Forging ahead

With a brand new risk assessment procedure, Kuwait's Zain Telecom is working towards an impregnable data stronghold.

For Kuwait-based Zain Telecom, quality is not a buzzword. It is a guiding principle by which the organisation directs all of its functions from administration to operations to service provision.

This interest and dedication to ensure only the best in its functioning is also felt in the way the company invests in and maintains its information technology solutions and structure.

 

This is reflected even more strongly in the security measures it puts in place for its physical setups as well as its information. In pursuit of higher levels of security, the firm implemented and follows the ISO 27001 standard.

Not only does this make it one of the very few in the Middle East who follow the security benchmark, but also one of the earliest since the firm certified itself in the standard nearly five years ago.

The move to ISO standard certification began four to five years back. The standard provides you with guidelines on how to implement security. We did not want to reinvent the wheel and so we decided to use these guidelines instead of starting from scratch.

We have been certified on quality for around nine years and the security certificate is an add on to what we already do. Once we have put in practice the stipulations of the standard, the certification comes to us automatically.

There is no back door to this - you have to practice what the standards say and prove yourself to the auditors," states Nasser Mansour AlKhudhari, corporate security manager at Zain Kuwait.

Everything in the security arena falls under the specially formed security division of the company.

"The formation of the department came from the executive management. We handle and save very sensitive information and data, and the purpose of the department is to protect that. The security department is not just about information security; the goal was to have all kinds of security from physical security to data security under that department.

This is because in the real world, when you are protecting assets, one cannot be considered independent of the other. Our corporate security effectively combines all the different aspects of defence," says AlKhudhari.

The firm has a well-developed physical security system that connects all GSM base stations and headquarters, through biometrics and CCTV, to a single central security operations centre (SOC) where all access and actions are monitored and archived. Needless to say, the firm invests in and maintains an equally sophisticated and effective information security infrastructure.

In keeping with the strictures of the ISO standard, Zain does an annual risk assessment procedure, where it calls in a third party to conduct a thorough test of its security systems and ensure that everything is running to scale.

AlKhudhari, who started at Zain in the IT department and has been heading the 25-member security department for a year, wanted to make an organisational impact with his very first risk assessment and do something different from those of previous years.

"I had a dream. When I conducted the risk assessment this time over, it would be a pure team effort. We have a management team that is well aware of the risks we face. In fact, the management has been highly supportive of our goals and encouraged our work to reach higher security metrics. But I believed that was not enough.

The employees themselves, who are working on the systems everyday, have to know what risks are out there. All employees have to be aware of security and practice it in their workday every day - I wanted them to think what if something happens? That was my goal," states AlKhudhari.

With this in mind, AlKhudhari decided to see what the market had to offer instead of going with the same consultant who had conducted the security risk assessment for the firm in previous years.

"Before choosing the vendor, I put together a technical team. This team comprised of personnel from IT, networks and even the finance team.

I sat down and explained to them all about risk assessment, its importance to the organisation and what they can gain in terms of knowledge from the process. I also explained that security was not a one-point development and that it had to be a combined task covering the organisation.

I then asked them to have a look at their systems and inform me of any vulnerabilities that they come across," explains AlKhudhari.

With the team in place, Zain started its search for vendors. In this too, AlKhudhari brought his distinctive touch, insisting that the consultants send their technical team - the one which was going to perform the risk assessment - instead of being satisfied with the sales personnel usually sent to such pre-sales meetings. Zain's technical team not only met the people from the vendor, but even went through their resumes and references to ensure that they were properly qualified.

"We selected Kurt Information Security at the end of this process. We ranked all the vendors on criteria including price, knowledge, tools used and so on. Kurt consistently ranked high on most of them," says AlKhudhari.

The risk assessment process was conducted across two months covering December 2007 and January 2008. According to AlKhudhari, the team spent almost three months selecting the vendor - more time than they did on the entire risk assessment.