SSA 2005—General Industries Winner
A rapidly evolving security architecture, complex infrastructure and wide-spread supply chain are just the tip of the
iceberg when the task is to secure this FMCG giant. Meet S Narayanan,
Corporate Information Security Manager, Hindustan Lever. He is the designer
and implementer of strategies that made him the Security Strategist in the General
Industries category for 2005.
by Anil Patrick R
Information security is critical when your organisation is
in the FMCG business. In this context, Hindustan Lever Limited's (HLL)
security strategies deserve praise among the elite nominees of the Security
Strategist Awards 2005. Security best practices and infrastructure have been
in place at the company since 1996. This makes the organisation one of the forerunners
and the most deserving winner.
For HLL, a turnover of more than Rs 11,000 crore in the soaps
and personal products business is the result of the combined synergies of more
than 250 third-party suppliers, 80-odd third-party factories, 55 owned factories,
70 depots or warehouses, and over 7,000 stockists. Considering that the company's
IT infrastructure reaches out to most of them, securing this infrastructure
is a major task. "We have more than a million retailers and more than a
billion customers. IT touches our factories, some of our key suppliers, all
our distribution centres, and many of our customers," declares S Narayanan,
Corporate Information Security Manager at the company.
A complex challenge
Since HLL is one of the largest FMCG companies, protection
of intellectual property rights and the company's reputation is crucial
from the security point of view. Point to note: HLL has more than 6,000 desktops
According to Narayanan, the biggest challenge they face is
complexity due to the large number of locations. "The variety of desktop
operating systems ranging from Windows 95 to Windows XP is a challenge from
the security point of view. Growth of IT infrastructure has also been rapid
along with requirements such as robust connectivity, legal compliance requirements
and user expectations," says Narayanan.
Over the past three years, HLL has shifted from a decentralised
approach to a centralised architecture. This has brought with it security challenges
on the networking, server and desktop infrastructure fronts. On the network
front the organisational LANs and WANs connect around 220 units of the company
with several layers of backup. Being part of the Unilever group, the company
also has six international links for global connectivity. The organisation has
around 240 servers, and its server classification is based on criticality to
the business. There are 80 very critical servers and 50 critical servers; the
rest are classified as non-critical and used for development, testing and so
The company has a shared services centre in Bangalore that
handles all its back office operations. HLL has also done a lot of outsourcing
in terms of IT and non-IT processes.
On the regulatory side, HLL has to comply with several legal
requirements. It also has to comply with Unilever's internal requirements
and the Sarbanes-Oxley (SOX) clause 49.
What is unique?
The most unique thing about
HLL's security strategy is the active ownership from business. Assigning
unit ISO responsibility to commercial managers is a step in the right
direction to ensure active user participation. Backed by active technology
controls and a redundant DRP architecture, S Narayanan's security
strategy is worth following.
Off to an early start
Till 2001, HLL's security policies focussed to a great
extent on virus protection with reviews taking place once every two or three
years. However, the company realised around 2001 that as new threats come to
the fore, policies and procedures have to be reviewed and changed frequently.
This realisation resulted in policies and procedures assuming
centre-stage. "Earlier, policies and procedures used to change in two to
three years, now they change almost every day. As you put in new equipment or
new vulnerabilities come in, policies and procedures keep changing," says
HLL's security strategy
- Ownership of the security policy belongs
to business units
- Multifaceted security policy customised
to divisional requirements
- Head of unit is the unit ISO
- Ongoing user and annual ISO training
- Random and quarterly internal audits with
annual external audits.
- Antivirus, vulnerability, and patch management
- Access controls, and VLANs to restrict
- Monitoring of security events
- Centralised redundant DRP architecture
The perspective shifts
According to Narayanan, these changes have been the offshoot
of a new mindset that security should be comprehensive, thus moving away from
looking at IT merely to comply with legal requirements. This change has resulted
in HLL's multi-faceted information security policy.
First among these facets is physical and administration security.
Next comes information protection, which classifies information according to
its level of confidentiality. It also deals with how to handle the information
once it is classified. Third is a specific security policy, which is not relevant
for some functions. For example, in HR there is a starter-mover-leaver process,
which the normal security policy does not cover. Functions like these have been
defined and made into a separate security policy.
Capping all this is employee culture and behaviour. Employees
are provided with a detailed handbook that highlights changes required in culture
and behaviour. All new employees undergo an induction training where they are
exposed to security issues. Continuing education is through e-mailers, corporate
diaries, table calendars, in-house magazines, etc.
BS 7799 FRAMEWORK
HLL's security policy is based on the BS 7799 framework.
The required controls from the BS 7799's 127 controls are chosen depending
on the risk to the company and its units. Periodic policy reviews are performed,
and policy changes recommended to the steering committee which takes the final
Information security initiatives are led by business rather
than IT. At present, the Vice-president of HLL's HR department leads information
security initiatives for India. He is the owner of the security policy, and
leads information protection implementation and policy finalisation.
Apart from this, representatives from each of the key functions
of the company handle different aspects of implementing policy. The steering
group consists of the chairman and finance director, and meets once a quarter.
Pearls of wisdom
- Work with CEOs to ensure that they relate to
security not as a business cost, but as a competitive marketplace advantage.
- Consider security as an element of the
larger business risk management process and embed it in core business
processes as well.
- There is no standard "one size/shoe
fits all" solution for security. Choosing the correct strategy
will depend on factors such as the organisation, its needs and culture.
- Create awareness that security fosters
an ethical culture. Value and promote actions that allow no compromise
of business reputation.
Policing the policies
HLL's policy implementation team structure consists
of a full-time security officer for the company supported by four full-time
officers. The team is part of the IT group, and at each company office the commercial
manager of the unit is the part-time information security officer (ISO).
The commercial manager is responsible for implementation,
positive insurance, and conducting security audits. These ISOs undergo training
annually at each of the four regions. Implementation is done through unit ISOs.
Positive confirmation of these efforts is monitored through security audits
and post-implementation audits.
Ongoing compliance monitoring is done on a quarterly basis.
Tests are conducted on HLL's intranet for the units.
Random audits are also done through the company's internal
auditing called controlled assurance. Security audits include application, network
and unit levels. HLL also does audits to check the security of the IT infrastructure.
Specialist need-based information security audits are also performed. HLL also
undergoes BS 7799-based yearly unit information security reviews conducted by
For a rainy day
Earlier, HLL had a decentralised DRP architecture. It has
since shifted to a centralised approach. DRP is done from the unit level to
the three data centres (Bangalore, Gurgaon and Mumbai). "We can respond
to any disaster situation within 15 minutes," affirms Narayanan.
He says that the use of centralised communication links has
made DRP more reliable. These consist of the VSAT network from HECL with Gurgaon
as the first hub connecting around 180 locations. The network also consists
of terrestrial links (about 90) across the country backed up by ISDN links to
cover Indian offices. Network redundancy is achieved through triangulation.
HLL's application-level DRP strategy is to have the
application hosted in not less than two cities. There is one live location and
one DR location. Incremental backups are performed at specified frequencies.
Vulnerability analysis and patch management are important
at HLL. Other technologies and practices used by the company include data centre
access controls, password management for servers, backups for data and application,
antivirus for Windows-based servers, vulnerability monitoring for servers and
desktops, ethical hacking and IDS.
Information security incidents monitored include antivirus
updates, patches, backup, and server security. Apart from this, DRP, data centre
applications and the network are also monitored. Access control tests are also
Much of HLL's IT is outsourced. About 400 non-HLL employees
operate from HLL premises on tasks from server management to software development.
Security measures are enforced on these personnel through
SLAs. "Whatever applies to an HLL employee applies to these people. We get
that in writing. We have also got into VLANs and restricting access," says
The next task for Narayanan and his team is the shift from
MFG PRO to SAP next year. This is a challenge that involves redefining security
rules and procedures. The company is currently evaluating biometric devices
for remote authorisation.