Issue of October 2005
SSA 2005-Nominee Profile

Putting availability first

Vijay Mahajan, Head, IT Infrastructure and Facilities Management, Mahindra & Mahindra, puts availability before integrity and confidentiality as the vital enabler of his security strategy. by Soutiman Das Gupta

“We believe that information availability is the most important goal of a security strategy, followed by integrity and confidentiality. Other organisations have it the other way round and put confidentiality first,” explains Vijay S Mahajan, Head, IT Infrastructure and Facilities Management of Mahindra & Mahindra.

This concept has acted as the enabler of the security strategy that he has crafted for his company.

Availability is king

Mahajan puts availability of information above everything else because of the nature of the business at M&M.

The principal activity of the group is to manufacture, distribute, and sell farm equipment and utility vehicles. Its automotive division manufactures utility vehicles and SUVs—popular brands are Scorpio and Bolero.

The company’s automotive and farm utility divisions have eight manufacturing plants with the head office in Colaba, Mumbai. There are 20 area offices for the auto division and 20 for the tractor division. These area offices control the nationwide dealer network.

Add these 40 area offices to 10 company locations and you have 50 enterprise locations and 42,000 users on the network.

Involving the entire business

In order to create a security strategy across this geographically dispersed organisation, Mahajan’s approach was to involve the entire business while formulating the strategy.

“We spoke to the heads of different business areas and asked them to identify the information that they felt was critical. They had to identify and classify their information assets according to the guidelines, and the ownership was theirs,” explains Mahajan.

This was the most effective way to ensure information security because the process secured the required level of commitment from the business. After the business heads classified their assets, they had to define the risks they perceived.

The information security team headed by Mahajan then devised means to reduce risks in accordance with BS 7799 standards (since the company had already achieved BS 7799 compliance earlier). This gave birth to a risk treatment plan which is now periodically updated and signed by every business unit head.

Everybody’s Business

Mahajan has documented a security policy for his organisation, which is released by the company’s Vice-chairman. The policy essentially states that information security is everybody’s business and that business heads are the owners of the information and consequently responsible for its security.

The process of implementing this policy takes place in a layered manner. At the top there’s an apex council, consisting of people such as the chairman, controllers of operations of the business divisions, and the CIO.

Below this comes the information security council whose 12 members are unit or plant heads. The responsibility of implementing information security in their domains is theirs. These members have nominated representatives in their departments to take the responsibilities forward.

In this way, information security percolates down to the departmental level.

Checklist: M&M’s security strategy

Process level

  • Availability of information
  • Identification and classification of information assets
  • Risk assessment
  • Policy reviews
  • Internal and external audits

Technology

  • Anti-virus (desktop and server level)
  • Firewalls
  • IDS

Training and policy reviews

Training on complying with the information security policy is imparted to all employees. All possible areas of failure, and the extent of the consequent damage to the organisation, are explained to all concerned.

The policy is reviewed in two ways. An internal audit is performed every quarter, a task that is outsourced to Mahindra SSG. The findings are then presented to the apex committee as a part of policy adherence. In addition to this, there are regular BS 7799 security audits.

A help desk and incident response team capture IT and non-IT incidents. If necessary, the incident is escalated to the apex council for resolution. Disciplinary action is taken jointly by the HR head, business heads, or by apex council members. The help desk uses HP OpenView as a decision-making tool.

The Strategy Illustrated

The unique aspect of the security strategy at M&M was the creation of an apex council by Mahajan. Members of this body were experts on enterprise information security. This council was headed by the Chairman and all the security directives were sent out by him. All the information security incidents and risks were escalated to this council for resolution.

Mahajan also believes in an approach where he places availability of information above integrity and confidentiality. This, he believes, is where the uniqueness of his strategy lies.

Although he uses IT to meet the organisation’s information security needs, he always makes the point that communicating the enterprise’s information security policy is the responsibility of the business, not of the IT department.

The security strategist

As a security strategist, Mahajan believes that a person should have strong knowledge of the business and be able to handle change management.

“Successful information security management does not happen overnight, and you have to ask people to go along with you. Sometimes you have to be friendly and at times firm.”

He feels that it’s also important to garner support from the top management and business leaders throughout the organisation. Ownership of security should percolate all the way down to personnel at the bottom of the organisation.

Soutimand@networkmagazineindia.com

Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.