SSA 2005—Nominee Profile
Security’s essential to the
business
According to Ajay Soni, Senior
Manager, IT, IMD, Patni Computer Systems, security is in
the details and errors there are fatal. The team
involved with security should therefore work with
dedication and mutual understanding.
by Shivani Shinde
At Patni Computer Systems, security is
not considered a one-time effort but an ongoing process,
which has unconditional support from the management and
participation from end-users and customers.
With a global presence and almost
11,000 employees (including onshore and offshore
employees), the company is as committed to security as
it is to any other business process. All its development
centres are inter-connected and globally connected to
multiple customers. Its entire LAN, WAN and security
firewall arena is taken care of by an in-house IT
team.
Unique Features
Soni feels that a company may have the best of security
systems in place but it can still be infected. “At
Patni we are not only looking at reactive systems
or preventive solutions but also a proactive
solution,” says Soni. The other aspect is that
security is not the sole responsibility of the IT
team or the security officer but is a team effort
and must have the involvement of the users. He
also feels that knowledge of IT processes and
customer needs must be merged to harness its
benefits.
Taking a methodical
approach
The company’s security framework has
been divided into physical and application security. The
security infrastructure is based upon four pillars, i.e.
end point defence, network defence, identity management
and security information management. According to Ajay
Soni, Senior Manager, IT, IMD, Patni, under these four
pillars, whatever technology is required has been
incorporated.
A few technologies that fall under
these four pillars are IPS, IDS, deep inspection
firewalls, content filters, spam firewalls, single
sign-on (SSO), role-based access control (RBAC),
authentication, authorisation and accounting (AAA),
network quarantine, user provisioning, network change
audit and configuration management.
For the company, security has been a
journey rather than a destination. Soni says, “Given the
kind of business we are in, it is absolutely necessary
to create an operating environment which would not only
help to guarantee total IT security through an ongoing
integrated management of policies, procedures and
personnel training but also result in improved customer
confidence and a competitive edge.”
As Soni explains, “Patni has
intrinsically been a strong believer in standards of
ISO, methodologies like Six Sigma and Capability
Maturity Model Integration (CMMi) framework.” Hence,
Soni believes that Patni’s security framework built on
BS 7799 proved to be a true amalgamation of the
company’s existing processes, methodologies and
standards. That included identifying the risks and security
issues, what needs to be secured, what is important
for the customer, etc.
Team effort
Unlike other organisations where
security needs to be hard sold to the management, it was
smooth sailing at Patni as it is an IT company. Soni
says that one of the core components of its security is
management support in all security efforts. Since this
is an ongoing effort, the budgeting process is more like
investment than spending.
Once the management is on board, the
second step is to enforce the policy at the user level.
The policy not only encompasses users in the
organisation but also the requirements of their
customers. Soni explains that the company’s people
policy is developed around the People Capability
Maturity Model (PCMM). Right at the time of induction,
employees are made aware of the policy. The company has
a specific section on what information people need to
access. He believes that awareness is the key to a
successful security process and there have to be rewards
and some kind of action. Hence, information is more of a
push rather than a pull service. This is done through
the use of e-mail, newsletters etc.
The Patni strategy
Processes:
- User education is stressed upon
- Information as a push service
- Security policy is part of the induction programme
- Awareness through e-mail and newsletters
Technology:
- IPS, IDS, firewalls
- Anti-virus
- Network change audit and configuration
Holistic approach
However, he feels that the objective
of the policy is not to penalise someone but to
understand the rationale behind it. “Sometimes it might
happen that they did not understand the policy. Once the
analysis is complete, the ISMS (Information Security
Management System) steering committee will sit and
finalise on the impact of the particular incident,” says
Soni.
A crucial aspect of Patni’s security
policy is risk assessment, based on changes and risk of
changing technology, new threats etc. “We plan to have a
real-time assessment of the various risk factors and in
having systems that are proactive rather than reactive,”
says Soni. Security audits take place every six months
and the company has also carried out BS 7799 audits at
some of its centres and the rest will be audited in the
next two years.
Patni has opted for qualitative risk
assessment, which is performed every six months or with
the advent of any new threat or asset class. A gap
analysis is performed on the basis of risk assessment
and presented to the steering committee comprising
stakeholders, HR, Legal, ITIM (IT Infrastructure
Management) and QDI (Quality and Delivery Initiative),
who are the final authorities. The long-term plan is
to have a real-time dashboard on the assessment of
various risk factors and to have systems that are highly
proactive.
Soni feels that the IT policy should
be intrinsic to the business process of the
organisation. Since the organisation caters to global
customers, it has a security set up to accommodate
customer requirements. As Soni says, “I would like to
reiterate that though we have a stringent framework we
are not rigid. This is what gives us the agility to
incorporate our long-term view with an eye on the
present day. We ensure that security is imbibed into all
employees right from the time they join Patni. It is
made possible via town hall meetings and employee
awareness programmes.”
shivani@expresscomputeronline.com