SSA 2005-Winner
With an MphasiS on security
Only those with mettle recover and learn from their bad experiences to emerge stronger. It is this quality that has helped Mitish Chitnavis, Associate Vice-president, Information Security, Mphasis, win the SecureSynergy Security Strategist 2005 (SSA 2005) Award in the IT/ITeS category.
by Anil Patrick R
Mphasis’ BPO operations have been in
the news for all the wrong reasons. It takes a strong
security strategist to learn from a negative experience
and prepare for the future. It was Mitish Chitnavis who
helped Mphasis recover from its security lapse of April
2005.
Does this mean that information
security was not top priority at Mphasis until April
2005? That is not the case. The organisation has had
strong information security initiatives aided by a BS
7799 certification since 2002. However, as anyone who
has worked hands-on at implementing information security
will testify—a 100 percent secure infrastructure is only
as real as the mythical Utopia.
The BPO suffered a security lapse, but
the important thing is that the company was able to
weather the storm. Today, it is strong enough and has
risen above the most secure Indian organisations to win
the SSA 2005 award in the IT/ITeS category. So yes, it
is time that Mphasis should be in the news once
again—for the right reasons.
Worldwide skillset management
Mphasis specialises in multi-channel
solutions to optimise sales and service processes. The
company also has an extensive offshore infrastructure
for IT development and BPO with centres in India, China
and Mexico.
Mphasis is headquartered both in India
and the US. The employee distribution is India-centric
since most of its offshoring is done in India. Mphasis
has centres in India at Bangalore, Mumbai, Pune and
Mangalore, with Noida being the most recent addition.
The organisation employs about 9,400 people across the
globe (about 6,000 employees in the BPO business) across
23 offices. “On the BPO side, we have around 25 clients.
In IT services the number of active clients is 100,”
says Chitnavis.
Mphasis’ security strategy
Processes
- Information Security Risk Management (ISRM) to identify, prioritise and mitigate risk.
- Risk scorecard to prioritise risk mitigation plans at the organisation level and at the client program level.
- Employees undergo reference checks and background checks (dependent on client mandates). They also have to sign an NDA and accepted use policy.
- 100 percent frisking of all employees for different types of media, including tape and USB drives. Visitors and contractors are also screened and frisked.
- Audits—internal, client, and external.
- BS 7799 certification.
- Anti-fraud policy, which resulted from Mphasis’ experience with a security lapse (April 2005) in one of its client programs.
Technology
- VLANs, internal firewalls and perimeter firewalls, intrusion prevention and detection systems, desktop and server hardening procedures, anti-virus, anti-spyware, URL filtering server, anti-spam solutions and gateway anti-virus, patch management, etc.
- Encryption of links with 3DES, Citrix-based encryption directly from the client, and encrypted VoIP traffic.
- Data centres and the Global Network Operations Centre (GNOC) have biometric access controls and smart cards for access control.
- Door-long-open alarm to prevent piggybacking.
An early start
Building High Trust Environments
(BHTE) for their client information is a key objective
of the Mphasis corporate information security team. With
this objective in mind, Mphasis started on its present
Mphasis Information Assurance Program (MIAP) in 2002.
This is an early start for a nascent
industry such as the BPO that traces its birth to as
late as the year 2000. “At that time (2002), we took a
look at standards and based on our needs such as
business integrity, security, privacy, and reliability
as well as after taking a look at the clientele we cater
to, decided to go in for BS 7799 Part II: 2002,” says
Chitnavis.
The basic mindset towards security at
Mphasis is a top-down approach combined with awareness.
All security initiatives are driven by the top
management. “It is taken seriously right from our
Chairman Jerry Rao onwards. I don’t think any other
company takes it as seriously as we do. It is an irony
again that a mishap of the sort that we had earlier
happened to us,” says Chitnavis.
Mphasis has a dedicated information
security organisation. The security organisation is a
separate team and is not aligned to the CIO’s
department. The team includes BS 7799 audit and
compliance, network security, physical security,
personnel security, identity management, and business
continuity/disaster recovery.
The team reports to the presidents of
the individual businesses and Jerry Rao, the Chairman of
the company.
More than a policy
Mphasis has an information security
management system (ISMS) rather than an information
security policy as such. According to Chitnavis, looking
at security as a management system is an advantage since
it gets audited on a monthly and a quarterly basis.
All instances of non-compliance, and the resulting
reports, are brought to the management’s notice. This
shows how the management system performs within the
organisation and drives the required changes.
Mission-critical changes or system modifications are
usually made within a week. Non-mission-critical changes
are implemented in about a month.
Cordoned off
On the physical side, each client area
at Mphasis is separated. Colour-coded lanyards and ID
cards for employees, contractors, vendors, guests and
visitors are complemented by CCTV surveillance.
All employees, visitors and contractors are frisked for
different types of media, including tape and USB drives.
Within the data centres and Global Network Operations
Centre (GNOC), access control is achieved using
biometric access controls and smart cards. “Door-long
open alarms are in place to prevent piggybacking. In
addition, we are also implementing turnstiles across all
our BPO operation floors and have completed about 25
percent to avoid tail-gating,” says Chitnavis.
On the personnel security side, two
reference checks are in place for every employee.
Third-party background checks covering education,
employment, criminal and address verifications are also
performed depending on client mandates, owing to the
costs involved and high attrition rates. If a person is
absent for two consecutive days, his or her IDs and
access to the building are suspended. All Mphasis
employees have to sign a non-disclosure agreement (NDA)
and an accepted use policy that contains substantial
information security components.
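The door-long-open alarm and the two-day absence rule described in this section are both checks that can run automatically over a door controller’s event log. The Python below is an added example, not Mphasis’ own system or any code from the article: the log format, the door and badge identifiers, the 30-second threshold, the employee roster and the use of calendar days are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, date, timedelta

# Constructed sample door-controller log (assumed format, not from the article):
# ISO timestamp, door id, badge id (empty for sensor events), event type.
SAMPLE_LOG = """\
2005-06-06T09:01:10,GNOC-D1,E1001,badge_in
2005-06-06T09:01:12,GNOC-D1,,door_open
2005-06-06T09:01:18,GNOC-D1,,door_close
2005-06-06T09:30:00,BPO-F2,E1002,badge_in
2005-06-06T09:30:02,BPO-F2,,door_open
2005-06-06T09:30:55,BPO-F2,,door_close
2005-06-07T09:05:00,GNOC-D1,E1001,badge_in
2005-06-07T09:05:01,GNOC-D1,,door_open
2005-06-07T09:05:07,GNOC-D1,,door_close
2005-06-08T09:02:00,GNOC-D1,E1001,badge_in
2005-06-08T09:02:02,GNOC-D1,,door_open
2005-06-08T09:02:06,GNOC-D1,,door_close
2005-06-08T17:00:00,BPO-F2,,door_open
"""

# Assumed employee roster; the article gives no such data.
ROSTER = ["E1001", "E1002", "E1003"]


def parse_log(text):
    """Parse the constructed CSV-like log into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, badge, kind = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "door": door,
            "badge": badge or None,
            "kind": kind,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def door_held_open_alarms(events, now, max_open_seconds=30):
    """Return (door, opened_at, seconds_open) for each door held open past the threshold.

    A door still open at `now` is also reported, so a propped door is not missed
    just because its close event has not arrived yet.
    """
    open_since = {}
    alarms = []
    for e in events:
        if e["kind"] == "door_open":
            open_since.setdefault(e["door"], e["ts"])  # keep the earliest open
        elif e["kind"] == "door_close" and e["door"] in open_since:
            opened = open_since.pop(e["door"])
            held = (e["ts"] - opened).total_seconds()
            if held > max_open_seconds:
                alarms.append((e["door"], opened, held))
    for door, opened in open_since.items():
        held = (now - opened).total_seconds()
        if held > max_open_seconds:
            alarms.append((door, opened, held))
    return alarms


def absence_suspensions(events, roster, as_of, consecutive_days=2):
    """Return badge ids with no badge_in on any of the last `consecutive_days`
    calendar days ending at `as_of` (inclusive); these are the IDs to suspend."""
    seen = defaultdict(set)
    for e in events:
        if e["kind"] == "badge_in" and e["badge"]:
            seen[e["badge"]].add(e["ts"].date())
    window = {as_of - timedelta(days=i) for i in range(consecutive_days)}
    return sorted(b for b in roster if not (seen.get(b, set()) & window))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    now = datetime(2005, 6, 8, 17, 5)
    for door, opened, held in door_held_open_alarms(evs, now):
        print(f"ALARM: door {door} held open {held:.0f}s since {opened}")
    for badge in absence_suspensions(evs, ROSTER, now.date()):
        print(f"SUSPEND: badge {badge} has no badge-in for 2 consecutive days")
```

The absence check uses calendar days because that is all the article states; a deployment would normally substitute a working-day calendar so that weekends and holidays do not trigger suspensions, and would feed the suspend list into the badge system and directory rather than only printing it.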
A code of conduct and whistle-blower
policy are also in place. “There is an anti-fraud policy
which has resulted from our experience with the incident
that happened in April in one of our client programs. We
felt at that time that we need to document clearly as to
what constitutes a fraud,” says Chitnavis.
Pearls of wisdom
- Security cannot be a closed-door function involving just IT or the information security team.
- Inculcate awareness about information security among the user community.
- Engage business actively in information security initiatives at all levels—right from the lowest employee level to the highest management level from a hierarchy perspective.
- Have frank discussions and share best practices, knowledge, ideas, thoughts, concerns and mitigation strategies with peers in the industry.
The technology angle
Access to IT environments is
controlled via VLANs, internal firewalls and perimeter
firewalls, intrusion prevention and detection systems,
desktop and server hardening procedures.
Audit IT
Mphasis has undergone over 100 audits
in the last financial year. These include 65 internal
and 25 client audits.
An internal audit calendar manages the
schedule for these audits. Surprise audits are also
carried out to ensure adherence to policies and
procedures. Mphasis has also been audited by regulatory
authorities such as OCC/OTS and FSA.
Mphasis and its clients also engage
external auditors such as Ernst & Young or KPMG to
do third-party audits. Chitnavis has also implemented an
innovative mechanism to increase the number of
internal auditors. In addition to the ten-odd BS 7799
auditors that Mphasis has within the infosec team, the
organisation has each client program provide two single
points of contact (SPOCs) from that program.
“The SPOCs undergo a two-day training in BS 7799 and do
internal audits in addition to the ten members of the BS
7799 team. This has increased our total number of
internal auditors to 75,” says Chitnavis.
Towards an aware user
A key challenge faced by Chitnavis is
to ensure that information security ownership rests in
the right hands. Chitnavis believes that this can be
achieved only by working on the creation of a proactive
security-oriented mindset.
“Properly-trained employees and
contractors, not technology, are the best tool for
protecting us against attacks on sensitive information.
Hence, the most important security tool is security
awareness. The objective of our awareness programs is to
build a security conscious culture within the
organisation,” says Chitnavis.
To create a security conscious culture
within the organisation, Mphasis has an accelerated
Information Security Awareness Program for all its
employees. This is achieved through various methods such
as briefings, discussions, newsletters, staff bulletins,
reminder notices, posters, etc.
Future@MphasiS.in
The organisation is now working on an
upgrade from the current BS7799-2:2002 certification to
ISO 27001.
Ongoing enhancements and strategies at
Mphasis also include plans for implementation of
identity management, remote access VPNs, a paperless
office, event correlation tools and an upgrade from IDS
to inline prevention systems. Enhancing physical
security infrastructure by implementing turnstiles and
biometric access is also on the security roadmap.
anilpatrick@networkmagazineindia.com