SSA 2005—Nominee Profile
Securitys essential to the business
to Ajay Soni, Senior Manager, IT, IMD, Patni Computer Systems, security
is in the details and errors there are fatal. The team involved with security
should therefore work with dedication and mutual understanding. by Shivani
At Patni Computer Systems, security is not considered a one-time
effort but an ongoing process, which has unconditional support from the management
and participation from end-users and customers.
With a global presence and almost 11,000 employees (including
onshore and offshore employees), the company is as committed to security as
it is to any other business process. All its development centres are inter-connected
and globally connected to multiple customers. Their entire LAN, WAN, security
firewall arena are being taken care of by an in-house IT team.
Soni feels that a company
may have the best of security systems in place but it can still be infected.
At Patni we are not only looking at reactive systems or preventive
solutions but also a proactive solution, says Soni. The other aspect
is that security is not the sole responsibility of the IT team or the
security officer but is a team effort and must have the involvement of
the users. He also feels that knowledge of IT processes and customer needs
must be merged to harness its benefits.
Taking a methodical approach
It is absolutely necessary to create
an operating environment which would not only help to guarantee total
IT security through an ongoing integrated management of policies, procedures
and personnel training, but also result in improved customer confidence
and a competitive edge
The companys security framework has been divided into
physical and application security. The security infrastructure is based upon
four pillars i.e. end point defence, network defence, identity management and
security information management. According to Ajay Soni, Senior Manager, IT,
IMD, Patni, under these four pillars, whatever technology is required has been
A few technologies that fall under these four pillars are
IPS, IDS, deep inspection firewalls, content filters, spam firewalls, single
sign-on (SSO), role-based access control (RBAC), authentication, authorisation
and accounting (AAA), network quarantine, user provisioning, network change
audit and configuration management.
For the company, security has been a journey rather than
a destination. Soni says, Given the kind of business we are in, it is
absolutely necessary to create an operating environment which would not only
help to guarantee total IT ecurity through an ongoing integrated management
of policies, procedures and personnel training but also result in improved customer
confidence and a competitive edge.
As Soni explains, Patni has intrinsically been a strong
believer in standards of ISO, methodologies like Six Sigma and Capability Maturity
Model Integration (CMMi) framework. Hence, Soni believes that Patnis
security framework built on BS 7799 proved to be a true amalgamation of the
companys existing processes, methodologies and standards. That included
finding out the risks, security issues, what needs to be secured and what is
important for the customer etc.
Unlike other organisations where security needs to be hard
sold to the management, it was smooth sailing at Patni as it is an IT company.
Soni says that one of the core components of its security is management support
in all security efforts. Since this is an ongoing effort the budgeting process
is more like investment than spending.
Once the management is on board, the second step is to enforce
the policy at the user level. The policy not only encompasses users in the organisation
but also the requirements of their customers. Soni explains that the companys
people policy is developed around the People Capability Maturity Model (PCMM).
Right at the time of induction, employees are made aware of the policy. The
company has a specific section on what information people need to access. He
believes that awareness is the key to a successful security process and there
have to be rewards and some kind of action. Hence, information is more of a
push rather than a pull service. This is done through the use of e-mail, newsletters
|The Patni strategy
- User education is stressed upon
- Information as a push service
- Security policy is part of the induction
- Awareness through e-mail and newsletters
- IPS, IDS, firewalls
- Network change audit and configuration
However, he feels that the objective of the policy is not
to penalise someone but to understand the rationale behind it. Sometimes
it might happen that they did not understand the policy. Once the analysis is
complete, the ISMS (Information Security Management System) steering committee
will sit and finalise on the impact of the particular incident, says Soni.
A crucial aspect of Patnis security policy is risk
assessment, based on changes and risk of changing technology, new threats etc.
We plan to have a real-time assessment of the various risk factors and
in having systems that are proactive rather than reactive, says Soni.
Security audits take place every six months and the company has also carried
out BS 7799 audits at some of its centres and the rest will be audited in the
next two years.
Patni has opted for qualitative risk assessment, which is
performed every six months or with the advent of any new threat or asset class.
A gap analysis is performed on the basis of risk assessment and presented to
the steering committee comprising stakeholders, HR, Legal, ITIM (IT Infrastructure
Management) and QDI (Quality and delivery Initiative) who are the final authorities.
Their long-term plan is to have a real-time dashboard on the assessment of various
risk factors and having systems that are highly proactive.
Soni feels that the IT policy should be intrinsic to the
business process of the organisation. Since the organisation caters to global
customers, it has a security set up to accommodate customer requirements. As
Soni says, I would like to reiterate that though we have a stringent framework
we are not rigid. This is what gives us the agility to incorporate our long-term
view with an eye on the present day. We ensure that security is imbibed into
all employees right from the time they join Patni. It is made possible via town
hall meetings and employee awareness programmes.