNTRY – A CASE OF MALAWI... A CHALLENGE?

Having been born, lived and worked in Malawi (especially with the government IT department), one of the so-called developing countries, I have seen, observed and experienced some issues worth sharing on the status of information systems security. Some years back I was privileged to travel overseas to Japan, where I was trained as an Information Security Specialist, and I also had a stint with one of the renowned audit firms in the world (KPMG), working locally as an Information Risk Management Specialist. The general observation is that in Malawi, as in any other developing country, the ICT sector is growing rapidly. But... one of the challenges is the risk associated with the new technology. Is there advocacy for this, or are we just promoting its introduction and ignoring the RISKS and how to mitigate them?

In any field, the business assumptions used to be, the way it was...

"That products would not change dramatically, that the processes used to produce them would remain basically the same, that the workforce would remain loyal, that new competitors would occasionally appear but the playing field would be level."

But the above no longer holds, especially in IT.

Today's IT environment is distributed, heterogeneous and complex, with higher expectations, increasing risk and high business dependency, and a growing cost if security is to be achieved.

What the IT function must deliver

• Security / integrity
• Effectiveness and efficiency
• Implementation to impossible timetables
• Reduced Costs - (“Total cost of ownership” - TCO)
• Service levels
• Innovative solutions
• Value for money
• And... source, implement and exploit risky new technology

The above may be achieved, but it has a cost for a developing country like Malawi in terms of resources, personnel and Government commitment. Even in countries whose ICT is a model to us, the road has not been smooth, as the following quotes show:

“IT has been the longest running disappointment in business in the last 30 years!”
Jack Welch, Chairman, General Electric, World Economic Forum, Davos, 1997

“Technology can help fulfil a visionary dream, but often its use is closer to a sobering nightmare!”
Vesa Vaino, CEO Merita Bank, SIBOS, Helsinki, 1998

"I am writing a book on the history of information technology... in order to better understand why it is such a mess!"
Philippe Corniou, CIO, Renault, IT Governance Forum, Paris, 2001

"IT investments did not have an impact on productivity in 53 out of 59 economic sectors."
McKinsey report 2001

The above means that for a country like Malawi to have sound ICT infrastructure and services, there has to be big investment planning for all: Government and the private sector.

The business IT challenge is all about increasing consumer trust in technology and ensuring that IT contributes significantly and effectively to enhanced and sustainable shareholder value. These challenges include:
– Improving the value for money obtained from IT investment
– Improving security and control in order to increase trust in consumer and corporate use of technology solutions
– Improving the accessibility and reliability of technology-based solutions
– Seeking greater opportunities for the exploitation of advanced technology for stakeholder benefit
– Understanding and promoting best practices in IT governance
– Ensuring that we have the human capabilities to deliver satisfactorily on these objectives

But it is a pathetic situation that the Government of Malawi has no NATIONAL ICT POLICY (the draft is not yet approved despite being sent to Parliament). Even at departmental level there is an ICT policy in the Department of Information Systems and Technology Management Services, but it is just gathering dust on the shelves: NO IMPLEMENTATION!!! Even if you go to companies and ask for the ICT security policy, oops, only a few would produce one, even though they rely on ICT for their business. Have you forgotten about Celtel, and what happened when it burned? There were no backup services. Take care!

The issue here is: "let's start taking this issue of achieving IT security seriously". – Mbite!!!

Friday, November 16, 2007

Enterprises Lack Effective Risk Management According to New AESRM Report

From ISACA:

Rolling Meadows, Illinois, USA (5 September 2007)—The currently popular silo approach to managing enterprise risk is inadequate because it leaves too many gaps and provides no reliable way to evaluate an enterprise’s risk position, according to a new research report issued by The Alliance for Enterprise Security Risk Management (AESRM), a partnership of leading international security associations ISACA and ASIS International. The report is available as a free download at www.aesrm.org.
The Convergence of Physical and Information Security in the Context of Enterprise Risk Management shows that while risk management is fundamental to most enterprise managers, many risk reduction initiatives are not coordinated or integrated across all risk areas. Only 19 percent of executives surveyed said their company has a robust process in place for identifying when risk tolerance approached or exceeded defined limits.
To address these risk challenges, organizations are investigating more inclusive enterprise risk management (ERM) programs and converging traditional and information security functions. Although this convergence is intuitive and logical, it is still in its early stages, according to the research conducted by Deloitte.
“The need for enterprises to understand, measure and mitigate their risk is a leading factor driving the increase in security convergence,” said Ray O’Hara, CPP, chairman of AESRM. “Globalization and high-profile security breaches have gained the attention of boards and management, who increasingly realize how effective risk management protects their assets and supports growth.”
When asked to identify the major drivers of their companies’ security integration efforts, 73 percent of the executives cited “reducing risk of combined information and physical security threats,” 58 percent said “increased information sharing,” and 50 percent noted “better protection of the organization’s people, intellectual property and corporate assets.” The survey shows that security integration and ERM, when aligned, add value throughout an organization.
“Even though our study found that convergence is in its infancy, it is clearly a concept that is not going away,” said Adel Melek, global leader of the security and privacy practice at Deloitte Touche Tohmatsu. “But like any new idea, it takes pioneers or ‘visionaries’ to propel it forward. The visionaries of our report’s case studies, typically executives, have a strong belief in the benefits of convergence and have the personal commitment to see their ideas to completion despite the uncharted territory in which they may find themselves.”
The report also includes case studies of successful ERM programs from SAP; Constellation Energy Group; the City of Vancouver, BC, Canada; and other organizations that achieved cost reductions, increased risk intelligence and mitigation, and reduced duplication. More information and examples of convergence are at http://www.aesrm.org/.
Media contact: For ISACA: Kristen Kessinger, kkessinger@isaca.org, 847.590.7455. For ASIS: Eileen Smith, esmith@asisonline.org, 703.518.1404.
About AESRM—The Alliance for Enterprise Security Risk Management (AESRM) (http://www.aesrm.org/) was formed in February 2005 to encourage board and senior executive attention to critical security-related issues and the need for a comprehensive approach to protect the enterprise. The alliance—consisting of ASIS International and ISACA—brings together more than 90,000 global security professionals with broad security backgrounds and skills to address the significant increase and complexity of security-related risks to international commerce from terrorism, cyber attacks, Internet viruses, theft, fraud, extortion and other threats.
About ISACA—With more than 65,000 members who live and work in more than 140 countries, ISACA (http://www.isaca.org/) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal®, develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 50,000 professionals since inception, and the Certified Information Security Manager (CISM) designation, a groundbreaking credential earned by more than 6,500 professionals since it was established in 2002.
About ASIS—ASIS International (ASIS) (http://www.asisonline.org/) is the preeminent organization for security professionals, with more than 35,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, government entities, and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the industry’s number one magazine—Security Management—ASIS leads the way for advanced and improved security performance.
About Deloitte—Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 140 countries. With access to the deep intellectual capital of approximately 150,000 people worldwide, Deloitte delivers services in four professional areas—audit, tax, consulting and financial advisory services—and serves more than 80 percent of the world’s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Services are not provided by the Deloitte Touche Tohmatsu Verein, and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte,” “Deloitte & Touche,” “Deloitte Touche Tohmatsu,” or other related names.

Friday, November 2, 2007

Information Systems Security Unleashed!

Welcome to my blog. On this space I will mostly be sharing issues in information systems security. Subjects will include, but are not limited to, information systems security practices and international standards, network management with security in mind, security audit and risk analysis, and any other related issues, not forgetting data management and some social issues. So watch this space!!!!