Interviews for SecureSynergy Security Strategist Awards 2003
An ongoing process
SB Patankar, Director Information Systems - The Stock
How do you ensure that your company's security solutions
Our belief is that security is an ongoing process and cannot be static. Vulnerabilities
have to be assessed at regular intervals. The Stock Exchange (TSE) has a clear-cut
policy that takes care of virus protection for the complete group's operations.
The same policy also takes care of access control. These policies should be
evaluated from time to time.
In case of anti-virus deployment we have a virus protection server. The whole
anti-virus policy is governed by it. Managing anti-virus updates is an automated
process. We keep getting the latest virus alerts and patches from service providers.
In case of firewalls and IDSs, TSE believes in best-of-breed solutions. The
AMC signed by equipment and software suppliers is helpful in regularly updating
Does the role of IT security extend to encompass physical
It is an essential part of the overall information and IT security. For example,
we had a problem of employees sitting at the same place where critical servers
were located. This was perceived as a serious threat to our systems as we cannot
keep a vigil on every employee all the time.
Then we thought
of the logical way to keep these two apart. The management decided to keep the
servers at an alternate location. This place was highly safe and secure and
the access was given to only a few authorized people in the IS department.
Not even general hardware engineers were allowed to access the server rooms.
TSE issued access cards and put Biometrics fingerprint identification mechanisms
in place. In addition to this, we use CCTV to keep an eye on activities in the
server rooms and other sensitive locations. So, there are multiple levels of
What was the process that you followed while drawing up
your company's security policy? How frequently do you update it?
Earlier, we were doing regular audits for our security. But later we decided
that there should be a proper documented security policy derived from the actual
needs being mentioned by key people in top management.
The security policy defined the process of implementation of the policy and
its efficient administration. Escalation of troubles, information of possible
intrusion and alert mechanisms were also defined in TSE's security policy. This
was purposefully done to prevent the unwanted users from accessing the TSE's
network and systems.
The security policy also has provisions for physical data classification, access
control, database access, and administration.
Review of security policy is conducted on a case to case basis. Whenever there
is a sign of an intrusion or a virus attack, we review the policy and if it
needs to be amended, we make the necessary changes. A dedicated team takes care
of all the security needs of the organization and it is supervised by the CIO.
Intrusion detection is outsourced to a third party service provider. And the
logs generated from the firewalls and security audits are outsourced to third
party service providers. The security team makes sure that the policy is strictly
administered and implemented.
Is it important to build security at the application design
and deployment level? Are companies doing it?
Over these years, we have realized that security of information and applications
should be considered at the design level. If it is not, then the same can affect
the entire orgaanizational workflow. Especially in case of TSE where all systems
are online, it makes sense to have security embedded at the design and deployment
Apart from the security at the design and deployment level of applications,
it is important to make sure that both the network and server layers have embedded
security. Earlier our company had a software-based firewall but due to a few
critical threats we decided to shift to an appliance-based firewall.
We have a number of share traders who want to connect to the TSE network for
daily trading. We have to take special care so that the data of one broker is
not visible to others. This security is handled at the network layer and we
have separate deployed VLANs for the users. Depending upon the requirements,
we can also have IP-based, MAC address-based, and certificate-based authentication.
Do companies need a separate person in the role of a Chief
Yes, it's essential. Information security and data protection is a full time
job that requires a dedicated team. A person who has the capability to direct
the team should be made the Chief Security Officer (CSO). In some cases this
job is outsourced to a third party. At TSE, we don't have a CSO. The CIO is
fully responsible for this job.
What is the most important tool in a security strategist's
I believe that security monitoring is paramount. This can be done in many ways.
One way of doing it is automated monitoring so that you can minimize threats