The Hues of Security
Confidentiality, integrity, careful strategy, rigorous policy,
intensive education and participation, complete credibility, and perennial availability
are features of the security setup that make Rajiv Seoni, Assistant VP
and Head IT Hughes Software Systems (HSS), a winner of the SecureSynergy Security
Strategist award in the IT/ITES category. by Deepali Gupta
Breaking off from the IT department of Hughes Network Systems, Hughes Software
Systems (HSS) is today a software provider to several telecom companies. As
an offshoot company, HSS had to maintain an individual identity. The first and
most critical step for that was to establish watertight security to inspire
confidence among the clients.
"Our clients share designs and plans. And thus, confidentiality and data
security are critical," says Seoni. Therefore security requirement was
driven by customer concerns.
"In a software development organization, it is not difficult to copy and
walk away with Intellectual Property Rights (IPR), which may have been developed
at a huge cost, and with years of effort for a client," he explains.
"I feel the most important aspect is to model the information security
systems and processes on the basis of a well-structured, comprehensive standard,"
That probably explains his course of action. Seoni and his IT team interacted
with every department and drew a blueprint of all the security needs. And they
put in a full publication mechanism in place based on the information accumulated
from the departments.
"Take for example the legal department. They analyze all the clauses of
the contract and formulate certain policies, like if a person is transferred
from one project, he/she cannot work on a competitor's project for the following
six months," Seoni explains. Many times there can be slip ups on this kind
of thing. Therefore alerts against such cases are required.
After having set up an intricate security system in-house, Seonis next
concern was to generate a secure feeling among the customers.
"I had to answer detailed questionnaires from existing as well as potential
customers on our security policy and implementation. We were explaining the
firewall policies, password policies, authentication mechanisms, continuity,
and disaster recovery plans, in detail. Once we decided to get BS7799-2 certification,
the customer confidence in our systems and processes was significantly enhanced,"
The BS7799 had the detailed specifications that were by and large already a
part of HSS. The certification ensured that a formal system was in place. Besides,
with the certification the senior management got involved with the security
too. In fact they were driving the initiative.
"Hughes obtained the commitment of the top management and the involvement
of all functions in the companybusiness, marketing, sales, engineering,
finance, administration, HR and IT. We jointly prepared the security policy,
the business continuity plan, setup audit teams, carried out risk assessment,
launched employee awareness drives, and carried out other activities necessary
for certification," revels Seoni.
What's he got?
Seoni has set up anti-virus, spam filters, IPSs and IDSs to protect his 100
MBPS networks, multiple links, dedicated links and VPNs. The IDS and IPS solutions
check for signatures of abnormal activity and block them out. All e-mail passes
through an internal content filter that blocks inappropriate mail.
"Security speaks of confidentiality, integrity, and
availability," says Sanjay Gogia, Seoni's right hand man and Project Manager
Information Security, HSS. CA Unicenter was deployed to help anticipate and
prevent problems, by alerting the system administrator. It monitors the system
load and manages licenses. The alerts can also be sent on SMS, because e-mail
may fail under some circumstances.
Seoni maintains a safe password policy. Every password has
to be changed after three months, and the person cannot use any of the previous
ten passwords. The passwords are stored in an encrypted form in logs.
Secure from the start
Any new employee is acquainted with the HSS security regulations at induction.
Policies as well as incidents are put before them. They are trained in e-mail
and Internet etiquette. Moreover, every employee at this stage is made aware
that a breach of security policy can result in expulsion.
Despite the initial efforts, it is not as if security training is a one-time
thing, it is part of an ongoing education program. Seoni ensures HSS conducts
online quizzes, poster campaigns and group sessions where people are reminded
that there should be no sharing of passwords and that they should lock their
desktop when they leave their desks.
Over and above
Every six months Seoni brings together management forums to discuss security
needs of the hour. Seoni is aware that security is a continuous process, and
thus calls these meeting biannually. If required, the forum gets together at
shorter intervals. Thereafter the decisions made by the administration have
to be abided.
Recently HSS perceived that USB devices were a potential threat to the company.
A pen-drive is small and secret. Seoni's team therefore implemented a solution
to block just the pendrives on the port. The port is still functional if for
instance a keyboard needed to be plugged into it, but will not provide access
for a pen drive.
For employees HSS also has a workflow mechanism in the form of an information
security help desk. Here anyone in HSS can phone or mail to log a potential
security threat. As soon as the issue is logged the information security team
analyzes it and takes suitable action.
The most challenging part Seoni feels is the actual documentation of the policies
"IT is dynamic, and a Security Strategist has to always be on his toes
to adapt to the changing environment," says Gogia as he explains Seoni's
HSS does not have a formal disaster recovery site or setup. However, it has
offsite backup systems close to the data centers. These systems are not hot
sites, but the backups are checked at the end of the day. An automated monitoring
system gives detailed reports of every update through the day.
Skillset and background
Seoni considers it critical that a Security Strategist should be thorough with
the business needs. In addition to that he feels that
knowledge in general areas like network security, access control, authentication
technologies, data life cycle management, personnel security, and physical security
Deepali Gupta can be reached at: firstname.lastname@example.org