SSA 2005-Nominee Profile
Bridging the security gap
Raval, Vice-president, Information Technology, Kale Consultants, conducted
an information security gap analysis that laid the groundwork for a tough security
strategy. by Soutiman Das Gupta.
A firm believer in the need to focus on the vital assets of the business instead
of building a fortress around the network, Viral Raval, Vice-president (Information
Technology), Kale Consultants, suggests that one should identify critical business
areas and provide only these with the highest level of security.
"The goal of the security strategy was to align our operating practices
to a standard, which would offer us a single methodology," explains Raval.
He carried out a gap analysis that revealed the current state of information
security affairs and what was needed to reach the desired standards. This paved
the way for a tough security strategy.
Being the information security guardian and Head of IT at an IT solutions company,
Raval believes that the primary approach to creating a security strategy is
to carry out a gap analysis. He has also been instrumental in earning the BS
7799 Part 2 certification for the organisation.
Safeguarding the business
Kale Consultants provides solutions to the global travel and transportation
industry, and offers BPO services. It has four locations in India: two in Mumbai,
and one each in Pune and Noida. It also has two offices in the US and the UK.
There are 600-odd employees globally, and the onus of information security rests
The approach taken
The primary approach to information security design was to perform a gap analysis.
This was followed by the identification of information assets that needed to
Raval believes that information assets in an organisation should be treated
differently. For instance, "A UPS manual needs to be safe, but doesn't
need to be kept in a fire-proof cabinet. There has to be a cost-benefit analysis.
So it's necessary to identify the most critical asset and devise the appropriate
strategy," he explains. A detailed risk analysis was made, and the known
risks and probabilities of their occurrence were listed. Raval identified the
vulnerabilities and threats that could have large-scale effects, and devised
means to mitigate these risks.
"The idea is to make things simple, because it's so simple to make
things difficult," quips Raval.
The objective of his security policy is to enhance customer confidence, ensure
a secure operating environment, minimise business damage by reducing the impact
of security-related incidents, and eliminate the recurrence of identified security-related
incidents to the extent possible.
Some of the highlights are:
- Guidelines for log-in access
- Privilege-based access for personnel
- Policies for ethical use of e-mail and the Internet
- Server allocation policies
- Access rights for servers
- Log analysis and review
- Policy for remote access and firewall configuration
- Routing policies to facilitate global connectivity
There are also guidelines for monitoring UPSs, ACs, and telecom links. There
are recommendations on how closets should be locked, and UPS operational temperature
- Gap analysis
- Identified information assets
- Detailed risk analysis
- Formulated security policies
- Awareness, training and execution
- Access control
- Log analysis
The biggest challenge to policy implementation was to transform mindsets.
"People may wonder how an MP3 file on their PC would harm the security
policy. But there may be a copyright violation issue and the company will not
bear the cost of storing personal files on the network," explains Raval.
Raval adopted a top-down approach for implementation. A mail was sent from the
MD about the security policy and the ways in which personnel should implement
"It didn't seem like a military regime because
the policy in the draft stage was formulated after suggestions and opinions
from various business heads were incorporated," says Raval.
The uniqueness of the strategy
The unique aspect of this security strategy is that Raval does not think it
is necessary to build a huge impenetrable fortress around the entire business
by using a lot of financial and human resources.
He has, with the help of business heads, classified information according to
its importance and attached a risk value to it. This has enabled him to focus
on the vital assets first. That is not to say that other information should be left
He has planned the audit processes in such a way that the organisation is
subject to a security audit every three months.
He has also deployed a helpdesk with a CRM tool that tracks each security
incident and brings it up for resolution until completion.
The security policy is reviewed every six months by an external auditor, as
a part of the BS 7799 recommendation. After three months of each audit the organisation
conducts a half-yearly internal audit. In this manner, the company is subjected
to an audit every quarter.
Any new risk which emerges from a review is communicated to higher authorities
if necessary. New risks, when identified, are included in the purview of the
policy. For example, the company recently identified Bluetooth-enabled cell
phones as a potential risk.
To give an example of the comprehensive nature of his security strategy, Raval
explains the procedure carried out by his organisation when an employee resigns.
The employee has to complete the formalities in a final settlement form before
he may be released. The various passwords are communicated to the manager, drawer
keys are handed over, the ID card and company-provided PDAs (if any) are handed
back. The final clearance is in the form of signatures from the business heads
of all concerned departments.
Raval believes that the organisation's IT infrastructure processes have
two USPs. One, a single service desk for all requests and incidents. The service
desk, for instance, will entertain requests to install a new PC, or rent a car
for a day's use. Raval has deployed a smart CRM solution that tracks and
escalates a request until it's addressed.
The second is that personnel have a high sense of ownership instilled in them.
The work culture is such that if someone detects a security incident and doesn't
report it, the person is regarded as an accomplice to the fact.
BC and DR
Business continuity is part of the security policy and a non-negotiable element
of BS 7799. It is certified by an external auditor.
The DR operations are trigger-driven. This means that DR will kick in depending
on aspects such as the type of threat, the day of the month on which the event
occurred, and the completion status of the jobs.
If there's rain in Mumbai for four hours, we move to Pune,
As a strategist
Raval feels that a security strategy needs common sense and a sense of ownership.
He suggests that gap and risk analyses are essential.
He added, "If you're an IT person, you'll have a heart for IT,
but IT alone cannot solve the information security needs. There are a lot of
operational and human aspects too."