SeeNews TOP 100 SEE 2010


SEE TOP 100 Banks

Interview: Bureau Veritas Sees Rising Demand for Data Security Certification Services in Bulgaria

Bureau Veritas is one of the largest conformity assessment organizations in the world. It was founded in 1828 and since then has developed a network of 900 offices and laboratories in 160 countries employing over 40,000 people. It is the biggest certification body in the world covering quality, environment, health and safety, security and social accountability. Bureau Veritas has been present in Bulgaria since 1994, certifying the first Bulgarian company for compliance with the ISO 9000 standard

Kalin Panev graduated from the Technical University of Varna, majoring in Information Technologies. He holds a Master’s Degree in IT after specializing at the University of Kingston. He joined Bureau Veritas in 1996 after induction in the central certification office in London. Kalin Panev is one of the 52 corporate auditors of IBM and the first Bulgarian information security lead auditor (ISO 27001) registered in IRCA. His information security experience covers IT, aerospace, defense, banking and public sectors. Since 2001 he has been the director of Bureau Veritas Certification (Bulgaria). Kalin Panev also holds a Master’s Degree in Business Administration (MBA) from the University of Sheffield (UK) and a Diploma for Business Strategy from the Chartered Management Institute (CMI UK) as member MCMI.

Q: A lot of myths about information security have appeared recently. What is your opinion on this issue?

A: Information security usually has to do with particular information technology (IT) solutions. The technology resolves only part of the problems, because despite the advanced solutions the overall level of information security at a particular company doesn’t change. Information security depends on the technology, as well as on the physical infrastructure, employees, business models, internal communication and operating procedures. Investment only in IT solutions is not justified as it is not effective from an organizational point of view. We need a change in the global vision and priorities.

Q: Could you elaborate on that point?

A: We have to kill the myth that information security is about confidentiality. The protection of the confidential and valuable information is only one component. But there are two more: availability and integrity of information. Information security is a question of balance. Every company is different and should define the required level of all three components as per their needs. This is a dynamic process; the needs change with fluctuations in the business environment, legislation and competition.

For example, for a notary office, the availability of information is not a priority. There is no big difference whether the needed information will be made available in one day or one second. This is the nature of the notary business – the deals are executed in days. The biggest priority is data integrity, i.e. no mistakes, omissions or discrepancies. On the other hand, for an FX broker the availability of information is of top importance. It is assumed that the information will not be precise, reliable and error-free, but it is important to get it on time, before things happen. Every second counts.

Q: Does this mean that information security is possible without confidentiality?


A: Yes, it does. Taking care to ensure data integrity and availability means you are taking care of information security as well. Taking measures to ensure that the information is processed correctly without errors with proper controls against falsification or destruction means a specific level of information security is achieved. It is used by the public authorities and non-governmental organizations to ensure transparency. All forms of information security are possible depending on how much confidentiality, integrity and availability we need.

Q: What is necessary to achieve information security?

A: Achieving information security is a chimera. We can achieve an acceptable level of information security and maintain it when priorities, the environment or business changes. Most important is to nail the problem. Then the management and shareholders need to decide whether they need information security or not. If they do, the management needs to elaborate and to define the desired levels of the three components: confidentiality, integrity and availability. Of course, the management needs to take into account the business needs, traditions, operational business model and habits of people and to work systematically with the key stakeholders. At all times, the management needs to bear in mind the value of the information, the levels of risk and business effects and to select adequate measures. After all, it makes no business sense to safeguard information if the cost of data protection is greater than the information’s value.

Q: Is it a question of balance then?

A: Yes, it is. The management system is the only way to achieve a balance within the organization. It helps the management to attune the three information security components to their needs. The information security management system is a set of business and operation rules, procedures and instructions, policies, technological solutions, trained people, feedback methods, monitoring, measurement and management control. It changes the behavior of the employees. With time, all rules are transformed into tradition and company culture.

Q: You are coming up with quite a maverick view about information security. Is it accepted by the Bulgarian business?

A: Yes, it is, especially by the top managers. I have encountered a variety of views on this among our corporate clients but we all share the same opinion about the balance and the global approach. The most interesting part is that this opinion is shared by small private entrepreneurs as well as by large corporations like IBM. Paradoxically, the

