SSA 2005-General Industries
A pragmatic approach to security
Kumar Kaushik, Deputy General Manager (IS Application), BPCL, says that
be it security tools or IT applications, they have to add value to the system.
by Shivani Shinde
Bharat Petroleum Corporation Limited (BPCL) needs no introduction.
It has been a front runner in business processes and in harnessing IT to provide
better services and to diversify.
The company's operations and 5,000 desktop users are
spread over 300 locations, some beyond municipal limits. With the increased
use of technology applications and the Internet, the organisation felt the need
for a robust security system.
The BPCL strategy
- Security policy in tandem with the HR
- User education through e-mail and through ISS Net Member
- Centralising Internet access
- Separate firewalls for the Internet and
Anil Kumar Kaushik believes that being an early adopter,
the company has had an advantage in upgrading to new systems. In the late 1990s,
the organisation got on the Internet and this resulted in security concerns
raising their heads. "We took the usual measures for security, such as
deploying IDS, anti-virus and firewall. Our concern was to have an environment
as secure as possible," he says.
The company's Internet access is centralised for better
control with failover through the use of an IDS. BPCL is a good example of how
phased development permits the deployment of technology. From manual data collection
to automated systems, the company had to consider these details while framing
its security policy and implementing the same.
Comments Kaushik, "We documented our security policy.
At the same time, we realised that even if we did publish it or put it on the
Internet, it would not be feasible for others to go through it. We decided that
whatever was related to the user should be included in a booklet." The
booklet, known as the code of practice for users, has details that a user requires
for the daily routine. Again the policy rollout was done in tandem with the
HR policy, and violations in the former were linked to the latter.
Apart from this, they made use of Web site filtering; users
get alert messages if they try to access unwanted sites. Action taken depends
on the severity of a violation, which may be as simple as a warning memo. In
some cases, they might not allow certain facilities to the person and if the
violation is serious then the person may be sacked.
Education is a tool
BPCL realised that just having a policy doesn't help,
but awareness and thorough user education are important. Again, due to the vast
area over which its operations were spread and the diverse user profile, the
organisation had to take a different approach. Since the users came from
both management and non-management segments, the approach to spread awareness
had to be different. "We realised that controlling or monitoring behaviour from
a central location would be difficult," Kaushik explains.
When SAP was rolled out in the second phase, those who would
be accessing the systems were trained with regard to security. Each location
has a user group and is known as ISS Net Member. According to Kaushik, "Whatever
knowledge needs to be shared with the users is communicated through these members
at their respective locations, for which they are adequately trained. The idea
is to let the knowledge spread." The organisation has 3,100 users using
SAP operating from 300 locations. These locations are on the WAN with over 100
partners connected through VPNs.
What's unique about this project?
The uniqueness of this project lies in the area
of coverage and varied user requirements. According to Kaushik, security
is an issue that must be handled by an in-house team due to its criticality;
they have managed to do so at BPCL. He is a firm believer in investing
in training people and believing in them to solve any problem. He also
feels that everything cannot be done in one go. Plan and let business
critical systems be given priority.
Putting systems in place
the SAP rollout, there was only one level of IDS and firewalls. Now they have
two levels: one at the Internet level and the other at the LAN. For this,
they use solutions from multiple vendors. Kaushik believes that this reduces
system vulnerability, as there is always another solution to stop the problem.
They use Cisco PIX and IDS for the Internet and Check Point firewall, Nortel
switches and RealSecure IDS for the internal security. Standard mechanisms
include firewalls, IDS and IBM Tivoli's Software Distribution module for
With such an initiative taking place, continuous assistance
from the management was also important. Says Kaushik, "We are fortunate
to have a management that understands the need of security within the IT framework.
Their only criterion is that whatever the IT deployment, it has to bring value
to the company and it should serve its purpose rather than be deployed because
others are doing it."
The role of audits
Security audits are an important part of its security initiative.
As Kaushik explains, "Security audits are done at the IT level for which
we take third-party assistance. Though it was to happen every six months, it
is being conducted annually now because of infrastructure issues. Penetration
testing and other issues are taken care of by an internal team." Apart from this,
the company has a strong internal audit team that looks after various audit
Kaushik says that the challenges faced include educating
the users about the risks involved, systems that required collection of data from
various centres to a central base, and hacking. He is of the opinion that instead
of going for large deployments, one should deploy systems on a smaller scale
and then based on performance decide about implementing the same.