Forging ahead

With a brand new risk assessment procedure, Kuwait's Zain Telecom is working towards an impregnable data stronghold.

By Sathya Mithra Ashok. Published March 31, 2008

The way to success

Once the contract was signed between the two organisations, a kick-off meeting was conducted where both sides agreed on the project milestones and the schedule for the same.

"In risk assessment, there is the black box, the grey box and the white box. The black box is where the consultant's team needs to know nothing more than the organisation's name and conducts testing exercises on its own. In the grey box area, though, a certain level of access is needed and some information is required from Zain.

Scheduling these meetings at that point in time can cause delays, which is why a lot of people think risk assessment procedures take time. We avoided this completely by deciding the date and time for each of these meetings at this initial stage," says AlKhudhari.

"All of this was put down in a project definition document. Timelines, meetings between members, who is responsible for what task - all of this is entered into a document that we all sign at the start to ensure that everybody is going to abide by it," says Michael Wellington, CEO of Kurt Information Security.

According to Wellington, Kurt uses a specific methodology that has been developed by the company based on its experience and market dynamics. Though it is customised based on certain elements of the project, the basic framework remains the same and Kurt's team uses it as the backbone for any risk analysis procedure.

The framework largely consists of elements from ISO 27001, ISO 20000, COBiT and CRAM. However, the R&D team constantly works on modifying and updating it based on market feedback.

Wellington stresses that during the black box stage of the vulnerability assessment no interaction with the client (Zain in this case) is necessary, while the grey box demands a certain level of working together.

In the white box stage, the team has a much higher level of knowledge and examines the system largely for configuration- and patching-related issues.

This is also where they relate what they saw in the black box stage to what they find in the white box stage, and so understand the cause of any problems found.

"So in this time there are phases where the organisation needs to deal with the consultant's team and where it does not need to. The consultant doesn't fully interact with the client due to the need for validity of the findings.

That is what a lot of companies make a mistake with - they start asking you questions about the process when you are supposed to be doing this on your own.

This is also something that differentiates one vendor from the other - knowing that you should not do anything to reduce the validity of information.

You need to look at the circumstances as a hacker would approach it and after this, when you get into policy evaluation, you can interact with the client to get him on the same page and share your understanding with him," states Kurt's Wellington.

To ensure consistent knowledge transfer between the two teams, regular weekly meetings were held to bring them together and discuss findings. This was followed by a thorough workshop after the entire risk assessment procedure was completed.

"The idea was not just to present final findings to the team but actually make them understand how we got to those findings so that they are able to understand the flaws that we want to correct. How you get to a certain point, explaining that to your clients and letting him understand is much more important than just presenting the findings," explains Wellington.

The findings and later

After the extensive risk assessment procedure, Kurt presented its findings and made some recommendations to Zain.

(Kurt's Wellington states that continuity is critical in security assessments and the company works with clients even after risk assessment - in regular monthly or weekly meetings - to ensure that security changes are implemented and that general quality is maintained.)

According to AlKhudhari, the company will use some of the recommendations to improve its security processes, but the essential policy will remain the same, since the firm was already practising ISO 27001 and certified against it in the first place.

"The end-user buy-in into security policies has also been achieved with this procedure. The goal is to show them that security is not about just one hand, everybody is involved in it. To do something when you are convinced about it is much better than being forced to adhere to it. That is my belief," says AlKhudhari.

Employee awareness of security measures is kept high with posters, e-mails and sessions with various departments. Teaching employees the basics of security is also part of ISO 27001, and Zain ensures that it does not neglect this element.

AlKhudhari states that Zain will continue to perform annual risk assessment and vulnerability testing procedures in its pursuit of higher levels of security, ensuring that all of its operations and data are safe behind foolproof security.

"Since we have been certified for five years we already have security measures. The reason for the risk assessment from a third party is to check on what we are doing; sometimes there are things that you need a different eye to look at.

We have our systems and we are very confident that they are secure. This is just rechecking. It is like taking your car for a service, you are confident that it is doing good - but you take it to a regular service just to check the floors or just general patching. It is the same concept," concludes AlKhudhari.
