Archives || Search || About Us || Advertise || Feedback || Subscribe-
Issue of October 2005 

[an error occurred while processing this directive]

 Home > Cover Story
 Print Friendly Page ||  Email this story

SSA 2005-General Industries

A pragmatic approach to security

Anil Kumar Kaushik, Deputy General Manager (IS Application), BPCL, says that be it security tools or IT applications, they have to add value to the system. by Shivani Shinde

Bharat Petroleum Corporation Limited (BPCL) needs no introduction. It has been a front runner in business processes and in harnessing IT to provide better services and to diversify.

The company’s operations and 5,000 desktop users are spread over 300 locations—some beyond municipal limits. With the increased use of technology applications and the Internet, the organisation felt the need for a robust security system.

The BPCL strategy


  • Security policy in tandem with the HR policy
  • User education thorough e-mail and through ISS Net Member
  • Centralising Internet access


  • Separate firewalls for the Internet and LAN
  • IDS
  • Anti-virus

Anil Kumar Kaushik believes that being an early adopter, the company has had an advantage in upgrading to new systems. In the late 1990s, the organisation got on the Internet and this resulted in security concerns raising their heads. “We took the usual measures for security, such as deploying IDS, anti-virus and firewall. Our concern was to have an environment as secure as possible,” he says.

The company’s Internet access is centralised for better control with failover through the use of an IDS. BPCL is a good example of how phased development permits the deployment of technology. From manual data collection to automated systems, the company had to consider these details while framing its security policy and implementing the same.

Comments Kaushik, “We documented our security policy. At the same time, we realised that even if we did publish it or put it on the Internet, it would not be feasible for others to go through it. We decided that whatever was related to the user should be included in a booklet.” The booklet, known as the code of practice for users, has details that a user requires for the daily routine. Again the policy rollout was done in tandem with the HR policy, and violations in the former were linked to the latter.

Apart from this, they made use of Web site filtering; users get alert messages if they try to access unwanted sites. Action taken depends on the severity of a violation, which may be as simple as a warning memo. In some cases, they might not allow certain facilities to the person and if the violation is serious then the person may be sacked.

Education is a tool

BPCL realised that just having a policy doesn’t help, but awareness and thorough user education are important. Again, due to the vast area over which its operations were spread and the diverse user profile, the organisation had to take a different approach. “Since the users came from both management and non-management segments, the approach to spread awareness had to be different. We realised that controlling or monitoring behaviour from a central location would be difficult,” Kaushik explains.

When SAP was rolled out in the second phase, those who would be accessing the systems were trained with regard to security. Each location has a user group and is known as ISS Net Member. According to Kaushik, “Whatever knowledge needs to be shared with the users is communicated through these members at their respective locations, for which they are adequately trained. The idea is to let the knowledge spread.” The organisation has 3,100 users using SAP operating from 300 locations. These locations are on the WAN with over 100 partners connected through VPNs.

What's unique about this project?

The uniqueness of this project lies in the area of coverage and varied user requirements. According to Kaushik, security is an issue that must be handled by an in-house team due to its criticality; they have managed to do so at BPCL. He is a firm believer in investing on training people and believing in them to solve any problem. He also feels that everything cannot be done in one go. Plan and let business critical systems be given priority.

Putting systems in place

Before the SAP rollout, there was only one level of IDS and firewalls. Now they have two levels—one at the Internet level and the other at the LAN. For this, they use solutions from multiple vendors. Kaushik believes that this reduces system vulnerability, as there is always another solution to stop the problem. They use Cisco Pix and IDS for the Internet and checkpoint firewall, Nortel switches and Real Secure IDS for the internal security. Standard mechanisms include firewalls, IDS and IBM Tivoli’s Software Distribution module for patching.

With such an initiative taking place, continuous assistance from the management was also important. Says Kaushik, “We are fortunate to have a management that understands the need of security within the IT framework. Their only criterion is that whatever the IT deployment, it has to bring value to the company and it should serve its purpose rather than be deployed because others are doing it.”

The role of audits

Security audits are the important part of its security initiative. As Kaushik explains, “Security audits are done at the IT level for which we take third-party assistance. Though it was to happen every six months, it is being conducted annually now because of infrastructure issues. Penetration testing and other issues are taken care of by an internal team. Apart from this, the company has a strong internal audit team that looks after various audit issues.”

Kaushik says that the challenges faced include educating the users about the risks involved, systems required collection of data from various centres to a central base, and hacking. He is of the opinion that instead of going for large deployments, one should deploy systems on a smaller scale and then based on performance decide about implementing the same.

- <Back to Top>-  
Untitled Document
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.