Platform for info security
By Aimie Pardas
28th March 2002 (Computimes)

PROFESSIONALISM in information security will be better served with the creation of an association representing information security specialists in the country.

Such an association can provide a platform for the information security community to exchange ideas, according to information security expert Thomas Peltier.

Peltier, who is also president of information security training and consulting firm Peltier and Associates, suggested that a local chapter of the Information Systems Security Association (ISSA) be set up here.

The ISSA is a non-profit international organisation of information security professionals and practitioners that provides education forums, publications and peer interaction opportunities to enhance the knowledge, skills and professional growth of its members. Currently, the nearest chapter is located in Australia, with no chapter in Asia, said Peltier, a Certified Information Systems Security Professional (CISSP).

"Malaysia is beginning a process of attaining the right certification, and holding seminars is a good step. Nevertheless, information security is achieved by implementing a suitable set of controls, which should include policies, practices, procedures, organisational structure and software functions," he told Computimes.

On a related matter, Peltier said successful implementation of information security begins with identifying the requirements, whether they arise from risk analysis or from laws and regulations, and then meeting them enterprise-wide.

"A risk analysis or assessment can be done to determine the number of controls that are needed. Not all solutions available need to be implemented, only those that are necessary and cost-effective in relation to the risk involved," he said.

Once the controls are implemented, companies will have to review them to make sure that they work, and conduct assessments periodically to ensure that the controls continue to work, he added.

Peltier said common controls and best practices include an information security policy, allocation of security responsibilities, education and training, and business continuity planning. Companies can also make sure that their information security practices and procedures comply with the international standards available to them.