Having deployed a panoply of tools and technologies, HPCL
stands out as one of the most secure organisations in the country.
By Kushal
From prioritising its security policies to perfectly mapping the business to
these policies and installing all the possible security-related products, HPCL
takes sufficient measures to make its IT infrastructure secure. Keeping headroom
for improvement in its data recovery policy, the company aims for a zero incident
culture, which believes in dealing with attacks rather than making a system
without attacks. Living by the real-world scenario, HPCL continuously tries
to stay up to date with emerging technologies and implements them as and when
needed by the organisation, making its security policies among the best
in the country.
Hindustan Petroleum Corporation Limited (HPCL) is India's second largest
oil company and has one of the strongest security setups in the country.
Policy and Auditing
It has a wide range of security policies, which are reviewed annually and
updated as and when needed or when the technology changes.
This broad range of security policy has five major areas, such as the Information System
Security Policy statement (ISSP), coverage and objective of the policy, and roles
and responsibilities of various entities in the corporation with respect to
information security. Looking at the ISSP in detail, we find many elaborated areas
such as security duties and responsibilities, access controls, software security,
hardware security, communication security, business continuity planning, e-mail
and Internet, all of which, if not secured, can prove fatal for the company. Together
these provide strict security within the organisation. Every organisation
has priorities defined for its policies. For HPCL, incorporating information
security at the initial stage of business development is considered the top
priority in the security policy. For any organisation, auditing provides
a highly flexible and extensible mechanism for evaluating the state of a system.
In HPCL, auditing is performed on a quarterly basis, and trend analysis is done
quarterly as part of the risk assessment based on audit reports. Various processes
are used for risk modelling, which includes phases like asset gathering,
asset valuation and risk management. The qualitative value of an asset
is derived from the business impact of a loss of Confidentiality,
Integrity and Availability.
|Anti-virus for access node security|
|Anti-virus for storage|
|Anti-virus for SMTP security|Trend Micro IMSS|
|Anti-virus for Web|
|Anti-virus for Domino|Trend Micro Scanmail|
|Two Factor Authentication ACE Server|
|Policy and Audit|
|WAP Defence Pro|
Any new business initiative has to be cleared by the security
organisation in HPCL. This means that every contract, at the purchase requisition
stage itself, has to be vetted by the security team, which has a checklist for
various aspects like access and hardware-software requirements.
- HPCL has a business continuity and disaster
recovery site in Hyderabad, which is a warm site.
- The company plans to make the Hyderabad
site the full-fledged data centre and the data centre in Mumbai
a hot site. Both sites are identical, with enough room for expansion.
As a security strategist, M V Sreeram
aims for a zero incident culture covering the gamut of people, process
and technology, going beyond regulatory compliance.
HPCL has implemented various security hardware to make the entire structure
less vulnerable to external attacks. HPCL has implemented firewalls, content
filters, NIDS, HIDS, IM, WAP and security management hardware, which are supplied
by different vendors. Cisco and Fortinet provide the firewall and NIDS for HPCL.
Symantec (SESA) is used for security management. Installing security software
protects the system from external attacks and keeps information secure;
keeping this in mind, HPCL has installed various antivirus software for access
node security, storage security, SMTP security, Web security and Domino, all provided
by different manufacturers. Apart from antivirus software, it also installs antispam
for better protection against phishing on the Internet and to save mailboxes from
overflowing overnight. This collection of hardware and software provides sufficient
security if used properly. Apart from these security tools, HPCL also uses biometric
access for the data centre, and encryption is used to secure external access to the internal
network and also for data storage. Even with so much security hardware and
software, a system can still be vulnerable. To deal with this,
vulnerability management tools like Retina and Nessus are used.
The security operations centre runs on HPCL premises
and is managed by a third party. This job has been awarded to IBM for a period
of two years, and the infrastructure belongs to HPCL. A security operations centre
requires very highly qualified people. The security operations centre team
comprises eight CISA/CISSP certified personnel.
- Active Directory Services (ADS) or Software
Management Services (SMS) and Trend Micro Control Manager (TMCM) are some
of the tools used to measure metrics.
- Patch updates and software installations
are measured by metric tools, which validates the effectiveness
of Information Security policies.
- TMCM measures machines with AV clients
installed and updated.
- Metric sampling is done on a quarterly basis.
Biometrics, encryption, firewalls and anti-virus: HPCL has taken almost
all the measures to ensure its presence in the secure world of IT. It
has all the policies in place, which are being followed continuously
under the leadership of M.V. Sreeram, making the job of an intruder difficult.
Every organisation with various security policies has various certifications
attached to them. HPCL has established an Information Security Management System
(ISMS) based on the Plan-Do-Check-Act (PDCA) model, and BSI has been appointed for
BS7799/ISO27001 certification. ISO 27001 is a specification for an ISMS. It is
the foundation for third-party audit and certification. HPCL also complies with
the IT Act and Clause 49 regulations. Clause 49 refers to the listing agreement
between the company and the stock exchange on which it is listed. This agreement
is identical for both the stock exchanges (NSE and BSE) in India.
About the CSO
This huge responsibility of making an organisation secure
is not an ordinary man's job. It needs tremendous domain expertise and
a clear vision. M.V. Sreeram, GM-IT (corporate), is the CSO of HPCL. He is supported by Varuna Mittal,
Manager-IT (Information security), who is project leader for project Praharee
and other activities related to information security. Together
they are trying to make their zero incident culture dream a reality. They have
broken barriers of stereotyped contracts to achieve this strategic aim of an
end-to-end security solution for HPCL, an approach unheard of in the oil industry.
M.V. Sreeram holds an M.Tech in Industrial Engineering and has an ITIL certification
to his credit. Varuna Mittal holds a Masters in Electronics and is a certified
BS7799 Lead Auditor, having also done ITIL certification. According to M V Sreeram,
a security strategist aims for a zero incident culture covering the entire gamut
of people, process and technology and not just regulatory compliance. Zero incident
culture is basically the presence of complete safety and not the absence of incidents
or accidents. Accepting even a certain level of accidents is like accepting
fatalities, so it is important to strive for zero incidents. It is a culture
in which safety is integrated into all the operations.
- HPCL would take about a week's time to
restore 80 percent of its IT setup in case of a disaster.
- Different business functions in HPCL have
different Recovery Time Objectives (RTO). The Recovery Time Objective
for the payroll function is two weeks, whereas the Recovery Time Objective
for JDE processing is two days.
- The Recovery Point Objective (RPO) also
varies from application to application. The Recovery Point Objective
of JDE is the end of the previous day's activity.
About the company
Hindustan Petroleum Corporation Limited (HPCL) is the second
largest integrated oil refining and marketing company in India. Always innovative
in its approach to business, HPCL has tied up at some of its retail outlets
with FedEx for courier services and with vehicle insurance companies. It has
also initiated numerous health, welfare and educational activities, as well
as income-generating schemes, especially in villages inhabited by
the socially and economically weaker sections of society. HPCL was also
the first in the Indian oil industry to commission a retail outlet for the welfare
of the dependants of the martyrs of the Kargil conflict. The primary business
of HPCL is the operation of oil refineries. HPCL refineries upgrade crude petroleum
into many value-added products like petrol, diesel, kerosene, liquefied petroleum
gas and naphtha, and over 300 grades of lubricants, specialties and greases.
It markets LPG and has nearly 22 million domestic consumers. The company
has recently introduced piped LPG for domestic use in Mumbai, Pune, Jaipur,
Cochin, Delhi, Vizag, Hyderabad, Kolkata and Bangalore.
The company exports fuel oils and lubricating oils to countries
like Nepal, Bangladesh, Malaysia, Sri Lanka and Saudi Arabia. HPCL facilitates
naphtha exports for the Oil & Natural Gas Commission (ONGC). It is also
the second largest producer of bitumen in India, with annual sales of over 600,000
metric tonnes. HPCL has technical collaborations with Colas SA France and Total
Lubrifiants. HPCL has its headquarters at Mumbai. It has two offshore refineries
at Mumbai and Vishakhapatnam and a joint venture refinery at Mangalore.
The company has six lube blending plants at Mumbai, Calcutta, Chennai and Silvassa.