Information security as a whole
Mani Mulki, GM-Information Systems, Godrej Industries
How do you ensure that your company's security solutions
are up to date?
In the first place, whenever we buy a product there is an AMC involved. Then
there is an SLA in case we tie up with a service provider. Our arrangement is
such that the anti-virus is automatically downloaded on the server and from
there it is sent to the clients.
We have bought
anti-virus solution from three different vendors for three different touch points,
the gateway, the Microsoft Exchange server, and at the desktop level. This way
we are not dependent on a single vendor. We use Symantec on desktops, Trend
Micro at the gateway, and Sophos on the Exchange server.
We have deployed CheckPoint firewalls with assistance from Ramco. The Ramco
team visits twice a month to check all the logs and gives us an update and regular
reports. This helps us follow a standardized practice.
An IDS is also deployed on our network, which is a freeware product. IDS is
not actually deployed on all the servers. Since it generates large amounts of
logs, it's used only on critical servers. We are planning to extend it to all
the servers in the company's data center.
Does the role of IT security extend to encompass physical
security measures too?
Instead of calling it IT security, we should call it information security. With
just technology, we address a small domain. There is a large amount of information
lying in the company's physical environment in the form of printouts, unmanned
PCs, and photocopies.
To address this, the IT policy has dedicated a lot of attention to physical
security. And, it also includes the awareness being brought by the top management
and IT people among the employees. In what we call 'social engineering', we
show our employees video clips of movies, which demonstrate how they can actually
protect the organizations and its information.
The server rooms are all under lock and key, and the keys are kept only with
the chief systems administrator. If the server room is opened for any reason,
the person has to make an entry in the log kept outside and has to explain it
to the CIO.
If the server room is opened for maintenance or repair, it can only be done
with the prior information of the IT head. The company is also planning to shortly
introduce an access card system.
What was the process that you followed while drawing up
your company's security policy? How frequently do you update it?
Unlike many cases, we didn't just accept any security policy that was readymade
for a particular type of industry. Our security consultants MIEL had many such
samples but we clearly told them that we wanted a security policy exclusive
to us. And the entire process from conceptualization to drafting, and to finalizing
the policy took us almost six months.
The first step towards creating the security policy was to have detailed interviews
of the top management including the chairman Adi Godrej to know their needs
and requirements for information security. Once the needs were defined then
it was decided on what could be the most vulnerable areas of threats to information.
Encryption policy and server authentication were defined at the policy level.
There were nearly 22 domains covered by the security policy of Godrej Industries
Limited (GIL). Each of these domains is extensively covered, with 10-15 pages
dedicated to it. The security policy is now 400 pages long and took three months
We then carved out the gist of the document into five pages and circulated it
to the users. After this there was an extensive awareness workshop held at least
thrice a week to make users aware of security systems and their importance.
Once you have a policy in place you have to really push it to users.
To make sure that the policy is observed strictly we deployed punitive measures
for any violation of this policy. It can lead to suspension or termination of
an employee with the help of cyber police. One such person has been caught like
this in GIL.
There is no fixed frequency for revision of the security policy and it is done
whenever there is a need to do so. We regularly perform vulnerability assessment
and penetration testing and if we feel a need to amend the policy, we take the
Is it important to build security at the application design
and deployment level? Are companies doing it?
Although it is essential and should be the first step taken, not many companies
are really bothered with this. At GIL, we have realized that we have to safeguard
applications and to do that we have to go back to the basics. But when we build
such a case for the perusal of the top management, it bites the dust because
information security unfortunately, is the least important subject of discussion
for the CEO.
You just can't show any RoI for security and thus the proposal gets turned down.
But by showing the grave consequences of neglecting the information security
we can probably build that temper.
Do companies need a separate person in the role of a Chief
It really depends on the industry and company whether it wants to have a Chief
Security Officer (CSO). Ideally there should be a CSO to guard the information
of any company and that very CSO should not be from the IT department.
He should be a non-IT person reporting directly to the CEO having a dotted line
relationship with the CIO. We don't have a CSO as of now, and as the CIO, it
is an inevitable part of my job to shoulder the CSOs responsibilities.
However, our systems audit department has four CISA graduates who play an active
role in the deployment and administration of an information security policy.
What is the most important tool in a security strategist's
To me it is the alignment of top management with the information security setup
in a company. The CIO must convince the CEO that security of information and
the network is his/her responsibility and he/she should take proper care of