Issue 5, 2013. October-November


PROTECTION OF INFORMATION ASSETS: A WORK IN PROGRESS

A few years ago the Georgian government embarked on major e-governance projects to ease and streamline the delivery of public services to citizens, non-residents and organizations. E-governance is also an efficient and effective communication channel among government agencies. For this purpose the Data Exchange Agency (DEA) was formed as the designated government body for supporting e-governance initiatives, both technically and legally. One of the main aspects of the DEA's operations is the development of information security policies and procedures, especially for the public entities whose business continuity is deemed critical for the country's economic and defense security.

Nelson Petrosyan

Government's Efforts in E-governance

Among post-Soviet countries, Georgia has been the pioneer in many aspects of the move toward better public service through e-governance. For quite some time now, information and communications technologies have been increasingly integrated into operations and business processes. In the search for better governance, the business of "public governance" had to embrace this opportunity, just as the commercial sectors have done. Clearly, in industries like banking and telecoms, information technologies are the game changers.

Information Security for the Financial Sector

In the financial sector, secure handling of information is an imperative and, in many cases, a mandatory requirement. It is worth mentioning that in the last two to three years enormous effort has been made to meet information security requirements, especially in the banking sector.

Besides that, new technology and modern approaches to corporate governance contribute to credibility with society at large, foreign investors and international financial institutions. Increasingly, information security requirements are being incorporated into international standards in the areas of audit, financial statements and internal control systems (Sarbanes-Oxley, COSO, COBIT, IPPF).

Market Perception of "Protection of Information" and "Information Security" Concepts

The most obvious information security role and need are seen in the financial services sector. The regulators, central and national banks, establish information security risk management requirements for the banking sector, including the commercial banks. These requirements are commonly adapted versions of the ISO 27002:2005 set of security controls. Since ISO 27001:2005 is the international standard for information security management systems, it is expected that in the next few years it will become a mandatory requirement for the banking sectors in many post-Soviet jurisdictions.

Demand for Information Security

The Government of Georgia has made a foundational step with regard to cyber security by setting up the respective regulation. This regulation puts cyber security on the same level of importance as land, naval and air protection. Moreover, the March 2013 decree by the President defines the sphere of applicability of these rules and makes it clear which entities and structural units are considered the most critical for sustainable operability. Since ISO 27001:2005 does not distinguish between implementation in public and private companies, the methodology and processes are the same. Obviously, each legal entity has its own specifics, and these should be taken into account during implementation of the standard. However, implementation of ISO 27001:2005 in state agencies also constitutes adherence to the country's cyber and information security requirements. Specifically, the Data Exchange Agency (DEA), the key agency responsible for nation-wide cyber security, has already issued a number of legislative acts in that regard.

Expected Changes and Scarcity of Professionals

ISO 27001:2005 is a component of internal control systems. It defines the basic principles of information security, information systems security and the control environment, and includes 144 controls for implementing information security management systems. Implementation of the ISO 27001:2005 standard allows banks to protect one of their most important assets, the information asset, on the basis of internationally accepted standards. As with any system, an information security management system also requires an information security specialist for its implementation and further maintenance. There are very few such professionals, and certainly not enough to meet the current demand.

The answer lies in the training and certification of professionals, as mainstream educational institutions do not yet prepare such specialists.

The Professional Education and Certification Board (www.pecb.org) has a partnership agreement for Georgia authorizing it to carry out certification training and conduct certification exams for ISO 27001:2005 Lead Auditor, ISO 27001:2005 Lead Implementer and other professional certifications.

Nelson Petrosyan is the Managing Partner of Grant Thornton in Georgia. He has over 14 years' experience in management consulting, corporate governance and business risk, financial audit and management. For more information, please visit www.granttornton.ge.