Apollo Tyres takes a BIA approach
At Apollo Tyres the expected loss value and inherent risk
is calculated by finding out the probability and impact that the threat has
upon critical assets. Based on the severity of the residual risk, a risk mitigation
plan is created. In this way the company follows a well defined business process
mapped on to the security framework. By Vinita Gupta
Apollo Tyres Ltd. is a leading tyre manufacturing company in India. SAP is
a very critical application for a manufacturing sector and hence makes necessary
to secure it. At Apollo Tyres SAP is covered under information security both
functionally and technically to ensure that all the critical business processes
are taken care of..
Information Security Policy
Apollo Tyres follows the BS 7799 Information security policy where in all the
10 domains are covered and implemented within the organisation.
The coverage of the security policy is right from the end
user desktop till the network and data centre services which caters to the business
processes across the organisation. The coverage includes the third party outsourcing
services, physical and environmental controls, logical access controls, business
continuity and disaster recovery plans and all other areas which are facilitated
by information services.
Chandrasekhar Velagapudi, Divisional Head - IT says, Apollo Tyres will
ensure that appropriate information security controls are applied and integrated
to ensure information protection from threats to confidentiality, integrity
and availability thereby enhancing confidence of and adding value to all its
stakeholders. This will be continual monitored to ensure compliance at the management
All the security policies and procedures at Apollo Tyres are reviewed once in
a year or at the time of any major change in existing IS environment affecting
the policies and procedures, whichever is earlier.
As a part of information security policy of the organisation, the company conducts
internal and external audits once in every six months which in turn makes the
information security audit to happen at least once in every quarter.
|Apollo has a cold DR site located at Gurgaon.
The company is planning to implement hot disaster
recovery system at a location which is in a different seismic zone than
Gurgaon (where their Primary Data Centre is located)
Risk mitigation plan
The risk assessment of the company is based on the critical business process
like Sales and Distribution (S&D), finance, and production planning. All
these processes are completely mapped in SAP which is their core business transaction
application. In turn SAP is covered under information security both functionally
(If SAP is not available then how to serve the users) and technically (Uptime,
password controls). This ensures that all the critical business processes are
Based on the business processes criticality we do the criticality rating
of any information asset and then finds out the probability & impact of
any threat on the asset. From this we calculate the inherent risk on the asset,
He further adds, From the audits, Vulnerability Assessment (VA) and Penetration
Test (PT), we arrive at the current control rating and then arrive at the residual
risk from inherent risk and criticality of the asset. Later based on the severity
of the residual risk, we create a risk mitigation plan and improve the controls.
In the risk mitigation plan they find out solutions towards the problems like
how to reduce the risk. For all the threats they have a risk mitigation plan,
for instance they have off site tape management so that there is no data loss
even in case the local data is corrupted or lost.
This risk assessment is carried out every year to arrive at the new risk rating
and then risk mitigation plan is proposed and implemented for all the risks
- SAP solution manager for SAP.
- NetView for networking.
- OpManager for Windows Server.
- Windows Server Update Services (WSUS)
for Patch management.
- Trend Micro Neatsuite solution for anti
- The SLAs for metric is 99 percent. They
achieve more than 99.5 percent of uptime for all information services.
- Frequency of metric sampling: Done online
everyday and reports are consolidated every month.
The BIA approach
Apollo Tyres follows BIA (Business Impact Analysis) approach to map the information
security. In this approach the process followed is as follows:
All the functions participate and give detailed inputs on each process they
perform and the impact on the same in the event that all or part of its IT operations
or computer services rendered are unusable.
In the process they give a rating (1-5) against certain parameters such as employee
impact, external customer, internal customer, vendor impact, legal impact, productivity,
revenue and reputation for each of IT service along with the affordable down
time for each.
For instance if the finance module is not working then they would not be able
to pay the vendor on time and this would have an impact on the supply of the
raw material and in turn would affect the business.
Based on this rating they find out the critical IT Information assets. For these
critical assets, they arrive at the weighted average of CIA (Confidentiality,
Integrity and Availability) rating. From CIA rating using complex formulae they
arrive at the criticality rating of the asset.
For each critical asset they come out with various threats and for each threat
arrive at the probability and impact. From these values (Criticality value,
probability and Impact), they calculate the ELV (Expected Loss Value) and then
In the process Apollo Tyres also arrives at the RPO and RTO values from
each function for each information asset. This formed the basis for our Disaster
Recovery Plan and Business Continuity Plan, says Velagapudi.
|Apollo Tyres is having its corporate office at Gurgaon.
It's a three decade old company and has four manufacturing plantsone
at Baroda, two at Cochin and one at Pune. It has 143 sales offices across
India and 6000 shop floor employees.
It has obtained an ISO 9001 certification for its
manufacturing facilities. Apollo Tyres Ltd. is the first tyre manufacturing
company in the world to achieve the BS7799 Information Security certification.
Apollo Tyres has recently acquired Dunlop Tyres International
a South African company having its base at South Africa and Zimbabwe.
Security tools in place
Apart from the standard firewall, DMZ, Apollo Tyres has the following security
SSL Access from Portwise for accessing Apollo Network from outside world. It
helps in secured and encrypted access to the organisation and hence leads to
low risk of hacking or unauthorised access.
Token based Access from Portwise for dual factor authentication.
It is fully secured as it involves token generated OTP (one time password) which
is random and complicated.
Active Directory (AD) based Group Policy Object (GPO) for desktop level end
user security. It helps in centralised deployment of policies and security parameters.
For instance according to the policy and security parameters in every 45 days
the user needs to change its password and if the user does not do that then
the system can track the individual.
ISA server for Internet access control and access log as
it helps to control access from internal to the external world with multi level
policies deployed within the system.
WSUS (Windows Server Update Services) for automatic patch management. With the
help of these tool all desktop patches are updated automatically and server
patches are updated upon approvals from the administrator to ensure the patches
applied are relevant and tested before being deployed.
Dual protection for data centre magnetic card and fingerprint biometrics id\s
deployed to ensure that only employees and only finger print authenticated employees
are allowed to enter the data centre.
Physical access control of the building premises using magnetic cards as it
ensures that no one other than employee can get into the building without escorting.
|Chandrasekhar Velagapudi is the Divisional Head of
the IT department at Apollo Tyres. He is a Post Graduate in Science and
Conformity in IS
Apollo has received BS7799 certification in July 2005 and surveillance audit
clearance in August 2006.
Apollo follows Indian Acts as applicable to manufacturers
including circulars, notifications and directives issued by Govt of India. It
also complies with IT Act 2000, Indian Companies Act, Income Tax Act, Employees
related acts and rules e.g. Employees Provident Fund Act. It is engaged in obtaining
the Clause 49 certification which is in the advanced stage of completion.