Process excellence at VSNL
When your biggest business asset is guiding and protecting customer data, it is vital to have the best possible security mechanisms. VSNL is on the BS 7799 certification path to this end.
By Anil Patrick R
R Jayaraman, Head, Quality, is the man spearheading quality initiatives at Videsh Sanchar Nigam Limited (VSNL), one of India's leading telecom service providers. A robust information security architecture is essential for a company that deals with data-critical business such as transmission, Internet data centres, billing operations, operations & systems support, and IP operations.
Through these initiatives, VSNL can retain the trust that its customers have placed in it. "In the customer's mind, VSNL is always the party that owns the data since it is a leased circuit that is given out from us to them. We need to be good at this because it is our bread and butter. We are handling data and property that belongs to customers," says Jayaraman.
These factors resulted in VSNL looking for system standards and a process-driven culture. The objective was to set up as many systems as possible and not make any aspect dependent on a particular person or team. Checks and balances had to be built in, along with superior processes, to ensure that a customer's trust was not violated.
VSNL is a leading telecom company which deals with data-critical business such as transmission, Internet data centres, billing operations, operations & systems support, and IP operations.
VSNL needed a proper information security architecture that used system standards along with a process-driven culture.
VSNL decided to go in for BS 7799 certification. Four sites of VSNL (out of the 14 sites with information security interfaces) are BS 7799 certified as of May 2005, with help from Wipro Infotech and Paladion.
According to VSNL, the benefits achieved are process and performance orientation. It also helps VSNL get inputs for continuous
As part of this quest, Jayaraman came up with the challenge of securing the enterprise. BS 7799 was evaluated for putting proper information security standards and a process-driven culture in place.
The initial evaluations of BS 7799 feasibility were started in March 2004. This led to VSNL's discussions with BSI India and the selection of BS 7799.
"BS 7799 documentation requirements are rigorous, and it has quite a comprehensive set of system standards. I normally don't find this in other standards such as TL 9000, which are a bit more open to interpretation and design. I found this unique, considering the kind of requirement that we wanted to address,
Time For A SWOT
A rule of thumb before going in for certification is that you need to know where you stand. For this, VSNL appointed Paladion as its consultant.
This evaluation was crucial since VSNL already had systems in place. To prepare for BS 7799, it was essential to know how prepared (or unprepared) they were for the certification. Paladion conducted a three-month gap analysis, and VSNL had the report by June 2004. "The report said that we were about 40-60 percent okay, but that the rest had to be taken care of. We used that report and appointed Wipro Infotech as the consultant in July 2005," says Jayaraman.
The Paladion report also highlighted areas that VSNL did not have expertise
in. VSNL was aware of these issues, but it did not know how to deal with them
systematically. Wipro Infotech was chosen as it had experience in handling these
Documentation is vital in any certification effort. In VSNL's case, the organisation already had initiatives like TL 9000 and the Tata Business Excellence Model. This helped Wipro Infotech start off on a sound footing. "Most of the documentation was already in place. Our job was to identify the right kind of documentation and customise that to the needs of the BS 7799 standard. Then we mapped it with the risk which we had identified in the initial phase," says Navin Agrawal, Head, Security Governance, Wipro Infotech.
Getting Off The Blocks
Since VSNL was not accustomed to the BS 7799 certification process, the perception was that it would be tough to implement it. The decision was taken to begin by dealing with the most critical areas of operations in the company. Another clearly defined objective was to place less emphasis on merely getting certified and more on the processes that would be put in place.
It was decided that the implementation would be done in phases. The first phase consisted of three sites in Mumbai (Prabhadevi and Fort), VSNL's Internet Data Centre at Navi Mumbai (Vashi), and the network centre at Ernakulam. According to Jayaraman, this covered about 70 percent of the service provider's information security interfaces. It also covered around 1,300 of VSNL's approximately 2,000 employees. "In phase 1 it was necessary to identify the scale of operations across the four locations," says Agrawal.
The first phase commenced in July 2004. Planning was the principal agenda during
July, and the actual implementation started in August 2004. Things went as per
Down To Brass Tacks
Wipro Infotech had interactions with business heads and key personnel in VSNL's IT department to identify critical business functions. This helped Wipro identify business functions and their dependency on various IT processes. Based on these processes, the assets (people, servers, routers, documents, etc.) were identified. Using this information, risk assessment was
Risk assessment includes identifying the kinds of risk: technical, procedural, administrative and environmental. The next step is to prioritise each kind of risk, and the prioritisation has to be based on the impact the risk has on the business. Once the risks are identified, an SOA (Statement of Applicability) is prepared, on the basis of which the required controls and their implications are defined. Risk mitigation is performed after this. Once the risk is mitigated, and the plan, policies and documentation are in place, the implementation is carried out.
Change management was the biggest hurdle. Since the company was expanding at a rapid pace, with newer offerings being marketed on a frequent basis, the challenge was in keeping up with them.
Next in line was getting user acceptance. Getting BS 7799 certified is a people-intensive activity. Without the right mindset, it will be difficult to bring about the discipline that putting processes in place calls for. VSNL's success lies in the way it was able to get user acceptance.
BSI was appointed as the external auditor in November 2004. However, the preliminary audit could only be conducted in March 2005 due to factors such as the unavailability of auditors. "Before involving BSI as the external auditor, there were at least three rounds of internal audits," says Agrawal.
BSI India did the milestone audit in March 2005; this went smoothly. Milestone
audits are not part of the certification process, but certifying agencies normally
perform this to check for readiness to get certified. It is an optional service
that an organisation can look at.
The stage one audit was then performed in April 2005. This
was followed by the stage two audit in May 2005.
BS 7799 has 127 controls. However, the number of required controls depends on the concerned section's Statement of Applicability (SOA). From the business perspective, the required controls had to be selected depending on factors such as scope of engagement and certification.
In VSNL's case, this meant that each department had to identify the applicable and non-applicable controls from among the list of controls. Once the asset identification was done, each asset was mapped to the list of controls.
The process helped VSNL realise that many controls were already in place.
According to Wipro Infotech, its job consisted of finding out how adequate the existing controls were. If they were sufficient, no changes were made. Where controls were insufficient or non-existent, they were strengthened or put in place.
Wipro also performed ethical hacking and vulnerability assessment.
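The risk-to-control mapping described above (prioritise risks by business impact, build an SOA that marks each control applicable or not, then classify selected controls as adequate, insufficient or missing) can be made concrete in a small script. This is an added illustration, not VSNL's or Wipro Infotech's tooling; the control ids, assets and ratings are constructed sample data and the numbering is not BS 7799's.

```python
"""Toy BS 7799-style risk register and Statement of Applicability (SOA).
Control ids C-01..C-04 are placeholders, not BS 7799 control numbers."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str        # e.g. "billing server" (constructed)
    kind: str         # technical / procedural / administrative / environmental
    impact: int       # business impact, 1 (low) .. 5 (severe)
    likelihood: int   # 1 (rare) .. 5 (frequent)
    controls: tuple   # ids of catalogue controls that treat this risk

    def score(self) -> int:
        return self.impact * self.likelihood


# Constructed control catalogue (placeholder ids and names).
CATALOGUE = {
    "C-01": "access control policy",
    "C-02": "backup and restore of business data",
    "C-03": "physical entry controls",
    "C-04": "clock synchronisation",
}

# What to do with an applicable control, given its current adequacy.
ACTION = {"adequate": "keep", "insufficient": "strengthen", "missing": "implement"}


def prioritise(risks):
    """Business impact first, as the article describes; raw score breaks ties."""
    return sorted(risks, key=lambda r: (r.impact, r.score()), reverse=True)


def statement_of_applicability(risks, existing):
    """Return {control id: (applicability, action)} for one department.

    `existing` maps control id -> "adequate" | "insufficient" for controls the
    department already has; a control absent from it is treated as missing.
    A control no in-scope risk needs is recorded as not applicable, with the
    justification the SOA must carry."""
    needed = {cid for r in risks for cid in r.controls}
    soa = {}
    for cid in CATALOGUE:
        if cid not in needed:
            soa[cid] = ("not applicable", "no in-scope risk requires it")
        else:
            state = existing.get(cid, "missing")
            soa[cid] = ("applicable", ACTION[state])
    return soa
```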
Certified To Excel
The four sites of VSNL (of the 14 sites with information security interfaces) were BS 7799 certified as of May 2005.
VSNL is proud of the fact that it passed without non-conformity in the first two audits. "The best part was that when we got certified, there was no non-conformity during the first audit. The second and final audit was also completed without any non-conformity. We got our certificate of recommendation within 20 minutes," says Jayaraman.
The BS 7799 certification is given for three years. This is given on the condition that the organisation is audited by the certifying authority (BSI) either every six months or annually. VSNL has opted for a six-monthly audit frequency. This ensures that it is constantly working on its security infrastructure.
Wipro has imparted training to VSNL's internal auditors. This was made easier by the fact that VSNL already had a system of internal audit from its TL 9000 initiative. There is an internal audit every three months, and at the end of the next three, external audits are done by BSI India. Training was provided to end-users as well. These audits check implementation and documentation practices, following the methodology the standard requires for checking implementation.
According to Jayaraman, there are many advantages to going in for BS 7799. First comes process orientation, which is very important for the Tata Business Excellence Model.
Next up is performance orientation. Today, it is possible for VSNL to get the quantitative inputs to measure and define performance. The benefit is that it helps the organisation get inputs for its continuous improvement system.
Certifying The Rest
VSNL is planning to start the next phase of certification with Wipro Infotech. In this phase VSNL plans to certify the entire company, including the 10 remaining locations where there are information security interfaces. "We will ensure that 100 percent of our transactions with customers (where there is an infosec interface) are covered. According to our internal targets, the date of completion is March 2006, but we will complete it by December 2005," says Jayaraman.
Anil Patrick can be reached at firstname.lastname@example.org