Strengthening the weakest Link
A proponent of zero tolerance and a believer in the need
to strengthen peoplethe weakest link in enterprise security,
Sunil Gujral, VP-IT, Wipro Spectramind likes to club technology with emphasis
on user awareness. by Anil Patrick R
During an interview with Network Magazine, Sunil Gujral, VP-IT, Wipro Spectramind,
stressed the importance of clubbing the latest technology with emphasis on user
awareness. He believes that a security chain is only as strong as the weakest
link people. After all, security is about the effective combination of
technology, people, and processes.
An uphill struggle
In the relatively nascent but fast-paced BPO industry, it's the organization's
reputation that matters most and security breaches can be fatal.
"Any security breach can affect our reputation in the BPO space and lead
to business loss. This can affect the lives of around 10,000 of our employees,"
Change is a main component of Wipro Spectramind's operations, whether it is
customer requirements or users. Due to requirements like BS7799, HIPAA, and
SAS 70 compliance, the result is a rapidly changing infrastructure.
Meeting these requirements is not an easy job because varying customer requirements
and opportunities dictate technology infrastructure changes along with new security
challenges. Added to this are the high employee attrition rates that BPO companies
have. So, maintaining security awareness becomes the biggest challenge.
Maintaining the people edge
"Information security can be achieved only by the proper
combination of technology, people, and processes. If the people component is
weak, it can make the strongest technology useless.
At the time of joining every employee is made to understand data security, security
policies, enforcement, and future accessing of security policies for reference,
data classifications and handling procedures for confidential data. Plus, Wipro
Spectramind's ongoing user education uses poster campaigns and popup messages
to maintain the awareness level.
A Wipro group concept called Security Srinivas is also used. "This
is a character and story built around an incident. It helps people relate easier
to security concepts and understand them better," said Sunil Gujral.
Sculpting the policy right
The top management drives security at Wipro Spectramind and has been involved
in the effort from its inception in the year 2000.
A committee comprising management, IT, and operations personnel conducts monthly
policy reviews. The organization also has a dedicated vice president to drive
audits and security compliance.
The company's security policy consists of a basic framework that is shared with
its customers. The policy is then modified to suit customer requirements.
The technical side
Wipro Spectramind primarily deals with accessing data from its customer's setup.
This translates to minimal data storage, stringent security user level requirements;
requirements like user authentication, user accessibility to information/sites,
secure data storage, defined escalation procedures/matrices, and incident reporting/handling.
Each location's IT infrastructure has components like desktops,
LAN, switches, Cat 6 cabling, redundant fiber connectivity, multi-layering,
Kerberos, firewalls, and IDSs. Every location has its own infrastructure and
a dedicated sub-infrastructure to suit varying customer requirements. The customer
infrastructure may be dedicated or shared in nature as per the customers
The basic security features at the user level include locked
down desktops, regularly updated anti-virus, curtailed administrator account
access, absence of floppy/CD drives, and locked down USB ports.
For identity management, the users have to first log into
the company's systems. They then have to get re-authenticated on the client's
systems. Manual IDS logging is done by a dedicated team on a 24-hour basis.
On the physical security side, access is limited to employees using proximity
cards. Cameras are used to constantly capture and log employee movement in the
premises. The policies also include those on managing visitors, incident reporting,
Enforcing the talk Gujral is a proponent for zero tolerance
of non-compliance. So, during initial user training he makes it known that errant
employees do not belong to the organization.
Enforcement procedures include regular audits along with daily checks on firewalls
and anti-viruses. This is done in different stages as daily, weekly, and monthly
audit checklists. Audit hierarchies are followed along with a structure for
the entire process. Internal audits are done quarterly and external audits are
done every six months.
Surprise checks on security compliance are also conducted. If a user is discovered
to be non-compliant, his/her system access is stopped. The next level is blocking
that employee's customer level access by informing the
customer. It is made sure that the employee's proximity card is surrendered
and he/she is personally escorted out of the organization.
Anil Patrick R can be reached at: firstname.lastname@example.org