Archives || Search || About Us || Advertise || Feedback || Subscribe-
Issue of October 2005 

[an error occurred while processing this directive]

 Home > Cover Story
 Print Friendly Page ||  Email this story

SSA 2005-Winner

With an MphasiS on security

Only those with mettle recover and learn from their bad experiences to emerge stronger. It is this quality that has helped Mitish Chitnavis, Associate Vice-president, Information Security, Mphasis, win the SecureSynergy Security Strategist 2005 (SSA 2005) Award in the IT/ITeS category. by Anil Patrick R

Mphasis’ BPO operations have been in the news for all the wrong reasons. It takes a strong security strategist to learn from a negative experience and prepare for the future. It was Mitish Chitnavis who helped Mphasis recover from its security lapse of April 2005.

Does this mean that information security was not top priority at Mphasis until April 2005? That is not the case. The organisation has had strong information security initiatives aided by a BS 7799 certification since 2002. However, as anyone who has worked hands-on at implementing information security will testify—a 100 percent secure infrastructure is only as real as the mythical Utopia.

The BPO suffered a security lapse, but the important thing is that the company was able to weather the storm. Today, it is strong enough and has risen above the most secure Indian organisations to win the SSA 2005 award in the IT/ITeS category. So yes, it is time that Mphasis should be in the news once again—for the right reasons.

Worldwide skillset management

Mphasis specialises in multi-channel solutions to optimise sales and service processes. The company also has an extensive offshore infrastructure for IT development and BPO with centres in India, China and Mexico.

Mphasis is headquartered both in India and the US. The employee distribution is India-centric since most of its offshoring is done in India. Mphasis has centres in India at Bangalore, Mumbai, Pune, Mangalore, with Noida being the most recent addition. The organisation employs about 9,400 people across the globe (about 6,000 employees in the BPO business) across 23 offices. “On the BPO side, we have around 25 clients. In IT services the number of active clients is 100,” says Chitnavis.

Mphasis’ security strategy


  • Information Security Risk Management (ISRM) to identify, prioritise and mitigate risk.
  • Risk scorecard to prioritise risk mitigation plans at the organisation level and at the client program level.
  • Employees undergo reference checks and background checks (dependent on client mandates). They also have to sign an NDA and accepted use policy.
  • 100 percent of frisking for all employees for different types of media including tape and USB drives. Visitors and contractors are also screened and frisked.
  • Audits—internal, client, and external.
  • BS 7799 certification
  • Anti-fraud policy which has resulted from Mphasis’ experience with a security lapse (April 2005) in one of its client programs.


  • VLANs, internal firewalls and perimeter firewalls, intrusion prevention and detection systems, desktop and server hardening procedures, anti-virus, anti-spyware, URL filtering server, anti-spam solutions and gateway-antivirus, patch management etc
  • Encryption of links with 3DES encryption, Citrix-based encryption directly from the client, and encrypted VoIP traffic.
  • Data centres and Global Network Operations Centre (GNOC) have biometric access controls and smart cards for access control.
  • Door-long open alarm to prevent piggybacking.

An early start

Building High Trust Environments (BHTE) for their client information is a key objective of the Mphasis corporate information security team. With this objective in mind, Mphasis started on its present Mphasis Information Assurance Program (MIAP) in 2002.

This is an early start for a nascent industry such as the BPO that traces its birth to as late as the year 2000. “At that time (2002), we took a look at standards and based on our needs such as business integrity, security, privacy, and reliability as well as after taking a look at the clientele we cater to, decided to go in for BS 7799 Part II: 2002,” says Chitnavis.

The basic mindset towards security at Mphasis is a top-down approach combined with awareness. All security initiatives are driven by the top management. “It is taken seriously right from our Chairman Jerry Rao onwards. I don’t think any other company takes it as seriously as we do. It is an irony again that a mishap of the sort that we had earlier happened to us,” says Chitnavis.

Mphasis has a dedicated information security organisation. The security organisation is a separate team and is not aligned to the CIO’s department. The team includes BS 7799 audit and compliance, network security, physical security, personnel security, identity management, and business continuity/disaster recovery.

The team reports to the presidents of the individual businesses and Jerry Rao, the Chairman of the company.

More than a policy

Mphasis has an information security management system (ISMS) rather than an information security policy as such. According to Chitnavis, looking at security as a management system is an advantage since it gets audited on a monthly and a quarterly basis.

All instances of non-compliance or reports are brought to the management’s notice. This helps detail how the management system performs within the organisation as well as to make the required changes. Mission-critical changes or system modifications are usually made within a week. Non-mission critical changes are implemented in about a month.

Cordoned off

On the physical side, each client area at Mphasis is separated. Colour coding of lanyards and ID cards for employees, contractors, vendors, guest and visitors coexist with CCTV surveillance.

100 percent frisking for all employees, visitors and contractors for different types of media including tape and USB drives is carried out. Within the data centres and Global Network Operations Centre (GNOC), access control is achieved using biometric access controls and smart cards. “Door-long open alarms are in place to prevent piggybacking. In addition, we are also implementing turnstiles across all our BPO operation floors and have completed about 25 percent to avoid tail-gating,” says Chitnavis.

On the personnel security side, two reference checks are in place for every employee. Third-party background checks covering education, employment, criminal and address verifications are also performed depending on client mandates due to costs involved and high attrition rates. If a person is absent for two consecutive days, his or her IDs and access to the building are suspended. All Mphasis employees have to sign an non-disclosure agreement (NDA) and an accepted use policy which has a substantial amount of information security components.

A code of conduct and whistle-blower policy are also in place. “There is an anti-fraud policy which has resulted from our experience with the incident that happened in April in one of our client programs. We felt at that time that we need to document clearly as to what constitutes a fraud,” says Chitnavis.

Pearls of wisdom

  • Security cannot be a closed-door function involving just IT or the information security team.
  • Inculcate awareness about information security among the user community.
  • Engage business actively in information security initiatives at all levels—right from the lowest employee level to the highest management level from a hierarchy perspective.
  • Have frank discussions and share best practices, knowledge, ideas, thoughts, concerns and mitigation strategies with peers in the industry.

The technology angle

Access to IT environments is controlled via VLANs, internal firewalls and perimeter firewalls, intrusion prevention and detection systems, desktop and server hardening procedures.

Audit IT

Mphasis has undergone over 100 audits in the last financial year. These include 65 internal and 25 client audits.

An internal audit calendar manages the schedule for these audits. Surprise audits are also carried out to ensure adherence to policies and procedures. Mphasis has also been audited by regulatory authorities such as OCC/OTS and FSA.

Mphasis and its clients also engage external auditors such as Ernst & Young or KPMG to do third-party audits. Chitnavis has also implemented an innovative mechanism to ensure a higher number of internal auditors. In addition to the ten-odd BS 7799 auditors that Mphasis has within the infosec team, the organisation has client programs to provide two single points of contact (SPOC) from their respective programs. “The SPOCs undergo a two-day training in BS 7799 and do internal audits in addition to the ten members of the BS 7799 team. This has increased our total number of internal auditors to 75,” says Chitnavis.

Towards an aware user

A key challenge faced by Chitnavis is to ensure that information security ownership rests in the right hands. Chitnavis believes that this can be achieved only by working on the creation of a proactive security-oriented mindset.

“Properly-trained employees and contractors, not technology, is the best tool for protecting us against attacks on sensitive information. Hence, the most important security tool is security awareness. The objective of our awareness programs is to build a security conscious culture within the organisation,” says Chitnavis.

To create a security conscious culture within the organisation, Mphasis has an accelerated Information Security Awareness Program for all its employees. This is achieved through various methods such as briefings, discussions, newsletters, staff bulletins, reminder notices, posters, etc.

The organisation is now working on an upgrade from the current BS7799-2:2002 certification to ISO 27001.

Ongoing enhancements and strategies at Mphasis also include plans for implementation of identity management, remote access VPNs, a paperless office, event correlation tools and an upgrade from IDS to inline prevention systems. Enhancing physical security infrastructure by implementing turnstiles and biometric access is also on the security roadmap.

- <Back to Top>-  
Untitled Document
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.