The Hues of Security - Security Strategist 2004

Archives ||About Us || Advertise || Feedback || Subscribe-

Issue of November 2004

Home > Security Strategist 2004

Print Friendly Page ||

Email this story

The Hues of Security

Rajiv Seoni

Confidentiality, integrity, careful strategy, rigorous policy, intensive education and participation, complete credibility, and perennial availability are features of the security setup that make Rajiv Seoni, Assistant VP and Head IT Hughes Software Systems (HSS), a winner of the SecureSynergy Security Strategist award in the IT/ITES category. by Deepali Gupta

Breaking off from the IT department of Hughes Network Systems, Hughes Software Systems (HSS) is today a software provider to several telecom companies. As an offshoot company, HSS had to maintain an individual identity. The first and most critical step for that was to establish watertight security to inspire confidence among the clients.

"Our clients share designs and plans. And thus, confidentiality and data security are critical," says Seoni. Therefore security requirement was driven by customer concerns.

"In a software development organization, it is not difficult to copy and walk away with Intellectual Property Rights (IPR), which may have been developed at a huge cost, and with years of effort for a client," he explains.

What Counts

"I feel the most important aspect is to model the information security systems and processes on the basis of a well-structured, comprehensive standard," he continues.

That probably explains his course of action. Seoni and his IT team interacted with every department and drew a blueprint of all the security needs. And they put in a full publication mechanism in place based on the information accumulated from the departments.

"Take for example the legal department. They analyze all the clauses of the contract and formulate certain policies, like if a person is transferred from one project, he/she cannot work on a competitor's project for the following six months," Seoni explains. Many times there can be slip ups on this kind of thing. Therefore alerts against such cases are required.

What's next

After having set up an intricate security system in-house, Seoni’s next concern was to generate a secure feeling among the customers.

"I had to answer detailed questionnaires from existing as well as potential customers on our security policy and implementation. We were explaining the firewall policies, password policies, authentication mechanisms, continuity, and disaster recovery plans, in detail. Once we decided to get BS7799-2 certification, the customer confidence in our systems and processes was significantly enhanced," remembers Seoni.

The BS7799 had the detailed specifications that were by and large already a part of HSS. The certification ensured that a formal system was in place. Besides, with the certification the senior management got involved with the security too. In fact they were driving the initiative.

"Hughes obtained the commitment of the top management and the involvement of all functions in the company—business, marketing, sales, engineering, finance, administration, HR and IT. We jointly prepared the security policy, the business continuity plan, setup audit teams, carried out risk assessment, launched employee awareness drives, and carried out other activities necessary for certification," revels Seoni.

What's he got?

Seoni has set up anti-virus, spam filters, IPSs and IDSs to protect his 100 MBPS networks, multiple links, dedicated links and VPNs. The IDS and IPS solutions check for signatures of abnormal activity and block them out. All e-mail passes through an internal content filter that blocks inappropriate mail.

"Security speaks of confidentiality, integrity, and availability," says Sanjay Gogia, Seoni's right hand man and Project Manager Information Security, HSS. CA Unicenter was deployed to help anticipate and prevent problems, by alerting the system administrator. It monitors the system load and manages licenses. The alerts can also be sent on SMS, because e-mail may fail under some circumstances.

Seoni maintains a safe password policy. Every password has to be changed after three months, and the person cannot use any of the previous ten passwords. The passwords are stored in an encrypted form in logs.

Secure from the start

Any new employee is acquainted with the HSS security regulations at induction. Policies as well as incidents are put before them. They are trained in e-mail and Internet etiquette. Moreover, every employee at this stage is made aware that a breach of security policy can result in expulsion.

Despite the initial efforts, it is not as if security training is a one-time thing, it is part of an ongoing education program. Seoni ensures HSS conducts online quizzes, poster campaigns and group sessions where people are reminded that there should be no sharing of passwords and that they should lock their desktop when they leave their desks.

Over and above

Every six months Seoni brings together management forums to discuss security needs of the hour. Seoni is aware that security is a continuous process, and thus calls these meeting biannually. If required, the forum gets together at shorter intervals. Thereafter the decisions made by the administration have to be abided.

Recently HSS perceived that USB devices were a potential threat to the company. A pen-drive is small and secret. Seoni's team therefore implemented a solution to block just the pendrives on the port. The port is still functional if for instance a keyboard needed to be plugged into it, but will not provide access for a pen drive.

For employees HSS also has a workflow mechanism in the form of an information security help desk. Here anyone in HSS can phone or mail to log a potential security threat. As soon as the issue is logged the information security team analyzes it and takes suitable action.

The most challenging part Seoni feels is the actual documentation of the policies and changes.

"IT is dynamic, and a Security Strategist has to always be on his toes to adapt to the changing environment," says Gogia as he explains Seoni's position.

Disaster Recovery

HSS does not have a formal disaster recovery site or setup. However, it has offsite backup systems close to the data centers. These systems are not hot sites, but the backups are checked at the end of the day. An automated monitoring system gives detailed reports of every update through the day.

Skillset and background

Seoni considers it critical that a Security Strategist should be thorough with the business needs. In addition to that he feels that

knowledge in general areas like network security, access control, authentication technologies, data life cycle management, personnel security, and physical security is essential.

Deepali Gupta can be reached at: deepali@networkmagazineindia.com

Tips of the trade

Stop thinking like an IT person. Security is a business issue and it will not work if you have excellent IT security alone.
Get the commitment and active involvement of the top
management, the business groups, and other functions. In fact all employees in the organization.
Work with a business perspective; understand what requires
protection for the line of business of the company.
Focus on the processes, the technical details will fall into place.
Consider a long-term approach, how the system will ensure regular audits, reviews, continuous improvement, and employee awareness.

-	<Back to Top>-

© Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.
This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.