An increasing number of UAE-based organisations conducted information security audits in 2009 due to the global recession, as IT networks became vulnerable, putting confidential information at risk.
Until last year, the focus for companies in the country was on engineering and process audits and not on IT (information technology) security audits. "IT security audits have been low in priority but as government agencies and departments push for achieving certifications, the scenario has changed in the past few months. The public sector has been proactive as there has been a serious government initiative that all departments must be certified," said Ahmad Hassan, team leader, monitoring and response, at aeCERT (UAE's Computer Emergency Response Team).
In the private sector, companies are going in for certifications for quality purposes and to gain a customer base. "In the UAE, it is seen that companies are working towards achieving a certificate and complying with it," added Hassan.
Organisations such as DNV (Det Norske Veritas) and BSI (British Standards Institution) certify organisations and conduct IT and information security audits for companies in the region. The most popular and accepted is ISO 27001 certification for information security.
"Awareness on information security has grown over the past four to five years. Organisations not certified by ISO 27001 are realising that [their] reputation is at stake. Security awareness and architecture of the company will be underestimated by the outside world," said S Ramanathan, Area Manager-UAE, Kuwait and Oman at DNV Business Assurance (Dubai).
Ramanathan has seen an increase in awareness in applying for the certification among companies in Dubai and Abu Dhabi. The region's outsourcing destinations such as Egypt and Jordan are also taking up information security seriously as huge amounts of data are stored in IT infrastructures and networks. Countries such as Qatar and Bahrain are also joining the bandwagon.
In Abu Dhabi, Adsec (Abu Dhabi security council) has mandated a framework for all government entities whereby they comply with security requirements. "Governments are pushing organisations to adopt best practices in IT and information security. The number of companies secured and audited has increased rapidly. There has been an increase in interest in both public and private sectors. Banking, airline and medical sectors are most proactive in information security," said Ahmad Al Khatib, General Manager at BSI Management Systems in Abu Dhabi.
These experts cite the global recession as one of the reasons for this change in attitude. "Protecting reputation in such kind of an economic scenario becomes important. Cyber crime also increased last year with both financial and government websites being attacked, due to which security practices were put in place," said Al Khatib.
Security audits are done on a periodic basis and are considered a priority, especially as organisations move to online services.
"Awareness on security threats is on a high in spite of limited budgets. Five years back awareness was low and it was considered as a luxury. As systems worked fine, IT managers would often ask: Why do I need an audit? But now as company information can be accessed online, there should not be any backdoor access available to details," said Mohamed Rizvi Thajudeen, Manager-Information Security and Advisory services at eHostingDatafort.
Today security is a concern for both small and large companies; therefore, there is demand for such activities at both levels. Mandates from the government and company shareholders have compelled companies to run secure businesses as confidential integrity is maintained.
"There has been a demand for security assessments due to which we are also considering providing free services. These services would include assessing networks for an IT security audit," added Thajudeen.
Information security audits are related to data loss in organisations. "Normally data loss is not discussed in the country. Looking back at the global economic recession last year, it happened more because of fraud. Information was hidden and therefore is a case of risk management. This risk analysis is not confined to IT as it includes screening of employees especially [those who are in] critical roles in IT and database," said Ramanathan.
Certifications such as ISO 27001 gain relevance in such a scenario as organisations develop a security framework in this regard. "The need to conform to ISO standards is becoming essential and the percentage in the region is increasing. It is not expensive to get a certificate but building and auditing the system. IT security audit was never taken seriously largely also because of the Arab culture," added Ramanathan.
Customers in the region are still sensitive about giving information, but due to globalisation the UAE and neighbouring countries are changing their attitude.
In the UAE and the rest of the region, telecom companies have been proactive in these IT processes, especially as they expand businesses into international markets.
Organisations such as DNV have experienced y-o-y growth of up to 30 per cent. "In 2009, many customers delayed plans to apply for an ISO certification. The infrastructure was made ready but due to the recession attaining a certification was not a priority," said Ramanathan.
While organisations in the UAE are getting their infrastructure compliant for ISO 27001, there is also a debate on mandatory requirements, which is not prevalent today.
"Organisations should not be forced to get a certificate as companies should not look at gaining benefits out of this certification. When a company conducts an audit it should be done based on requirements and work towards attaining a certificate," argued Ramanathan.
Agreeing with this view, Thajudeen said, "Companies should not be reactive but proactive and security audits must be looked at based on the size of the organisation. Changes within the organisation, business and services are also relevant factors. If any organisation conducts audits every six months it makes sense. With banks, as public information is involved, central bank intervention would also help in the long run."
By Nancy Sudheer
© Emirates Business 24/7 2010