Business Process Secured
Voice and information form an integral part of any BPO ,
CGSL takes care of these critical areas of security in well defined ways. By
Being a BPO, CitiGroup Global Services (CGSL) has beefed up
its information security by giving it the utmost importance. From voice security
to 100 Mbps connectivity across all locations to installation of security hardware
across the organisation, it has taken measures to secure its IT infrastructure.
A company which deals in multiple domains needs to take care of security from
various points of view, which CGSL is doing successfully.
Policy and Audit
Citigroup Global Services Limited (CGSL) formerly known as e-Serve is one of
Indias business process outsourcing giants. When one handles outsourcing
business from clients across the world, said clients expect their information
to be secure from tampering. CGSL knows the importance of security and it takes
all possible steps to ensure a secure organisation. It has a security strategy,
which is consistent and binding across business units, locations and corporate
entities. They have unique security policies for various business segments.
Its principle business is process outsourcing. Therefore the data security policy
is critical in this organisation and they take sufficient measures to deal with
it. Apart from data, the organisation also handles voice as an integral part
of its security policy. Security standards are consistently deployed across
the board and tested regularly for compliance. It has an information security
structure that is customised according to the country. After following all these
policies, CGSL has an enterprise wide risk management framework in place.
Laws are converted to policies,
and then standards are developed, which in turn become processes for the
company. Risk assessment is considered as a process by itself. They have
informal and manual processes, which are used to identify and deploy hardware
In CGSL risk assessment has developed to a stage where a structured,
organisation-wide process is enforced and followed. For risk assessment, the
enterprise is periodically audited and reviewed by UK and US federal regulators.
A formal program exists to perform security audits. The audit program includes
self-assessment and audits by business units outside IT. The risk management
framework is mature. In any organisation, just framing policies does not help
if employees are unaware of the same or do not know how to follow them. In order
to solve this problem, CGSL employees have access to the material on companys
web site or employee handbook. Completion of security awareness training is
tracked and monitored for all employees.
Enterprise-wide messaging, CRM and core-banking applications are a few of the
IT solutions implemented at CGSL. Every new business goes through a risk assessment
model. This model is well documented and includes components such as threat,
vulnerability and impact. It is integrated into other processes and is validated
against actual events as they occur and is updated regularly. In this organisation
laws are converted to policies and then standards are developed, which in turn
become processes for the company. Risk assessment is considered as a process
by itself. They have informal and manual processes, which are used to identify
and deploy hardware and software.
In CGSL after the processes are defined, the business impact of the same is
analysed and then control assessment is done. After control assessment, issues
are identified and residual risks come into the picture and thus security is
maintained for all processes. In case of application development and design,
security requirements are documented and a formal technology selection process
with security evaluation is considered as one of the sub-processes. As business
takes place, periodic reviews and refreshing of designs are done for security
- The security metrics are defined by the
organisation in two categoriesvolume threat measurement (VTM)
and Volume point (VOP)
- Metrics measures the effectiveness and
efficiency of implemented security controls and implementation of controls
documented in policies and procedures.
- The defined metrics are measured on a
- Metrics data is available from automated
sources and with some manual intervention.
CGSL has taken all possible measures to install the best possible software and
hardware to secure systems. They have McAfee anti-virus loaded on all systems.
Firewalls and intrusion detection systems are deployed on Citigroup GRN and
managed by global teams out of CGSL. Entrust Entelligence, WinZip 9.0, Secure
PDF and PGP are the encryption and cryptography solutions being used. Token
based or smart card authentication systems are installed in the form of SafeWord
for remote access and user authentication for applications classified as high
risk. Verinet Software electronic access cards are used for access control.
Systems have been deployed to archive all voice transactions and they can be
retrieved on the fly. Security tools are deployed online and ePolicy Orchestra
has been deployed. In terms of connectivity, they were one of the first BPOs
to have bandwidth of more than 100 Mbps. CGSL only deploys secure OS on all
systems. By doing so they can restrict unauthorised access to systems like usage
of a USB flash drive. As part of security they have restricted the use of the
Internet. e-mails are scanned before they reach the personal mailboxes of each
user. Use of mobile phones is restricted within the organisation.
- The business continuity and disaster recovery
set-up are based in Mumbai and Chennai.
- The primary and secondary sites are almost
- Data recovery and business continuity
plans are updated when significant business or technology changes occur.
- Deployed security policies assures business
continuity in case of a disaster.The company has successfully implemented
and taken care of its IT infrastructure.
- Being a BPO it cannot lose or leak information
or afford downtime, CGSL understands that and is working towards being
a fully secured organisation.
Clients look out for various certifications. CGSL has Customer Operations Performance
Centre (COPC) certification in its bag, which focuses on improving contact centre
operations, monitoring best practices in contact centres, as well as training
contact centres and vendors for contact centre certification. Apart from this
BPO certification, they have received BS 7799-2-2005 and ISO 9001,2000 certifications.
About the CSO
Heading this huge security operation in CGSL across 13 locations in India are
Sanjay Prasad, Head- Technology and Rajiv Vaid, Management Assurance Services
in Citigroup Global Services. Sanjay Prasad reports directly to the CEO and
About the Company
Citigroup Global Services is the Global Processing Centre for Citigroup entities
across the globe. They are servicing Citigroup in India since 1992 and globally
since 1999. They specialise in providing clients with all the benefits of outsourcing
while effectively managing and mitigating risks associated with offshoring.
CGSL services the entire gamut of consumer and corporate banking solutions and
provides end-to-end support across the product life-cycle.
They provide IT-enabled services out of India, including captive BPOs and call
centres, supported by cutting-edge technology and robust infrastructure. They
have direct touch-points across 40 countries and multiple entities in US. With
over 8,000 employees, with nearly 4,000 servicing international business they
have two large business process outsourcing hubs in India for international
business. CGSL deals in multiple domains like trades, cash, mortgage, retail
banking, cards and capital market giving various solutions, such as customer
engagement solution, information processing, transaction solutions, decision
support UAT and solution identification.