Archives ||About Us || Advertise || Feedback || Subscribe-
Issue of November 2004 

[an error occurred while processing this directive]

 Home > Security Strategist 2004
 Print Friendly Page ||  Email this story

Embedding Security into Corporate Life

V V R Babu

V V R Babu, CIO, ITC Limited has embedded information security into the lifestyles of all employees at ITC. And that, he believes is exactly the kind of importance information Security deserves. It is no surprise that he has been awarded the SecureSynergy Security Strategist award in the general category. by Soutiman Das Gupta

Babu has created and implemented the finest and best-documented security policy among organizations in India. His personal efforts have also ensured that information security is embedded into the lifestyle and mindset of all employees in the organization.

His eye for detail, attention to even the smallest process, and insistence for audits and checks at almost every level are qualities which only the finest and most laudable strategist can possess. The jury thus decided to name him the winner of the SecureSynergy Security Strategist Award 2004, in the General Industry category.

At ITC Limited

For an organization that began as a cigarette manufacturer, ITC Limited was quick to diversify into other lines of business and new products. Today ITC boasts 300 locations connected through a VPN, 5000+ SKUs across diverse businesses.

Taking challenges head-on

Babu believes that the best way to overcome a challenge is to face it head-on. As IT became all-pervasive in business and drove organization transformation, stringent security measures were needed to safeguard business information. Babu responded by framing a detailed security strategy document, which became part of the total organization policy.

The business perspective

"Information security should be structured in cognizance of the requirements of business," explains Babu.

Due to the diverse nature of ITC’s business a central IT team (IT Shared Services team) manages technology, application development & support, and information security, while IT teams in the businesses focus on service delivery through IT.

The principles

Babu has taken a lot of effort to embed security into the cultural mindset of the employees. And this was important because the deployment of ERP, use of e-commerce, and access of information and applications through the Internet has increased significantly.

"This calls for renewed focus on information security, and the need for a security policy that ensures authorized access to information to allow uninterrupted flow of business," Babu pointed out.

The company has a head of information security as part of its shared services team with security coordinators in the businesses. This team proactively monitors outbreaks of viruses, breaches of security in the IT infrastructure, incident management, and focuses on containment according to the incident.

These proactive monitoring activities help in taking corrective and preventive action.

Policy rollout

Babu ensured that the rollout of the security policy touched every business division with the help of workshops and training programs. A task force was created at each division and this task force was trained on how to follow the policy along the lines of a clearly defined roadmap.

The task force personnel in turn went back to their respective divisions and trained all the end users. Audits are conducted every six months to ensure compliance.

Highlights of the security policy

  • The policy clearly states that a person cannot access an external and internal network at the same time.
  • The application owner, has the sole responsibility of the upkeep and sanctity of information in the application.
  • The application owner is responsible for defining and enforcing application access to end-users.
  • Procedures for IT user creation, modification, and deletion at the time of retirement/exit are all policy-driven.
  • Shared drives are not allowed in any user workstation. Regular checks through random sampling are done to ensure compliance.
  • It is mandatory for all users to store information on the network file servers so that backup and information-sanctity can be enforced.
  • Every user signs a document called 'General Terms & Conditions For Use Of IT Services/Applications' before being given access to any IT resource of the organization.

The security technology infrastructure

The technology aspect of the security architecture has a layered design. The organization has two data centers, and both have three-tiered firewall architecture to provide security in layers. Each tier uses different firewall technologies.

The company also uses Intrusion Detection Systems (IDSs), anti-viruses, desktop firewalls, and patch management applications. The two data centers act as Disaster Recovery (DR) sites to each other.

The security process infrastructure

"At every layer right from the business user to the IT support personnel, each person is clearly aware of the roles and responsibilities. The policy documents have been created as help files so that they are easy to distribute, and access," said Babu.

IT services to the businesses by the shared services team are based on agreed SLAs.

"Other than security, the SLAs include uptime for network, applications, and hardware. The SLAs are tracked and we receive reports every month which tell us the number of incidents, downtime, or security breaches," explained Babu.

Enforcement challenges

Enforcing the policy on the users was a big challenge for Babu. However, he overcame it by allowing Internet access to certain personnel based on job roles, and three hours of 'Happy Hours' access everyday to all others.

"It's a challenge to explain to the user that the decision to allow selective restriction was not personal, but based upon the enterprise strategy to enable business needs, and prevent potential security breaches," says Babu.

Strategy reviews and audits

"We have created a sub-committee called the IT Strategy Committee within the Corporate IT Steering Committee. It regularly reviews the existing IT policies and strategies in the company, and recommends modifications of the policy," explains Babu.

Any deviation from the policy in implementing the policy is raised as an audit point, so as to work out an action plan to rectify and mitigate any risks to the business.

This action plan is monitored by the Audit Compliance and Review Committee (ACRC). The ACRC independently reports to the Audit Committee of the Board of Directors of the company.

A security strategist

An optimist at heart, Babu believes that a good security strategist must adopt the security strategy in line with the business requirements. The person must be process-oriented, and be able to identify the risk areas of the business. In this way he/she can find solutions to mitigate the risk.

Soutiman Das Gupta can be reached at:

Tips of the trade

  • An organization should have a clearly defined, business oriented security policy.
  • The policies have to be supplemented by technology to automate and remove dependency on people.
  • User awareness programs are very critical for the success, and require careful planning and execution.
  • A specialized team is required to audit the policy for compliance.
  • Policing together with training and awareness programs is necessary on an ongoing basis to ensure internalization of the security.
- <Back to Top>-  

Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.
This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.