Dynamics of a career in IT security

Information security is the process of protecting the availability, privacy and integrity of information. The scope of information security is perhaps highest in the domain of information technology (IT). Given this fact, the Indian government and corporate fraternity has a lot in hand, with Delhi hosting the Commonwealth Games 2010. " It would perhaps be a good idea to make offices and establishments that are particularly high on information security needs wisely inaccessible. Secondly, organisations have to protect and strengthen their firewalls prior to the onset of the Games," says Indrani Dasgupta, an IT consultant employed at Mitnick Security Consulting. Today an increasing number of organisations store business and individual information on servers, much of which is highly confidential and not for public viewing. "Personal staff details, client lists, salaries, bank account details, marketing and sales information may all be stored in a database . Without this information, itwould be impossible for a business to operate and hence information security systems need to be implemented to protect this information ," says Medha Sharma, an employee of Hexaware Technologies Ltd.Threats and safeguards Wipro and other Indian outsourcing vendors are bolstering their security and privacy practices in response to US concerns stemming from the compliance requirements of laws such as Sarbanes-Oxley and Gramm-Leach-Bliley. The key threats include unauthorised data access, accidental information loss and sabotage, loss of intellectual property and damage from worms and viruses. Professional hackers who make a living from hacking or breaking through information security systems are clearly the biggest threat. Firewalls, which are designed to prevent access to a computer's network, can be bypassed by a hacker with the right hardware. "A computer hacker can gain access to a network if a firewall is shut down for only a minute," says Dasgupta. Computer viruses are another big threat. Often hackers plant computer viruses that can erase all information. According to Rohit Pradhan, a senior executive at the information security division of KPIT Cummins, one of the biggest potential threats to information security are the people who work within organisations operating computers. "A workplace may have excellent information security systems in place, but security can be easily compromised. If a help desk worker gives out or resets passwords without verifying who the information is for, then anyone can easily gain access to the system. Hence computer operators should be made fully aware of the importance of security prior to the onset of the Games. This is especially critical as the volume of business transactions are likely to escalate during this period," he adds. Informing of some blanket security tips that can be followed by the common man during the Commonwealth Games, Dasgupta says, "Changing passwords on one's computer and using combinations of letters and numbers makes it harder for hackers to gain access. Also, one should not keep a note of one's password where it can be easily accessed." Effective information security systems incorporate a range of policies, security products, technologies and procedures . "However, software applications which provide firewall information security and virus scanners are not self-sufficient in terms of protecting information. Instead, a set of procedures and systems need to be applied to effectively deter access to information," observes Sharma. Work scope The domain of IT security is constantly contending with fresh challenges. In today's internet era, IT security professionals are entrusted with the responsibility of defining an information security policy to protect information assets of the firm that they are employed with. "Hence, some of the predominant work challenges of IT security professionals begin and centre on two pivotal questions — how does one write the security policy statement which is binding and how does one convince people to really accept the security policy and implement it in their routine work?" informs Sharma. "In order to write the security policy one needs to take a look at the information assets of a company in terms of hardware and software and consider the future investment plans in IT," says Pradhan. The next step is a risk assessment exercise that includes business risks, physical risks, environmental risks, technological risks, human risks, and so on. "The approach ideally should be to document every risk, which a company may have encountered in the past, by companies in similar business, companies in the same geographical area and companies using the same technology," he observes. Security policy is not the last and final word. It is a master plan, which identifies a company's security concerns and is but the first step towards building a secure infrastructure . "Security can never be achieved through a single tier of defense. Multiple layers are required to protect IT assets. For each security risk that is tabulated, preventive measures that could be used to reduce the risk should be identified. The measures for risk mitigations could be administrative measures, physical measures and technical measures," informs Pradhan. "Administrative measures consist of policies, procedures, standards and guidelines; personnel screening and security awareness training. Physical measures could be perimeter control measures, physical access control, intruder detection, fire protection and environmental monitoring. Technical measures on the other hand include logical access control, network access controls, identification and authentication devices and data encryption," he elaborates. After the policy is ready comes the bigger task of training the us.

Read more: Dynamics of a career in IT security - The Times of India http://timesofindia.indiatimes.com/tech/careers/education/Dynamics-of-a-career-in-IT-security/articleshow/6445730.cms#ixzz0zJHN5Y6W