Archives || Search || About Us || Advertise || Feedback || Subscribe-
Issue of January 2007

Untitled Document

 Home > Cover Story
 Print Friendly Page ||  Email this story


Business Process Secured

Voice and information form an integral part of any BPO , CGSL takes care of these critical areas of security in well defined ways. By Kushal Shah

Sanjay Prasad

Being a BPO, CitiGroup Global Services (CGSL) has beefed up its information security by giving it the utmost importance. From voice security to 100 Mbps connectivity across all locations to installation of security hardware across the organisation, it has taken measures to secure its IT infrastructure. A company which deals in multiple domains needs to take care of security from various points of view, which CGSL is doing successfully.

Policy and Audit

Citigroup Global Services Limited (CGSL) formerly known as e-Serve is one of India’s business process outsourcing giants. When one handles outsourcing business from clients across the world, said clients expect their information to be secure from tampering. CGSL knows the importance of security and it takes all possible steps to ensure a secure organisation. It has a security strategy, which is consistent and binding across business units, locations and corporate entities. They have unique security policies for various business segments. Its principle business is process outsourcing. Therefore the data security policy is critical in this organisation and they take sufficient measures to deal with it. Apart from data, the organisation also handles voice as an integral part of its security policy. Security standards are consistently deployed across the board and tested regularly for compliance. It has an information security structure that is customised according to the country. After following all these policies, CGSL has an enterprise wide risk management framework in place.

Laws are converted to policies, and then standards are developed, which in turn become processes for the company. Risk assessment is considered as a process by itself. They have informal and manual processes, which are used to identify and deploy hardware and software

In CGSL risk assessment has developed to a stage where a structured, organisation-wide process is enforced and followed. For risk assessment, the enterprise is periodically audited and reviewed by UK and US federal regulators. A formal program exists to perform security audits. The audit program includes self-assessment and audits by business units outside IT. The risk management framework is mature. In any organisation, just framing policies does not help if employees are unaware of the same or do not know how to follow them. In order to solve this problem, CGSL employees have access to the material on company’s web site or employee handbook. Completion of security awareness training is tracked and monitored for all employees.


Enterprise-wide messaging, CRM and core-banking applications are a few of the IT solutions implemented at CGSL. Every new business goes through a risk assessment model. This model is well documented and includes components such as threat, vulnerability and impact. It is integrated into other processes and is validated against actual events as they occur and is updated regularly. In this organisation laws are converted to policies and then standards are developed, which in turn become processes for the company. Risk assessment is considered as a process by itself. They have informal and manual processes, which are used to identify and deploy hardware and software.

In CGSL after the processes are defined, the business impact of the same is analysed and then control assessment is done. After control assessment, issues are identified and residual risks come into the picture and thus security is maintained for all processes. In case of application development and design, security requirements are documented and a formal technology selection process with security evaluation is considered as one of the sub-processes. As business takes place, periodic reviews and refreshing of designs are done for security purposes.

  • The security metrics are defined by the organisation in two categories—volume threat measurement (VTM) and Volume point (VOP)
  • Metrics measures the effectiveness and efficiency of implemented security controls and implementation of controls documented in policies and procedures.
  • The defined metrics are measured on a weekly basis.
  • Metrics data is available from automated sources and with some manual intervention.


CGSL has taken all possible measures to install the best possible software and hardware to secure systems. They have McAfee anti-virus loaded on all systems. Firewalls and intrusion detection systems are deployed on Citigroup GRN and managed by global teams out of CGSL. Entrust Entelligence, WinZip 9.0, Secure PDF and PGP are the encryption and cryptography solutions being used. Token based or smart card authentication systems are installed in the form of SafeWord for remote access and user authentication for applications classified as “high risk”. Verinet Software electronic access cards are used for access control. Systems have been deployed to archive all voice transactions and they can be retrieved on the fly. Security tools are deployed online and ePolicy Orchestra has been deployed. In terms of connectivity, they were one of the first BPOs to have bandwidth of more than 100 Mbps. CGSL only deploys secure OS on all systems. By doing so they can restrict unauthorised access to systems like usage of a USB flash drive. As part of security they have restricted the use of the Internet. e-mails are scanned before they reach the personal mailboxes of each user. Use of mobile phones is restricted within the organisation.

Data Recovery and Business Continuity
  • The business continuity and disaster recovery set-up are based in Mumbai and Chennai.
  • The primary and secondary sites are almost identical.
  • Data recovery and business continuity plans are updated when significant business or technology changes occur.
  • Deployed security policies assures business continuity in case of a disaster.The company has successfully implemented and taken care of its IT infrastructure.
  • Being a BPO it cannot lose or leak information or afford downtime, CGSL understands that and is working towards being a fully secured organisation.


Clients look out for various certifications. CGSL has Customer Operations Performance Centre (COPC) certification in its bag, which focuses on improving contact centre operations, monitoring best practices in contact centres, as well as training contact centres and vendors for contact centre certification. Apart from this BPO certification, they have received BS 7799-2-2005 and ISO 9001,2000 certifications.

About the CSO

Heading this huge security operation in CGSL across 13 locations in India are Sanjay Prasad, Head- Technology and Rajiv Vaid, Management Assurance Services in Citigroup Global Services. Sanjay Prasad reports directly to the CEO and Managing Director.

About the Company

Citigroup Global Services is the Global Processing Centre for Citigroup entities across the globe. They are servicing Citigroup in India since 1992 and globally since 1999. They specialise in providing clients with all the benefits of outsourcing while effectively managing and mitigating risks associated with offshoring. CGSL services the entire gamut of consumer and corporate banking solutions and provides end-to-end support across the product life-cycle.

They provide IT-enabled services out of India, including captive BPOs and call centres, supported by cutting-edge technology and robust infrastructure. They have direct touch-points across 40 countries and multiple entities in US. With over 8,000 employees, with nearly 4,000 servicing international business they have two large business process outsourcing hubs in India for international business. CGSL deals in multiple domains like trades, cash, mortgage, retail banking, cards and capital market giving various solutions, such as customer engagement solution, information processing, transaction solutions, decision support UAT and solution identification.

- <Back to Top>-  
Untitled Document
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.