Kenya works on training information security managers

Rebecca Wanjiku

April 28, 2008 (IDG News Service) A lack of training institutions for information security management has made IT investment expensive for many organizations in Kenya.

Companies have invested in training IT managers abroad, which is expensive for small and medium-size businesses in Africa, said James Gathage, a consultant at QualityPlus, a Kenyan training company for information security management professionals.

This has led some companies to neglect information security and management as integral parts of business and organizational growth, he said. So, to reduce costs and make courses affordable, training companies are bringing experts in to train local IT managers.

The reduced cost is expected to encourage government offices as well as corporate entities to start addressing the issue of information security management.

“Today’s professionals have learned to travel light, keeping only what’s necessary. [Criminals] do not need to steal the whole computer to destroy the company,” Gathage said. “A simple flash disk can be used to steal sensitive data from the office.”

Gathage sees this security challenge as the main reason government offices have resisted full computerization and digitization of all services.

According to Gathage, government offices have huge cabinets where they file tax records and payroll information — records that are now being transferred to computers. In a corporate setting, the computer system is likely to have financial data from suppliers and credit-card numbers from customers.

“In the hands of an identity thief, this information is a tool for draining bank accounts, opening bogus lines of credit and going on the shopping spree of a lifetime — at the expense of your company, your employees and the customers who trust you,” Gathage said.

To safeguard client information and protect themselves from corporate espionage, companies are forced to adopt information security management systems (ISMS).

The key concept of ISMS is for an organization to design, implement and maintain a coherent suite of processes and systems for effectively managing information security, thus ensuring the confidentiality, integrity and availability of information assets and minimizing information security risks.

An ISMS makes business sense, because customers want to do business with entities that will not expose their personal information and businesses want to seal all loopholes that may expose them to risks.

Gathage noted that an ISMS, as with all management processes, must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. An effective ISMS guarantees that the internal and external loopholes are sealed.

“For example, most hospitals in Kenya are keeping their records in electronic form. How are patients assured that their records are well protected and will not land in the hands of their enemies or people who may expose them?” Gathage said.

The training, offered at QualityPlus offices in Nairobi, helps large corporate organizations develop information security policies and adopt a standard that other international companies will find it easier to identify with.

After training, the information security manager must establish and maintain a security program that ensures three things: the confidentiality, integrity and availability of the company’s information resources. Those have long been established as the core principles of information security.

The international standards body ISO has established a standard recommending that a risk assessment establish that a company has a security policy as well as strategies for asset management, human resources security, communications and operations management, information systems acquisition, information security incident management, and regulatory compliance.

Comments

Comment from Mohamed Mahat
Time: October 24, 2008, 11:36 pm

Hi,

I'm an Information security and computer forensics master's holder. I am currently writing my thesis on information security and policy making in Kenya. I find it difficult to obtain information regarding these issues. Could you please give me ideas or pathways to follow that would yield more information?

Best regards.

Mohamed Mahat
