Integrating Security with Business
Sanjay Prasad, Head - Technology Services, e-Serve
International Ltd. (e-Serve) believes that in his company's line of work, information
security is paramount, and has made security an intrinsic part of the work culture.
by Soutiman Das Gupta
In the company, information security is owned at all levels in the organization. The cause is championed at the Managing Director's level, and is by all means a boardroom priority. Prasad gives IT security strategic and operational priority in the organization. His ability to make security an integral part of the technology deliverables to business, together with processes like mandatory training, evidence-based preventive and corrective actions, policy reviews, and intricate fail-over measures within the function, speaks of an exemplary security strategist.

At e-Serve
As a service provider in the BPO space, the company provides IT-enabled back-office and call center operations to the financial services sector globally. Supported by a robust IT and telecom infrastructure, it services Citigroup entities across the globe. While the group information security policy addresses the financial services sector, the information security function has imbibed the tenets of this policy and adapted it to suit the technology operations environment of a BPO service provider.

Organized responsibilities
Two empowered officers manage security-related responsibilities in the company. One takes care of the technology and IT-related issues of the security infrastructure (Tech ISO), and the other looks after information security issues related to business and operations (Business ISO). "This doesn't mean that the two teams work in silos. There is a common information security policy for components related to technology and operations. The two work jointly to create strategies, train, communicate, reinforce changes, and help business and support units assess and review compliance," explains Prasad.

Information is key
Since information is key, e-Serve adheres to a well-documented security policy. This assures clients, who can in turn make the end-customer comfortable that the organization uses a robust security infrastructure. Personnel at various levels of responsibility are given restricted access to data on a need-to-know basis. Prasad believes in maintaining evidence of security implementation. So, when an administrator installs a patch on a server or workstation, there must be a system log or screenshot as evidence of the work completed.

Preventive and corrective
"As a preventive step we ensure that the patches and upgrades are not man-dependent, and work on a push mode. It is not left to an individual user," explains Prasad. A monitoring tool captures the information from every workstation and reports on its update status. "Enforcement of the policy is facilitated since every employee has been given the wherewithal to ensure that whatever asset he/she is using, is secure," explains Prasad. Every employee has to ensure quality assurance at the workstation level. To supplement the above, the IT team performs periodic sweeps and checks workstations and PCs at random, and any deviation is reported to the unit head. Appropriate disciplinary steps are taken in case of anomalies.

Policy reviews
Security policy reviews are done both periodically and on an as-needed basis. The reviews are broadly of three types, over and above statutory audits. The first, like self-assessment, is enforced periodically and is performed within the operating unit. The second comprises peer reviews, like internal audits, performed outside the unit but within the organization. The third is group audits, conducted by audit review teams from outside the organization. The gaps and the corrective action plans are all reported to the MD.

Risk management
A risk review committee chaired by the MD looks at overall risk management. The Technology and Business ISOs use a well-proven incident response mechanism in which incidents are reported through both the business and the technology chains.

Business continuity
Prasad has ensured that the basic technology and its infrastructure services are bound by SLAs. Every business unit manages continuity through responses agreed with clients and support units (Technology, Human Resources) for different disruption scenarios. Business continuity can be at a component, site, city, or country level. The company has major operations in two cities, and they serve as failover support for each other. A group of personnel at each location is trained and periodically tested on the business processes of the other site. In case of a contingency, this team at the remote site can take over.

Whose business?
"Information security and compliance-related training is mandatory for all new recruits. To repeat, and it's not a cliché—information security is everyone's business," explains Prasad.
Soutiman Das Gupta can be reached at: soutimand@networkmagazinindia.com