By Computerworld Philippines Staff
April 26, 2010
Four IT executives reveal that budget constraints and lack of user support and awareness are pulling back the compliance efforts of their IT departments.
At a glance, the terms “security” and “compliance” may appear to denote the same thing, the application of safety measures. But at Computerworld Philippines’ monthly CIO Roundtable, we learn that their practice and meaning vary from one organization to another.
At the roundtable, four CIOs from companies with different lines of business explained the various ways security and compliance are met, and the reasons behind those approaches. They also revealed different strategies for ensuring compliance with security policies across the organization, as well as the technologies needed to help achieve that goal.
For Ross Sherwin de Claro, Information Security Officer (ISO) of the government owned and controlled company the Philippine Amusement & Gaming Corporation (PAGCOR), compliance is “more of a guide than rules to follow” in order for their organization to succeed.
For his part, Christopher Eslava, IT manager of SYSU Group of Companies, shares that as a result of their joint venture with McCormick US, they adopted a pre-defined policy as a standard. He says that an audit is done as a measure of internal control, wherein data should be properly protected against loss, damage and growing Internet fraud, viruses and malware.
Yet over at First Life Financial Company, Inc., the local company developed its own internal IT policies. The Assistant Manager, Information Systems Department, Marianito Alveniz, says the increasing dependency on information resources forced them to comply with IT security.
Giving a differing opinion and practice on compliance and security is Anton Estepa, IT manager of Marubeni Philippines Corp., a subsidiary of Marubeni Corp. in Japan, which is involved in international trade. Compliance for them, he says, is “very broad” since they have different branches and companies. “Japan will give us lists of compliance, then we need to select and follow. It’s either these lists of compliance are regulatory by law or compliance under in-house compliance or just company compliance,” Estepa says. “For security, Japan provides us a procedure or guide on how we can comply for that certain compliance.” Estepa personally believes that focusing too much on regulatory compliance may hurt security postures and that it is essential to have a balance between compliance for security and compliance for business.
During the meeting, Ricky Carreon, assistant vice president of MIS, Fortune General Insurance Corp., served as the event’s guest moderator and led the discussion along with CWP’s editorial group. Clarence Phua, country sales manager of Sophos ASEAN, was also there to represent the sponsoring company.
EXCERPTS OF THE ROUNDTABLE DISCUSSION FOLLOW:
Computerworld (Ricky Carreon): Before we proceed directly to the discussion, we’d like to know your expectations about the topic on security and compliance. I read an article on security and compliance; there is a law, there’s a regulation that we need to comply with. Or is it about how we implement security?
Ross Sherwin de Claro: For us at PAGCOR, we’re quite similar to BSP (Bangko Sentral ng Pilipinas) because we’re doing the regulatory function when it comes to the gaming industry. However, right now, the majority of the gaming facilities or casinos are managed by PAGCOR. But if you look into the local gaming industry, there is also online gaming involved. And we’re the ones regulating their compliance. It’s similar to BSP in a way that they’re the ones providing BSP circulars to banks.
Computerworld: So PAGCOR will enumerate all the security policies and these companies should comply?
De Claro: Yes, and the other aspect of provision security is we have competition. There’s Macau, there is Singapore. One of the missions of PAGCOR is to be competitive internationally. So definitely if we want to be competitive, we must, in some way, comply with the international standards. That’s why we’re complying with that but not formally venturing into something like ISO 27001. As for local information security compliance, not much is covered for us, but the initiatives that we see are those of the National Computer Center and the Commission on Information and Communications Technology, which are the public key infrastructure initiatives sent by the Office of the President. Those are the things that we’re looking at, and maybe in the next two years, we might be able to implement the NCC and CICT compliance.
Computerworld: When you say security and compliance, as far as Sherwin is concerned, the thing that comes into your minds of course is the rules and regulations that you would want these other companies to follow, or is there a system that you would want to secure but have to comply with another regulation?
De Claro: Each industry has its own sort of best practice when it comes to compliance. It’s like there is a best practice for gaming, there’s a best practice for banking and so forth. The focus is not so much about what you need to follow but more about what you need to look at as guides, sort of a best practice or standards that have been proven effective for many organizations. So it’s more of a guide, not rules.
Estepa: For my part, when we say compliance, it’s very broad because we have different branches, different companies. First, Japan will give us a list of compliance policies, then we need to select what compliance we need to follow. It’s either the policies are regulatory by law or just company compliance. For security, Japan provides us a procedure or guide on how we can comply for that certain compliance. Now, for example in the Philippines, we don’t have any regulatory compliance. Actually we started only in 2000 when we were attacked by a virus. For Japan, they always comply based on the regulations made by the Japanese government. Actually, our company right now is a member of the 27001 ISP standard and we’re not the type who are required to comply with the Philippine standard or that of Singapore or Thailand. It really depends on the budget of a company branch and what it needs to comply with when it comes to security.
Christopher Eslava: With our joint venture with McCormick US, they gave us a pre-defined policy that we have to follow after they conducted a yearly audit compliance check. So right now, we are following the US rules. So we have to make sure that we are complying with the standard.
Marianito Alveniz: In our case, since we are a local company, we developed our own IT policies although they are not that comprehensive. And one of our projects this year includes strengthening our IT policies. Now we consider those regulatory compliance mentioned but our focus, besides those that are from government bodies, is our internal policies.
Computerworld: Is there an increasing pressure for the IT department to be a champion of compliance when it comes to IT security? Why or why not? What factors are pushing compliance in your company?
Eslava: I would say yes, because information is very important in every business. Now we, as the IT officers and the assigned data and IT infrastructure custodians, have to make sure that we are providing the end-users the accurate information that they need in our daily operation. This information should not be damaged, stolen, or infected by viruses and should be regularly available whenever they need it. Now in terms of what’s pushing the compliance in our company, like I said a while ago, as a manufacturing and distribution company and a joint venture of McCormick US, we comply with the predefined policies set by them. An audit is conducted annually as a measure of internal control. Data should be properly protected against loss, damage and growing Internet fraud, viruses and malware.
Alveniz: Information assets are critical to our business growth and operation. Protecting them is a significant challenge, and the increasing dependency on information resources forced us to ensure compliance with IT security.
De Claro: For PAGCOR, there is definitely increasing pressure when it comes to compliance, most especially in terms of confidentiality of information. This concerns our very own bread and butter: our customers. Some of the business processes regarding information have been automated because of international competition. Locally of course, the information within that automated system must be there but with the highest level of confidentiality, not only in terms of information like computer data but the physical data as well, like printed information. So those are also critical for us. That’s the reason why there are also policies when it comes to using office equipment like printers and scanners. We don’t want the physical data to be converted into digital and go somewhere else. When it comes to factors that push for compliance, it is our internal requirements, which involve information about our customers. Second is the outside competition, locally and internationally. Third are requirements that are set up by the Philippine government like the initiatives of NCC-CICT, which is about public infrastructure. They were the ones who pushed for it.
Estepa: For me, there’s not much pressure yet because like what I said, Japan sends me the list of compliance, then I select only the essential compliance. I believe when the IT professional focuses on the regulatory compliance, it may hurt security postures. We need to balance between the compliance for security and the compliance for business. What Tokyo gives is general compliance for business and for IT. Now the big pressure is in Japan because the head of IT is in Japan. So they are the ones who are making the compliance and the guidelines for the security.
Computerworld: What is your strategy to ensure compliance with security policies across the organization?
Alveniz: Some of First Life Financial’s strategies are the following: First, management buy-in for compliance enforcement is very important, because they are the ones who will give administrative actions to employees of their organizations and their teams. Then we have to regularly review and ensure that the security architecture infrastructure is implemented using the right configuration, because some malware might come in in the future if it is not configured properly. Also, we have to ensure that proper controls are in place; they can be physical, technical, or procedural, so it depends. Then, in order to protect our information assets, countermeasures to threats are highly considered. So we have to know how to kill it if a threat is able to get in. Similarly, personnel and organizational structure are also an important area, which includes roles and responsibilities as well as the skill sets. So we must deploy the right skills for that specific task if problems occur. Lastly, awareness programs and education, especially for new employees.
Computerworld: Could you share a profile of your infrastructure set-up? Like how is your data being secured?
Eslava: Our head office is located in Panay Avenue, Quezon City; the database is housed there, and we have branches in Novaliches and Baisa, which are also in Quezon City. And we have sales offices in Visayas and Mindanao, and then aside from that, we have the international company, which is McCormick US. We connect through their email, which is Lotus Notes. The set-up is more on a wide area network. So we have BPN connections connecting our sales offices and leased lines connecting our warehouse and manufacturing in the factory. We have the Linux firewall set for security authentication for the SAP servers, which is our database, and then we have remote access from mobile users through BPN. We have a BPN router for the mobile users, so basically that’s the overview of our IT infrastructure. The strategy here is just like what Nito (Alveniz) said about the awareness program. That’s the first strategy that we have. We have an information drive where we conduct orientation for newly hired employees about IT security. We also plan to include policies and procedures in our employees’ handbook so they will have guidelines not for labor-related matters only but also for IT security. That strategy I think will help us comply with IT security compliance of policies and procedures. Second is hardening the security by checking our policy and reviewing it quarterly.
De Claro: For PAGCOR, basically we have nationwide operations. We have 14 branches and there are some small sites that we own like Citystate & Ronquillo. It’s not a big casino but it is considered as one of PAGCOR’s branches.
Computerworld: When you say PAGCOR remote office, it’s a casino?
De Claro: Yes, it’s a casino. Data are distributed in nature. Each branch has its own sets of data. And even within PAGCOR, it’s considered a competition. Each branch has its own target, its own loyal customers of a certain branch. It has its own marketing strategy depending on the location. Pavilion has its own marketing strategy, although right now our focus is more on providing amenities. It’s a bit centralized as a standard so that wherever the customer is, he can avail of it. Those are the kinds of information that we protect from external threats and from the internal threats as well. We have policies implemented like the creation of passwords. Each employee has his or her own password, which basically enforces accountability on the information. We even have policies that enforce that requirement. So right now, the majority of our applications are Active Directory integrated. We do monitor compliance. We found that sometimes there are end-users who share their passwords. So there’s a clear HR memorandum wherein if anyone is proven to have shared his or her account, he or she could be suspended or terminated because you have access to confidential information. We also review policies and update policies on a regular basis to accommodate new changes. Besides implementation, another strategy is awareness programs.
Estepa: As for our IT infrastructure, each branch has a server but the main and critical servers are located in Tower Center in Japan. So if something happens to a local server here, the servers in Japan will take over for business continuity. For compliance, we conduct awareness seminars for our employees. We also educate them regarding the restrictions imposed on them.
Computerworld: What are the stumbling blocks to full compliance with security policies or standards?
Eslava: I would say the lack of support from the end-users. Second is the cost of security treatment, and then lack of information given by the vendors.
Alveniz: It is in the event of insufficient information dissemination to current employees and especially to new employees. That’s where noncompliance with IT security starts, especially if it takes long before you send out reminders.
De Claro: For us, actually it’s more on the people, their acceptance of the policies. The other one is budget. Because even though you have awareness programs, if you don’t have enough budget to fly people from Davao or fly in people to Manila to attend the awareness program, it spells a problem.
Estepa: One of the stumbling blocks is the budget because in Marubeni, we have to discuss it first with head office. We need to defend our proposal. So that is one of our problems. We need to talk more. We need to discuss more because we need the budget.
De Claro: Actually the concern on the budget depends on the target. If the target is technology, then the cost would be hard to compromise. In our case, the issue was more on the awareness side. The strategy that we did was to utilize what we have, which is our own internal portal system.
Computerworld: How do you address that challenge on end-users for them to be compliant?
Estepa: Even if you complied, there are still risks coming from your end-users. And so I inform them about our awareness policies. We post these on bulletin boards and also email them. We really warn them because in Japan it’s very strict; even if you enter only more than or less than the required number of characters for a password, you are suspended for one week.
Alveniz: In our company, we guide users through our IT literacy program but it’s not the classroom-type scheme. We do this in short messages and even put cartoon characters or images so that when it reaches them it’s easier for them to relate with and understand.
Eslava: I have to partner with the HR department because it’s more effective if warnings are coursed through them. There’s not much sting when the IT department issues a memo.