A security audit for better business
Information security becomes imperative for an organization
when a growing number of its employees gain access to business resources. Organon
India Ltd tackled this issue through a security audit.
by Soutiman Das Gupta
When bulk pharmaceutical giant Organon India Ltd (OIL) wanted to gain an edge
over its rivals, it decided that the best way to do so was to provide its employees
with higher levels of access to business critical resources and the Internet.
Maintaining an acceptable standard for information assurance however, was equally
This was achieved by conducting a third-party information
security audit. At the end of the audit exercise the company was able to make
a number of process improvements and devise various strategic policies for better
Organon (a part of Akzo Nobel), headquartered in Roseland, NJ, USA, creates
and markets prescription medicines that improve health and quality of human
life. OIL's Indian operations began more than 35 years back, in Mumbai.
Its two factories located in and around Calcutta are involved in making bulk
drugs. The company's sales and distribution team is spread across the country
with regional offices in Calcutta, Delhi, and Chennai.
The organization relies first and foremost on its expertise in research &
development to produce medicines.
Need for security audit
Over the past few years, OIL has used IT as a means of
increasing operational efficiencies and as a business driver. Consequently,
the company has invested substantially in areas such as:
- IT infrastructure
- Line building
- Implementing ERP systems
- Other workflow applications
As an increasing number of people were gaining access to
business critical resources through the growing use of information technology,
security became a real concern for the top management.
When the management chose to beat competition by giving employees increased
access to business critical resources, it also felt the need to conduct a security
audit to get a closer look at the strengths and weaknesses of the current infrastructure
along with advice on strategies and policies required to stay competitive.
OIL chose Sify as its auditor. "Since they already were our Internet bandwidth
service provider, we felt that they could provide us with world-class network
security services as well," said A.K. Sircar, Controller - Information
Technology, for the company.
The audit solution
The audit was divided into three phases: Assessment, Supply & Deployments,
In this phase, a detailed IT infrastructure review was performed. This involved:
- Vulnerability assessment and analysis of the OIL infrastructure.
- Detailed study of OIL's internal policies, processes, and procedures pertaining
mostly to IT.
- Gap analysis for OIL to uncover the inadequacies of the current processes,
procedures, and practices in accordance with the BS7799 standard for information
Many documents that formed the network study, security policies,
technical procedures and process-related documents were included in the scope
of this study. All of OIL's IT processes, at both the practical day-to-day
implementation level and the policy/guideline level, were studied and analyzed.
The study included OIL's security policies, change control
processes, configuration management, third-party and internal supply, service
level agreements and other relevant areas.
- Information Resource Risk Assessment: The respective threats and vulnerabilities
were identified for the resources. The assessment was done using best-of-breed
commercial as well as Open Source tools while the processes were assessed
with BS7799 as a reference.
- Security Architecture Design: To mitigate these risks, a detailed, in-depth
security architecture design was recommended.
- Recommendation: The final recommendations, based on the above, were submitted
to the management for approval.
Supply & Deployments
In this phase, best-of-breed products were recommended to
support the security architecture design proposed for the OIL infrastructure. These
products were supplied to OIL at a later stage. Once OIL's management approved
the recommendations, the following technical security architecture was deployed:
- Reorganizing IP addressing schemes for the enterprise.
- Layer 2 VLANs for internal traffic segmentation with centralized access
control for the VLANs.
- Access control using high performing NetScreen firewalls.
- Real-time monitoring using ISS RealSecure network IDS and host-based IDS,
with the Fusion module for real-time attack correlation and monitoring.
- Virus, worm, spam, and malware defense using Trend Micro.
- Web usage monitoring using Websense.
- Firewall log analysis through WebTrends.
The recommended technical architecture was backed by best
practice policies as well as processes to ensure mitigation of the risks discovered
during the assessment phase.
In this phase, the review of the security policies and processes of the organization
would be performed by the global IT teams and would be both scheduled and
unscheduled. Sify, as a security service provider, would also be responsible
for ensuring that the company comes out with little or no severe concerns during
the course of the audit.
Assessing the security audit process
The security audit has provided a number of benefits to OIL. It has enabled
the company to safely open the network to the Internet, without compromising
on performance. It has helped increase the productivity of the employees by
ensuring that during official hours only the resources relevant to accomplishing
their key result areas are made available.
The results have allowed the company to follow better resource
management practices, like bandwidth management by prioritizing traffic. It
can now monitor, in real time, traffic accessing the business critical resources.
This helps avoid internal malicious activity and assures higher levels of access
to the critical resources.
And the audit has helped increase the efficiencies (with respect to time and
effort saved) of the IT team by integrating a firewall log analyzer within the
In the next few months, OIL will regularize its audit practice. This will enable
improvements in processes and overall business strategy. And it will help the
company continue to use IT as an important business driver.
Organon India Ltd (OIL) is a pharmaceutical company that manufactures bulk
drugs and carries out a lot of R&D activities.
OIL wanted to provide higher levels of access to business critical resources
and the Internet to its employees. At the same time it wanted to maintain
an acceptable standard of information assurance.
It used the services of a third party to conduct an IT security audit.
The audit provided the company with the ability to open the network to
the Internet, while ensuring that the network is secure and performance
is not compromised. It has helped increase the productivity of the employees
and ensured better resource management practices, like bandwidth management
through prioritizing traffic.
Soutiman Das Gupta can be reached at firstname.lastname@example.org