Aneesh Bhargav
August 26, 2014


"Where do I start from" has always remained a thought on the mind most IT Managers at organisations - especially from Non-BFSI/ Non- ITES industries. This thought, as soon as they are convinced that they are ready to take small, yet critical strides in building a secure landscape at their company.Now, Imagine This. You've finally decide to lead a "clinically healthy" life after long years of work. You know that certain aspects of your physiological health is stellar (or thats what you think), and so are you absolutely sure that there are certain aspects for which you need medical assistance (again, thats what you think). The most logical next step would be to consult your trustworthy medical practitioner and let him or her know of your thoughts. The practitioner too cannot be absolutely sure as to what is and what is not a concern with your health. Enter, the much needed diagnostic check! The medical practitioner recommends you to a "Master Medical Health Check" with possible additional focused tests (based on your previous medical history) and you're asked to come back to the clinic with the reports for further course of action.The Master Health Check is comprehensive enough to indicate any potential cause for concern, yet not focused on anything specific.Most IT departments at organisations today have to scale up to business needs in a matter of weeks or in some cases (where I have been personally been witness to) in days thereby giving them no interval to even remotely think of probably business risks owing to the adoption of new technology. However, at some point or the other, owing to either regulatory compliance, prospective customer demands or the self righteous pro-activeness of the IT Manager, organisations are led to adopt an information security program. The foremost thought of the IT Manager being - "Where do I start from?"My analogy of a Master Health Check up can be applied to an Information Security program for such organisations whom I would like to call the 'First Timers'.Going back to the rhetorical basics - An organisation's IT landscape basically boils down to the traditional "PPTs" - its People, Process and Technology. Therefore it would be a natural corollary that Information Security too boils down to the same three basic ingredientsAn organisation's first step towards an Information Security Program (prior to implementation) would be to conduct what I'd like to call an "Information Security Health Check (ISHC)" on the PPT domains. An ISHC would need to be conducted at a level that is comprehensive enough (equivalent to a Master Health Check) to assess any glaring issues across the IT landscape at the same time should be far from a very focused activity like say an IT Security Audit (equivalent of a Laparoscopy ). The ISHC is aimed at broadly answering the following questions of the IT Manager

  • Technology - Does the organisation's technical security control framework address the business' and my perceived risks?
  • Process - Do I have the required level of operational processes to support my technology control framework?
  • People - Could my IT users be the weakest link?

In addition to the perceived risks of the organisation, a typical ISHC should also consider best practices followed by mature organisations in the similar domain and of a comparable size.The resultant of the ISHC should essentially answer core question that I started off from - "Where do I start"?For example, the ISHC traffic lights (report) could suggest that the organisation's Technology and Process level controls are in the Green, however the People seem to be less aware. The direction that the IT Manager would now need to take is in enhancing the skill and awareness levels of his users. If Technology is in the Red, the organisation should focus its energy into tightening the application or network level security controls. If the Process element of the ISHC is weak, the answer to that is to bring about a method to the madness by implementing a crisp,relevant and repeatable IT (Security) process or by adopting a framework like the ISO 270001.In conclusion, a well executed ISHC brings to the forefront the Knowns and the Unknowns, both of which are extremely important for the 'First Timers'