Realms of text have been written on the topic of how employees are the weakest link in IT security. It is often said that employees, whether by ignorance, carelessness or choice, expose organizations to dangers. But what if this perceived weakest link, the employee, is made responsible for the security function? Rather than asking the employee to adhere to a security policy, what if the organization asks its employees to drive, monitor and shape its security policies? One organization in India has already taken such an innovative approach, and is benefiting from improved compliance and better security.
This firm is Ajuba, a BPO specializing in the healthcare domain. Ajuba provides revenue cycle management services to healthcare service providers in the US. In the US, enactments such as the Health Information Technology for Economic and Clinical Health (HITECH) Act, accompanied by supplementary laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Fair Debt Collection Practices Act (FDCPA), have significant implications for information and data security. In the outsourcing context, this has increased significance. Healthcare providers in the US are extremely sensitive to the controls that outsourcing service providers have in place to ensure that patient information is protected throughout the process cycle. Security of information is hence of paramount importance to the firm, given that the regulatory environment for the US healthcare industry is extremely stringent and is built around the need to protect the privacy and confidentiality of patient information.
Traditional approach | Replaced by
Central security team | Centrally enabled participative team
CISO | Steering committee coordinated by a Chairperson
Policy enforcement | Participation and peer pressure
Vigilance and monitoring | Peer reporting and health check
Disciplinary action | Reward and recognition
Internal audit | Peer review
ISMS (Information Security Management Systems) | ISMS (I Support Maintaining Security!)
While Ajuba had achieved ISO 27001 certification within a year of commencing operations, the management felt that the benefits had not percolated across the organization to all employees. ‘We were not merely looking for certification but wanted to take information security closer to all employees,’ says T Jaganathan, Director – Technology and ISSC Chairperson, Ajuba. Accordingly, Ajuba started a pilot exercise to re-orient the information security function to include representation from all teams across the board. Devendra Saharia, President, Ajuba International, LLC, explains the rationale. ‘Given the criticality of information security in our business and the fact that every employee at Ajuba has a responsibility to ensure compliance with various healthcare-related laws, we decided early on that, instead of taking a top-down approach to implementing information security, it would be far better to educate, train, and involve employees across the organization, across various functions.’ The results of the pilot were highly encouraging and the management decided to take further steps to institutionalize this approach.
Employees Drive Security
Employee participation is the key difference in Ajuba’s approach to information security. Under this approach, a central security team is replaced by cross-functional teams. Emphasis is placed on ensuring representation from every section of employees, both horizontally and vertically. The cross-functional teams are mandated with the task of framing the policies, processes and enforcement. The seriousness of this approach can be seen from the fact that information security-related objectives form a significant part of the KRAs for all leaders at Ajuba. Another important divergence in this approach is the internal audit process. Internal audits are conducted every six months by peers, coordinated by an identified ‘Lead Auditor.’ Again, the emphasis is on ‘Peer Review’ rather than an audit by a central audit team.
‘Instead of taking a top-down approach to implementing information security, we decided it would be far better to educate, train, and involve employees across the organization’
While the traditional Information Security Model (according to the framework designed by ISACA) considers ‘People’, ‘Process’, ‘Technology’ and ‘Organization’ as the four pillars of the information security practice, Ajuba has slightly tweaked this model to make the ‘People’ factor the central theme. (See ‘Ajuba Information Security model’ diagram below.) ‘The ‘People’ factor is given more importance over other factors in this approach. ‘Process’ and ‘Technology’ are ultimately woven around ‘People’,’ explains Jaganathan. Ajuba believes that the traditional approach has loopholes in terms of the ‘lack of ownership’ from the workforce. ‘Traditionally, the Information Security function has more of a watchdog approach. With this approach, it is a challenge to ensure ‘beyond a point’ compliance from a large and especially younger workforce. The traditional approach is normally management-driven rather than employee-driven,’ says Jaganathan. The inclusive approach has helped Ajuba correct this anomaly.
Fig: Ajuba Information Security model
360 Degree View To Security
Ajuba’s approach ensures a more comprehensive overview of security compared with the traditional model, where a central team is responsible for security. The information security team is drawn from various functions and is a true representation of the employee base. (See box ‘Various ISMS teams at Ajuba’.) All these teams complement each other, and provide Ajuba with a comprehensive 360 degree view of security. Today, 145 employees handle ISMS functions out of a total of 1,700 employees. This comprises a whopping 8.5 percent. Most of these roles are part-time voluntary commitments. To encourage participation, Ajuba holds a regular weekly online ISMS quiz, with teams being recognized for their compliance with security requirements.
Various ISMS teams at Ajuba
Team | Responsibility
Information Security Steering Committee (ISSC) | Overall direction and management
ISMS core team | Overall management of ISMS function
Information Security Task Force (ISTF) | Implementation and compliance
Incident Response Team (IRT) | Resolution of reported security incidents
Internal Audit Team (IAT) | Peer review
Emergency Response Team (ERT) | Trained to respond during emergency situations (e.g. evacuations)
Proactive Security Reduces Risks
A key measure of the success of information security measures is the level of violations and non-compliances reported. At Ajuba, all the metrics, such as access rights violations, camera phone violations and non-compliance with information security policies, have shown consistent, year-on-year reductions. Ajuba’s employee-centric approach has resulted in employees being more aware and participative in information security efforts. The awareness is not restricted to work-related compliance. Personal secure practices such as safe cyber use, threats from social network sites, phishing, etc. are also covered. Clients also appreciate this approach, since they benefit from better compliance. ‘When clients get to know about our IS processes and policies, they are also confident that they are dealing with a bunch of professional and trustworthy people on the other side. So, more than financial or legal benefits, information security policies and procedures help in maintaining the ‘trust factor’ between us and our clients,’ says Dominic Rajesh, Training Manager and a member of the ISMS Core Team.
‘As Ajuba’s core business is US healthcare, the importance of information security, especially relating to patient information, cannot be overemphasized’
– Maya Mohan, Director
Ajuba redefines security: its employees shape security policy
Employees are always perceived to be the weakest link in IT security. However, healthcare BPO firm Ajuba has redefined the traditional model of security by making its employees drive its security policy.
IFSEC Insider