Interviews for SecureSynergy Security Strategist Awards 2003
An ongoing process
SB Patankar, Director Information Systems - The Stock Exchange
How do you ensure that your company's security solutions are up-to-date?
Our belief is that security is an ongoing process and cannot be static. Vulnerabilities
have to be assessed at regular intervals. The Stock Exchange (TSE) has a clear-cut
policy that takes care of virus protection for the complete group's operations.
The same policy also takes care of access control. These policies should be
evaluated from time to time.
In the case of anti-virus deployment we have a virus protection server. The whole
anti-virus policy is governed by it. Managing anti-virus updates is an automated
process. We keep getting the latest virus alerts and patches from service providers.
In the case of firewalls and IDSs, TSE believes in best-of-breed solutions. The
AMC signed by equipment and software suppliers is helpful in regularly updating
these products.
Does the role of IT security extend to encompass physical security measures?
It is an essential part of the overall information and IT security. For example,
we had a problem of employees sitting at the same place where critical servers
were located. This was perceived as a serious threat to our systems as we cannot
keep a vigil on every employee all the time.
Then we thought of the logical way to keep these two apart. The management decided to keep the
servers at an alternate location. This place was highly safe and secure and
the access was given to only a few authorized people in the IS department.
Not even general hardware engineers were allowed to access the server rooms.
TSE issued access cards and put biometric fingerprint identification mechanisms
in place. In addition to this, we use CCTV to keep an eye on activities in the
server rooms and other sensitive locations. So, there are multiple levels of
physical security.
What was the process that you followed while drawing up your company's security policy? How frequently do you update it?
Earlier, we were doing regular audits for our security. But later we decided
that there should be a proper documented security policy derived from the actual
needs being mentioned by key people in top management.
The security policy defined the process of implementation of the policy and
its efficient administration. Escalation of troubles, information of possible
intrusion and alert mechanisms were also defined in TSE's security policy. This
was purposefully done to prevent the unwanted users from accessing the TSE's
network and systems.
The security policy also has provisions for physical data classification, access
control, database access, and administration.
Review of the security policy is conducted on a case-to-case basis. Whenever there
is a sign of an intrusion or a virus attack, we review the policy and if it
needs to be amended, we make the necessary changes. A dedicated team takes care
of all the security needs of the organization and it is supervised by the CIO.
Intrusion detection is outsourced to a third party service provider. And the
logs generated from the firewalls and security audits are outsourced to third
party service providers. The security team makes sure that the policy is strictly
administered and implemented.
Is it important to build security at the application design and deployment level? Are companies doing it?
Over these years, we have realized that security of information and applications
should be considered at the design level. If it is not, then the same can affect
the entire organizational workflow. Especially in the case of TSE where all systems
are online, it makes sense to have security embedded at the design and deployment
level.
Apart from the security at the design and deployment level of applications,
it is important to make sure that both the network and server layers have embedded
security. Earlier our company had a software-based firewall but due to a few
critical threats we decided to shift to an appliance-based firewall.
We have a number of share traders who want to connect to the TSE network for
daily trading. We have to take special care so that the data of one broker is
not visible to others. This security is handled at the network layer and we
have separately deployed VLANs for the users. Depending upon the requirements,
we can also have IP-based, MAC address-based, and certificate-based authentication.
Do companies need a separate person in the role of a Chief Security Officer?
Yes, it's essential. Information security and data protection is a full-time
job that requires a dedicated team. A person who has the capability to direct
the team should be made the Chief Security Officer (CSO). In some cases this
job is outsourced to a third party. At TSE, we don't have a CSO. The CIO is
fully responsible for this job.
What is the most important tool in a security strategist's kit?
I believe that security monitoring is paramount. This can be done in many ways.
One way of doing it is automated monitoring so that you can minimize threats
and vulnerabilities.