Archives || Search || About Us || Advertise || Feedback || Subscribe-
Issue of May 2006 

[an error occurred while processing this directive]

 Home > Cover Story
 Print Friendly Page ||  Email this story


Meeting security challenges

Securing an FMCG giant like Hindustan Lever entailed unique design and implementation strategies

S Narayanan

Information security is critical when the organisation conce-rned is in the FMCG business. Hindustan Lever Limited’s (HLL) security strategies deserve praise as the company possesses the best security practices and infrastructure since 1996.

For HLL, a turnover of more than Rs 11,000 crore in the soaps and personal products business is the result of the combined synergies of more than 250 third-party suppliers, 80-odd third-party factories, 55 owned factories, 70 depots or warehouses, and over 7,000 stockists. Considering that the company’s IT infrastructure reaches out to most of them, securing this infrastructure is a major task.

A Complex Challenge

Since HLL is one of the largest FMCG companies, protection of intellectual property rights and the company’s reputation is crucial from the security point of view. Interestingly HLL has more than 6,000 desktops and laptops.

According to S Narayanan, Corporate Information Security Manager, HLL, the biggest challenge they face is complexity due to the large number of locations. “The variety of desktop operating systems ranging from Windows 95 to Windows XP is a challenge from the security point of view. Growth of IT infrastructure has been rapid along with requirements such as robust connectivity, legal compliance requirements and user expectations,” he says.

HLL has shifted from a decentralised approach to a centralised architecture. This has brought with it security challenges on the networking, server and desktop infrastructure fronts. On the network front the organisational LANs and WANs connect around 220 units of the company with several layers of backup. Being part of the Unilever group, the company has six international links for global connectivity. The organisation has around 240 servers, and its server classification is based on criticality to the business. There are 80 very critical servers and 50 critical servers; the rest are classified as non-critical and used for development, testing and so on.

The company has a shared services centre in Bangalore that handles all its back-office operations. On the regulatory side, HLL has to comply with several legal requirements. It also has to comply with Unilever’s internal requirements and the Sarbanes-Oxley (SOX) clause 49.

HLL's Security Strategy


  • Ownership of the security policy belongs to business units
  • Multifaceted security policy customised to divisional requirements
  • Head of the unit is the unit ISO
  • Ongoing user and annual ISO training
  • Random and quarterly internal audits with annual external audits


  • Anti-virus, vulnerability, and patch management
  • Access controls, and VLANs to restrict access
  • Monitoring of security events
  • Centralised redundant DRP architecture

Off to an early start

Till 2001, HLL’s security policies focussed to a great extent on virus protection with reviews taking place once every two or three years. However, the company realised that as new threats come to the fore, policies and procedures have to be reviewed and changed frequently. “Earlier, policies and procedures used to change in two to three years, now they change almost everyday. As you put in new equipment or new vulnerabilities come in, policies and procedures keep changing,” says Narayanan.

The Perspective Shifts

According to Narayanan, these changes have been the offshoot of a new mindset that security should be comprehensive, thus moving away from looking at IT merely to comply with legal requirements. This change has resulted in HLL’s multi-faceted information security policy.

First among these facets is physical and administrative security. Next comes information protection, which classifies information according to its level of confidentiality. It also deals with how to handle the information once it is classified. Third is a specific security policy, which is not relevant for some functions. For example, in HR there is a starter-mover-leaver process, which the normal security policy does not cover. Functions like these have been defined and made into a separate security policy.

Capping all this is employee culture and behaviour. Employees are provided with a detailed handbook that highlights changes required in culture and behaviour.

BS 7799 Framework

HLL’s security policy is based on the BS 7799 framework. The required controls from the BS 7799’s 127 controls are chosen depending on the risk to the company and its units. Periodic policy reviews are performed, and changes recommended to the steering committee which takes the final decision.

Information security initiatives are led by business rather than IT. At present, the vice-president of HLL’s HR department leads information security initiatives for India. He is the owner of the security policy, and leads information protection implementation and policy finalisation.

Apart from this, representatives from each of the key functions of the company handle different aspects of the implementation policy. The steering group consists of the chairman and finance director, and meets once a quarter.

Unique Strategy
The unique thing about HLL’s security strategy is the active ownership of the business. Assigning unit ISO responsibility to commercial managers is a step in the right direction to ensure active user participation. Backed by active technology controls and a redundant DRP architecture, S Narayanan’s security strategy is worth following.

Policing the Policies

HLL’s policy implementation team structure consists of a full-time security officer for the company supported by four officers. The team is part of the IT group, and at each company office the commercial manager of the unit is the part-time information security officer (ISO).

The commercial manager is responsible for implementation, positive insurance, and security audits. These ISOs undergo training annually at one of the four regions. Implementation is don e through unit ISOs. Positive confirmation of efforts is monitored through security and post-implementation audits.

Ongoing compliance monitoring is done on a quarterly basis. Tests are conducted on HLL’s intranet.

Random audits are done through the company’s internal auditing called controlled assurance. Security audits include application, network and unit levels. HLL also does audits to check the security of the IT infrastructure. Specialist need-based information security audits are performed. HLL also undergoes BS 7799-based yearly unit information security reviews conducted by PwC.

External Hand
Much of HLL’s IT is outsourced. About 400 non-HLL employees operate from HLL premises on tasks from server management to software development

Centralised Approach

Earlier, HLL had a decentralised DR architecture. It has since shifted to a centralised approach. DR is done from the unit level to the three data centres (Bangalore, Gurgaon and Mumbai). “We can respond to any disaster situation within 15 minutes,” affirms Narayanan.

He says that the use of centralised communication links has made DR reliable. These consist of the VSAT network from HECL with Gurgaon as the first hub connecting around 180 locations. The network consists of terrestrial links (about 90) across the country backed up by ISDN links to cover Indian offices. Network redundancy is achieved through triangulation.

HLL’s application-level DR strategy is to have the application hosted in not less than two cities. There is one live location and one DR location.

Operational Security

Vulnerability analysis and patch management are important at HLL. Other technologies and practices used by the company include data centre access controls, password management for servers, backups for data and application, anti-virus for Windows-based servers, vulnerability monitoring for servers and desktops, ethical hacking and IDS.

Information security incidents monitored include anti-virus updates, patches, backup, and server security. DR, data centre applications and the network are also monitored. Access control tests are performed.

- <Back to Top>-  
Untitled Document
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.