Reams of text have been written on how employees are the weakest link in IT security. It is often said that employees—through ignorance, carelessness or choice—expose organizations to danger. But what if this perceived weakest link, the employee, is made responsible for the security function? Rather than asking employees to adhere to a security policy, what if the organization asks them to drive, monitor and shape its security policies? One organization in India has already taken such an innovative approach, and is benefiting from improved compliance and better security.
This firm is Ajuba, a BPO specializing in the healthcare domain. Ajuba provides revenue cycle management services to healthcare service providers in the US. In the US, enactments such as the Health Information Technology for Economic and Clinical Health (HITECH) Act, accompanied by supplementary laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Fair Debt Collection Practices Act (FDCPA), have significant implications for information and data security. In the outsourcing context, this takes on added significance. Healthcare providers in the US are extremely sensitive to the controls that outsourcing service providers have in place to ensure that patient information is protected throughout the process cycle. Security of information is hence of paramount importance to the firm, given that the regulatory environment for the US healthcare industry is extremely stringent and is built around the need to protect the privacy and confidentiality of patient information.
Traditional approach                            | Replaced by
------------------------------------------------|------------------------------------------------
Central Security team                           | Centrally-enabled participative team
CISO                                            | Steering committee co-ordinated by a Chairperson
Policy enforcement                              | Participation and peer pressure
Vigilance and monitoring                        | Peer reporting and health check
Disciplinary action                             | Reward and recognition
Internal audit                                  | Peer review
ISMS (Information Security Management Systems)  | ISMS (I Support Maintaining Security!)
While Ajuba had achieved ISO 27001 certification within a year of commencing operations, the management felt that the benefits had not percolated across the organization to all employees. “We were not merely looking for certification but wanted to take information security closer to all employees,” says T Jaganathan, Director - Technology and ISSC Chairperson, Ajuba. Accordingly, Ajuba started a pilot exercise to re-orient the information security function to include representation from all teams across the board. Devendra Saharia, President, Ajuba International, LLC, explains the rationale. “Given the criticality of information security in our business and the fact that every employee at Ajuba has a responsibility to ensure compliance with various healthcare-related laws, we decided early on that, instead of taking a top-down approach to implementing information security, it would be far better to educate, train, and involve employees across the organization, across various functions.” The results of the pilot were highly encouraging and the management decided to take further steps to institutionalize this approach.
Employees Drive Security
Employee participation is the key difference in Ajuba’s approach to information security. Under this approach, a central security team is replaced by cross-functional teams. Emphasis is placed on ensuring representation from every section of employees, both horizontally and vertically. The cross-functional teams are mandated with framing the policies and processes and with their enforcement. The seriousness of this approach can be seen from the fact that information security-related objectives are a significant part of the KRAs for all leaders at Ajuba. Another important divergence in this approach is the internal audit process. Internal audits are conducted once every six months by peers, coordinated by an identified ‘Lead Auditor.’ Again the emphasis is on ‘Peer Review’ rather than an audit by a central audit team.
“Instead of taking a top-down approach to implementing information security, we decided it would be far better to educate, train, and involve employees across the organization”
- Devendra Saharia, President, Ajuba International, LLC
While the traditional Information Security Model (according to the framework designed by ISACA) considers ‘People’, ‘Process’, ‘Technology’ and ‘Organization’ as the four pillars of the information security practice, Ajuba has slightly tweaked this model to make the ‘People’ factor the central theme. (See ‘Ajuba Information Security model’ diagram below.) “The ‘People’ factor is given more importance over other factors in this approach. ‘Process’ and ‘Technology’ are ultimately woven around ‘People’,” explains Jaganathan. Ajuba believes that the traditional approach has loopholes in terms of the ‘lack of ownership’ from the workforce. “Traditionally, the Information Security function has more of a watchdog approach. With this approach, it is a challenge to ensure ‘beyond a point’ compliance from a large and especially younger workforce. The traditional approach is normally management-driven rather than employee-driven,” says Jaganathan. The inclusive approach has helped Ajuba correct this anomaly.
Fig: Ajuba Information Security model

About Author
An award-winning journalist with more than 14 years of experience, Srikanth RP is Senior Associate Editor with InformationWeek India. Srikanth is passionate about writing on topics which clearly show the business impact of technology.