Archives ||About Us || Advertise || Feedback || Subscribe-
-
Issue of September 2004 
-

[an error occurred while processing this directive]

  -  
 
 Home > Case Study
 Print Friendly Page ||  Email this story

Security Audit

A security audit for better business

Information Security becomes imperative for an organization when a growing number of its employees gain access to business resources. Organon India Ltd tackled this issue through a security audit. by Soutiman Das Gupta

When bulk pharmaceutical giant Organon India Ltd (OIL), wanted to gain an edge over its rivals, it decided that the best way to do it was to provide its employees with higher levels of access to business critical resources and the Internet. Maintaining an acceptable standard for information assurance however, was equally important.

This was achieved by conducting a third-party information security audit. At the end of the audit exercise the company was able to make a number of process improvements and devise various strategic policies for better information security.

At OIL

Organon (a part of the Akzo Nobel)—headquartered in Roseland, NJ, USA—creates and markets prescription medicines that improve health and quality of human life. OIL’s Indian operations began more than 35 years back, in Mumbai. Its two factories located in and around Calcutta are involved in making bulk drugs. The company's sales and distribution team is spread across the country with regional offices in Calcutta, Delhi, and Chennai.

The organization relies first and foremost on its expertise in research & development to produce medicines.

Need for security audit

Over the past few of years, OIL has used IT as a means of increasing operational efficiencies and as a business driver. Consequentially, the company has invested substantially in areas such as:

  • IT infrastructure
  • Line building
  • Implementing ERP systems
  • E-mail
  • Other workflow applications

As an increasing number of people were gaining access to business critical resources through the growing use of information technology, security became a real concern for the top management.

When the management chose to beat competition by giving employees increased access to business critical resources, it also felt the need to conduct a security audit to get a closer look at the strengths and weaknesses of the current infrastructure along with advice on strategies and policies required to stay competitive.

OIL chose Sify as its auditor. “Since they already were our Internet bandwidth service provider, we felt that they could provide us with world-class network security services as well,” said A.K. Sircar, Controller - Information Technology, for the company.

The audit solution

The audit was divided into three phases: Assessment, Supply & Deployments, and Review.

Assessment

In this phase, a detailed IT infrastructure review was performed. This involved:

  • Vulnerability assessment and analysis of the OIL infrastructure.
  • Detailed study of OIL's internal policies, processes, and procedures pertaining mostly towards IT.
  • GAP Analysis for OIL to uncover the inadequacies of the current processes, procedures, and practices in accordance with the BS7799 standard for information security.

Many documents that formed the network study, security policies, technical procedures and process-related documents were included in the scope of this study. All the IT processes, both at the practical day-to-day implementation and policy/guideline levels of OIL were studied and analyzed.

The study included OIL's security policies, change control processes, configuration management, third-party and internal supply, service level agreements and other relevant areas.

  • Information Resource Risk Assessment: The respective threats and vulnerabilities were identified for the resources. The assessment was done using best-of-breed commercial as well as Open Source tools while the processes were assessed with BS7799 as a reference.
  • Security Architecture Design: To mitigate these risks, detailed and in-depth security architecture design was recommended.
  • Recommendation: The final recommendations, based on the above, were submitted to the management for approval.

Supply & Deployments

In this phase best-of-breed products were recommended to support the security architecture design proposed for OIL infrastructure. These products were in the later stage supplied to OIL. Once the OIL management approved recommendations, the following technical security architecture was deployed:

  • Reorganizing IP addressing schemes for the enterprise.
  • Layer 2 VLANs for internal traffic segmentation with centralized access control for the VLANs.
  • Access control using high performing NetScreen firewalls.
  • Real-time monitoring using ISS real secure network IDS and host-based IDS with fusion module for real-time attack co-relation and monitoring.
  • Virus, worm, Spam, and malware defense using TrendMicro
  • Web usage monitoring using Websense.
  • Firewall log analysis through WebTrends.

The recommended technical architecture was backed by best practice policies as well as processes to ensure mitigation of risks discovered during the assess phase.

Review

In this phase the review of the security policies and processes of the organization would be performed by the global IT teams and would be both scheduled as well as unscheduled. Sify, as a security service provider, would also be responsible for ensuring that the company comes out with little or no severe concerns during the course of the audit.

Assessing the security audit process

The security audit has provided a number of benefits to OIL. It has enabled the company to safely open the network to the Internet,without compromising on the performance. It has helped increase productivity of the employees by ensuring that during official hours only the resources relevant to accomplishing their key result areas are made available.

The results have allowed the company to follow better resource management practices, like bandwidth management by prioritizing traffic. It can now monitor traffic in real-time to access the business critical resources. This helps avoid internal malicious activity and assures higher levels of access to the critical resources.

And the audit has helped increase the efficiencies (with respect to time and effort saved) of the IT team by integrating a firewall log analyzer within the infrastructure.

Going ahead

In the next few months, OIL will regularize its audit practice. This will enable improvements in processes and overall business strategy. And it will help the company continue to use IT as an important business driver.

IT infrastructure at OIL

Organon India Ltd (OIL) has offices in Mumbai, Calcutta, Delhi, Chennai and Hyderabad. Its data center is independently situated in Mumbai.

All business critical resources have been located in the data center.

These include:

  • ERP application, which runs on IBM AS/400 mainframe platform. All users located around the country log-on to the AS/400 and update data, orders, and other ERP-related operations using Citrix
  • Mailing solution
  • Internal workflow applications
  • DNS servers

The OIL WAN rides on the Sify Network to connect its nationwide offices across the country and the data center. The WAN is an IP-based VPN with a mix of leased lines and broadband as the last mile to each of OIL's offices.

The company has Internet connectivity in Calcutta and Mumbai. It is planning a link between the Mumbai data center and the research

center in the Netherlands via Osaka (Japan). This link is being sourced from Equant. The link is to provide access to specific applications and for users to interact with the Netherlands office.

<In a nutshell>
The company

Organon India Ltd (OIL) is a pharmaceutical company that manufactures bulk drugs and carries out a lot of R&D activities.

The need

OIL wanted to provide higher levels of access to business critical resources and the Internet to its employees. At the same time it wanted to maintain an acceptable standard of information assurance.

The solution

It used the services of a third party to conduct an IT security audit.

The benefits

The audit provided the company with the ability to open the network to the Internet, while ensuring that the network is secure, and performance is not compromised. It has helped increase productivity of the employees, ensured better resource management practices, like bandwidth management through prioritizing traffic.

Soutiman Das Gupta can be reached at soutimand@networkmagazineindia.com

 
     
- <Back to Top>-  

Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.
This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.