Issue of October 2005

Cover Story
SSA 2005-Nominee Profile

Bridging the security gap

Viral Raval, Vice-president, Information Technology, Kale Consultants, conducted an information security gap analysis that laid the groundwork for a tough security strategy. By Soutiman Das Gupta.

A firm believer in focusing on the vital assets of the business rather than building a fortress around the entire network, Viral Raval, Vice-president (Information Technology), Kale Consultants, suggests identifying the critical business areas and giving only those the highest level of security.

“The goal of the security strategy was to align our operating practices to a standard, which would offer us a single methodology,” explains Raval. He carried out a gap analysis that revealed the current state of information security and what was needed to reach the desired standard. This paved the way for a tough security strategy.

As information security guardian and Head of IT at an IT solutions company, Raval believes that a security strategy should begin with a gap analysis. He was also instrumental in earning the organisation its BS 7799 Part 2 certification.

Safeguarding the business

Kale Consultants provides solutions to the global travel and transportation industry and offers BPO services. It has four locations in India, two in Mumbai and one each in Pune and Noida, and two offices abroad, in the US and the UK. There are 600-odd employees globally, and the onus of information security rests with Raval.

The approach taken

The primary approach to information security design was to perform a gap analysis. This was followed by the identification of information assets that needed to be safeguarded.

Raval believes that different information assets in an organisation should be treated differently. “For instance, a UPS manual needs to be safe, but doesn’t need to be kept in a fire-proof cabinet. There has to be a cost-benefit analysis. So it’s necessary to identify the most critical asset and devise the appropriate strategy,” he explains. A detailed risk analysis was carried out, listing the known risks and the probability of each occurring. Raval identified the vulnerabilities and threats that could have large-scale effects and devised means to mitigate those risks.

Policy highlights

“The idea is to make things simple, because it’s so simple to make things difficult,” quips Raval.

The objective of his security policy is to enhance customer confidence, ensure a secure operating environment, minimise business damage by reducing the impact of security-related incidents, and eliminate the recurrence of identified security-related incidents to the extent possible.

Some of the highlights are:

  • Guidelines for log-in access
  • Privilege-based access for personnel
  • Policies for ethical use of e-mail and the Internet
  • Server allocation policies
  • Access rights for servers
  • Log analysis and review
  • Policy for remote access and firewall configuration
  • Routing policies to facilitate global connectivity

There are also guidelines for monitoring UPSs, air-conditioning units and telecom links, and recommendations on how closets should be locked and on UPS operating temperature ranges.

What’s needed

Processes

  • Gap analysis
  • Identified information assets
  • Detailed risk analysis
  • Formulated security policies
  • Awareness, training and execution

Technology

  • Access control
  • Log analysis
  • Firewalls
  • Anti-virus
  • IDS

The challenges

The biggest challenge to policy implementation was to transform mindsets.

“People may wonder how an MP3 file on their PC would harm the security policy. But there may be a copyright violation issue and the company will not bear the cost of storing personal files on the network,” explains Raval.

Raval adopted a top-down approach to implementation. An e-mail went out from the MD explaining the security policy and how personnel should follow it.

“It didn’t seem like a military regime because the policy in the draft stage was formulated after suggestions and opinions from various business heads were incorporated,” says Raval.

The uniqueness of the strategy

The unique aspect of this security strategy is that Raval does not think it is necessary to build a huge impenetrable fortress around the entire business by using a lot of financial and human resources.

With the help of business heads, he classified information according to its importance and attached a risk value to each class. This lets him focus on the vital assets first, which is not to say that other information is left unprotected.

He has scheduled the audit processes so that the organisation undergoes a security audit every three months.

He has also deployed a helpdesk with a CRM tool that logs each security incident and keeps escalating it until it is resolved.

Policy review

The security policy is reviewed every six months by an external auditor, as part of the BS 7799 requirements. Three months after each external audit the organisation conducts its own half-yearly internal audit, so the company is audited every quarter.

Any new risk that emerges from a review is escalated to senior management where necessary, and newly identified risks are brought within the scope of the policy. For example, the company recently identified Bluetooth-enabled cell phones as a potential risk.

Comprehensiveness

To give an example of the comprehensive nature of his security strategy, Raval explains the procedure carried out by his organisation when an employee resigns.

The employee has to complete the formalities on a final settlement form before being relieved. The various passwords are communicated to the manager, and drawer keys, the ID card and any company-provided PDAs are handed back. Final clearance takes the form of signatures from the business heads of all concerned departments.

The USPs

Raval believes that the organisation’s IT infrastructure processes have two USPs. The first is a single service desk for all requests and incidents; it will, for instance, handle a request to install a new PC or to rent a car for a day’s use. Raval has deployed a CRM solution that tracks and escalates each request until it is addressed.

The second is the strong sense of ownership instilled in personnel. The work culture is such that anyone who detects a security incident and fails to report it is regarded as an accomplice.

BC and DR

Business continuity is part of the security policy and a non-negotiable element of BS 7799. It is certified by an external auditor.

DR operations are trigger-driven: whether DR is invoked depends on factors such as the type of threat, the day of the month on which the event occurred, and the completion status of the jobs.

“If there’s rain in Mumbai for four hours, we move to Pune,” explains Raval.

As a strategist

Raval feels that a security strategy needs common sense and a sense of ownership, and that gap and risk analyses are essential.

He adds, “If you’re an IT person, you’ll have a heart for IT, but IT alone cannot solve the information security needs. There are a lot of operational and human aspects too.”

soutimand@networkmagazine.com

 
     
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.