Security
Meeting security challenges
Securing an FMCG giant like Hindustan Lever entailed unique design and implementation strategies
S Narayanan
Information security is critical when the organisation concerned is in the FMCG
business. Hindustan Lever Limited's (HLL) security strategies deserve praise: the
company has had security practices and infrastructure in place since 1996.
For HLL, a turnover of more than Rs 11,000 crore in the soaps and personal products
business is the result of the combined synergies of more than 250 third-party
suppliers, 80-odd third-party factories, 55 owned factories, 70 depots or warehouses,
and over 7,000 stockists. Considering that the company's IT infrastructure
reaches out to most of them, securing this infrastructure is a major task.
A Complex Challenge
Since HLL is one of the largest FMCG companies, protection of intellectual property
rights and the company's reputation is crucial from the security point
of view. HLL has more than 6,000 desktops and laptops to protect.
According to S Narayanan, Corporate Information Security Manager, HLL, the biggest
challenge they face is complexity due to the large number of locations. "The
variety of desktop operating systems ranging from Windows 95 to Windows XP is
a challenge from the security point of view. Growth of IT infrastructure has
been rapid, along with requirements such as robust connectivity, legal compliance
requirements and user expectations," he says.
HLL has shifted from a decentralised approach to a centralised architecture.
This has brought with it security challenges on the networking, server and desktop
infrastructure fronts. On the network front the organisational LANs and WANs
connect around 220 units of the company with several layers of backup. Being
part of the Unilever group, the company has six international links for global
connectivity. The organisation has around 240 servers, and its server classification
is based on criticality to the business. There are 80 very critical servers
and 50 critical servers; the rest are classified as non-critical and used for
development, testing and so on.
The company has a shared services centre in Bangalore that handles all its back-office
operations. On the regulatory side, HLL has to comply with several legal requirements.
It also has to comply with Unilever's internal requirements, with the Sarbanes-Oxley
Act (SOX) and with Clause 49 of the SEBI listing agreement, the Indian corporate
governance requirement that parallels SOX.
Processes
- Ownership of the security policy belongs to business units
- Multifaceted security policy customised to divisional requirements
- Head of the unit is the unit ISO
- Ongoing user and annual ISO training
- Random and quarterly internal audits with annual external audits
Technology
- Anti-virus, vulnerability and patch management
- Access controls and VLANs to restrict access
- Monitoring of security events
- Centralised redundant DRP architecture
Off to an early start
Till 2001, HLL's security policies focused to a great extent on virus
protection, with reviews taking place once every two or three years. However,
the company realised that as new threats come to the fore, policies and procedures
have to be reviewed and changed frequently. "Earlier, policies and procedures
used to change in two to three years; now they change almost every day. As you
put in new equipment or new vulnerabilities come in, policies and procedures
keep changing," says Narayanan.
The Perspective Shifts
According to Narayanan, these changes have been the offshoot of a new mindset
that security should be comprehensive, thus moving away from looking at IT merely
to comply with legal requirements. This change has resulted in HLL's multi-faceted
information security policy.
First among these facets is physical and administrative security. Next comes
information protection, which classifies information according to its level
of confidentiality and specifies how information is to be handled once it
is classified. Third are function-specific security policies, covering processes
that apply only to particular functions and that the general security policy does
not address. For example, HR has a starter-mover-leaver process, which the normal
security policy does not cover. Processes like these have been defined and made
into a separate security policy.
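The starter-mover-leaver process mentioned above implies a concrete control: the HR roster is the source of truth for who works where, and the account directory has to be reconciled against it. The following is an added example written for this page, not HLL's tooling or code from the article; the department-to-group mapping, the severity scale and every HR record and account in it are constructed for illustration. It flags leavers whose accounts are still enabled, disabled leavers still holding group memberships, movers carrying entitlements from their previous department, starters with no account, and enabled accounts that no HR record owns.

```python
"""
Joiner-mover-leaver (JML) access reconciliation.

Added example, not HLL's tooling or code from the article. It shows the check
a function-specific policy such as HR's starter-mover-leaver process implies:
compare the HR roster (the source of truth for who works where) against the
account directory and flag every account whose state disagrees with HR.
The department-to-group mapping and all records below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Directory groups owned by each HR department (assumed mapping).
DEPT_GROUPS = {
    "finance": {"fin-users", "erp-gl-post"},
    "hr": {"hr-users", "payroll-edit"},
    "it": {"it-users", "server-admins"},
}
DEPT_OWNED = set().union(*DEPT_GROUPS.values())


@dataclass
class HrRecord:
    emp_id: str
    name: str
    department: str
    status: str                 # "active" or "left"


@dataclass
class Account:
    username: str
    emp_id: Optional[str]       # None when the account is not linked to a person
    enabled: bool
    groups: Set[str] = field(default_factory=set)


Finding = Tuple[int, str, str, str]   # (severity 1=worst, kind, subject, detail)


def reconcile(hr_roster: List[HrRecord], accounts: List[Account]) -> List[Finding]:
    """Return findings ordered by severity, then subject."""
    hr_by_id = {r.emp_id: r for r in hr_roster}
    seen = set()
    findings: List[Finding] = []
    for acc in accounts:
        rec = hr_by_id.get(acc.emp_id) if acc.emp_id else None
        if rec is None:
            # No HR owner: nobody's departure will ever trigger its removal.
            if acc.enabled:
                findings.append((1, "orphan", acc.username, "enabled account with no HR record"))
            continue
        seen.add(rec.emp_id)
        if rec.status == "left":
            if acc.enabled:
                findings.append((1, "leaver", acc.username, f"{rec.name} has left but account is enabled"))
            elif acc.groups:
                # Disabled but not de-provisioned: a re-enable restores old rights.
                findings.append((3, "leaver", acc.username, "disabled account still holds groups"))
            continue
        # Mover check: department-owned groups that belong to another department.
        allowed = DEPT_GROUPS.get(rec.department, set())
        stale = {g for g in acc.groups if g in DEPT_OWNED and g not in allowed}
        if stale:
            findings.append((2, "mover", acc.username,
                             f"stale groups from another department: {sorted(stale)}"))
    for rec in hr_roster:
        if rec.status == "active" and rec.emp_id not in seen:
            findings.append((3, "starter", rec.emp_id, f"{rec.name} is active in HR but has no account"))
    findings.sort(key=lambda f: (f[0], f[2]))
    return findings


# Constructed sample data: a finance-to-IT mover, a leaver with a live account,
# a disabled leaver still in groups, a starter without an account and a service
# account that nobody in HR owns.
SAMPLE_HR = [
    HrRecord("E100", "Asha", "finance", "active"),
    HrRecord("E101", "Ravi", "it", "active"),        # moved from finance
    HrRecord("E102", "Meena", "hr", "left"),
    HrRecord("E103", "Kiran", "finance", "active"),  # joined this week
    HrRecord("E104", "Prem", "finance", "left"),
]
SAMPLE_ACCOUNTS = [
    Account("asha", "E100", True, {"fin-users"}),
    Account("ravi", "E101", True, {"it-users", "erp-gl-post"}),
    Account("meena", "E102", True, {"hr-users", "payroll-edit"}),
    Account("prem", "E104", False, {"fin-users"}),
    Account("svc-backup", None, True, {"server-admins"}),
]

if __name__ == "__main__":
    for sev, kind, subject, detail in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS):
        print(f"sev{sev} {kind:<8} {subject:<12} {detail}")
```

The orphan and live-leaver cases are ranked first because they are the ones no later HR event will ever clean up; the mover case matters because the article's point about policy changing with the organisation applies to entitlements too, and the finance group Ravi kept after moving to IT is exactly what an audit of "who can post to the ledger" would miss if only HR's current department were consulted.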
Capping all this is employee culture and behaviour. Employees are provided with
a detailed handbook that highlights changes required in culture and behaviour.
BS 7799 Framework
HLL's security policy is based on the BS 7799 framework. The required controls
from BS 7799's 127 controls are chosen depending on the risk to the
company and its units. Periodic policy reviews are performed, and changes are recommended
to the steering committee, which takes the final decision.
Information security initiatives are led by business rather than IT. At present,
the vice-president of HLL's HR department leads information security initiatives
for India. He is the owner of the security policy, and leads information protection
implementation and policy finalisation.
Apart from this, representatives from each of the key functions of the company
handle different aspects of the implementation policy. The steering group consists
of the chairman and finance director, and meets once a quarter.
The unique thing about HLL's security strategy is the active ownership of the
business. Assigning unit ISO responsibility to commercial managers is a step in
the right direction to ensure active user participation. Backed by active
technology controls and a redundant DRP architecture, S Narayanan's security
strategy is worth following.
Policing the Policies
HLL's policy implementation team consists of a full-time security
officer for the company supported by four officers. The team is part of the
IT group, and at each company office the commercial manager of the unit is the
part-time information security officer (ISO).
The commercial manager is responsible for implementation, positive assurance
and security audits. These ISOs undergo training annually at one of the four
regions. Implementation is done through the unit ISOs, and positive confirmation
of their efforts is monitored through security and post-implementation audits.
Ongoing compliance monitoring is done on a quarterly basis; tests are conducted
on HLL's intranet.
Random audits are done through the company's internal auditing process, called
controlled assurance. Security audits cover application, network and unit levels.
HLL also audits the security of the IT infrastructure. Specialist
need-based information security audits are performed. HLL also undergoes BS
7799-based yearly unit information security reviews conducted by PwC.
Much of HLL's IT is outsourced. About 400 non-HLL employees operate from HLL
premises on tasks from server management to software development.
Centralised Approach
Earlier, HLL had a decentralised DR architecture. It has since shifted to a
centralised approach. DR is done from the unit level to the three data centres
(Bangalore, Gurgaon and Mumbai). "We can respond to any disaster situation
within 15 minutes," affirms Narayanan.
He says that the use of centralised communication links has made DR reliable.
These consist of the VSAT network from HECL with Gurgaon as the first hub connecting
around 180 locations. The network consists of terrestrial links (about 90) across
the country backed up by ISDN links to cover Indian offices. Network redundancy
is achieved through triangulation.
HLL's application-level DR strategy is to have the application hosted in
not less than two cities. There is one live location and one DR location.
Operational Security
Vulnerability analysis and patch management are important at HLL. Other technologies
and practices used by the company include data centre access controls, password
management for servers, backups for data and application, anti-virus for Windows-based
servers, vulnerability monitoring for servers and desktops, ethical hacking
and IDS.
Security monitoring covers anti-virus updates, patches, backups and server
security, as well as DR, data centre applications and the network. Access
control tests are also performed.
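The monitoring described above becomes useful only when it is tied to the server classification given earlier (very critical, critical, non-critical): a signature file that is five days old is a breach on an ERP database but routine on a build server. The following is an added example written for this page, not HLL's monitoring tooling or code from the article. The inventory lines, the per-tier age limits and the reference date are constructed for illustration; the check applies tier-specific limits to anti-virus signature age, patch age and backup age and reports every breach, treating a missing date as "never".

```python
"""
Tier-aware operational security check over a server inventory.

Added example; it is not HLL's tooling or code from the article. It applies
the idea behind the article's server classification and monitoring list:
anti-virus signature age, patch age and backup age are checked against limits
that tighten with the server's criticality tier. The inventory, the limits and
the reference date below are constructed for illustration.
"""
import csv
import io
from datetime import date

# Maximum acceptable age in days per check, per tier (assumed values).
LIMITS_DAYS = {
    "very-critical": {"av_signature": 1, "last_patch": 7, "last_backup": 1},
    "critical":      {"av_signature": 3, "last_patch": 14, "last_backup": 2},
    "non-critical":  {"av_signature": 7, "last_patch": 30, "last_backup": 7},
}
TIER_RANK = {"very-critical": 0, "critical": 1, "non-critical": 2}

# Constructed inventory export; an empty field means the event never happened.
SAMPLE_INVENTORY = """\
hostname,tier,os,av_signature,last_patch,last_backup
erp-db-01,very-critical,Windows 2003,2005-06-30,2005-06-27,2005-06-30
erp-app-02,very-critical,Windows 2003,2005-06-25,2005-06-01,2005-06-30
depot-fs-17,critical,Windows 2000,2005-06-29,2005-06-20,2005-06-28
dev-build-03,non-critical,Windows 2000,2005-06-20,2005-05-15,
"""
# Fixed reference date so the check is reproducible (assumed).
AS_OF = date(2005, 6, 30)


def age_days(value, as_of):
    """Days between an ISO date string and as_of; None if the field is empty."""
    if not value:
        return None
    return (as_of - date.fromisoformat(value)).days


def evaluate(inventory_text, as_of):
    """Return (tier, hostname, check, age_days, limit) for every breached limit,
    most critical tier first, then by hostname and check name."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_text)):
        tier = row["tier"]
        if tier not in LIMITS_DAYS:
            # An unclassified server cannot be judged; fail loudly rather than skip it.
            raise ValueError(f"{row['hostname']}: unknown tier {tier!r}")
        for check, limit in LIMITS_DAYS[tier].items():
            age = age_days(row[check], as_of)
            if age is None or age > limit:
                findings.append((tier, row["hostname"], check, age, limit))
    findings.sort(key=lambda f: (TIER_RANK[f[0]], f[1], f[2]))
    return findings


if __name__ == "__main__":
    for tier, host, check, age, limit in evaluate(SAMPLE_INVENTORY, AS_OF):
        shown = "never" if age is None else f"{age} days"
        print(f"{tier:<13} {host:<12} {check:<13} age={shown} (limit {limit} days)")
```

On the constructed inventory, erp-db-01 and depot-fs-17 pass, erp-app-02 is reported twice (stale signatures and a month-old patch level on a very critical host), and dev-build-03 is reported for all three checks, including a backup that has never run. The same inventory run with one flat limit would either swamp the report with development hosts or hide the ERP server, which is why the classification has to feed the monitoring.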