IT on Wheels
Well-run systems keep technology on track at Hong Kong's MTR
Daniel Lai, Chief Information Officer, Mass Transit Railway Corporation
If you're in a hurry in Hong Kong, here are two bits of advice: Ride the MTR, and don't discuss cybersecurity with Daniel Lai. MTR (short for Mass Transit Railway) Corporation whisks 2.5 million riders throughout Hong Kong each day with 99.9 percent on-time performance. As MTR's chief information officer, Lai is responsible for its huge, interconnected security infrastructure. He could describe his work for hours, but he sums it up this way: "We take a holistic view of security, especially information security," he says. "We believe that physical security and cybersecurity are converging."

Education plus systems
In 2004, the company formed a corporate information security committee, chaired by Lai, to develop security policy. Broad participation is essential because, as Lai says, "with one person it's difficult to address all security aspects within the organization." Led by an information security manager, a smaller information security group executes the committee's plans and responds to security incidents.
Education is central to the game plan. MTR uses many channels to market security to its 6,000 end users. New employees receive information security training and sign an agreement to abide by company security policies. Every time a computer boots, information security banners pop up; users must acknowledge them before beginning work. The corporate intranet offers security information. About 200 power users in the company attend occasional three-day seminars for new security threat information. Outside experts lead the seminars, using MTR-internal examples to illustrate points, and attendees are expected to share what they learn with colleagues.
There's more to security than education; it also requires systems. Lai discusses two that MTR uses: an information classification system that puts about a million company documents into four security hierarchies (secret, confidential, restricted, or normal) with rules for each, and a two-factor, token-based authentication system for the 400 MTR employees who need secure remote access to MTR's network. Employees who need remote access get a pocket-sized electronic device that generates a numeric key. The user must input the key, along with his or her log-in and password, to gain access to systems. Checked-out laptops are also "sanitized" (checked for viruses) when employees return from traveling.
Lai declines to give figures on the effectiveness of MTR's security programs. Looking at numbers doesn't mean anything, he says, because the better your measurement tools, the more you're able to measure. When the company starts tracking a new threat, the number of security incidents may increase, but that doesn't necessarily mean that there are more, just that more are being counted. Similarly, MTR doesn't apply a strict financial benchmark to security. "We have to look at the potential loss in revenue and corporate reputation, and the impacts if a security fraud takes place. Just looking at return on investment (ROI) would be difficult."