With an MphasiS on security
Those with mettle recover and learn from their bad experiences to emerge stronger.
It is this quality that has helped Mitish Chitnavis, Associate Vice-president,
Information Security, Mphasis, win the SecureSynergy Security Strategist 2005
(SSA 2005) Award in the IT/ITeS category. By Anil Patrick R
Mphasis BPO operations have been in the news for all
the wrong reasons. It takes a strong security strategist to learn from a negative
experience and prepare for the future. It was Mitish Chitnavis who helped Mphasis
recover from its security lapse of April 2005.
Does this mean that information security was not top priority
at Mphasis until April 2005? That is not the case. The organisation has had
strong information security initiatives aided by a BS 7799 certification since
2002. However, as anyone who has worked hands-on at implementing information
security will testify, a 100 percent secure infrastructure is only as real
as the mythical Utopia.
The BPO suffered a security lapse, but the important thing
is that the company was able to weather the storm. Today, it is strong enough
and has risen above the most secure Indian organisations to win the SSA 2005
award in the IT/ITeS category. So yes, it is time that Mphasis should be in
the news once again, for the right reasons.
Worldwide skillset management
Mphasis specialises in multi-channel solutions to optimise
sales and service processes. The company also has an extensive offshore infrastructure
for IT development and BPO with centres in India, China and Mexico.
Mphasis is headquartered both in India and the US. The employee
distribution is India-centric since most of its offshoring is done in India.
Mphasis has centres in India at Bangalore, Mumbai, Pune, Mangalore, with Noida
being the most recent addition. The organisation employs about 9,400 people
across the globe (about 6,000 employees in the BPO business) across 23 offices.
"On the BPO side, we have around 25 clients. In IT services the number
of active clients is 100," says Chitnavis.
Mphasis security strategy
- Information Security Risk Management (ISRM)
to identify, prioritise and mitigate risk.
- Risk scorecard to prioritise risk mitigation
plans at the organisation level and at the client program level.
- Employees undergo reference checks and
background checks (dependent on client mandates). They also have to
sign an NDA and an accepted use policy.
- 100 percent frisking of all employees
for different types of media including tape and USB drives. Visitors
and contractors are also screened and frisked.
- Audits: internal, client, and external.
- BS 7799 certification.
- Anti-fraud policy which has resulted from
Mphasis' experience with a security lapse (April 2005) in one of
its client programs.
- VLANs, internal firewalls and perimeter
firewalls, intrusion prevention and detection systems, desktop and server
hardening procedures, anti-virus, anti-spyware, URL filtering server,
anti-spam solutions and gateway anti-virus, patch management, etc.
- Encryption of links with 3DES encryption,
Citrix-based encryption directly from the client, and encrypted VoIP.
- Data centres and Global Network Operations
Centre (GNOC) have biometric access controls and smart cards for access.
- Door-held-open alarm to prevent piggybacking.
An early start
Building High Trust Environments (BHTE) for their client
information is a key objective of the Mphasis corporate information security
team. With this objective in mind, Mphasis started on its present Mphasis Information
Assurance Program (MIAP) in 2002.
This is an early start for a nascent industry such as the
BPO that traces its birth to as late as the year 2000. "At that time (2002),
we took a look at standards and based on our needs such as business integrity,
security, privacy, and reliability as well as after taking a look at the clientele
we cater to, decided to go in for BS 7799 Part II: 2002," says Chitnavis.
The basic mindset towards security at Mphasis is a top-down
approach combined with awareness. All security initiatives are driven by the
top management. "It is taken seriously right from our Chairman Jerry Rao
onwards. I don't think any other company takes it as seriously as we do.
It is an irony again that a mishap of the sort that we had earlier happened
to us," says Chitnavis.
Mphasis has a dedicated information security organisation.
The security organisation is a separate team and is not aligned to the CIO's
department. The team includes BS 7799 audit and compliance, network security,
physical security, personnel security, identity management, and business continuity/disaster
The team reports to the presidents of the individual businesses
and Jerry Rao, the Chairman of the company.
More than a policy
Mphasis has an information security management system (ISMS)
rather than an information security policy as such. According to Chitnavis,
looking at security as a management system is an advantage since it gets audited
on a monthly and a quarterly basis.
All instances of non-compliance or reports are brought to
the management's notice. This helps detail how the management system performs
within the organisation as well as make the required changes. Mission-critical
changes or system modifications are usually made within a week. Non-mission
critical changes are implemented in about a month.
On the physical side, each client area at Mphasis is separated.
Colour coding of lanyards and ID cards for employees, contractors, vendors,
guests and visitors coexists with CCTV surveillance.
100 percent frisking of all employees, visitors and contractors
for different types of media including tape and USB drives is carried out. Within
the data centres and Global Network Operations Centre (GNOC), access control
is achieved using biometric access controls and smart cards. Door-held-open
alarms are in place to prevent piggybacking. "In addition, we are also implementing
turnstiles across all our BPO operation floors and have completed about 25 percent
to avoid tail-gating," says Chitnavis.
On the personnel security side, two reference checks are
in place for every employee. Third-party background checks covering education,
employment, criminal and address verifications are also performed depending
on client mandates due to costs involved and high attrition rates. If a person
is absent for two consecutive days, his or her IDs and access to the building
are suspended. All Mphasis employees have to sign a non-disclosure agreement
(NDA) and an accepted use policy which has a substantial amount of information
A code of conduct and whistle-blower policy are also in place.
"There is an anti-fraud policy which has resulted from our experience with
the incident that happened in April in one of our client programs. We felt at
that time that we need to document clearly as to what constitutes a fraud,
Pearls of wisdom
- Security cannot be a closed-door function
involving just IT or the information security team.
- Inculcate awareness about information
security among the user community.
- Engage business actively in information
security initiatives at all levels, right from the lowest employee
level to the highest management level from a hierarchy perspective.
- Have frank discussions and share best
practices, knowledge, ideas, thoughts, concerns and mitigation strategies
with peers in the industry.
The technology angle
Access to IT environments is controlled via VLANs, internal
firewalls and perimeter firewalls, intrusion prevention and detection systems,
desktop and server hardening procedures.
Mphasis has undergone over 100 audits in the last financial
year. These include 65 internal and 25 client audits.
An internal audit calendar manages the schedule for these
audits. Surprise audits are also carried out to ensure adherence to policies
and procedures. Mphasis has also been audited by regulatory authorities such
as OCC/OTS and FSA.
Mphasis and its clients also engage external auditors such
as Ernst & Young or KPMG to do third-party audits. Chitnavis has also implemented
an innovative mechanism to ensure a higher number of internal auditors. In addition
to the ten-odd BS 7799 auditors that Mphasis has within the infosec team, the
organisation has client programs to provide two single points of contact (SPOC)
from their respective programs. The SPOCs undergo a two-day training in
BS 7799 and do internal audits in addition to the ten members of the BS 7799
team. This has increased our total number of internal auditors to 75,
Towards an aware user
A key challenge faced by Chitnavis is to ensure that information
security ownership rests in the right hands. Chitnavis believes that this can
be achieved only by working on the creation of a proactive security-oriented
"Properly-trained employees and contractors, not technology,
are the best tool for protecting us against attacks on sensitive information.
Hence, the most important security tool is security awareness. The objective
of our awareness programs is to build a security-conscious culture within the
organisation," says Chitnavis.
To create a security-conscious culture within the organisation,
Mphasis has an accelerated Information Security Awareness Program for all its
employees. This is achieved through various methods such as briefings, discussions,
newsletters, staff bulletins, reminder notices, posters, etc.
The organisation is now working on an upgrade from the current
BS7799-2:2002 certification to ISO 27001.
Ongoing enhancements and strategies at Mphasis also include
plans for implementation of identity management, remote access VPNs, a paperless
office, event correlation tools and an upgrade from IDS to inline prevention
systems. Enhancing physical security infrastructure by implementing turnstiles
and biometric access is also on the security roadmap.