Embedding Security into Corporate Life
|V V R Babu
V V R Babu, CIO, ITC Limited has embedded information
security into the lifestyles of all employees at ITC. And that, he believes
is exactly the kind of importance information Security deserves. It is no surprise
that he has been awarded the SecureSynergy Security Strategist award in the
general category. by Soutiman Das Gupta
Babu has created and implemented the finest and best-documented security policy
among organizations in India. His personal efforts have also ensured that information
security is embedded into the lifestyle and mindset of all employees in the
His eye for detail, attention to even the smallest process, and insistence for
audits and checks at almost every level are qualities which only the finest
and most laudable strategist can possess. The jury thus decided to name him
the winner of the SecureSynergy Security Strategist Award 2004, in the General
At ITC Limited
For an organization that began as a cigarette manufacturer, ITC Limited was
quick to diversify into other lines of business and new products. Today ITC
boasts 300 locations connected through a VPN, 5000+ SKUs across diverse businesses.
Taking challenges head-on
Babu believes that the best way to overcome a challenge is to face it head-on.
As IT became all-pervasive in business and drove organization transformation,
stringent security measures were needed to safeguard business information. Babu
responded by framing a detailed security strategy document, which became part
of the total organization policy.
The business perspective
"Information security should be structured in cognizance of the requirements
of business," explains Babu.
Due to the diverse nature of ITCs business a central IT team (IT Shared
Services team) manages technology, application development & support, and
information security, while IT teams in the businesses focus on service delivery
Babu has taken a lot of effort to embed security into the cultural mindset of
the employees. And this was important because the deployment of ERP, use of
e-commerce, and access of information and applications through the Internet
has increased significantly.
"This calls for renewed focus on information security, and the need for
a security policy that ensures authorized access to information to allow uninterrupted
flow of business," Babu pointed out.
The company has a head of information security as part of its shared services
team with security coordinators in the businesses. This team proactively monitors
outbreaks of viruses, breaches of security in the IT infrastructure, incident
management, and focuses on containment according to the incident.
These proactive monitoring activities help in taking corrective and preventive
Babu ensured that the rollout of the security policy touched every business
division with the help of workshops and training programs. A task force was
created at each division and this task force was trained on how to follow the
policy along the lines of a clearly defined roadmap.
The task force personnel in turn went back to their respective divisions and
trained all the end users. Audits are conducted every six months to ensure compliance.
Highlights of the security policy
- The policy clearly states that a person cannot access an external and internal
network at the same time.
- The application owner, has the sole responsibility of the upkeep and sanctity
of information in the application.
- The application owner is responsible for defining and enforcing application
access to end-users.
- Procedures for IT user creation, modification, and deletion at the time
of retirement/exit are all policy-driven.
- Shared drives are not allowed in any user workstation. Regular checks through
random sampling are done to ensure compliance.
- It is mandatory for all users to store information on the network file
servers so that backup and information-sanctity can be enforced.
- Every user signs a document called 'General Terms & Conditions For
Use Of IT Services/Applications' before being given access to any IT resource
of the organization.
The security technology infrastructure
The technology aspect of the security architecture has a layered design. The
organization has two data centers, and both have three-tiered firewall architecture
to provide security in layers. Each tier uses different firewall technologies.
The company also uses Intrusion Detection Systems (IDSs), anti-viruses, desktop
firewalls, and patch management applications. The two data centers act as Disaster
Recovery (DR) sites to each other.
The security process infrastructure
"At every layer right from the business user to the IT support personnel,
each person is clearly aware of the roles and responsibilities. The policy documents
have been created as help files so that they are easy to distribute, and access,"
IT services to the businesses by the shared services team are based on agreed
"Other than security, the SLAs include uptime for network, applications,
and hardware. The SLAs are tracked and we receive reports every month which
tell us the number of incidents, downtime, or security breaches," explained
Enforcing the policy on the users was a big challenge for Babu. However, he
overcame it by allowing Internet access to certain personnel based on job roles,
and three hours of 'Happy Hours' access everyday to all others.
"It's a challenge to explain to the user that the decision to allow selective
restriction was not personal, but based upon the enterprise strategy to enable
business needs, and prevent potential security breaches," says Babu.
Strategy reviews and audits
"We have created a sub-committee called the IT Strategy Committee within
the Corporate IT Steering Committee. It regularly reviews the existing IT policies
and strategies in the company, and recommends modifications of the policy,"
Any deviation from the policy in implementing the policy is raised as an audit
point, so as to work out an action plan to rectify and mitigate any risks to
This action plan is monitored by the Audit Compliance and Review Committee (ACRC).
The ACRC independently reports to the Audit Committee of the Board of Directors
of the company.
A security strategist
An optimist at heart, Babu believes that a good security
strategist must adopt the security strategy in line with the business requirements.
The person must be process-oriented, and be able to identify the risk areas
of the business. In this way he/she can find solutions to mitigate the risk.
Soutiman Das Gupta can be reached at: firstname.lastname@example.org