Security Audit

A security audit for better business

Information Security becomes imperative for an organization when a growing number of its employees gain access to business resources. Organon India Ltd tackled this issue through a security audit. by Soutiman Das Gupta

When bulk pharmaceutical giant Organon India Ltd (OIL), wanted to gain an edge over its rivals, it decided that the best way to do it was to provide its employees with higher levels of access to business critical resources and the Internet. Maintaining an acceptable standard for information assurance however, was equally important.

This was achieved by conducting a third-party information security audit. At the end of the audit exercise the company was able to make a number of process improvements and devise various strategic policies for better information security.

At OIL

Organon (a part of the Akzo Nobel)—headquartered in Roseland, NJ, USA—creates and markets prescription medicines that improve health and quality of human life. OIL’s Indian operations began more than 35 years back, in Mumbai. Its two factories located in and around Calcutta are involved in making bulk drugs. The company's sales and distribution team is spread across the country with regional offices in Calcutta, Delhi, and Chennai.

The organization relies first and foremost on its expertise in research & development to produce medicines.

Need for security audit

Over the past few of years, OIL has used IT as a means of increasing operational efficiencies and as a business driver. Consequentially, the company has invested substantially in areas such as:

• IT infrastructure
• Line building
• Implementing ERP systems
• E-mail
• Other workflow applications

As an increasing number of people were gaining access to business critical resources through the growing use of information technology, security became a real concern for the top management.

When the management chose to beat competition by giving employees increased access to business critical resources, it also felt the need to conduct a security audit to get a closer look at the strengths and weaknesses of the current infrastructure along with advice on strategies and policies required to stay competitive.

OIL chose Sify as its auditor. “Since they already were our Internet bandwidth service provider, we felt that they could provide us with world-class network security services as well,” said A.K. Sircar, Controller - Information Technology, for the company.

The audit solution

The audit was divided into three phases: Assessment, Supply & Deployments, and Review.

Assessment

In this phase, a detailed IT infrastructure review was performed. This involved:

• Vulnerability assessment and analysis of the OIL infrastructure.
• Detailed study of OIL's internal policies, processes, and procedures pertaining mostly towards IT.
• GAP Analysis for OIL to uncover the inadequacies of the current processes, procedures, and practices in accordance with the BS7799 standard for information security.

Many documents that formed the network study, security policies, technical procedures and process-related documents were included in the scope of this study. All the IT processes, both at the practical day-to-day implementation and policy/guideline levels of OIL were studied and analyzed.

The study included OIL's security policies, change control processes, configuration management, third-party and internal supply, service level agreements and other relevant areas.

• Information Resource Risk Assessment: The respective threats and vulnerabilities were identified for the resources. The assessment was done using best-of-breed commercial as well as Open Source tools while the processes were assessed with BS7799 as a reference.
• Security Architecture Design: To mitigate these risks, detailed and in-depth security architecture design was recommended.
• Recommendation: The final recommendations, based on the above, were submitted to the management for approval.

Supply & Deployments

In this phase best-of-breed products were recommended to support the security architecture design proposed for OIL infrastructure. These products were in the later stage supplied to OIL. Once the OIL management approved recommendations, the following technical security architecture was deployed:

• Reorganizing IP addressing schemes for the enterprise.
• Layer 2 VLANs for internal traffic segmentation with centralized access control for the VLANs.
• Access control using high performing NetScreen firewalls.
• Real-time monitoring using ISS real secure network IDS and host-based IDS with fusion module for real-time attack co-relation and monitoring.
• Virus, worm, Spam, and malware defense using TrendMicro
• Web usage monitoring using Websense.
• Firewall log analysis through WebTrends.

The recommended technical architecture was backed by best practice policies as well as processes to ensure mitigation of risks discovered during the assess phase.

Review

In this phase the review of the security policies and processes of the organization would be performed by the global IT teams and would be both scheduled as well as unscheduled. Sify, as a security service provider, would also be responsible for ensuring that the company comes out with little or no severe concerns during the course of the audit.

Assessing the security audit process

The security audit has provided a number of benefits to OIL. It has enabled the company to safely open the network to the Internet,without compromising on the performance. It has helped increase productivity of the employees by ensuring that during official hours only the resources relevant to accomplishing their key result areas are made available.

The results have allowed the company to follow better resource management practices, like bandwidth management by prioritizing traffic. It can now monitor traffic in real-time to access the business critical resources. This helps avoid internal malicious activity and assures higher levels of access to the critical resources.

And the audit has helped increase the efficiencies (with respect to time and effort saved) of the IT team by integrating a firewall log analyzer within the infrastructure.

Going ahead

In the next few months, OIL will regularize its audit practice. This will enable improvements in processes and overall business strategy. And it will help the company continue to use IT as an important business driver.

<In a nutshell>

The company Organon India Ltd (OIL) is a pharmaceutical company that manufactures bulk drugs and carries out a lot of R&D activities. The need OIL wanted to provide higher levels of access to business critical resources and the Internet to its employees. At the same time it wanted to maintain an acceptable standard of information assurance. The solution It used the services of a third party to conduct an IT security audit. The benefits The audit provided the company with the ability to open the network to the Internet, while ensuring that the network is secure, and performance is not compromised. It has helped increase productivity of the employees, ensured better resource management practices, like bandwidth management through prioritizing traffic.

Soutiman Das Gupta can be reached at soutimand@networkmagazineindia.com