A two-pronged strategy

Nandu Bhat, GM-IT, Zip Telecom Limited

How do you ensure that your company's security solutions are up to date?

Our company had chosen a two pronged strategy. We have an anti-virus solution provided by SecureSynergy that generates Web-based reports. Through this, SecureSynergy can monitor all client machines and if required, update the version and send a patch immediately after any incident has occurred. We have almost 150 machines on this system.

We have a single point Net connection that is outsourced. We bought firewalls from Sify and they are responsible for updating us on risks and vulnerabilities.

We have Intrusion Prevention Systems (IPSs) built into the firewall provided by Sify. This firewall is an appliance-based product from WatchGuard, called WatchGuard 700. All Internet connectivity is through this firewall.

So, there are three levels of protection at our company. Anti-virus by SecureSynergy, a Postmaster Email Gateway bundled with Virus Scan by Quantum Link, and firewalls and IPSs by Sify.

Does the role of IT security extend to encompass physical security measures too?

We think that physical security is as important as digital security. All our server rooms are properly locked and guarded. Servers are placed in locked racks and the key always remains with the network administrator. If he is absent, the keys are procured with the permission of the head of technology in the company.

What was the process that you followed while drawing up your company's security policy? How frequently do you update it?

Primarily, the security policy of Zip Telecom Limited is based on the external threats perceived by the organizations. It was decided at the policy level that we will hide all internal IP addresses of the clients. The policy also defines the possible vulnerabilities to the data and the possible remedies. Internal threats like misuse of content and database theft were also kept in mind during drafting.

The beauty of the security policy is that it was drafted without any interference of a security consultant. We only took our vendor partners into confidence for their inputs.

New threats bring about changes in security policies. We are in the process of maintaining the inventory of all the files backed up from any cut-off point. Subsequently any backup taken will result in a log of the same file written on a medium other than a hard disk.

Is it important to build security at the application design and deployment level? Are companies doing it?

We have embedded security at the design and development level for the ERP application. It is done at two levels. First, an employee's master is created and is given a validation number. That validation number works as the password to access all the applications. Second, a remote worker accesses the applications through the Citrix secure server. We also have a standard policy for desktop encryption.

Do companies need a separate person in the role of a Chief Security Officer?

We being a very small organization have the network manager playing the role of a CSO.

What is the most important tool in a security strategist's kit?

It's all about keeping ourselves updated for new external threats, virus attacks, and hacking mechanisms. We also read up classic case studies so that we can learn some exemplary deployments, which can come in handy.