Winner
Cognizant
Spanning all verticals worldwide, Cognizant has ensured that
all its businesses have a secure IT infrastructure as per their requirements.
By Kushal Shah
Spread
around the world, Cognizant uses various tools to ensure the safety of its IT
infrastructure against all possible threats. With mature business continuity
management in place, its clients can rest assured of uninterrupted and seamless
business. Specializing in domains such as financial services, healthcare, manufacturing
and logistics, retail, telecommunication, and media and entertainment, Cognizant
maintains a fine balance between business expansion and the security challenges
pertaining to these industry segments.
Policy and Audit
At Cognizant, which has over 36,000 employees globally, IT security is of the
utmost importance. To address this need, Cognizant has implemented various security
policies and systems. The security policies include information security, business
continuity, privacy policy, physical security policy, personnel security policy,
and acceptable use policy. In an organisation, certain areas are more critical
than others. Information security policy enjoys the highest priority as it is
the core policy. Security policies are reviewed annually by the senior management.
Cognizant spends significant resources on its security setup including educating
its employees. For this, the company conducts regular e-learning programs. All
employees are required to participate in these. At Cognizant, internal audits
and reviews are conducted by location-specific information security committees
on a quarterly basis. They use various automated auditing tools, such as dBlog
for log reviews and Cisco tools for firewall logs. The CSO's team manages
and audits the access control list (ACL) and the Intrusion Detection System
(IDS). The log review process is based on a person's job role and criticality,
which is rated on a scale of C1 to C4, with C1 being the highest rating, wherein
everything that a person does is logged and reviewed. All logs are archived
as per log retention requirements. Risk management is also done based on these
audit reports. A quarterly review is conducted during which the CSO reports
these findings to the higher authorities.
Satish Das is the Chief Security Officer at Cognizant.
With 16 years of consulting experience in the area of business and information
security risk management, business continuity, disaster recovery planning,
infrastructure management, and supply chain management, he leads a team
responsible for protecting IP, information systems and privacy, and ensuring
business continuity.
Processes
Cognizant follows consistent processes at all its global locations owing to
its well-defined security policies. Enterprise-wide plans are defined for all
processes. They are updated whenever significant business or technology changes
occur. For every new project, business continuity planning is assessed. The
CSO's team designs various security controls based on the risk assessment
carried out on all new projects. Templates used for risk modeling are based
on industry standards such as COSO, ISO/IEC Guide 73 (risk management), AIRMC,
and the ISO 27001 standard. Cognizant has not outsourced its security operations
to any third party. The company has its own 24x7 security operations center.
It has a strict selection policy for this job. To be a part of the CSO's
team, an individual should have relevant professional certification and at least
five years of work experience, of which a minimum of two should be in the area
of information security.
Cognizant (NASDAQ: CTSH) is a leading provider of
IT services. Focused on delivering strategic information technology solutions
that address the complex business needs of its clients, Cognizant uses its
own on-site/offshore outsourcing model to provide applications management,
development, integration, and re-engineering; infrastructure management;
business process outsourcing; and numerous related services, such as enterprise
consulting, technology architecture, program management, and change management.
Cognizant's more than 36,000 employees are committed
to partnerships that sustain long-term, proven value for customers by
delivering high-quality, cost-effective solutions through its development
centers in India and on-site client teams. Cognizant maintains P-CMM and
SEI-CMM Level 5 assessments from an independent third-party assessor,
was recently named one of Forbes' Best Small Companies in America for
the fourth consecutive year, and ranked among the top information technology
companies in Business Week's Hot Growth Companies. Cognizant is a member
of the NASDAQ-100 Index and the S&P 500 Index.
Systems
Cognizant has all necessary security software and hardware in place across
systems at all locations. Apart from the regular anti-virus, content filters,
firewalls, and intrusion detection systems, Cognizant uses VPNs and token-based
or smart-card authentication devices in addition to access controls for data
security and encrypted data transmission. The company has dedicated printers
and shredders, data scrambling and disk sanitation tools, and hardened servers
in secure data centers to prevent data theft. As part of the physical security
setup, Cognizant has installed sprinklers, smoke-detectors and fire-extinguishers.
Customer-specific offshore development centers (ODC) are completely segregated.
Cognizant has even disabled input devices to logical workstations. Microsoft
System Management Server is used to apply patches and updates across systems
and even to set boot-up and screensaver passwords. For securing connectivity
across systems, Cognizant uses virtual LANs, dedicated firewalls and intrusion
detection systems.
In case of an IDS alert, an escalation mechanism is in place wherein a call
is logged with the Global Service Desk (GSD) and classified. After the classification,
key people are alerted. Remote access is denied in the organisation and Internet
access is restricted where it is not needed for work. All e-mails are scanned
for viruses and spam. Finger-print scanners are used to regulate access to the
data center and other facilities.
In Cognizant, metrics sampling takes place at least once a quarter and at the
most once a month. The company has implemented a mature security framework to
meet its business and customer requirements. In addition to its top management,
employees are involved in ensuring security by making them a part of the company's
security policies and providing each one of them with security-related knowledge.
Data Recovery and Business Continuity
Cognizant has backup sites both in India and abroad. The company has a mature
BCM (business continuity management) practice, which carries out recovery operations
as per the plan. In case of a disaster, Cognizant has the ability to meet its
recovery time objective almost as per the BCP requirement.
Certifications
Companies looking for a business partner look out for companies
that are well-recognised by various governing bodies and guaranteed to provide
good service. Cognizant complies with SAS 70, BS7799 (ISO 27001), SOX (Sarbanes-
Oxley), and PCI. These parameters create a sense of trust. Cognizant has earned
various certifications, such as ISO 9001, SEI CMM Level 5, and so on.
Integration of overall information security governance
Governance starts from the board. It has an enterprise
risk management policy which has four components: finance, safety,
operations and strategy. The financial and safety are handled by their
respective departments, operations are handled by the chief operating
officer, and strategy is dealt with by the CSO.
Once the policies are finalised and approved, then
the next set of policies is written depending upon factors including regulatory
requirements namely laws, customer requirements, and the culture of the
company. From the governance perspective there are a lot of policies and
procedures that people write but what is important for the IT industry
are factors such as IS policies, health and safety, compliance issues
like SOX, and the integration of governance procedures and operations.
We have an organisational structure that is clearly
defined, the roles and responsibilities are also clearly laid down and
communicated to the employees and then it depends on how you set up the
operating system. Anybody can do this, it has nothing to do with any industry,
and it's a general concept. We've learnt a lot from the financial
industry when we were writing the enterprise risk management policies.
Information security has come from a technical perspective, things were
written from that perspective and slowly you'll see technical professionals
talking about risks and how to manage them.
Awareness problem within the large organisation
Apart from having learning modules, the simple
way out is to tell employees at the ground level that these are the resources
that you can use, these are the services that you need to provide using
these resources, and you need to tell them how to use those things. For
example, we have notebooks and cell phones. So we need to tell the employees
that as soon as they enter the office, they will not have Internet access,
only the intranet access will be permitted. They may not be allowed to
bring in cell phones in a BPO kind of an environment and not be allowed
to take photographs. So we post all that information on a particular part
of the intranet and after the two days of induction when the employee
joins
Compliance driving information security and regulations
Two years back we had no idea that compliance requirements
can have a role in the way we do things. Presently
there are four regulations significantly driving
what we are doing. SOX (you have to comply with
it if you are US based or the subsidiary of a
US-based company), health and safety compliances,
privacy policies, and local laws within different
countries. Some of which were standards, two years
back are now becoming laws. If you don't
follow the standard, you may not get certified
or maybe you don't get some customer orders
or there could be some small impact on the business.
However if you don't follow the law, you
may not even be able to operate in that country
at all.
Service providers and auditing them for their
success
Whoever is outsourcing still has the risk arising from
outsourcing. When we look at our service providers, we have an information
security program where a team of about 35 people checks that the overall
thing is secure and when we outsource, we don't tell the outsourcing
agency what risks are being transferred. We only give the terms and conditions
to comply with.
Hiring issues
We have a lot of attrition in the IT industry and
during recruitment we find many of the resumes are not credible. When
customers come in and find out that the person was involved in some fraud
then we get into trouble because it's a breach of contract. The contract
says that you have to have a full background check. So it is very much
an IT industry issue. So NASSCOM decided to make a national vigilance
for all the resumes of the people working in the IT industry. So the question
is why someone will put his resume under vigilance. You can't force
people to put their resumes into the repository and be monitored.