SSA 2005-Nominee Profile
Putting availability first
Mahajan, Head, IT Infrastructure and Facilities Management, Mahindra &
Mahindra, puts availability before integrity and confidentiality as the vital
enabler of his security strategy. by Soutiman Das Gupta
W e believe that information availability is the most
important goal of a security strategy, followed by integrity and confidentiality.
Other organisations have it the other way round and put confidentiality first,
explains Vijay S Mahajan, Head, IT Infrastructure and Facilities Management
of Mahindra & Mahindra.
This concept has acted as the enabler of security strategy
that he has crafted for his company.
Availability is king
The reason that Mahajan puts availability of information
over everything else is a reflection of the nature of business at M&M.
The principal activity of the group is to manufacture, distribute,
and sell farm equipment and utility vehicles. Its automotive division manufactures
utility vehicles and SUVspopular brands are Scorpio and Bolero.
The companys automotive and farm utility divisions
have eight manufacturing plants with the head office in Colaba, Mumbai. There
are 20 area offices for the auto division and 20 for the tractor division. These
area offices control the nationwide dealer network.
Add these 40 area offices to 10 company locations and you
have 50 enterprise locations and 42,000 users on the network.
Involving the entire business
In order to create a security strategy across this geographically
dispersed organisation, Mahajans approach was to involve the entire business
while formulating the strategy.
We spoke to the heads of different business areas and
asked them to identify the information that they felt was critical. They had
to identify and classify their information assets according to the guidelines,
and the ownership was theirs, explains Mahajan.
This was the most effective way to go about ensuring information
security because the process ensured the required level of commitment from the
business. After the business heads classified their assets, they had to define
the risks they perceived.
The information security team headed by Mahajan then devised
means to reduce risks in accordance with BS 7799 standards (since the company
had already achieved BS 7799 compliance earlier). This gave birth to a risk
treatment plan which is now periodically updated and signed by every business
Mahajan has documented a security policy for his organisation,
which is released by the companys Vice-chairman. The policy essentially
states that information security is everybodys business and that business
heads are the owners of the information and consequently responsible for its
The process of implementing this policy takes place in a
layered manner. At the top theres an apex council, consisting of people
such as the chairman, controllers of operations of the business divisions, and
Below this comes the information security council whose 12
members are unit or plant heads. The responsibility of implementing information
security in their domains is theirs. These members have nominated representatives
in their departments to take the responsibilities forward.
In this way, information security percolates down to the
|Checklist: M&Ms security
- Availability of information
- Identification and classification of information
- Risk assessment
- Policy reviews
- Internal and external audits
- Anti-virus (desktop and server level)
Training and policy reviews
Training with regard to complying with the information security
policy is imparted to all the employees. All possible areas of failure and the
extent of consequent damage to the organisation is explained to all concerned.
The policy is reviewed in two ways. An internal audit is
performed every quarter, a task that is outsourced to Mahindra SSG. The findings
are then presented to the apex committee as a part of policy adherence. In addition
to this, there are regular BS 7799 security audits.
A help desk and incident response team capture IT and non-IT
incidents. If necessary, the incident is escalated to the apex council for resolution.
Disciplinary action is taken jointly by the HR head, business heads, or by apex
council members. The help desk uses HP OpenView as a decision-making tool.
|The Strategy Illustrated
The unique aspect of the
security strategy at M&M was the creation of an apex council by Mahajan.
Members of this body were experts on enterprise information security.
This council was headed by the Chairman and all the security directives
were sent out by him. All the information security incidents and risks
were escalated to this council for resolution.
Mahajan also believes in
an approach where he places availability of information above integrity
and confidentiality. This, he believes, is where the uniqueness of his
Although he uses IT to solve
the organisations information security needs, he always makes it
a point that communicating the enterprises information security
policy is the onus of the business, and not of the IT department.
The security strategist
As a security strategist, Mahajan believes that a person
should have strong knowledge of the business and be able to handle change management.
Successful information security management does not
happen overnight, and you have to ask people to go along with you. Sometimes
you have to be friendly and at times firm.
He feels that its also important to garner support
from the top management and business leaders throughout the organisation. Ownership
of security should percolate all the way down to personnel at the bottom of