Cover 1 partial varnish - SEE Top 100 - SeeNews
www.top100.seenews.com
biggest enthusiasm for information security comes out of the non-IT sector, believe it or not. The most significant issue, however, is who really needs information security.
Q: Which sectors do you think really need information security?
A: First, all of the organizations required to implement information security policies by law. These are all the public administrations, because they process and handle a lot of data that generally don't belong to them. Secondly, there are the health organizations that process highly sensitive data regarding the health of their patients, as well as data critical for saving human lives, such as personal allergies. This is also applicable, but to a lesser extent, to clinical laboratories and pharmacies. Thirdly, there are the specialized business services: investment, law and tax consulting, insurance, payroll, archiving, auditing and finance. All of these providers of business services have the necessary goodwill and ensure the inclusion of confidentiality clauses in the relevant contracts, but only a few of them can guarantee information security due to a lack of a systematic approach.

Another sector is banking, where the situation is slightly different, as they deal with money, which actually represents just electronic data in their information systems. The emphasis is not on confidentiality, as many might think, but on data integrity, availability and business continuity. There are parliamentary debates in Hungary, for instance, about mandatory implementation of an information security standard at all banks. I recall the case with Lloyds Bank in the UK two years ago, when the pension data of 10 million people was lost and could not be properly retrieved. In rare cases, data could be retrieved from memory, of course. Data processing, billing and courier companies also deal with information security issues. The printing out and delivery of invoices requires access to the databases of the telecoms and utility companies, which contain sensitive data about the end customers. How would you feel if information about your home telephone number and calls became public? Information about a household's consumption of gas, electricity and water can be used to determine people's habits, i.e. when there is nobody at home, etc. Would you insist that this information be safeguarded?

Then there are the outsourcing companies, which work on secret projects for big corporations. All outsourcing companies conclude NDAs (Non-Disclosure Agreements). All of them have the intention to uphold the agreement, but how many of them can? You see, if you want to be in this business, your information security capabilities need to be proven. Information security is also an issue for special institutions like the police, defense and the like, where data is either a state secret or is very sensitive. The law on classified information stipulates what needs to be done. The information security management system explains how it should be done. All these institutions work with a broad range of suppliers, who also need to take into consideration their information security requirements.
Q: Well, it appears that many sectors have different reasons to implement information security policies. Isn't that very expensive?
A: On the contrary! Elimination of risks is very expensive. Implementation of an information security system does not eliminate the risks, but reduces them to an acceptable level. By doing so, data sets with varying degrees of value receive different levels of protection. The level of protection depends on the identified risks. It makes no business sense to spend money on information protection if the value of the information is less than the cost of the protection. Because of this "business logic", the top managers are very accepting of information security. A lot of companies have implemented good information security practices, but haven't integrated everything together. It is time that they make a return on their investment in information security. The fastest way is to approach the issue systematically. Then we have a pay-off.
Bureau Veritas Certification
4th Floor, 81A, Bulgaria Blvd., 1404 Sofia, Bulgaria
Tel. +359 (2) 983 60 00; Fax +359 (2) 983 60 65
certification.bulgaria@bg.bureauveritas.com
http://www.bureauveritas.com

SEE TOP 100 Banks

Q: It still appears that the implementation of an information security system is a task that only big companies can take on. Is that so?
A: I don't think so. One well-organized small pharmacy meets about 90% of the information security standard requirements. The same applies to the small private medical laboratories with which I have had contact. What is missing is the synchronization of the security controls, analysis and awareness of the risks, and business continuity plans. Small firms have a small volume of valuable information and can protect it more easily with fewer protection mechanisms. A smaller staff offers some advantages, like easier prevention of information leaks. The time for training and awareness is also shorter.
Q: Does it mean that the smaller firms don't need to implement all requirements and security controls?
A: Yes, it does. The information security standard allows justified exemptions. If we come back to the small pharmacy example, all network control requirements can be excluded. There are very seldom more than two computers – no need for network segregation, routing security or other network controls. We only do what is needed. This is the essence of the information security standard. It applies to small and big companies, to everyone.
Q: Are there many companies in Bulgaria that have implemented this standard?
A: There is no definitive answer. A lot of companies have implemented a lot of requirements and control measures without knowing that such a standard exists. If we talk about the companies that can prove the implementation, there are about 60.
Q: How can the companies prove their information security level?
A: I have only one answer to that – accredited certification. There are about 60 companies in Bulgaria that hold accredited certificates for information security. I had the pleasure to audit most of them. The interest in information security certification is increasing. The excitement is yet to come. I am confident about the future.