Issue of October 2005 

SSA 2005—Nominee Profile

Security’s essential to the business

According to Ajay Soni, Senior Manager, IT, IMD, Patni Computer Systems, security is in the details and errors there are fatal. The team involved with security should therefore work with dedication and mutual understanding.

by Shivani Shinde

At Patni Computer Systems, security is not considered a one-time effort but an ongoing process, which has unconditional support from the management and participation from end-users and customers.

With a global presence and almost 11,000 employees (including onshore and offshore employees), the company is as committed to security as it is to any other business process. All its development centres are inter-connected and globally connected to multiple customers. Its entire LAN, WAN and security firewall arena is taken care of by an in-house IT team.

Unique Features

Soni feels that a company may have the best of security systems in place but it can still be infected. “At Patni we are not only looking at reactive systems or preventive solutions but also a proactive solution,” says Soni. The other aspect is that security is not the sole responsibility of the IT team or the security officer but is a team effort and must have the involvement of the users. He also feels that knowledge of IT processes and customer needs must be merged to harness its benefits.

Taking a methodical approach

The company’s security framework has been divided into physical and application security. The security infrastructure is based upon four pillars: end point defence, network defence, identity management and security information management. According to Ajay Soni, Senior Manager, IT, IMD, Patni, whatever technology is required under these four pillars has been incorporated.

A few technologies that fall under these four pillars are IPS, IDS, deep inspection firewalls, content filters, spam firewalls, single sign-on (SSO), role-based access control (RBAC), authentication, authorisation and accounting (AAA), network quarantine, user provisioning, network change audit and configuration management.

For the company, security has been a journey rather than a destination. Soni says, “Given the kind of business we are in, it is absolutely necessary to create an operating environment which would not only help to guarantee total IT security through an ongoing integrated management of policies, procedures and personnel training but also result in improved customer confidence and a competitive edge.”

As Soni explains, “Patni has intrinsically been a strong believer in standards of ISO, methodologies like Six Sigma and Capability Maturity Model Integration (CMMi) framework.” Hence, Soni believes that Patni’s security framework built on BS 7799 proved to be a true amalgamation of the company’s existing processes, methodologies and standards. That included finding out the risks, security issues, what needs to be secured and what is important for the customer etc.

Team effort

Unlike other organisations where security needs to be hard sold to the management, it was smooth sailing at Patni as it is an IT company. Soni says that one of the core components of its security is management support in all security efforts. Since this is an ongoing effort the budgeting process is more like investment than spending.

Once the management is on board, the second step is to enforce the policy at the user level. The policy not only encompasses users in the organisation but also the requirements of their customers. Soni explains that the company’s people policy is developed around the People Capability Maturity Model (PCMM). Right at the time of induction, employees are made aware of the policy. The company has a specific section on what information people need to access. He believes that awareness is the key to a successful security process and there have to be rewards and some kind of action. Hence, information is more of a push rather than a pull service. This is done through the use of e-mail, newsletters etc.

The Patni strategy

Processes:

  • User education is stressed
  • Information as a push service
  • Security policy is part of the induction programme
  • Awareness through e-mail and newsletters

Technology:

  • IPS, IDS, firewalls
  • Anti-virus
  • Network change audit and configuration

Holistic approach

However, he feels that the objective of the policy is not to penalise someone but to understand the rationale behind it. “Sometimes it might happen that they did not understand the policy. Once the analysis is complete, the ISMS (Information Security Management System) steering committee will sit and finalise on the impact of the particular incident,” says Soni.

A crucial aspect of Patni’s security policy is risk assessment, based on changes and risk of changing technology, new threats etc. “We plan to have a real-time assessment of the various risk factors and in having systems that are proactive rather than reactive,” says Soni. Security audits take place every six months and the company has also carried out BS 7799 audits at some of its centres and the rest will be audited in the next two years.

Patni has opted for qualitative risk assessment, which is performed every six months or with the advent of any new threat or asset class. A gap analysis is performed on the basis of the risk assessment and presented to the steering committee comprising stakeholders, HR, Legal, ITIM (IT Infrastructure Management) and QDI (Quality and Delivery Initiative), who are the final authorities. Their long-term plan is to have a real-time dashboard on the assessment of various risk factors and to have systems that are highly proactive.

Soni feels that the IT policy should be intrinsic to the business process of the organisation. Since the organisation caters to global customers, it has a security set up to accommodate customer requirements. As Soni says, “I would like to reiterate that though we have a stringent framework we are not rigid. This is what gives us the agility to incorporate our long-term view with an eye on the present day. We ensure that security is imbibed into all employees right from the time they join Patni. It is made possible via town hall meetings and employee awareness programmes.”

shivani@expresscomputeronline.com

 
     
 
Indian Express - Business Publications Division

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.