Archives || Search || About Us || Advertise || Feedback || Subscribe-
Issue of January 2007

Untitled Document

 Home > Cover Story
 Print Friendly Page ||  Email this story



Spanning all verticals worldwide, Cognizant has ensured that all its businesses have a secure IT infrastructure as per their requirements. By Kushal Shah

Spread around the world, Cognizant uses various tools to ensure the safety of its IT infrastructure against all possible threats. With mature business continuity management in place, its clients can rest assured of uninterrupted and seamless business. Specializing in domains such as financial services, healthcare, manufacturing and logistics, retail, telecommunication, and media and entertainment, Cognizant maintains a fine balance between business expansion and the security challenges pertaining to these industry segments.

Policy and Audit

At Cognizant, which has over 36,000 employees globally, IT security is of the utmost importance. To address this need, Cognizant has implemented various security policies and systems. The security policies include information security, business continuity, privacy policy, physical security policy, personnel security policy, and acceptable use policy. In an organisation, certain areas are more critical than others. Information security policy enjoys the highest priority as it is the core policy. Security policies are reviewed annually by the senior management.

At Cognizant, internal audits and reviews are conducted by location-specific information security committees on a quarterly basis. They use various automated auditing tools, such as dBlog for log reviews and Cisco tools for firewall logs

Cognizant spends significant resources on its security setup including educating its employees. For this, the company conducts regular e-learning programs. All employees are required to participate in these. At Cognizant, internal audits and reviews are conducted by location-specific information security committees on a quarterly basis. They use various automated auditing tools, such as dBlog for log reviews and Cisco tools for firewall logs. The CSO’s team manages and audits the access control list (ACL) and the Intrusion Detection System (IDS). The log review process is based on a person’s job role and criticality, which is rated on a scale of C1 to C4 with C1 being the highest rating wherein everything that a person does is logged and reviewed. All logs are archived as per log retention requirements. Risk management is also done based on these audit reports. A quarterly review is conducted during which the CSO reports these findings to the higher authorities.

Meet the CSO
Satish Das is the Chief Security Officer at Cognizant. With 16 years of consulting experience in the area of business and information security risk management, business continuity, disaster recovery planning, infrastructure management, and supply chain management, he leads a team responsible for protecting IP, information systems and privacy, and ensuring business continuity.


Cognizant follows consistent processes at all its global locations owing to its well-defined security policies. Enterprise-wide plans are defined for all processes. They are updated whenever significant business or technology changes occur. For every new project, business continuity planning is assessed. The CSO’s team designs various security controls based on the risk assessment carried out on all new projects. Templates used for risk modeling are based on industry standards such as COSO, ISO/IEC Guide 73 (risk management), AIRMC, and ISO 27001 standard. Cognizant has not outsourced its security operations to any third party. The company has its own 24X7 security operations center. It has a strict selection policy for this job. To be a part of the CSO’s team, an individual should have relevant professional certification and at least five years of work experience, of which a minimum of two should be in the area of information security.

About Cognizant
Cognizant (NASDAQ: CTSH) is a leading provider of IT services. Focused on delivering strategic information technology solutions that address the complex business needs of its clients, Cognizant uses its own on-site/offshore outsourcing model to provide applications management, development, integration, and re-engineering; infrastructure management; business process outsourcing; and numerous related services, such as enterprise consulting, technology architecture, program management, and change management.

Cognizant's more than 36,000 employees are committed to partnerships that sustain long-term, proven value for customers by delivering high-quality, cost-effective solutions through its development centers in India and on-site client teams. Cognizant maintains P-CMM and SEI-CMM Level 5 assessments from an independent third-party assessor, was recently named one of Forbes' Best Small Companies in America for the fourth consecutive year, and ranked among the top information technology companies in Business Week's Hot Growth Companies. Cognizant is a member of the NASDAQ-100 Index and the S&P 500 Index.


Apart from the regular anti-virus, content filters, firewalls, and intrusion detection systems, Cognizant uses VPNs and token-based or smart-card authentication devices in addition to access controls for data security and encrypted data transmission

Cognizant has all necessary security software and hardware in place across systems at all locations. Apart from the regular anti-virus, content filters, firewalls, and intrusion detection systems, Cognizant uses VPNs and token-based or smart-card authentication devices in addition to access controls for data security and encrypted data transmission. The company has dedicated printers and shredders, data scrambling and disk sanitation tools, and hardened servers in secure data centers to prevent data theft. As part of the physical security setup, Cognizant has installed sprinklers, smoke-detectors and fire-extinguishers. Customer-specific offshore development centers (ODC) are completely segregated. Cognizant has even disabled input devices to logical workstations. Microsoft System Management Server is used to apply patches and updates across systems and even to set boot-up and screensaver passwords. For securing connectivity across systems, Cognizant uses virtual LANs, dedicated firewalls and intrusion detection systems.

In case of an IDS alert, an escalation mechanism is in place wherein a call is logged with the Global Service Desk (GSD) and classified. After the classification, key people are alerted. Remote access is denied in the organisation and Internet access is restricted where it is not needed for work. All e-mails are scanned for viruses and spam. Finger-print scanners are used to regulate access to the data center and other facilities.

In Cognizant, metrics sampling takes place at least once a quarter and at the most once a month. The company has implemented a mature security framework to meet its business and customer requirements. In addition to its top management, employees are involved in ensuring security by making them a part of the company’s security policies and providing each one of them with security-related knowledge.

Data Recovery and Business Continuity

Cognizant has backup sites both in India and abroad. The company has a mature BCM (business continuity management) practice, which carries out recovery operations as per the plan. In case of a disaster, Cognizant has the ability to meet its recovery time objective almost as per the BCP requirement.


Companies looking for a business partner look out for companies that are well-recognised by various governing bodies and guaranteed to provide good service. Cognizant complies with SAS 70, BS7799 (ISO 27001), SoX (Sarbanes Oxley), and PCI. These parameters create a sense of trust. Cognizant has earned various certifications, such as ISO 9001, SEI CMM level 5, and so on.

CSO’s Viewpoint
Integration of overall information security governance

Governance starts from the board. It has an enterprise risk management policy which has four components—finance, safety, operations and strategy. The financial and safety are handled by their respective departments, operations are handled by the chief operating officer, and strategy is dealt with by the CSO.

Once the policies are finalised and approved, then the next set of policies is written depending upon factors including regulatory requirements namely laws, customer requirements, and the culture of the company. From the governance perspective there are a lot of policies and procedures that people write but what is important for the IT industry are factors such as IS policies, health and safety, compliance issues like SOX, and the integration of governance procedures and operations.

We have an organisational structure that is clearly defined, the roles and responsibilities are also clearly laid down and communicated to the employees and then it depends on how you set up the operating system. Anybody can do this, it has nothing to do with any industry, and it’s a general concept. We’ve learnt a lot from the financial industry when we were writing the enterprise risk management policies. Information security has come from a technical perspective, things were written from that perspective and slowly you’ll see technical professionals talking about risks and how to manage them.

Awareness problem within the large organisation

Apart from having learning modules, the simple way out is to tell employees at the ground level that these are the resources that you can use, these are the services that you need to provide using these resources, and you need to tell them how to use those things. For example, we have notebooks and cell phones. So we need to tell the employees that as soon as they enter the office, they will not have Internet access, only the intranet access will be permitted. They may not be allowed to bring in cell phones in a BPO kind of an environment and not be allowed to take photographs. So we post all that information on a particular part of the intranet and after the two days of induction when the employee joins

Compliance driving information security and regulations

Two years back we had no idea that compliance requirements can have a role in the way we do things. Presently there are four regulations significantly driving what we are doing. SOX (you have to comply with it if you are US based or the subsidiary of a US-based company), health and safety compliances, privacy policies, and local laws within different countries. Some of which were standards, two years back are now becoming laws. If you don’t follow the standard, you may not get certified or maybe you don’t get some customer orders or there could be some small impact on the business. However if you don’t follow the law, you may not even be able to operate in that country at all.

Service providers and auditing them for their success

Whoever is outsourcing still has the risk arising from outsourcing. When we look at our service providers, we have an information security program where a team of about 35 people checks that the overall thing is secure and when we outsource, we don’t tell the outsourcing agency what risks are being transferred. We only give the terms and conditions to comply with.

Hiring issues

We have a lot of attrition in the IT industry and while recruitments, we find many of the resumes are not credible. When customers come in and find out that the person was involved in some fraud then we get into trouble because it’s a breach of contract. The contract says that you have to have a full background check. So it is very much an IT industry issue. So NASSCOM decided to make a national vigilance for all the resumes of the people working in the IT industry. So the question is why someone will put his resume under vigilance. You can’t force people to put their resumes into the repository and be monitored.  

- <Back to Top>-  
Untitled Document
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.