A Shore that's Surely Secure

Jimmy Sarbh

P&O Ports Pvt Ltd was a unique entry at the Security Strategist awards. Not just because of the technology or a particular innovation, but because the security strategy was driven by a business head and only implemented by the IT Head. Let's explore what got Jimmy Sarbh Chairman and Managing Director South Asia and Middle East of the company involved into security strategy. by Deepali Gupta

P&O Ports runs a container terminal. Which basically means it takes exported, imported packages onto the dock or yard and redirects them to their destinations. The business process therefore, is highly dependent on message exchange. And some of these messages can also be sensitive in nature.

Sleepless nights

At some point Sarbh realized that the changing technology left loopholes such that there was scope for misuse. He feared his port and business could be insecure and there was a chance his system could be hacked into.

This fear lurked within him, and was reinforced when he was transferring data. The data was not only precious to the customers but was business-critica. The last straw was when Sarbh bid for a high level project worth two million dollars, and realized that any competitor could monitor his interaction with his London office and retrieve crucial information to out bid him.

He called in his IT team. Ironically the IT team reassured him that his systems were safe. Unfortunately that was not true, because when he called in the Mahindra Special Services Group, Sarbh found that anyone could still waltz into his systems.

The Mahindras deployed a security system, but Sarbh's trust in IT people's advice had been irrevocably shaken. He thus approached the British Standards for the BS7799 certification, and it came through in May 2004.

What he's got

"No part could be less secure than another, so we covered all areas equally," says Sarbh. So P&O Ports has video access cards, biometrics, and crane simulations. A PeopleSoft database has been deployed on IBM hardware, there and several Intel-based HP serves, and radio data terminals for data entry.

To protect its setup P&O Ports uses a Checkpoint firewall at its gateway, Trend Micro's anti-virus for e-mail and exchange servers, and a spam filter. It has tie-ups with Oracle and Microsoft and a centralized monitoring systems give alerts to the administrator as soon as new patches and anti-virus updates are available for distribution.

From top to toe

"Security is an ongoing process, and the entire business process needs to be secure," says Sarbh. Perhaps that is why security at P&O Ports is driven top down.

Once every few months the IT team assembles to discuss and determines if there is need for policy changes. Every six months a security audit is conducted, and the certifying agency (BS7799) conducts an external audit every ten months. Any non-conformities are identified and complied within a given time.

Educating the masses

The company conducts security training every six months. The employees are taught Internet and e-mail etiquette and the need for passwords and security.

Even though P&O Ports does not have a help desk or workflow systems to address security queries, the incident management, Sarbh claims is efficient. Any information leak is reported to the Shift Engineer, who alerts the IT officer, who passes it to the Chief of Information Systems (CIS), who is answerable to the Executive Director.

What counts

Sarbh feels that as a Security Strategist, having a vision is critical. Furthermore, he has resolved that he shall never underestimate security and not be complacent even afterthe current security holes are plugged.

His reasons for security orientation are: "We need to secure ourselves if we want to trade with foreign countries like the US that may be prone to terrorist attacks. Security, once proved, will give us an edge over our competition. This will lead to increased business, which means more revenue, and better share holder value and at the end of the day that’s what matters."

He also believes that it is unreasonable to put a price on security. He feels that life is valuable, but it doesn't put a price on a human being. Therefore proving ROI should not even be a criterion when investing in security.

Deepali Gupta can be reached at: deepali@networkmagazineindia.com