By Staff writer
While Middle East organisations have been widely criticised for not doing enough to protect their IT systems, a number of companies here are now waking up to the looming IT security crisis by adopting international standards.
According to managed hosting and security consulting firm eHosting Datafort, three companies in the region have become certified under the ISO 27001 standard — Dubai Aluminium Company (Dubal), Saudi Binladin Group in Saudi Arabia and Mobile Telecommunications Company (MTC) Vodafone in Bahrain — with the Dubai Ruler's Court due to follow.
The security firm said it is working with another eight companies towards achieving certification, and is in discussion with a dozen other firms.
The certification is given to companies that meet the standard's requirements in terms of securing data held on their systems — such as employee or customer information.
ISO 27001 requires companies to meet standards in a number of categories, which fall into three broad areas: confidentiality, integrity and availability. It replaced BS7799 this year as the only certifiable security governance standard and allows companies to comply with regulations such as the US's Sarbanes-Oxley laws and the UK's Data Protection Act.
Ahmed Baig, manager of security consulting for eHosting Datafort, said the fact that so many organisations are looking at or have already acquired the ISO 27001 certification is a very positive sign. "It's quite encouraging because in this small market these numbers are quite big," he claimed. "Businesses are realising more and more that there are a lot of incidents being reported within the GCC and people are taking this quite seriously," he added.
"They are becoming aware and they are trying to figure out if they are not aware, what are the best ways to protect themselves."
Ibrahim Awad, information security officer at the Dubai Ruler's Court, which is in the process of being certified, explained that security of information is particularly important for his organisation, which provides shared IT services for all government departments in Dubai.
"We have a government information resource department, which holds the other departments' data on the ERP system and we provide this system to the government departments like the police department and Municipality," said Awad. "We also have their finance information, HR records and logistics data. So we needed proven and used technology to secure this data and secure the IT infrastructure as well."
He went on to say that the government is in talks over whether to implement the ISO 27001 standard across all its different departments.
The process of certifying the Dubai Ruler's Court is expected to be completed by the end of this year and has been going on for around six months.
Dubal completed the process in August and is now fully ISO 27001 certified.
The firm's IT architecture manager, Jagan Rao, said the company is now better able to protect the valuable company data held on its IT systems such as project proposals, customer orders, sales contract information and budget or financial planning information.
"Information is one of our main assets; we have to protect it and we have a very strong infrastructure and methods in place to protect against hacking or denial of service attacks and information leakage or espionage," said Rao.
"This helps us to align with the international best standards and practices. And it gives us and the management the assurance that things are done in the right way," he added.
Baig said it is particularly important for companies to become certified in the UAE, where the government has recently enacted a new cyber law. This law will require companies to monitor the information they hold and the content being emailed from the company by employees.