Information security as a whole

Mani Mulki, GM-Information Systems, Godrej Industries Limited

How do you ensure that your company's security solutions are up to date?

In the first place, whenever we buy a product there is an AMC involved. Then there is an SLA in case we tie up with a service provider. Our arrangement is such that the anti-virus is automatically downloaded on the server and from there it is sent to the clients.

We have bought anti-virus solution from three different vendors for three different touch points, the gateway, the Microsoft Exchange server, and at the desktop level. This way we are not dependent on a single vendor. We use Symantec on desktops, Trend Micro at the gateway, and Sophos on the Exchange server.

We have deployed CheckPoint firewalls with assistance from Ramco. The Ramco team visits twice a month to check all the logs and gives us an update and regular reports. This helps us follow a standardized practice.

An IDS is also deployed on our network, which is a freeware product. IDS is not actually deployed on all the servers. Since it generates large amounts of logs, it's used only on critical servers. We are planning to extend it to all the servers in the company's data center.

Does the role of IT security extend to encompass physical security measures too?

Instead of calling it IT security, we should call it information security. With just technology, we address a small domain. There is a large amount of information lying in the company's physical environment in the form of printouts, unmanned PCs, and photocopies.

To address this, the IT policy has dedicated a lot of attention to physical security. And, it also includes the awareness being brought by the top management and IT people among the employees. In what we call 'social engineering', we show our employees video clips of movies, which demonstrate how they can actually protect the organizations and its information.

The server rooms are all under lock and key, and the keys are kept only with the chief systems administrator. If the server room is opened for any reason, the person has to make an entry in the log kept outside and has to explain it to the CIO.

If the server room is opened for maintenance or repair, it can only be done with the prior information of the IT head. The company is also planning to shortly introduce an access card system.

What was the process that you followed while drawing up your company's security policy? How frequently do you update it?

Unlike many cases, we didn't just accept any security policy that was readymade for a particular type of industry. Our security consultants MIEL had many such samples but we clearly told them that we wanted a security policy exclusive to us. And the entire process from conceptualization to drafting, and to finalizing the policy took us almost six months.

The first step towards creating the security policy was to have detailed interviews of the top management including the chairman Adi Godrej to know their needs and requirements for information security. Once the needs were defined then it was decided on what could be the most vulnerable areas of threats to information.

Encryption policy and server authentication were defined at the policy level. There were nearly 22 domains covered by the security policy of Godrej Industries Limited (GIL). Each of these domains is extensively covered, with 10-15 pages dedicated to it. The security policy is now 400 pages long and took three months to compile.

We then carved out the gist of the document into five pages and circulated it to the users. After this there was an extensive awareness workshop held at least thrice a week to make users aware of security systems and their importance. Once you have a policy in place you have to really push it to users.

To make sure that the policy is observed strictly we deployed punitive measures for any violation of this policy. It can lead to suspension or termination of an employee with the help of cyber police. One such person has been caught like this in GIL.

There is no fixed frequency for revision of the security policy and it is done whenever there is a need to do so. We regularly perform vulnerability assessment and penetration testing and if we feel a need to amend the policy, we take the necessary steps.

Is it important to build security at the application design and deployment level? Are companies doing it?

Although it is essential and should be the first step taken, not many companies are really bothered with this. At GIL, we have realized that we have to safeguard applications and to do that we have to go back to the basics. But when we build such a case for the perusal of the top management, it bites the dust because information security unfortunately, is the least important subject of discussion for the CEO.

You just can't show any RoI for security and thus the proposal gets turned down. But by showing the grave consequences of neglecting the information security we can probably build that temper.

Do companies need a separate person in the role of a Chief Security Officer?

It really depends on the industry and company whether it wants to have a Chief Security Officer (CSO). Ideally there should be a CSO to guard the information of any company and that very CSO should not be from the IT department.

He should be a non-IT person reporting directly to the CEO having a dotted line relationship with the CIO. We don't have a CSO as of now, and as the CIO, it is an inevitable part of my job to shoulder the CSO’s responsibilities.

However, our systems audit department has four CISA graduates who play an active role in the deployment and administration of an information security policy.

What is the most important tool in a security strategist's kit?

To me it is the alignment of top management with the information security setup in a company. The CIO must convince the CEO that security of information and the network is his/her responsibility and he/she should take proper care of it.