A two-pronged strategy
Nandu Bhat, GM-IT, Zip Telecom Limited
How do you ensure that your company's security solutions
are up to date?
company had chosen a two pronged strategy. We have an anti-virus solution provided
by SecureSynergy that generates Web-based reports. Through this, SecureSynergy
can monitor all client machines and if required, update the version and send
a patch immediately after any incident has occurred. We have almost 150 machines
on this system.
We have a single point Net connection that is outsourced. We bought firewalls
from Sify and they are responsible for updating us on risks and vulnerabilities.
We have Intrusion Prevention Systems (IPSs) built into the firewall provided
by Sify. This firewall is an appliance-based product from WatchGuard, called
WatchGuard 700. All Internet connectivity is through this firewall.
So, there are three levels of protection at our company. Anti-virus by SecureSynergy,
a Postmaster Email Gateway bundled with Virus Scan by Quantum Link, and firewalls
and IPSs by Sify.
Does the role of IT security extend to encompass physical
security measures too?
We think that physical security is as important as digital security. All our
server rooms are properly locked and guarded. Servers are placed in locked racks
and the key always remains with the network administrator. If he is absent,
the keys are procured with the permission of the head of technology in the company.
What was the process that you followed while drawing up
your company's security policy? How frequently do you update it?
Primarily, the security policy of Zip Telecom Limited is based on the external
threats perceived by the organizations. It was decided at the policy level that
we will hide all internal IP addresses of the clients. The policy also defines
the possible vulnerabilities to the data and the possible remedies. Internal
threats like misuse of content and database theft were also kept in mind during
The beauty of the security policy is that it was drafted without any interference
of a security consultant. We only took our vendor partners into confidence for
New threats bring about changes in security policies. We are in the process
of maintaining the inventory of all the files backed up from any cut-off point.
Subsequently any backup taken will result in a log of the same file written
on a medium other than a hard disk.
Is it important to build security at the application design
and deployment level? Are companies doing it?
We have embedded security at the design and development level for the ERP application.
It is done at two levels. First, an employee's master is created and is given
a validation number. That validation number works as the password to access
all the applications. Second, a remote worker accesses the applications through
the Citrix secure server. We also have a standard policy for desktop encryption.
Do companies need a separate person in the role of a Chief
We being a very small organization have the network manager playing the role
of a CSO.
What is the most important tool in a security strategist's
It's all about keeping ourselves updated for new external threats, virus attacks,
and hacking mechanisms. We also read up classic case studies so that we can
learn some exemplary deployments, which can come in handy.