Bright Stove

Reflecting information risk journey

Archive for February 2007

Is ISMS relevant to SME and Non-Profit Organizations?


I often get asked about the relevance of an Information Security Management System (ISMS), such as one built on ISO/IEC 27001:2005, to small and medium enterprises (SMEs), given that the ISMS practice originated in large organizations that have far more resources to protect, and far more resources with which to deal with the problems of securing information. Yesterday, a student extended the question with an interesting twist, asking whether an ISMS is also relevant to non-profit organizations. This seems a good place to share my thinking on the question (and its extension).
 
Based on my experience, the question is not really about the size or nature of the organization, but about whether the organization (1) has a need for information security, and (2) has recognized that need. If either is missing, an ISMS will be redundant, regardless of the size of the organization and regardless of whether it is for profit or not.
 
Most organizations today will agree that they have a need for information security, if only because they use the Internet for their business. The basic consideration, however, should be the "information" that the business has acquired, generated, stored and so on. If there is no critical information, for example because all of the organization's information is publicly available, then why be concerned about security? If only the organization's online presence is a concern, then the focus should be on survivability, continuity, and perhaps recoverability, rather than on information security. In most cases there are elements of information criticality, presence, and trust (since security breaches diminish public and user confidence), and together these add up to a need for information security.
 
A need, however, does not necessarily translate into recognition and action, as businesses always have other priorities that the owner or management consider more important than doing something to make sure nothing bad happens. The size and nature of the business normally have a significant impact on that priority, as does the attention regulators pay to the particular industry. If there is no law requiring information security practices to be implemented in an industry, the priority is normally lower.
 
As for the ISMS, the security policy, and related standards, I regard them as a framework of common practices, or a strategy, that provides direction and guidance on what to consider and how to formulate action plans once the (1) need and (2) recognition have been achieved. An ISMS (for example, ISO/IEC 27001) is as applicable to a non-profit organization as to a for-profit one, and as applicable to small companies as to large multinationals. In fact, smaller organizations can use it more effectively, since there is less organizational politics to obstruct such an initiative. The cost of an ISMS is not in the practice of the ISMS itself; there is little cost inherent in implementing the management system. External consultants charge high fees today because the extent of the work required is not well understood, demand is low, and little expertise exists. The costly part is the implementation of the actual security measures (or controls, in the words of ISO/IEC 27001), since that involves buying things and deploying them. For small companies and non-profit organizations, as for everyone else, an ISMS framework provides a thinking process for working through the information security risks the organization faces, and then rationalizing how to treat those risks. Given the size of such an organization, the risk assessment is likely to end up with only a small scope requiring protection, and therefore, if done right, few security measures will need to be adopted. As a result, the cost of security will also be lower. The organization can still be 27001-compliant, since compliance lies in applying the framework in the risk management process, not in how much money is spent in the process.
 
Lastly, based on my own experience working with several non-profit organizations, they are often not poor in terms of financial capacity. If they were poor, they would already be gone. But they are held to a much higher benchmark and expectation of accountability, since their money does not come from selling goods and services. The challenge they face in most cases is that they do not have knowledgeable, skilled people to strategize and execute projects that meet their needs as an organization. They have to use the people who come forward, regardless of whether those people have the skills and knowledge to be effective volunteers. If they spend money hiring skilled staff or external consultants, they have a lot more to justify in order to remain accountable. These days such spending is becoming even more sensitive, and therefore invites more scrutiny. Consequently, both the need for information security and the recognition of that need are much harder to come by in a non-profit. It is easy, though, to place the blame on standards, size, and the nature of the organization. Peter Drucker's book Managing the Non-Profit Organization discusses the challenges, and what to do about them, from a management perspective; it is good reading for more insight as well.
 

Written by mengchow

February 18, 2007 at 4:40 am

Posted in Security Standards

Yet another flight delay :-(


February 9, 2007 – This is the third trip in a row over the last five weeks on which my Silkair flight has been delayed. The first was to Trivandrum, delayed by an hour at Changi Int'l airport. Then it was the flight from Kochi to Singapore, delayed another few hours, after I had already travelled for five hours on the road from Trivandrum to Kochi in southern India. And today, again, from Langkawi to Singapore, at Langkawi airport, for more than three hours. For the long wait, Silkair provided a dinner coupon with a value of RM 10. I went to the restaurant and ordered a plate of Mee Goreng (fried noodles, Malay style) and a glass of orange juice (more precisely, orange syrup), and they cost RM 11.50. After waiting for two hours, I bought a bottle of mineral water, and there went another RM 1.50. What makes them think that RM 10 is sufficient for dinner during a three-hour wait in this airport? Should they have a system for actual reimbursement, given how frequent such delays are nowadays?
Such a problem is perhaps not just Silkair's. Not too long ago, I was scheduled to board a United Airlines flight at Seattle-Tacoma Int'l airport at 1230hrs. The airline again cited a mechanical problem and postponed it for 20 hours, to 0930hrs the next day. They mentioned two reasons. One was the time required to get the replacement parts, and the other was that the crew would be illegal to fly after N hours of delay. But it is not illegal to keep a few hundred passengers on hold in their life's journey. Again, the delay was announced at around 11am, and the compensation, even for business and first class passengers, consisted of one night's stay at an airport motel-like hotel and two meals, dinner and breakfast, but no lunch. There was no contact person to ask about lunch, and no means to claim it once we were sent to the hotel (which we had to get to on our own, actually).
There doesn't seem to be anything, regulation or otherwise, that will penalize the carrier for such delays. Passengers like me, who need to travel frequently for our livelihood, can only sigh and wait, and even spend extra, whenever someone working on a flight causes it to be delayed. The reasons given are often "mechanical". If there are so many mechanical errors, are these aircraft still safe to fly? If they are minor problems, the many instances in just these few weeks seem to say that someone is not paying attention. Are there quality issues or management issues? If the problems are minor, why can't they be prevented in the first place? What is happening to this industry? Three hours per passenger: for a flight of, say, 100 passengers, that is 300 man-hours, a big waste of resources. I think the regulators for this industry should start to step up their scrutiny and make sure that customers are not wasting their resources waiting, waiting, and waiting all the time. When we wait and waste, the airline should be paying for our losses.

Written by mengchow

February 11, 2007 at 2:31 am

Posted in Travel

Trivandrum to Kochi


January 17, 2007 – Today is another one of those travelling days, but this time a very long journey on the road. There is no direct flight from Trivandrum back to Singapore today, and I have to be back in Singapore by tomorrow morning. So I have to ride in a car to Kochi, which is approximately 270 km away, a five-hour journey. The Kerala Police Department was kind enough to arrange a police car to take me there, with a police constable (PC) accompanying me for the trip, plus a driver. Throughout most of the journey, we talked about general things concerning Kerala and the living conditions and culture of the people there. Rajeesh, the PC, also told me about his girlfriend, who lives in Kochi, how they had met in a temple in Trivandrum, and how they planned to get married in two years' time. The journey was accompanied by loud Indian pop songs, mostly love songs, as I understood from Rajeesh.
[Photo: Kerala-20070116 011]
Rajeesh also spoke fondly about the love story behind the Taj Mahal and about the backwater phenomenon in Kerala. I think I should extend my coming trip to Delhi by a day to visit the Taj. The backwaters apparently bring in seawater, with fish, during the hot season, and rainwater, as fresh water suitable for agricultural use, during the other season.
[Photo: Kerala-20070116 017]
We stopped at a roadside motel's restaurant for a coffee break, with Indian fried corn cake and fried banana, about 150 km from where we started. The tea break cost Rs 38.45, which is less than USD 1, for all three of us. Rajeesh said that the cost of living there is less than USD 10 a day, including accommodation in a local hotel. Ironically, the room rate at the Leena (in Trivandrum) was USD 320 per day, which is enough to live there for more than a month. It is apparently also around two months' pay for Rajeesh.
[Photo: Kerala-20070116 016]

Written by mengchow

February 10, 2007 at 3:35 am

Posted in Travel