Posts

Showing posts from 2019

How to establish a Security Awareness program for your Company !

There is no security control which can mitigate or compensate for human stupidity. What may seem like common sense to security professionals would not be so simple for ordinary employees to use and practice. It is therefore essential to incorporate security awareness as part of your security program. The majority of attacks on organisations are due to social engineering. Spending effort to train employees to be aware of basic security aspects will help avoid costly mistakes. Common methods of security awareness which can be implemented in an organisation include: awareness e-mailers; online quizzes; phishing simulations and training; training sessions for new joiners; compulsory online training for all employees once a year; specialized training for developers, system admins, cloud architects, infrastructure specialists and senior management; awareness weeks twice ...

Practical InfoSec Part 2 Experience with Seclore IRM Information Rights Management tool

Seclore IRM. Seclore is a rights management solution used for protecting critical company-confidential and customer PII data. Below I have given a brief description of the usage of Seclore in our organisation. We are using Seclore IRM in our organisation with the objective of restricting access to PII data only to authorized users and providing those users the minimum rights required over the files that are shared. The primary focus area here is data that is shared with vendors. The following Seclore solutions are being implemented for data sharing with our vendors: Seclore Hotfolder - we have made one folder on our FTP which is implemented as a Seclore Hotfolder; any file that is put in this Hotfolder gets auto Seclore-protected and is then shared further with our vendors. Manual protection of files - files can also be Seclore protected manual...

Practical InfoSec Part 1 - Contract Clauses for Outsourced development and Cloud Service Providers

Today most organisations outsource development of their applications to specialist vendors and also host their applications based on requirements. Besides process and technical controls it is essential that certain legal controls are put in place. This is done by putting specific clauses in the contracts with these partners. I have included some sample contract clauses which can be used for inclusion in contracts. Sample clauses which can be included in contracts for outsourced software development: Contractual requirements for secure design, coding and testing practices; the service provider shall: a) ensure that secure coding practices are incorporated into all stages of the application development process, and that all developers are trained on secure application development regardless of the technology used for programming; b) document and implement a source code review process to ensure that each of the security requirements, including the security standard...

Experience as a CISO - Part 2 - Compliance Requirements in an Insurance Firm

As described above, the key areas for an insurance CISO are Information Security, Business Continuity, Data Protection, and Governance, Audits and Compliance. In this blog I will explain the requirements from a compliance perspective. The key compliance requirements for a CISO in an Indian insurance firm are: the IRDAI Cyber Security Guidelines; the ISNP (Insurance Self Network Platform) Guidelines, which are applicable to the e-commerce platform used to sell insurance policies online; the IT Act; and the Aadhaar Act. The key compliance requirement is the IRDAI Cyber Security Guidelines, which were released by IRDAI (the insurance regulator in India) for all insurance companies. The guidelines consist of two documents: the main document, and Annex A, which has 307 controls against which an external audit has to be done annually by a CERT-In empanelled auditor. My view on any compliance is that it should be ...

Experience as a CISO in an Insurance Firm - Part 1

In Oct 2017 I was appointed as Vice President - Information Security and CISO for Max Life Insurance. As I near completion of two years of being a CISO, I intend to document my observations and key learning from my experience in handling this role. As a CISO, there were four key areas where my responsibilities lay: Information Security; Business Continuity; Data Protection; and Governance, Audits and Compliance. As I spent time in the organisation I also felt that a CISO, or any senior role, also has certain further areas which he is responsible for in this role. These are: Security Awareness; Stakeholder Management; Team Management; Security Evangelism; and Budget Management. Some key skills which are needed in a CISO role are: good collaboration and influencing skills; effective time management; prioritization; good written and presentation skills; and excellent articulation and communication skills. In th...

Why I decided to pursue the PGP course on Cloud Computing from Great Learning

As an Information Security Professional it is essential to remain in touch with the latest technologies in the IT field to ensure you are able to suggest suitable measures to protect the business when new technologies are adopted. The key technologies which are being adopted by businesses in the current times are as under: Cloud; IoT; AI and ML; Big Data; Blockchain. The first of these, Cloud, through providers such as Amazon AWS and Microsoft Azure, has transformed IT infrastructure, and each day more and more companies are adopting Cloud for their technology needs. To acquaint myself with this I had done a few short online courses on the basics of Cloud technology and then used Cloud Security Alliance material for learning the key measures to secure Cloud. I also studied for and gained the CCSK (Certificate of Cloud Security Knowledge), which gives vendor-neutral learning on the key aspects of securing cloud assets. However, in the last two years of my j...

Cyber Security Startup competition - CISO Platform 16 Feb 2019

I was a Jury member for the Best Cyber Security Startup competition organised by CISO Platform. I have made a summary of the companies which presented during the competition. WINNERS (not ranked): ThreatCop by Kratikal; BugDiscover; ProDMARC by ProGIST. Emerging Startup: Matisoft Cyber Security Labs. BugDiscover - managed bug bounty and vulnerability management platform; small startup based in Whitefield; model of open and private bug bounty; 700 researchers, 100 verified; www.bugdiscover.com; competitors - HackerOne, BugCrowd. Accops - Pune based company, well established with multiple products in virtualisation and remote access technologies; products - HyWorks, HySecure, HyID, HyDesk, HyLite, HyLabs; www.accops.com. Attivo Networks - ThreatDefend Platform, network and endpoint deception technology; US based company with R&D centr...

Invest in Yourself, the Smartest Investment with the Greatest Return

I believe this challenge is faced by everyone, be it in civvy street or in uniform. For those transitioning, the consequences of not investing in oneself get aggravated due to the drastic switch in environment. In the corporate sector a large number of technology professionals find themselves waylaid when new technologies or smarter working options come by and make their function obsolete. For techies an example could be how Cloud and DevOps would render old-time IT Infrastructure and Sys Admins obsolete, or how Automation and RPAs will replace low-end outsourcing jobs. Indians, by nature being savers rather than investors, would rather save a penny than invest it to grow it to a pound. In the Defence forces most education is free and is by way of nomination, where no one is bound to upskill himself in his own time or with his own money. There is no incentive or benefit for defence personnel to upskill themselves, as the personnel/MR branch considers only defence courses for positions and posting...