Showing posts with label Information Security.

Sunday, December 27, 2009

Information Security: What comes first - Business Impact Analysis or Risk Assessment?

Last week, I attended a two-day course on ISO 27001: Information Security Management System. The course was meant for auditors, and as part of it we discussed the relevance of Business Impact Analysis (BIA) and Risk Assessment (RA) in the context of an Information Security Management System (ISMS). The question that was asked was: what comes first, BIA or RA?

My immediate response was Risk Assessment. As an organisation, one would need to identify all risks, rank them by the magnitude of their impact and the probability of their occurrence, and finally formulate a mitigation plan for the top risks. By my argument, business impact analysis was a subset of Risk Assessment.

However, there was a counter-argument to this. For large organisations, it is a time- and effort-intensive exercise, if not an impossible one, to identify all risks and assess their impact. So rather than starting with a risk assessment, it would be a lot easier to carry out a Business Impact Analysis upfront. This would involve identifying the critical activities of the business value chain, or the critical assets, and assessing the impact on the overall business (in terms of loss of production, loss of revenue, loss of person-hours, etc.) should they fail. A risk assessment would then be carried out to identify the risks that would adversely affect these critical value chain activities or assets, followed by a mitigation plan for the top risks identified.

On second thoughts, the latter approach seems very rational and logical. What do you think?

Monday, June 30, 2008

Sidewalk: Security Token for Life Insurance Portals - A good idea?

My opinion was sought recently on a proposal to implement two-factor authentication, in the form of a security token, for our (a Life Insurance Company) customer portal. There are two considerations:
1. Risk Exposure, and
2. Convenience and Ease of use

Risk Exposure depends on the information displayed and the transactions facilitated on the portal. To a large extent these two elements determine the exposure to attacks by hackers or to fraud. Of course, a hacker may also attack a portal simply to harm the credibility and reputation of an organization.

The whole idea behind having a customer portal is to offer convenience to the customers. Customers can operate at any time from anywhere as long as they are able to connect. But with a security token, customers not only have to carry additional hardware but also have to make sure not to lose the token. I am being forced to use such a token by an MNC bank operating in India, and I am not particularly pleased about it, as I have to carry the token with me wherever I go. No doubt customers want secure transactions, but they certainly do not want the onus for this to be passed on to them.

I do not think Life Insurance companies need to go for two-factor authentication for customers. First, the risk exposure is not as high as that of banks offering online banking services. Second, the ratio of active customers accessing an insurance portal is very low. Typically, insurance customers access the portal to pay a renewal premium, to view fund details and to carry out fund switch / fund redirection transactions. These information and transaction needs bring life insurance customers to the portal as seldom as once or twice a month, even in the case of highly active customers. So any additional hurdle, such as a security token to access the portal, will further dampen the active customer ratio.

What has been the experience of insurance customers in developed economies? As a service provider or as a customer of a life insurance company, have you come across any life insurers enforcing two-factor authentication for their customer portals?

Sunday, December 30, 2007

Sidewalk: Password Pains

The downside of being an on-line user is that at any point in time I have to remember at least 5-7 different usernames and passwords. Be it my e-mail, bank, on-line trading account or insurance policy account, every provider of these on-line services implements a different information security and user management policy.

Yesterday, while I was required to change my internet banking password, I stumbled upon a shocking gap in the password policy of my bank, which is one of the best private banks in India. The password policy of this bank forces me to change the password at regular intervals and enforces that my current password is different from my last 3 passwords. However, to my surprise, I could change the password 3 times in succession and return to my original password within a matter of a few minutes.
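The gap described above, as an added illustration (not code from the post or from the bank): a history check of the last 3 passwords on its own can be cycled in a few quick changes, while a minimum password age, added here as a hypothetical countermeasure, turns a minutes-long cycle into a days-long one. The class, function and parameter names are assumptions for this example.

```python
"""Password-history enforcement with and without a minimum password age."""
from collections import deque
import hashlib


class PasswordPolicy:
    """Models a policy: new password must differ from the last `history_size`
    passwords, and (optionally) may not be changed again for `min_age_seconds`."""

    def __init__(self, history_size=3, min_age_seconds=0):
        self.history_size = history_size
        self.min_age_seconds = min_age_seconds
        # Keep only fingerprints of previous passwords, never plaintext;
        # deque(maxlen=N) drops the oldest entry once N are stored.
        self._history = deque(maxlen=history_size)
        self._last_change = None

    @staticmethod
    def _fingerprint(password):
        # Comparison key for history only; a real credential store would use
        # a salted, slow hash for the live password.
        return hashlib.sha256(password.encode("utf-8")).hexdigest()

    def change_password(self, new_password, now):
        """Apply the policy at time `now` (seconds). Returns (ok, reason)."""
        if (self._last_change is not None
                and now - self._last_change < self.min_age_seconds):
            return False, "minimum password age not reached"
        fp = self._fingerprint(new_password)
        if fp in self._history:
            return False, f"password matches one of the last {self.history_size}"
        self._history.append(fp)
        self._last_change = now
        return True, "changed"


def cycle_back(policy, original, fillers, start=0, step=60):
    """Set `original`, rotate through `fillers` one change per `step` seconds,
    then try to return to `original`. Returns the (ok, reason) of that last step."""
    policy.change_password(original, start)
    t = start
    for pw in fillers:
        t += step
        policy.change_password(pw, t)
    t += step
    return policy.change_password(original, t)


if __name__ == "__main__":
    # History of 3, no minimum age: three throwaway changes a minute apart
    # push the original out of the history, so the fourth change restores it.
    print(cycle_back(PasswordPolicy(3), "orig-pw", ["one", "two", "three"]))
    # Same policy plus a one-day minimum age: the quick cycle is refused.
    print(cycle_back(PasswordPolicy(3, 86400), "orig-pw", ["one", "two", "three"]))
```

A minimum age only slows the cycle to one change per day; a longer history makes the rotation cost exceed the convenience of reusing an old password.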

Are such stringent password policies really secure and safe for customers? I do not think they achieve anything other than complicating the lives of customers and users of on-line services. Having to remember 5-7 different usernames and passwords, I expose myself to the risk of identity theft by recording them on an easily accessible medium for easy reference.

Why is it that the brick-and-mortar world does not force me to change my signature every now and then? What do you think is the right approach?