SSA 2005 Nominee Profile

Bridging the security gap

Viral Raval, Vice-president, Information Technology, Kale Consultants, conducted an information security gap analysis that laid the groundwork for a tough security strategy. By Soutiman Das Gupta.
A firm believer in the need to focus on the vital assets of the business instead of building a fortress around the network, Viral Raval, Vice-president (Information Technology), Kale Consultants, suggests that one should identify critical business areas and provide only these with the highest level of security.

“The goal of the security strategy was to align our operating practices to a standard, which would offer us a single methodology,” explains Raval. He carried out a gap analysis that revealed the current state of information security affairs and what was needed to reach the desired standards. This paved the way for a tough security strategy.

Being the information security guardian and Head of IT at an IT solutions company, Raval believes that the primary approach to creating a security strategy is to carry out a gap analysis. He has also been instrumental in earning the BS 7799 Part 2 certification for the organisation.
Safeguarding the business

Kale Consultants provides solutions to the global travel and transportation industry, and offers BPO services. It has four locations in India: two in Mumbai, and one each in Pune and Noida. It also has two offices, in the US and the UK. There are 600-odd employees globally, and the onus of information security rests with Raval.
The approach taken

The primary approach to information security design was to perform a gap analysis. This was followed by the identification of information assets that needed to be safeguarded.

Raval believes that information assets in an organisation should be treated differently. “For instance, a UPS manual needs to be safe, but doesn’t need to be kept in a fire-proof cabinet. There has to be a cost-benefit analysis. So it’s necessary to identify the most critical asset and devise the appropriate strategy,” he explains. A detailed risk analysis was made, and the known risks and probabilities of their occurrence were listed. Raval identified the vulnerabilities and threats that could have large-scale effects, and devised means to mitigate these risks.
Policy highlights

“The idea is to make things simple, because it’s so simple to make things difficult,” quips Raval.

The objective of his security policy is to enhance customer confidence, ensure a secure operating environment, minimise business damage by reducing the impact of security-related incidents, and eliminate the recurrence of identified security-related incidents to the extent possible.

Some of the highlights are:
- Guidelines for log-in access
- Privilege-based access for personnel
- Policies for ethical use of e-mail and the Internet
- Server allocation policies
- Access rights for servers
- Log analysis and review
- Policy for remote access and firewall configuration
- Routing policies to facilitate global connectivity

There are also guidelines for monitoring UPSs, ACs, and telecom links. There are recommendations on how closets should be locked, and on UPS operational temperature ranges.
What’s needed

Processes
- Gap analysis
- Identified information assets
- Detailed risk analysis
- Formulated security policies
- Awareness, training and execution

Technology
- Access control
- Log analysis
- Firewalls
- Anti-virus
- IDS
The challenges

The biggest challenge to policy implementation was to transform mindsets.

“People may wonder how an MP3 file on their PC would harm the security policy. But there may be a copyright violation issue and the company will not bear the cost of storing personal files on the network,” explains Raval.

Raval adopted a top-down approach for implementation. A mail was sent from the MD about the security policy and the ways in which personnel should implement it.

“It didn’t seem like a military regime because the policy in the draft stage was formulated after suggestions and opinions from various business heads were incorporated,” says Raval.
The uniqueness of the strategy

The unique aspect of this security strategy is that Raval does not think it is necessary to build a huge impenetrable fortress around the entire business by using a lot of financial and human resources.

He has, with the help of business heads, classified information according to its importance and attached a risk value to it. This has enabled him to focus on the vital assets first. That is not to say that other information should be left unsafe.

He has planned the audit processes in such a way that the organisation is subject to a security audit every three months.

He has also deployed a helpdesk with a CRM tool that tracks each security incident and brings it up for resolution until completion.
Policy review

The security policy is reviewed every six months by an external auditor, as a part of the BS 7799 recommendation. Three months after each external audit the organisation conducts its half-yearly internal audit. In this manner, the company is subjected to an audit every quarter.

Any new risk which emerges from a review is communicated to higher authorities if necessary. New risks, when identified, are included in the purview of the policy. For example, the company recently identified Bluetooth-enabled cell phones as a potential risk.
Comprehensiveness

To give an example of the comprehensive nature of his security strategy, Raval explains the procedure carried out by his organisation when an employee resigns.

The employee has to complete the formalities in a final settlement form before he may be released. The various passwords are communicated to the manager, drawer keys are handed over, and the ID card and company-provided PDAs (if any) are handed back. The final clearance is in the form of signatures from the business heads of all concerned departments.
The USPs

Raval believes that the organisation’s IT infrastructure processes have two USPs. One, a single service desk for all requests and incidents. The service desk, for instance, will entertain requests to install a new PC, or to rent a car for a day’s use. Raval has deployed a smart CRM solution that tracks and escalates a request until it’s addressed.

The second is that personnel have a high sense of ownership instilled in them. The work culture is such that if someone detects a security incident and doesn’t report it, the person is regarded as an accomplice to the fact.
BC and DR

Business continuity is part of the security policy and a non-negotiable element of BS 7799. It is certified by an external auditor.

The DR operations are trigger-driven. It means that DR will kick in depending on aspects such as the type of threat, the day of the month when the event has occurred, and the completion status of the jobs.

“If there’s rain in Mumbai for four hours, we move to Pune,” explains Raval.
As a strategist

Raval feels that a security strategy needs common sense and a sense of ownership. He suggests that gap and risk analyses are essential.

He added, “If you’re an IT person, you’ll have a heart for IT, but IT alone cannot solve the information security needs. There are a lot of operational and human aspects too.”
soutimand@networkmagazine.com