Nominee

Apollo Tyres takes a BIA approach

At Apollo Tyres the expected loss value and inherent risk is calculated by finding out the probability and impact that the threat has upon critical assets. Based on the severity of the residual risk, a risk mitigation plan is created. In this way the company follows a well defined business process mapped on to the security framework. By Vinita Gupta

Apollo Tyres Ltd. is a leading tyre manufacturing company in India. SAP is a very critical application for a manufacturing sector and hence makes necessary to secure it. At Apollo Tyres SAP is covered under information security both functionally and technically to ensure that all the critical business processes are taken care of..

Information Security Policy

Apollo Tyres follows the BS 7799 Information security policy where in all the 10 domains are covered and implemented within the organisation.

The coverage of the security policy is right from the end user desktop till the network and data centre services which caters to the business processes across the organisation. The coverage includes the third party outsourcing services, physical and environmental controls, logical access controls, business continuity and disaster recovery plans and all other areas which are facilitated by information services.

Chandrasekhar Velagapudi, Divisional Head - IT says, “Apollo Tyres will ensure that appropriate information security controls are applied and integrated to ensure information protection from threats to confidentiality, integrity and availability thereby enhancing confidence of and adding value to all its stakeholders. This will be continual monitored to ensure compliance at the management level.”

All the security policies and procedures at Apollo Tyres are reviewed once in a year or at the time of any major change in existing IS environment affecting the policies and procedures, whichever is earlier.

As a part of information security policy of the organisation, the company conducts internal and external audits once in every six months which in turn makes the information security audit to happen at least once in every quarter.

Risk mitigation plan

The risk assessment of the company is based on the critical business process like Sales and Distribution (S&D), finance, and production planning. All these processes are completely mapped in SAP which is their core business transaction application. In turn SAP is covered under information security both functionally (If SAP is not available then how to serve the users) and technically (Uptime, password controls). This ensures that all the critical business processes are covered.

“Based on the business processes criticality we do the criticality rating of any information asset and then finds out the probability & impact of any threat on the asset. From this we calculate the inherent risk on the asset,” says Velagapudi.

He further adds, “From the audits, Vulnerability Assessment (VA) and Penetration Test (PT), we arrive at the current control rating and then arrive at the residual risk from inherent risk and criticality of the asset. Later based on the severity of the residual risk, we create a risk mitigation plan and improve the controls.”

In the risk mitigation plan they find out solutions towards the problems like how to reduce the risk. For all the threats they have a risk mitigation plan, for instance they have off site tape management so that there is no data loss even in case the local data is corrupted or lost.

This risk assessment is carried out every year to arrive at the new risk rating and then risk mitigation plan is proposed and implemented for all the risks associated.

The BIA approach

Apollo Tyres follows BIA (Business Impact Analysis) approach to map the information security. In this approach the process followed is as follows:

All the functions participate and give detailed inputs on each process they perform and the impact on the same in the event that all or part of its IT operations or computer services rendered are unusable.

In the process they give a rating (1-5) against certain parameters such as employee impact, external customer, internal customer, vendor impact, legal impact, productivity, revenue and reputation for each of IT service along with the affordable down time for each.

For instance if the finance module is not working then they would not be able to pay the vendor on time and this would have an impact on the supply of the raw material and in turn would affect the business.

Based on this rating they find out the critical IT Information assets. For these critical assets, they arrive at the weighted average of CIA (Confidentiality, Integrity and Availability) rating. From CIA rating using complex formulae they arrive at the criticality rating of the asset.

For each critical asset they come out with various threats and for each threat arrive at the probability and impact. From these values (Criticality value, probability and Impact), they calculate the ELV (Expected Loss Value) and then inherent risk.

“In the process Apollo Tyres also arrives at the RPO and RTO values from each function for each information asset. This formed the basis for our Disaster Recovery Plan and Business Continuity Plan,” says Velagapudi.

Security tools in place

Apart from the standard firewall, DMZ, Apollo Tyres has the following security tools deployed:

SSL Access from Portwise for accessing Apollo Network from outside world. It helps in secured and encrypted access to the organisation and hence leads to low risk of hacking or unauthorised access.

Token based Access from Portwise for dual factor authentication. It is fully secured as it involves token generated OTP (one time password) which is random and complicated.

Active Directory (AD) based Group Policy Object (GPO) for desktop level end user security. It helps in centralised deployment of policies and security parameters. For instance according to the policy and security parameters in every 45 days the user needs to change its password and if the user does not do that then the system can track the individual.

ISA server for Internet access control and access log as it helps to control access from internal to the external world with multi level policies deployed within the system.

WSUS (Windows Server Update Services) for automatic patch management. With the help of these tool all desktop patches are updated automatically and server patches are updated upon approvals from the administrator to ensure the patches applied are relevant and tested before being deployed.

Dual protection for data centre magnetic card and fingerprint biometrics id\s deployed to ensure that only employees and only finger print authenticated employees are allowed to enter the data centre.

Physical access control of the building premises using magnetic cards as it ensures that no one other than employee can get into the building without escorting.

Conformity in IS

Apollo has received BS7799 certification in July 2005 and surveillance audit clearance in August 2006.

Apollo follows Indian Acts as applicable to manufacturers including circulars, notifications and directives issued by Govt of India. It also complies with IT Act 2000, Indian Companies Act, Income Tax Act, Employees related acts and rules e.g. Employees Provident Fund Act. It is engaged in obtaining the Clause 49 certification which is in the advanced stage of completion.