Security
Quest for excellence
Having the best security mechanisms in place is vital for
any organisation that is serious about maintaining the privacy of its customers'
data. VSNL opted for the BS 7799 standard.

R Jayaraman
R Jayaraman, Head, Quality, is the man spearheading quality
initiatives at Videsh Sanchar Nigam Limited (VSNL), one of India's leading
telecom service providers. A robust information security architecture is essential
for a company that deals with data-critical business such as transmission, Internet
data centres, billing operations, operations and systems support, and IP operations.
Through these initiatives, VSNL can retain the trust that its customers have
placed in it. "In the customer's mind, VSNL is always the party that
owns the data since it is a leased circuit that is given out from us to them.
We need to be good at this because it is our bread and butter. We are handling
data and property that belongs to customers," says Jayaraman.
These factors resulted in VSNL looking for system standards and a process-driven
culture. The objective was to set up as many systems as possible and not make
any aspect dependent on a particular person or team. Checks and balances had
to be built in along with superior processes to ensure that a customer's
trust was not violated.
Route 7799
As part of this quest, Jayaraman came up with the challenge of securing the
enterprise. BS 7799 was evaluated for putting proper information security standards
and a process-driven culture in place.
The initial evaluations of BS 7799 feasibility were started in March 2004. This
led to VSNL's discussions with BSI India and the selection of BS 7799.
Jayaraman explains, "BS 7799 documentation requirements are rigorous, and
it has quite a comprehensive set of system standards. I normally don't
find this in other standards such as TL 9000, which are more open to interpretation
and design. I found this unique, considering the kind of requirement that we
wanted to address."
Time for Analysis
A rule of thumb before going in for certification is that you need to know where
you stand. For this, VSNL appointed Paladion as its consultant.
This evaluation was crucial since VSNL already had systems in place. To prepare
for BS 7799, it was essential to know how prepared (or unprepared) they were
for the certification. Paladion conducted a three-month GAP analysis, and VSNL
had the report by June 2004. "The report said that we were about 40 to
60 percent okay, but that the rest had to be taken care of. We used that report
and appointed Wipro Infotech as the consultant in July 2005," says Jayaraman.
The Paladion report also highlighted areas that VSNL did not have expertise
in. VSNL was aware of these issues, but it did not know how to deal with them
systematically. Wipro Infotech was chosen as it had experience in handling these
issues.
Documentation is vital in any certification effort. In VSNL's case, the
organisation already had initiatives like TL 9000 and the Tata Business Excellence
Model. This helped Wipro Infotech start off on a sound footing. "Most of
the documentation was already in place. Our job was to identify the right kind
of documentation and customise that to the needs of the BS 7799 standard. Then
we mapped it with the risk which we had identified in the initial phase,"
says Navin Agrawal, Head, Security Governance, Wipro Infotech.
Getting off the Blocks
Since VSNL was not accustomed to the BS 7799 certification process, the perception
was that it would be tough to implement. The decision was taken to begin with
the critical areas of operations in the company. Another clearly defined objective
was to place less emphasis on merely getting certified and more on the processes
that would be put in place.
It was decided that the implementation would be done in phases. The first phase
consisted of three sites in Mumbai (Prabhadevi and Fort) and VSNL's Internet
data centre at Navi Mumbai (Vashi), and the network centre at Ernakulam. According
to Jayaraman, this covered about 70 percent of the service provider's information
security interfaces. It also covered around 1,300 of VSNL's approximately
2,000 employees. "In phase 1 it was necessary to identify the scale of
operations across the four locations," says Agrawal.
The first phase commenced in July 2004. Planning was the principal agenda during
July, and the actual implementation started in August 2004. Things went as per
the plan.
Down to Brass Tacks
Wipro Infotech had interactions with business heads and key personnel in VSNL's
IT department to identify critical business functions.
This helped Wipro identify business functions and their dependency on various
IT processes. Based on these processes, the assets (people, servers, routers,
documents and so on) were identified. Using this information, risk assessment
was conducted.
Risk assessment includes identifying technical, procedural, administrative
and environmental risks. The next step is to prioritise each kind of risk. It
is necessary to prioritise risk based on the impact that it has on business.
Once the risks are identified, a statement of applicability is prepared based
on which the required controls and implications are defined. Risk mitigation
is performed after this. Once the risk is mitigated, and the plan, policies
and documentation are in place, the implementation is carried out.
Change management was the biggest hurdle. Since the company
was expanding at a rapid pace with newer offerings being marketed on a frequent basis, the challenge was in keeping up with them.
Next in line was getting user acceptance. Getting BS 7799 certified is a people-intensive
activity. Without the right mindset, it will be difficult to bring about the
discipline that putting processes in place calls for. VSNL's success lies
in the way it was able to get user acceptance.
Audit Time
BSI was appointed as the external auditor in November 2004. However, the preliminary
audit could only be conducted in March 2005 due to factors such as the unavailability
of auditors. "Before involving BSI as the external auditor, there were
at least three rounds of internal audits," says Agrawal.
BSI India did the milestone audit in March 2005; this went smoothly. Milestone
audits are not part of the certification process, but certifying agencies normally
perform this to check for readiness to get certified. It is an optional service
that an organisation can look at.
The stage one audit was then performed in April 2005. This was followed by the
stage two audit in May 2005.
BS 7799 has 127 controls. However, the
number of required controls depends on the concerned section's statement
of applicability. From the business perspective, the required controls had
to be selected depending on factors such as scope of engagement and certification.
In VSNL's case, this meant that each department
had to identify the applicable and non-applicable controls from among
a list of controls. Once the asset identification was done, it was mapped
to the list of controls.
The process helped VSNL realise that there were many
controls which were already in place. According to Wipro Infotech, their
job consisted of finding out how adequate the existing controls were.
If they were sufficient, no changes were made. In cases of insufficient
or non-existent ones, controls were put in place. Wipro also performed
ethical hacking and vulnerability assessment.
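As an added illustration of the risk assessment and statement-of-applicability steps described above (example code written for this page, not VSNL's or Wipro Infotech's own method; the assets, scores and C-* control ids are constructed placeholders, not actual BS 7799 control numbers):

```python
from dataclasses import dataclass

# Constructed sample data for illustration only. Control identifiers are
# placeholders, not actual BS 7799 control numbers.

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    kind: str           # technical, procedural, administrative or environmental
    impact: int         # business impact, 1 (low) to 5 (high)
    likelihood: int     # 1 (rare) to 5 (frequent)
    controls: tuple     # placeholder control ids that treat this risk

    def score(self) -> int:
        return self.impact * self.likelihood

RISKS = (
    Risk("billing database", "unauthorised access", "technical", 5, 3, ("C-ACCESS", "C-LOGGING")),
    Risk("IDC server room", "power failure", "environmental", 4, 2, ("C-UPS",)),
    Risk("router configurations", "undocumented change", "procedural", 3, 4, ("C-CHANGE", "C-LOGGING")),
    Risk("leased-circuit records", "no owner assigned", "administrative", 2, 2, ("C-OWNER",)),
)
CATALOGUE = ("C-ACCESS", "C-LOGGING", "C-UPS", "C-CHANGE", "C-OWNER", "C-CLEARDESK")
# Adequacy of what is already in place, as a gap analysis would record it.
EXISTING = {"C-ACCESS": "adequate", "C-LOGGING": "partial", "C-UPS": "adequate", "C-CHANGE": "absent"}

def prioritise(risks):
    """Order risks by business impact: highest impact x likelihood first."""
    return sorted(risks, key=lambda r: (-r.score(), -r.impact, r.asset))

def statement_of_applicability(risks, catalogue):
    """Mark each catalogue control applicable if some identified risk needs it."""
    needed = {c for r in risks for c in r.controls}
    return {c: c in needed for c in catalogue}

def control_gaps(soa, existing):
    """Applicable controls that are not already adequate: what still has to be put in place."""
    return {c: existing.get(c, "absent") for c, applicable in soa.items()
            if applicable and existing.get(c, "absent") != "adequate"}

if __name__ == "__main__":
    soa = statement_of_applicability(RISKS, CATALOGUE)
    for r in prioritise(RISKS):
        print(f"{r.score():>2}  {r.kind:<14} {r.asset}: {r.threat}")
    print("Statement of applicability:", soa)
    print("Controls still to be put in place:", control_gaps(soa, EXISTING))
```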
Certified to Excel
The four sites of VSNL (of the 14 sites with information security interfaces)
were BS 7799 certified as of May 2005.
VSNL is proud of the fact that it passed without non-conformity in the first
two audits. "The best part was that when we got certified, there was no
non-conformity during the first audit. The second and final audit was also completed
without any non-conformity. We got our certificate of recommendation within
20 minutes," says Jayaraman.
The BS 7799 certification is given for three years. This is given on the condition
that the organisation is audited by the certifying authority (BSI) on a bi-annual
or annual basis. VSNL has opted for a six-monthly audit frequency. This ensures
that it is constantly working on its security infrastructure.
Wipro has imparted training to VSNL's internal auditors. This was made
easier by the fact that VSNL already had a system of internal audit from its
TL 9000 initiative. There is an internal audit every three months, and at the end
of the next three, external audits are done by BSI India. Training was provided
to end-users as well. These audits check implementation and documentation practices,
and follow the methodology required to check implementation.
According to Jayaraman, there are many advantages of going in for BS 7799. First
comes process orientation, which is important for the Tata Business Excellence
Model.
Next up is performance orientation. Today, it is possible
for VSNL to get the quantitative inputs to measure and define performance. The
benefit is that it helps the organisation get inputs for its continuous improvement
system.
- The organisation: VSNL is a leading telecom
company which deals with data-critical business such as transmission,
Internet data centres, billing operations, operations and systems support,
and IP operations.
- The need: A proper information security
architecture that used system standards along with a process-driven
culture.
- The solution: VSNL decided to go in for
BS 7799 certification. Four sites of VSNL (out of the 14 sites with
information security interfaces) are BS 7799 certified as of May 2005
with help from Wipro Infotech and Paladion.
- The benefits: According to VSNL, the
benefits achieved are process and performance orientation. It also helps
VSNL get inputs for continuous improvement.
Certifying the Rest
VSNL is on the next phase of certification with Wipro Infotech. In this phase
VSNL plans to certify the entire company, including the 10 locations where there
are information security interfaces. "We will ensure that 100 percent of
our transactions with customers, where there is an infosec interface, are
covered," says Jayaraman.