Archives || Search || About Us || Advertise || Feedback || Subscribe-
Issue of January 2007

Untitled Document

 Home > Cover Story
 Print Friendly Page ||  Email this story



Having deployed a panoply of tools and technologies, HPCL stands out as one of the most secure organisations in the country. By Kushal Shah

Starting from prioritising it's security policies to perfectly mapping the business to these policies and installing all the possible security related products , HPCL takes sufficient measures to make its IT infrastructure secure. Keeping headroom for improvement in it's data recovery policy, the company aims for a zero incident culture, which believes in dealing with attacks, rather than making a system without attacks. Living by the real world scenario, HPCL continuously tries to stay upto date with emerging technologies and implements them as and when needed by the organisation, making its security policies as one of the best in the country.

Hindustan Petroleum Corporation Limited (HPCL) is India’s second largest oil company and has one of the strongest security setup in the country.

Policy and Auditing

It has a wide range of security policies, which are reviewed annually and are continuously updated as and when needed or with the change in the technology. This broad range of security policy has five major areas like Information System Security Policy statement (ISSP), coverage and objective of the policy, roles and responsibilities of various entities in the corporation with respect of information security. Looking at ISSP in detail we get many elaborated areas like Security duties and responsibilities, access controls, software security, hardware security, communication security, business continuity planning, e-mail and Internet. All of which if not secured can prove fatal for the company. All of these provide a strict security within the organisation. Every organisation has priorities defined for its policies. For HPCL incorporating Information security at the initial stage of business development is considered as the top priority in the security policy. For any organisation audit option provides a highly flexible and extensible mechanism for evaluating the state of a system. In HPCL, auditing is performed on quarterly basis and trend analysis is done quarterly as part of the risk assessment based on audit reports. Various processes are used for risk modelling, which includes phases like asset gathering phase, Asset valuation phase and risk management phase. Qualitative value of asset is derived based on the business impact because of loss of Confidentiality, Integrity and Availability.

Software Deployed
Software Vendors
Anti-virus for access node security Trend Micro
Anti-virus for storage security Trend Micro
Anti-virus for SMTP security Trend Micro IMSS
Anti-virus for Web security SWS
Anti-virus for Domino Trend Micro Scanmail
Anti-Spam Trend Micro
Two Factor Authentication ACE Server RSA
NIDS Symantec
Firewalls Symantec
HIDS Symantec
IM Tivoli
Policy and Audit Nessus/Tivoli
WAP Defence Pro Radware


Any new business initiative has to go through the clearance of the security organisation in HPCL. It implies that every contract at the purchase requisition stage itself has to be vetted by the security team, which has a checklist for various aspects like Access, Hardware-Software requirements.

Data Recovery
  • HPCL has business continuity and disaster recovery site in Hyderabad, which is a warm site.
  • The company has plans of making Hyderabad site as the full-fledged data centre and the data centre in Mumbai as a hot site. Both sites are identical with enough room for expansion.


As a security strategist M V Sreeram aims for a zero incident culture covering the gamut of people, process and technology going beyond regulatory compliance.

HPCL has implemented various security hardware for making the entire structure less vulnerable to external attacks. HPCL has implemented firewalls, content filters, NIDS, HIDS, IM, WAP and security management hardwares, which are supplied by different vendors. Cisco and Fortinet provides Firewall and NIDS for HPCL. Syamntec (SESA) is used for Security management. Installing software for security makes the system secure from external attacks and makes information secure, keeping this in mind HPCL has installed various antivirus software for access node security, storage security, SMTP security, Web Security, Domino, all provided by different manufacturers. Apart from antivirus software it even installs antispam for better protection against phishing on Internet and to save mailboxes from overflowing overnight. These bunch of hardware and software provides sufficient security if used properly. Apart from these security tools HPCL also uses biometric access for data centre and encryption is used to secure external access to internal network and also for data storage. Even after so many security hardware and software, system can still be vulnerable. To fight with this vulnerability, vulnerability management tools like Retina and Nessus are used.


The security operation centre is running in HPCL premises, which is managed by the third-party. This job is awarded to the IBM for a period of two years and infrastructure belongs to HPCL. Security operations centre requires very highly qualified people. The team of security operations centre comprises of eight CISA/CISSP certified personnel.

  • Active Directory Services (ADS) or Software management services (SMS), Trend Micro Control Manager (TMCM) are some of the tools used to measure metrics.
  • Patch updation, Software installations are measured by metric tools and thereby validates the effectiveness of Information Security policies.
  • TMCM measures machines with AV clients installed and updated.
  • Metric sampling is done on quarterly basis.
    Biometrics, encryption, firewalls and anti-viruses, HPCL has taken almost all the measures to ensure its presence in the secure world of IT. It has all the policies in place which are being followed continuously under the leadership of M.V. Sreeram making the job of an intruder difficult.


Every organisation with various security policies has various certifications attached to them. HPCL has established Information Security Management System (ISMS) based on Plan-Do-Check-Act (PDCA) model and BSI has been appointed for BS7799/ISO27001 certification. ISO 27001 is a specification for ISMS. It is the foundation for third party audit and certification. HPCL even complies with IT act and clause 49 regulations. Clause 49 refers to the listing agreement between the company and the stock exchange on which it is listed. This agreement is identical for both the stock exchanges (NSE and BSE) in India.

About the CSO

New business initiatives need clearance from the security organisation. Every contract at the purchase requisition stage has to be vetted by the security team, which has a checklist for various aspects such as access, hardware-software requirements et al

This huge responsibility of making an organisation secure is not an ordinary man’s job. It needs tremendous domain expertise and a clear vision. M.V.Sreeram, GM-IT (corporate) is the CSO of HPCL. Varuna Mittal, Manager-IT (Information security) who is project leader for project Praharee and other activities related to Information security, supports him. Together they are trying to make their zero incident culture dream a reality. They have broken barriers of stereotyped contracts to achieve this strategic aim of an End-to-End security solution for HPCL, an approach unheard of in oil Industry. M.V. Sreeram is an M.Tech in Industrial Engineering and has got an ITIL certification to his credit. Varuna Mittal is a Master’s in Electronics, and is a certified BS7799 Lead Auditor, having also done ITIL certification. According to M V Sreeram a security strategist aims for a zero incident culture covering the entire gamut of people, process and technology and not just regulatory compliance. Zero incident culture is basically presence of complete safety and not the absence on Incidents or accidents. Accepting even a certain level of accidents is like accepting fatalities, so it is important to strive for Zero incidents. It is a culture in which safety is integrated into all the operations.

Business Continuity
  • HPCL would take about a weeks time for restoring 80 percent of its IT setup in case of a disaster.
  • Different business functions in HPCL have different Recovery Time Objectives (RTO). The Recovery Time Objective for payroll function is two weeks, where as the Recovery Time Objective for JDE processing is two days.
  • The Recovery Point Objective (RPO)also varies from application to application. The Recovery Point Objective of JDE is the end of the previous day's activity.

About the company

Hindustan Petroleum Corporation Limited (HPCL) is the second largest integrated oil refining and marketing company in India. Always innovative in its approach to business, HPCL has tied up at some of its retail outlets with FedEx for courier services and with vehicle insurance companies. It has also initiated numerous health, welfare and educational activities, as well as income-generating schemes, especially in villages, which are inhabited by the socially and economically weaker sections of the society. HPCL was also the first in the Indian oil industry to commission a retail outlet for the welfare of the dependants of the martyrs of the Kargil conflict. The primary business of HPCL is the operation of oil refineries. HPCL refineries upgrade crude petroleum into many value-added products like petrol, diesel, kerosene, liquefied petroleum gas and naphtha and over 300 grades of lubricants, specialties and greases. It markets LPG and has nearly 22 million domestic consumers. The company in Mumbai, Pune, Jaipur, Cochin, Delhi, Vizakh, Hyderabad, Kolkata and Bangalore has recently introduced piped LPG for domestic use.

The company exports fuel oils and lubricating oils to countries like Nepal, Bangladesh, Malaysia, Sri Lanka and Saudi Arabia. HPCL facilitates naphtha exports for the Oil & Natural Gas Commission (ONGC). It is also the second largest producer of bitumen in India with annual sales of over 600,000 metric tones. HPCL has technical collaboration with Colas Sa France and Total Lubrifiants. HPCL has its headquarters at Mumbai. It has two offshore refineries at Mumbai and Vishakhapatnam —and a joint venture refinery at Mangalore. The company has six lube blending plants at Mumbai, Calcutta, Chennai and Silvassa.

- <Back to Top>-  
Untitled Document
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.