Strengthening the Weakest Link

A proponent of zero tolerance and a believer in the need to strengthen people, the weakest link in enterprise security, Sunil Gujral, VP-IT, Wipro Spectramind, likes to club technology with an emphasis on user awareness.

by Anil Patrick R
During an interview with Network Magazine, Sunil Gujral, VP-IT, Wipro Spectramind,
stressed the importance of clubbing the latest technology with an emphasis on user
awareness. He believes that a security chain is only as strong as its weakest
link: people. After all, security is about the effective combination of
technology, people, and processes.
An uphill struggle
In the relatively nascent but fast-paced BPO industry, it is the organization's
reputation that matters most, and a security breach can be fatal.
"Any security breach can affect our reputation in the BPO space and lead
to business loss. This can affect the lives of around 10,000 of our employees,"
says Gujral.
Change is a constant in Wipro Spectramind's operations, whether in customer
requirements or in users. Compliance requirements like BS7799, HIPAA, and
SAS 70 add to this, and the result is a rapidly changing infrastructure.
Meeting these requirements is not an easy job, because varying customer requirements
and opportunities dictate changes to the technology infrastructure, each bringing new
security challenges. Added to this are the high employee attrition rates that BPO
companies face. So, maintaining security awareness becomes the biggest challenge.
Maintaining the people edge
"Information security can be achieved only by the proper
combination of technology, people, and processes. If the people component is
weak, it can make the strongest technology useless."
At the time of joining, every employee is briefed on data security, security
policies and their enforcement, where to find the security policies for future
reference, data classifications, and handling procedures for confidential data. Plus, Wipro
Spectramind's ongoing user education uses poster campaigns and pop-up messages
to maintain the awareness level.
A Wipro group concept called Security Srinivas is also used. "This
is a character and story built around an incident. It helps people relate more easily
to security concepts and understand them better," says Gujral.
Sculpting the policy right
The top management drives security at Wipro Spectramind and has been involved
in the effort from its inception in the year 2000.
A committee comprising management, IT, and operations personnel conducts monthly
policy reviews. The organization also has a dedicated vice president to drive
audits and security compliance.
The company's security policy consists of a basic framework that is shared with
its customers. The policy is then modified to suit customer requirements.
The technical side
Wipro Spectramind primarily deals with accessing data on its customers' own setups.
This translates to minimal local data storage and stringent user-level security
requirements: user authentication, user access to information and sites,
secure data storage, defined escalation procedures and matrices, and incident reporting and handling.
Each location's IT infrastructure has components like desktops,
LAN, switches, Cat 6 cabling, redundant fiber connectivity, multi-layering,
Kerberos, firewalls, and IDSs. Every location has its own infrastructure and
a dedicated sub-infrastructure to suit varying customer requirements. The customer
infrastructure may be dedicated or shared in nature, as per the customer's
requirement.
The basic security features at the user level include locked
down desktops, regularly updated anti-virus, curtailed administrator account
access, absence of floppy/CD drives, and locked down USB ports.
For identity management, users have to first log into
the company's systems. They then have to be re-authenticated on the client's
systems. IDS logs are reviewed manually by a dedicated team around the clock.
On the physical security side, access is limited to employees using proximity
cards. Cameras are used to constantly capture and log employee movement in the
premises. The policies also include those on managing visitors, incident reporting,
and escalation.
Enforcing the talk
Gujral is a proponent of zero tolerance
of non-compliance. So, during initial user training he makes it known that errant
employees do not belong in the organization.
Enforcement procedures include regular audits along with daily checks on firewalls
and anti-virus. These checks are organized into daily, weekly, and monthly
audit checklists. Audit hierarchies are followed, with a defined structure for
the entire process. Internal audits are done quarterly and external audits are
done every six months.
Surprise checks on security compliance are also conducted. If a user is discovered
to be non-compliant, his/her system access is stopped. The next level is blocking
that employee's customer-level access by informing the
customer. It is made sure that the employee's proximity card is surrendered
and he/she is personally escorted out of the organization.
Anil Patrick R can be reached at: anilpatrick@networkmagazineindia.com