Sierra Atlantic to get information security certifications by year-end

Sierra Atlantic is going for information security certifications "� British Standard (BS) 7799 and Statement on Auditing Standards 70 (SAS 70). The offshoring enterprise applications company is likely to get the certifications by the end of this year.

Speaking to Business Standard, Raju Reddy, chief executive officer of Sierra Atlantic, said, "Information security is a significant aspect in our sector. And if we wish to be a global company, we need to get these certifications to enthuse confidence among our customers."

"Our existing customers have not asked for provision of such certifications as we already implement information security measures. But implementation of these standards will demonstrate our commitment to information security and, therefore, increase the comfort levels of the existing and new customers," Reddy said.

Information security involves protection of systems, media and facilities that process and store information which are significant for an organisation. Indian IT and ITeS organisations are realising the importance of implementing information security policies and are, therefore, working towards the protection of customer-related information.

BS 7799 is one such policy that provides an organisation a framework to implement a security policy so that a secure environment is created and the company's information is protected.

The certification defines standards on various domains like security policy, asset classification and control, personnel security, physical and environmental security, system access control and so on. These standards, therefore, help an organisation to implement an Information Security Management System (ISMS) framework.

SAS 70 is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that assesses the internal controls of a service organisation.

While a Type I report just focusses on the fairness of the presentation of an organisation's description of controls and whether the controls are designed to achieve the objectives, a Type II report includes the auditor's opinion on whether the controls as stated by the organisation were operating effectively when reviewed.

"We are in an advanced stage of our initiatives and are likely to get the BS 7799 compliant by mid 2005 and SAS 70 Type II audit by the end of December," he added.