arabianbusiness
April 2, 2008
With a brand new risk assessment procedure, Kuwait's Zain Telecom is working towards an impregnable data stronghold.
For Kuwait-based Zain Telecom, quality is not a buzzword. It is a guiding principle by which the organisation directs all of its functions from administration to operations to service provision.
This dedication to doing everything as well as possible also shows in the way the company invests in and maintains its information technology solutions and infrastructure.
This is reflected even more strongly in the security measures it puts in place for its physical setups as well as its information. In pursuit of higher levels of security, the firm implemented and follows the ISO 27001 standard.
Not only does this make it one of the very few organisations in the Middle East that follow the security benchmark, but also one of the earliest, since the firm was certified to the standard nearly five years ago.
"The move to ISO standard certification began four to five years back. The standard provides you with guidelines on how to implement security. We did not want to reinvent the wheel and so we decided to use these guidelines instead of starting from scratch.
We have been certified on quality for around nine years and the security certificate is an add-on to what we already do. Once we have put in practice the stipulations of the standard, the certification comes to us automatically.
There is no back door to this - you have to practice what the standards say and prove yourself to the auditors," states Nasser Mansour AlKhudhari, corporate security manager at Zain Kuwait.
Everything in the security arena falls under the specially formed security division of the company.
"The formation of the department came from the executive management. We handle and save very sensitive information and data, and the purpose of the department is to protect that. The security department is not just about information security; the goal was to have all kinds of security from physical security to data security under that department.
This is because in the real world, when you are protecting assets, one cannot be considered independent of the other. Our corporate security effectively combines all the different aspects of defence," says AlKhudhari.
The firm has a well-developed physical security system that connects all GSM base stations and headquarters, through biometrics and CCTV, to a single central security operations centre (SOC) where all access and actions are monitored and archived. Needless to say, the firm invests in and maintains an equally sophisticated and effective information security infrastructure.
In keeping with the strictures of the ISO standard, Zain carries out an annual risk assessment, calling in a third party to conduct a thorough test of its security systems and confirm that everything is operating as intended.
AlKhudhari, who started at Zain in the IT department and has been heading the 25-member security department for a year, wanted to make an organisational impact with his very first risk assessment and do something different from those of previous years.
"I had a dream. When I conducted the risk assessment this time over, it would be a pure team effort. We have a management team that is well aware of the risks we face. In fact, the management has been highly supportive of our goals and encouraged our work to reach higher security metrics. But I believed that was not enough.
The employees themselves, who are working on the systems everyday, have to know what risks are out there. All employees have to be aware of security and practice it in their workday every day - I wanted them to think what if something happens? That was my goal," states AlKhudhari.
With this in mind, AlKhudhari decided to see what the market had to offer instead of going with the same consultant who had conducted the security risk assessment for the firm in previous years.
"Before choosing the vendor, I put together a technical team. This team comprised personnel from IT, networks and even the finance team.
I sat down and explained to them all about risk assessment, its importance to the organisation and what they can gain in terms of knowledge from the process. I also explained that security was not a one-point development and that it had to be a combined task covering the organisation.
I then asked them to have a look at their systems and inform me of any vulnerabilities that they come across," explains AlKhudhari.
With the team in place, Zain started its search for vendors. In this too, AlKhudhari brought his distinctive touch, insisting that the consultants send their technical team - the one which was going to perform the risk assessment - instead of being satisfied with the sales personnel usually sent to such pre-sales meetings. Zain's technical team not only met the people from the vendor, but even went through their resumes and references to ensure that they were properly qualified.
"We selected Kurt Information Security at the end of this process. We ranked all the vendors on criteria including price, knowledge, tools used and so on. Kurt consistently ranked high on most of them," says AlKhudhari.
The risk assessment process was conducted across two months covering December 2007 and January 2008. According to AlKhudhari, the team spent almost three months selecting the vendor - more time than they did on the entire risk assessment.
The way to success
Once the contract was signed between the two organisations, a kick-off meeting was conducted where both sides agreed on the project milestones and the schedule for the same.
"In risk assessment, there is the black box, the grey box and the white box. The black box is where the consultant's team needs to know nothing more than the organisation's name and conducts testing exercises on its own. In the grey box area though a certain level of access is needed and some information is required from Zain.
Scheduling these meetings at that point in time can cause delays, which is why a lot of people think risk assessment procedures take time. We avoided this completely by deciding the date and time for each of these meetings at this initial stage," says AlKhudhari.
"All of this was put down in a project definition document. Timelines, meetings between members, who is responsible for what task - all of this is entered into a document that we all sign in the start to ensure that everybody is going to abide by it," says Michael Wellington, CEO of Kurt Information Security.
According to Wellington, Kurt uses a specific methodology that has been developed by the company based on its experience and market dynamics. Though it is customised based on certain elements of the project, the basic framework remains the same and Kurt's team uses it as the backbone for any risk analysis procedure.
The framework largely consists of elements from ISO 27001, ISO 20000, COBiT and CRAM. However, the R&D team constantly works on modifying and updating it based on market feedback.
Wellington stresses that during the black box stage of vulnerability assessment no interaction with the client (Zain in this case) is necessary, while the grey box demands a certain level of working together.
In the white box stage, the team has a much higher knowledge level and looks into the system for largely configuration and patching related issues.
This is also where they relate what they saw in the black box stage to what they find in the white box stage, and so establish the cause of any problems found.
"So in this time there are phases where the organisation needs to deal with the consultant's team and where it does not need to. The consultant doesn't fully interact with the client due to the need for validity of the findings.
That is what a lot of companies make a mistake with - they start asking you questions about the process when you are supposed to be doing this on your own.
This is also something that differentiates one vendor from the other - knowing that you should not do anything to reduce the validity of information.
You need to look at the circumstances as a hacker would approach it and after this, when you get into policy evaluation, you can interact with the client to get him on the same page and share your understanding with him," states Kurt's Wellington.
To ensure consistent knowledge transfer between the two teams, regular weekly meetings were held to bring them together and discuss findings. This was followed by a thorough workshop after the entire risk assessment procedure was completed.
"The idea was not just to present final findings to the team but actually make them understand how we got to those findings so that they are able to understand the flaws that we want to correct. How you get to a certain point, explaining that to your client and letting him understand, is much more important than just presenting the findings," explains Wellington.
The findings and later
After the extensive risk assessment procedure, Kurt presented its findings and made some recommendations to Zain.
(Kurt's Wellington states that continuity is critical in security assessments and the company works with clients even after risk assessment - in regular monthly or weekly meetings - to ensure that security changes are implemented and that general quality is maintained.)
According to AlKhudhari, the company will use some of the recommendations to improve its security processes, but the essential policy will remain the same since the firm was practicing and certified in ISO 27001 in the first place.
"The end-user buy-in into security policies has also been achieved with this procedure. The goal is to show them that security is not about just one hand, everybody is involved in it. To do something when you are convinced about it is much better than being forced to adhere to it. That is my belief," says AlKhudhari.
Employee awareness of security measures is kept high with posters, e-mails and sessions with various departments. Teaching employees the basics of security is a part of ISO 27001 as well, and Zain ensures that it does not miss that element.
AlKhudhari states that Zain will continue to perform annual risk assessment and vulnerability testing procedures in its pursuit of higher levels of security and in ensuring that all of its operations and data are safe behind foolproof security.
"Since we have been certified for five years we already have security measures. The reason for the risk assessment from a third party is to check on what we are doing; sometimes there are things that you need a different eye to look at.
We have our systems and we are very confident that they are secure. This is just rechecking. It is like taking your car for a service, you are confident that it is doing good - but you take it to a regular service just to check the floors or just general patching. It is the same concept," concludes AlKhudhari.