The biggest challenge to information and data security right now is indeed found in a company's employees, rather than from outside hackers, according to Tan Ai Tong, Singapore-based Director, Global Information Security of electronics manufacturer Celestica.

Tan, who is responsible for Celestica's global information security, says what makes his job very tricky is his employees' different attitudes and mindsets towards keeping company information safe. These range from how they perceive they should handle the company's vital information, to dealing with spam e-mails.

The Toronto-based company has more than 40,000 employees spread across more than 20 locations worldwide and "everyone has a different view or appreciation of what information security is all about," Tan pointed out. "In the past, we had problems like unknowingly sharing sensitive information and writing down of passwords, and these contributed to security risks."

"To me, that's the people issue. Technology can only solve so much. You can always try to improve on technology by having stricter controls and so forth," he said.

Too many gullible users

With spam e-mails, people are still opening them up. "There is only so much spam filters can do. There will always be some e-mails that get through to users," commented Tan on the technology available to combat spam e-mails.

"The question is how gullible these users are. We actually did a broadcast to our users to warn them about a particular spam e-mail and asked them not to click on it. We even showed them a sample of the spam e-mail looked like," explained Tan. In the end, there are still users who open the spam e-mails.

"Even when the message is so clear, they still want to click on the e-mail. When we question them, most of them say they were careless; they did not read the warning e-mail carefully. Some even said that they just wanted to see what can happen. This goes to show that people are the biggest challenge."

Solutions to address internal issues

One solution used by Tan's team is to ensure constant education of his organization's users. "Make sure that the minute they join the company, there is a proper orientation to explain the importance of information security and what it means, what they should and should not be doing. You need to have the message constantly repeated, either through e-mail, e-newsletter, or HR presentations," said Tan.

Another method is leverage on technology to manage complexity and achieve better accuracy and consistency. Currently, Tan's department managing a SOX-related project to ensure the proper segregation of users' duties (SOD). The project implements a solution which checks the roles of the users within the organization, ensuring they do not have conflicting or excessive take roles, which could result, for example, potential fraud. Utilizing tools from compliance specialist Virsa Systems, the SOD project will be used by more than 100 employers to service thousands of users in Celestica.

"If you are a buyer, you cannot also be the accounts payable person, which would become a situation when you can buy and pay yourself, with no independent checks. All these duties need to be segregated, so that at any point no one will have full control over the whole process, which could give them the capability to manipulate the process and take advantage," explained Tan.

Also running is another project that uses an Arcsight solution to detect anomalies. The project ensures that "people do not abuse their rights and do things that they are not supposed to and provide accountability as well improve auditability."

Highlighting the importance of coping with internal threats, Tan drew the analogy of a customs station. "The customs gate tries to filter out the bad guys, but once a bad guy enters the country, he or she can do whatever he or she wants. My view on security is that you can set up access control and block off certain things externally. But once you are inside, you can potentially have access to almost everything and cause harm."

Maintaining security with partners

During the engagement of external parties like vendors and service providers, Celestica has developed measures to ensure the companies are protecting information security.

"Depending on the scale and type of the job given to them, the processes include an assessment in the form of a questionnaire. They need to explain what they do in terms of information security--how they protect, what their practices are and so on. They also have to provide evidence that their processes are actually working. It works almost like an audit. It is carried out through a series of phone calls and e-mails," said Tan.

For larger scale projects, Tan's team add an additional process by carrying out a physical site review of the external party. The team will look at their security measures, from how they control visitors to their premises, to whether the server room is properly locked and closed off to unauthorized people.

The team takes the approach of repeating questions in the questionnaire to check on the external party's claims. "We will repeat but slightly alter certain questions in the questionnaire. If you answer it differently, we be asking how can it be that you say you are doing this and later on you say on are doing something else?" said Tan.

Certification required

There are also other steps taken to check on the external party. "It depends on the company. If it is listed and based in the US, we will ask for things like SOX certification. That will give us an idea how good the company is, in terms of control and security. If you are not listed and have working relationship with US companies, then we ask for SAS 70. Another certification that we looked out for will be the ISO 27001 (previously ISO17799/BS7799) standard."

SAS 70 (Statement on Auditing Standards No. 70: Service Organisations) defines the professional standards used by a service auditor to assess the internal controls of a service company and issue a service auditor's report. The ISO 27001 standard lists specific security controls and their objectives. According to Tan, the certifications give a good indication of the efficiency of the external party's information security practices and policies.

"If none of these exist, the next question we ask is do you have internal or external audits? We also ask if there is an information security team. We can delve into details like what process they are using to control the users and how they protect certain systems. Eventually we must have a good sense about how strong and mature is the information security in that company."

To ensure that the external parties maintain their information security standards, Tan's team also conducts regular security review on selected vendors and service providers. "It is almost like an information security audit. Our objective is that in an annual basis, we get to go back and revisit the external parties. We ask them if they are still doing what they say they are doing, what has been added and what has changed and we verify to ensure that our information security requirements are still intact," said Tan.