Metal major's security shield
Hindalco, India's largest non-ferrous metal company, is keeping pace with growth while strengthening its security strategy. The most significant aspect of this is its 1st level DR site, which is synchronised to keep both the Return Time Objective and the Return Point Objective at zero. Every possible threat comes under the security scanner of the company's CIO, Sanjeev Goel.
By Varun
Hindalco's security policy covers the IT department's infrastructure as well as its operations. The areas covered under infrastructure are servers, networks, desktops, laptops and printers. The applications covered under the security policy include the Oracle eBusiness Suite (Oracle Financial, Oracle Sales, Oracle Purchasing, Oracle Inventory) and Maximo (Maintenance, Enterprise Asset Management).
The Information Security Policy is reviewed at least twice a year. It is part of the agenda for the Management Review Meeting for the integrated IT Management System. Depending on business requirements, interim reviews also take place.
According to Sanjeev Goel, the top priority for Hindalco's security policy is to understand and mitigate internal security risks. "Different security surveys show that internal factors are the source of major information security risk. About 70% of information security threats are from internal users. We have focused on these internal issues and established tight control on our enterprise applications, databases etc."
Integrated internal audits take place at least four times a year. The total team strength of the auditors is 19, of whom one is CISA certified. Apart from the internal audits, quarterly audits are conducted by independent consultants. The surveillance audit is done by M/S DNV, and vulnerability analysis/penetration testing is done by M/S Highband. KPMG is responsible for the US GAAP audit, at least once a year for IT. The corporate audit department and Ernst & Young conduct audits for Enterprise Risk Management and Functional area audit (logical security, financial applications like GL, AP, AR etc and
We started with the basics and improved upon them following PDCA. We were more focused on risk awareness and allowed the business to make the investment decisions. For example, we have a manual risk assessment methodology, but at the same time we now have a real-time synchronous DR site, which ensures zero data loss having zero
"Most of the security logs are checked, and things are reviewed and monitored on a daily basis, e.g. Alter, Drop and Create on the production instance. Metrics sampling is done on a monthly basis and reports are prepared. We are also planning the implementation of different tools which will do runtime analysis and automatically send an alert in case critical security incidents occur," he adds.
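The daily review of Alter, Drop and Create on the production instance that Goel describes can be made a repeatable check. The Python script below is an added example, not Hindalco's tooling: it runs over constructed audit records shaped like the columns of Oracle's DBA_AUDIT_TRAIL view (instance, timestamp, OS user, DB user, action, object owner and name, return code), keeps only DDL on the production instance, and tags each event with the reasons a reviewer should look at it (a destructive DROP, activity outside business hours, or a failed attempt). The instance names, users, objects, dates and the business-hours window are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample rows in the shape of Oracle's DBA_AUDIT_TRAIL columns:
# (instance, timestamp, os_username, username, action_name, owner, obj_name, returncode).
# These are illustrative values, not real Hindalco audit data.
SAMPLE_AUDIT_ROWS = [
    ("PROD", "2007-03-12 09:14:02", "oracle", "SYS",    "CREATE TABLE", "APPS", "XX_TMP_LOAD",     0),
    ("PROD", "2007-03-12 10:31:55", "rkumar", "APPS",   "ALTER TABLE",  "APPS", "AP_INVOICES_ALL", 0),
    ("PROD", "2007-03-12 11:02:17", "rkumar", "APPS",   "SELECT",       "APPS", "AP_INVOICES_ALL", 0),
    ("PROD", "2007-03-12 23:48:40", "batch",  "APPS",   "DROP TABLE",   "APPS", "GL_JE_LINES",  1031),
    ("TEST", "2007-03-12 14:05:09", "dev1",   "APPS",   "DROP TABLE",   "APPS", "XX_SCRATCH",      0),
    ("PROD", "2007-03-13 02:10:00", "oracle", "SYSTEM", "ALTER USER",   None,   "APPS",            0),
]

DDL_VERBS = ("ALTER", "DROP", "CREATE")   # the verbs reviewed daily in the article
BUSINESS_HOURS = range(8, 19)            # assumption: 08:00-18:59 counts as in-hours


def review_ddl(rows, instance="PROD", day=None):
    """Return the DDL events on `instance` (optionally for one YYYY-MM-DD day),
    each tagged with the reasons a reviewer should look at it."""
    findings = []
    for inst, ts, os_user, db_user, action, owner, obj, rc in rows:
        if inst != instance or not action.startswith(DDL_VERBS):
            continue                       # non-production, or not Alter/Drop/Create
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if day and when.strftime("%Y-%m-%d") != day:
            continue
        reasons = []
        if action.startswith("DROP"):
            reasons.append("destructive DDL on production")
        if when.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if rc != 0:
            reasons.append("failed with ORA-%05d; the attempt is still worth reviewing" % rc)
        findings.append({"time": ts, "os_user": os_user, "db_user": db_user, "action": action,
                         "object": "%s.%s" % (owner, obj) if owner else obj, "reasons": reasons})
    return findings


def summarise(findings):
    """Count DDL events per verb, e.g. Counter({'CREATE': 1, 'ALTER': 1, 'DROP': 1})."""
    return Counter(f["action"].split()[0] for f in findings)


if __name__ == "__main__":
    day_findings = review_ddl(SAMPLE_AUDIT_ROWS, day="2007-03-12")
    print("DDL on PROD for 2007-03-12:", dict(summarise(day_findings)))
    for f in day_findings:
        flag = "  REVIEW: " + "; ".join(f["reasons"]) if f["reasons"] else ""
        print("%s %-8s %-12s %-24s%s" % (f["time"], f["db_user"], f["action"], f["object"], flag))
```

Events with an empty reasons list are routine DDL that still appears in the daily report; anything with reasons is what the reviewer should follow up first.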
Tool                                     | Description
-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------
                                         | Monitoring internal network through Hughes
Oracle Password Cracker: Checkpwd 1.21   | Initialising Oracle client library and connecting database, opening weak password list file, reading weak passwords list, checking passwords
Content Filter (Trend Micro Suite)       | Anti-virus, anti-spyware, mobile code security, and content filtering, site filtering at the Web gateway
                                         | Monitor internal user activities
Viruswall (Trend Micro)                  | Three-in-One Internet gateway anti-virus program that detects and cleans virus infected files before they enter the
Scanmail (Trend Micro ScanMail for Lotus | Real time scanning to prevent viruses, malicious code, unwanted content and multi-threaded in-memory scanning
PRTG (Paessler Router Traffic Grapher)   | Monitors and classifies bandwidth and
Different software and hardware tools are used by the company to ensure optimum security levels. The hardware tools used include routers, firewalls, IDS, VSAT and leased lines; biometric (fingerprint analysis) checks are used for attendance purposes and also on laptops.
Sanjeev Goel, CIO of Hindalco, is part of the senior management team. He works towards setting IT strategy and aligning it with
He has a total work experience of seventeen years, during which he has worked with BPL, Ballarpur Industries Limited and iBilt Technologies before joining Hindalco. He is an MTech from IIT Delhi.
Hindalco has outsourced its network management (WAN and firewall) to HECL, and HCL Comnet takes care of its gateways.
Hindalco is certified with integrated BS7799:2002-2, BS15000:2002-1 and ISO9001:2000. "We are also undergoing regular corporate audits for Enterprise Risk Management. We are planning for SOX compliance in the near future."
Disaster Recovery/Business Continuity
The company's 1st level DR site is located at Renusagar, 35 km from Renukoot (eastern UP). It runs on IBM Power5 technology with Enterprise Storage DS8100, IBM P-570 servers, Oracle 9i RAC and 2 Gbps OPGW connectivity (35 km) to the DR site. The Return Time Objective and Return Point Objective are zero for the 1st level DR site: data is committed at the DR site and then committed at the primary site, which ensures zero data loss.
Explaining the backup situation, Goel says, "At Renukoot, one cold standby 3661 router is installed with a similar hardware configuration. This router is pre-configured with an exact replica of the software configuration of the working router. In case of failure, the router cables will be moved to the new router to bring the links up. One cold standby router of the 1700 series is kept for the contingency plan if both 3661 routers fail. In this router 2 WIC-2T cards are installed to bring up the links of the Ahura 2 Mbps leased line, Silvasa VSAT and Hub. Using this Ahura 2 Mbps leased line we can make connectivity to all branches, i.e. Kolkata, Vandana Building, Century Bhavan and Bangalore."
The 2nd level DR site is at Silvasa, which is a cold site (BCP plan in place; the data centre has servers on the same environment with power-on backup). The RTO for the 2nd level DR site is 8 hours, while the RPO is 24 hours.
From the conventional anti-viruses to biometrics.
Metric                                                                                                                       | Value in percentage
-----------------------------------------------------------------------------------------------------------------------------|---------------------------------
WAN Uptime Main Site                                                                                                         |
WAN Uptime Other Site                                                                                                        |
Percentage of audit findings that have                                                                                       |
Percentage of required internal and external audits completed and reviewed by the board                                      |
Percentage of Employees who have satisfactorily completed periodic security awareness refresher training as required by      | 94 (32 out of 34)
Percentage of business continuity plans that have been reviewed, exercised/tested, and updated in accordance with            |
Percentage of active user IDs assigned to only one person                                                                    | Oracle Apps 97.66%, Maximo 76.73
Percentage of weak passwords                                                                                                 |