Thursday, March 24, 2011

Governments need to shape up on Information security

Governments are writing cyber laws to tackle security and privacy breaches. The laws are twofold: they penalise businesses for inadequate due diligence, and they penalise the perpetrators of cybercrime. The recent draft of a set of rules associated with the Indian IT Act specified that Indian industry should follow a security management standard (ISO 27001).

The Indian Government, however, does not fall within the ambit of these rules, as they apply only to organisations termed a "body corporate". Nor does the Government have a comprehensive policy for implementing a security management program to strengthen its security governance processes, even as it launches several e-governance initiatives.

I highlighted the importance of a comprehensive national IT security management framework in an earlier post titled "Porn Surfing & Social Networking a Cyber Risk", where unrestricted Internet access allowed users to reach sites that could serve as an attack vector for hackers. The Indian government was also a victim of a large espionage network called Ghostnet, and many key programs were hit by Stuxnet, a specially crafted piece of malware designed to attack nuclear and space facilities.

While reading the article "Auditor calls for Government ban on Gmail, Hotmail" in SC Magazine Australia, which reports that "the Australian National Audit Office has called on all government agencies to block free web-based email services like Gmail and Hotmail to mitigate security and information integrity risks", it struck me that governments the world over seem remarkably slow in implementing even a rudimentary set of security policies. The audit office recommended restrictions on Internet access, better password management, patching and content filtering. These recommendations are so basic that the gap between what is currently implemented and an adequate security posture must be fairly large.

Governments should take the lead and set an example in organisational security excellence, as they are the largest repository of citizen data and provide the services that validate a citizen's real identity, such as social security numbers, passports, citizen IDs and so forth. Failure to do so will ensure that organised criminals and unfriendly governments can disrupt ongoing IT initiatives and systems.
