A Shore that's Surely Secure
Jimmy Sarbh
P&O Ports Pvt Ltd was a unique entry at the Security
Strategist awards. Not just because of the technology or a particular innovation,
but because the security strategy was driven by a business head and only implemented
by the IT Head. Let's explore what got Jimmy Sarbh, Chairman and Managing
Director, South Asia and Middle East, of the company involved in security strategy.
by Deepali Gupta
P&O Ports runs a container terminal, which basically means
it takes exported and imported packages onto the dock or yard and redirects them
to their destinations. The business process, therefore, is highly dependent on
message exchange, and some of these messages can be sensitive in nature.
At some point Sarbh realized that the changing technology left loopholes such
that there was scope for misuse. He feared his port and business could be insecure
and there was a chance his system could be hacked into.
This fear lurked within him, and was reinforced when he was transferring data.
The data was not only precious to the customers but was business-critical. The
last straw was when Sarbh bid for a high-level project worth two million dollars,
and realized that any competitor could monitor his interaction with his London
office and retrieve crucial information to outbid him.
He called in his IT team. Ironically, the IT team reassured him that his systems
were safe. Unfortunately, that was not true, because when he called in the Mahindra
Special Services Group, Sarbh found that anyone could still waltz into his systems.
The Mahindras deployed a security system, but Sarbh's trust in IT people's advice
had been irrevocably shaken. He thus approached the British Standards for the
BS7799 certification, and it came through in May 2004.
What he's got
"No part could be less secure than another, so we covered all areas equally,"
says Sarbh. So P&O Ports has video access cards, biometrics, and crane simulations.
A PeopleSoft database has been deployed on IBM hardware, and there are several Intel-based
HP servers, and radio data terminals for data entry.
To protect its setup, P&O Ports uses a Checkpoint firewall at its gateway,
Trend Micro's anti-virus for e-mail and exchange servers, and a spam filter.
It has tie-ups with Oracle and Microsoft, and a centralized monitoring system
gives alerts to the administrator as soon as new patches and anti-virus updates
are available for distribution.
From top to toe
"Security is an ongoing process, and the entire business process needs
to be secure," says Sarbh. Perhaps that is why security at P&O Ports
is driven top down.
Once every few months the IT team assembles to discuss and determine whether
policy changes are needed. Every six months a security audit is conducted,
and the certifying agency (BS7799) conducts an external audit every ten months.
Any non-conformities are identified and brought into compliance within a given time.
Educating the masses
The company conducts security training every six months. The employees are taught
Internet and e-mail etiquette and the need for passwords and security.
Even though P&O Ports does not have a help desk or workflow systems to address
security queries, incident management, Sarbh claims, is efficient. Any information
leak is reported to the Shift Engineer, who alerts the IT officer, who passes
it to the Chief of Information Systems (CIS), who is answerable to the Executive
Sarbh feels that as a Security Strategist, having a vision is critical. Furthermore,
he has resolved that he shall never underestimate security and not be complacent
even after the current security holes are plugged.
His reasons for security orientation are: "We need to secure ourselves
if we want to trade with foreign countries like the US that may be prone to
terrorist attacks. Security, once proved, will give us an edge over our competition.
This will lead to increased business, which means more revenue, and better shareholder
value, and at the end of the day that's what matters."
He also believes that it is unreasonable to put a price on security. He feels
that life is valuable, but one doesn't put a price on a human being. Therefore,
proving ROI should not even be a criterion when investing in security.
Deepali Gupta can be reached at: firstname.lastname@example.org