Issue of January 2007


Metal major's security shield

Hindalco, India's largest non-ferrous metal company, is keeping pace with growth while strengthening its security strategy. The most significant aspect of this strategy is its 1st level DR site, which is synchronised to maintain Return Time Objective and Return Point Objective at zero. Every possible threat comes under the security scanner of the company's CIO, Sanjeev Goel. By Varun Aggarwal.

Hindalco’s security policy covers the IT department’s infrastructure as well as its operations. Areas covered under infrastructure are servers, networks, desktops, laptops and printers. The applications covered under the security policy include the Oracle eBusiness Suite (Oracle Financial, Oracle Sales, Oracle Purchasing, Oracle Inventory) and Maximo (Maintenance, Enterprise Asset Management).

The Information Security Policy is reviewed at least twice a year. It is part of the agenda for the ‘Management Review Meeting’ for the integrated IT Management System. Depending on the business requirements, interim reviews also take place.

According to Sanjeev Goel, the top priority for Hindalco’s security policy is to understand and mitigate internal security risks. “Different security surveys show that internal factors are the source of major information security risk. About 70% of information security threats are from internal users. We have focused on these internal issues and established tight control on our enterprise application, database etc.”

Integrated internal audits take place at least four times a year. The audit team has 19 members, one of whom is CISA certified. Apart from the internal audits, quarterly audits are conducted by independent consultants. The surveillance audit is done by M/S DNV, and vulnerability analysis/penetration testing is done by M/S Highband. KPMG is responsible for the US GAAP audit, at least once a year for IT. The corporate audit department and Ernst & Young conduct audits for Enterprise Risk Management and functional area audits (logical security, financial applications like GL, AP, AR etc. and interfaces).

“We started with the basics and improved upon it following PDCA. We were more focused on risk awareness and allowed business to make investment decisions. For e.g., we have a manual risk assessment methodology but at the same time today we have a real time synchronous DR site, which ensures zero data loss having zero RPO/RTO.”

“Most of the security logs are checked; things are reviewed and monitored on a daily basis, e.g. ‘Alter Drop Create on Production instance’. Metrics sampling is done on a monthly basis and reports are prepared.

We are also planning implementation of different tools, which will do the runtime analysis and automatically send alerts in case critical security incidents occur,” he adds.

Software Applications

| Software Application | Purpose |
|---|---|
| HP OpenView | Monitoring internal network through Hughes SIP |
| Oracle Password Cracker: Checkpwd 1.21 (Red-Database-Security GmbH) | Initialising Oracle client library and connecting database, opening weak password list file, reading weak passwords list, checking passwords |
| Content Filter (Trend Micro Suite) | Anti-virus, anti-spyware, mobile code security, and content filtering, site filtering at the Web gateway |
| IDS (RealSecure) | Monitor internal user activities |
| Viruswall (Trend Micro) | Three-in-One Internet gateway anti-virus program that detects and cleans virus infected files before they enter the Hindalco network |
| Scanmail (Trend Micro ScanMail for Lotus Domino) | Real time scanning to prevent viruses, malicious code, unwanted content and multi-threaded in-memory scanning |
| PRTG (Paessler Router Traffic Grapher) | Monitors and classifies bandwidth and network usage |


The company uses different software and hardware tools to ensure optimum security levels. The hardware tools used include routers, firewalls, IDS, VSAT and leased lines. Biometric (fingerprint analysis) checks are used for attendance purposes and also in laptops.

Meet the CIO
Sanjeev Goel, CIO, Hindalco, is part of the senior management team. He works towards setting IT strategy and aligning it with business.

He has a total work experience of seventeen years during which he has worked with BPL, Ballarpur Industries Limited and iBilt Technologies before joining Hindalco. He's an MTech from IIT Delhi.


Hindalco has outsourced its network management (WAN and firewall) to HECL, and HCL Comnet takes care of its gateways.


Hindalco is certified with integrated BS7799:2002-2, BS15000:2002-1, ISO9001:2000. “We are also undergoing regular corporate audits for ‘Enterprise Risk Management’. We are planning for SOX compliance in the near future.”

Disaster Recovery/Business Continuity

The company’s 1st level DR site is located at Renusagar, 35 kms away from Renukoot (eastern UP). It runs on IBM Power5 technology and ‘Enterprise Storage-DS8100’, IBM P-570 servers, Oracle 9i RAC and 2Gbps OPGW connectivity (35kms) from DR site. The Return Time Objective and Return Point Objective are zero for the 1st level DR site. “Data is committed at DR site then committed at the primary site which ensures zero data”.

Explaining the backup situation, Goel says, “At Renukoot, one cold standby 3661 router is installed with similar hardware configuration. This router is pre-configured with exact replica of software configuration of working router. In case of failure, router cables will be moved to the new router to bring the links up. One cold standby router of 1700 series is kept for the contingency plan if both 3661 routers fail. In this router 2 WIC-2T cards are installed to make the link up of Ahura 2 Mbps leased line, Silvasa VSAT and Hub. Using this Ahura 2 Mbps leased line we can make connectivity to all branches i.e. Kolkata, Vandana Building, Century Bhavan and Bangalore.”

The second level DR site is at Silvasa, which is a cold site (a BCP plan is in place; the data centre has servers on the same environment with power-on backup). RTO for the 2nd level DR site is 8 hours while the RPO is 24 hours.

From the conventional Anti-viruses to Biometrics.

Security Metrics

| Parameter | Value in percentage |
|---|---|
| Server Uptime | 100 |
| WAN Uptime Main Site | 100 |
| WAN Uptime Other Site | 99.67 |
| Percentage of audit findings that have been resolved | 57 (fully implemented) |
| Percentage of required internal and external audits completed and reviewed by the board | 100 |
| Percentage of employees who have satisfactorily completed periodic security awareness refresher training as required by policy | 94 (32 out of 34) |
| Percentage of business continuity plans that have been reviewed, exercised/tested, and updated in accordance with policy | 100 |
| Percentage of active user IDs assigned to only one person | Oracle Apps 97.66%, Maximo 76.73 |
| Percentage of weak passwords | 0% |
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.