SSA 2005—General Industries Winner

A rapidly evolving security architecture

A complex infrastructure and wide-spread supply chain are just the tip of the iceberg when the task is to secure this FMCG giant. Meet S Narayanan, Corporate Information Security Manager, Hindustan Lever. He is the designer and implementer of strategies that made him the Security Strategist in the General Industries category for 2005.

by Anil Patrick R
Information security is critical when your organisation is in the FMCG business. In this context, Hindustan Lever Limited’s (HLL) security strategies deserve praise among the elite nominees of the Security Strategist Awards 2005. Security best practices and infrastructure have been in place at the company since 1996. This makes the organisation one of the forerunners and the most deserving winner.
For HLL, a turnover of more than Rs 11,000 crore in the soaps and personal products business is the result of the combined synergies of more than 250 third-party suppliers, 80-odd third-party factories, 55 owned factories, 70 depots or warehouses, and over 7,000 stockists. Considering that the company’s IT infrastructure reaches out to most of them, securing this infrastructure is a major task. “We have more than a million retailers and more than a billion customers. IT touches our factories, some of our key suppliers, all our distribution centres, and many of our customers,” declares S Narayanan, Corporate Information Security Manager at the company.
A complex challenge
Since HLL is one of the largest FMCG companies, protection of intellectual property rights and the company’s reputation is crucial from the security point of view. Point to note: HLL has more than 6,000 desktops and laptops.
According to Narayanan, the biggest challenge they face is complexity due to the large number of locations. “The variety of desktop operating systems ranging from Windows 95 to Windows XP is a challenge from the security point of view. Growth of IT infrastructure has also been rapid along with requirements such as robust connectivity, legal compliance requirements and user expectations,” says Narayanan.
Over the past three years, HLL has shifted from a decentralised approach to a centralised architecture. This has brought with it security challenges on the networking, server and desktop infrastructure fronts. On the network front, the organisational LANs and WANs connect around 220 units of the company with several layers of backup. Being part of the Unilever group, the company also has six international links for global connectivity. The organisation has around 240 servers, and its server classification is based on criticality to the business. There are 80 very critical servers and 50 critical servers; the rest are classified as non-critical and used for development, testing and so on.
The company has a shared services centre in Bangalore that handles all its back office operations. HLL has also done a lot of outsourcing in terms of IT and non-IT processes.
On the regulatory side, HLL has to comply with several legal requirements. It also has to comply with Unilever’s internal requirements and the Sarbanes-Oxley (SOX) clause 49.
What is unique?

The most distinctive feature of HLL’s security strategy is active ownership from the business. Assigning unit ISO responsibility to commercial managers is a step in the right direction to ensure active user participation. Backed by active technology controls and a redundant DRP architecture, S Narayanan’s security strategy is worth following.
Off to an early start
Till 2001, HLL’s security policies focussed to a great extent on virus protection, with reviews taking place once every two or three years. However, around 2001 the company realised that as new threats come to the fore, policies and procedures have to be reviewed and changed frequently.
This realisation resulted in policies and procedures assuming centre-stage. “Earlier, policies and procedures used to change in two to three years; now they change almost every day. As you put in new equipment or new vulnerabilities come in, policies and procedures keep changing,” says Narayanan.
HLL’s security strategy

Processes
- Ownership of the security policy belongs to business units
- Multifaceted security policy customised to divisional requirements
- Head of unit is the unit ISO
- Ongoing user and annual ISO training
- Random and quarterly internal audits with annual external audits

Technology
- Antivirus, vulnerability, and patch management
- Access controls and VLANs to restrict access
- Monitoring of security events
- Centralised redundant DRP architecture
The perspective shifts
According to Narayanan, these changes have been the offshoot of a new mindset that security should be comprehensive, thus moving away from looking at IT merely to comply with legal requirements. This change has resulted in HLL’s multi-faceted information security policy.
First among these facets is physical and administration security. Next comes information protection, which classifies information according to its level of confidentiality and lays down how the information is to be handled once it is classified. Third are function-specific security policies, covering requirements that the general policy does not address for particular functions. For example, HR has a starter-mover-leaver process that the normal security policy does not cover. Functions like these have been defined and made into a separate security policy.
Capping all this is employee culture and behaviour. Employees are provided with a detailed handbook that highlights changes required in culture and behaviour. All new employees undergo an induction training where they are exposed to security issues. Continuing education is through e-mailers, corporate diaries, table calendars, in-house magazines, etc.
BS 7799 framework
HLL’s security policy is based on the BS 7799 framework. The required controls from BS 7799’s 127 controls are chosen depending on the risk to the company and its units. Periodic policy reviews are performed, and policy changes are recommended to the steering committee, which takes the final decision.
Information security initiatives are led by business rather than IT. At present, the Vice-president of HLL’s HR department leads information security initiatives for India. He is the owner of the security policy, and leads information protection implementation and policy finalisation.
Apart from this, representatives from each of the key functions of the company handle different aspects of implementing policy. The steering group consists of the chairman and finance director, and meets once a quarter.
Pearls of wisdom

- Work with CEOs to ensure that they relate to security not as a business cost, but as a competitive marketplace advantage.
- Consider security as an element of the larger business risk management process and embed it in core business processes as well.
- There is no standard ‘one size/shoe fits all’ solution for security. Choosing the correct strategy will depend on factors such as the organisation, its needs and culture.
- Create awareness that security fosters an ethical culture. Value and promote actions that allow no compromise of business reputation.
Policing the policies
HLL’s policy implementation team structure consists of a full-time security officer for the company supported by four full-time officers. The team is part of the IT group, and at each company office the commercial manager of the unit is the part-time information security officer (ISO).
The commercial manager is responsible for implementation, positive insurance, and conducting security audits. These ISOs undergo training annually at each of the four regions. Implementation is done through unit ISOs. Positive confirmation of these efforts is monitored through security audits and post-implementation audits.
Ongoing compliance monitoring is done on a quarterly basis. Tests are conducted on HLL’s intranet for the units.
Random audits are also done through the company’s internal audit function, called controlled assurance. Security audits cover the application, network and unit levels. HLL also does audits to check the security of the IT infrastructure, and specialist need-based information security audits are performed as required. In addition, HLL undergoes BS 7799-based yearly unit information security reviews conducted by PwC.
For a rainy day
Earlier, HLL had a decentralised DRP architecture. It has since shifted to a centralised approach. DRP is done from the unit level to the three data centres (Bangalore, Gurgaon and Mumbai). “We can respond to any disaster situation within 15 minutes,” affirms Narayanan.
He says that the use of centralised communication links has made DRP more reliable. These consist of the VSAT network from HECL with Gurgaon as the first hub connecting around 180 locations. The network also consists of terrestrial links (about 90) across the country backed up by ISDN links to cover Indian offices. Network redundancy is achieved through triangulation.
HLL’s application-level DRP strategy is to have the application hosted in not less than two cities. There is one live location and one DR location. Incremental backups are performed at specified frequencies.
Operational security
Vulnerability analysis and patch management are important at HLL. Other technologies and practices used by the company include data centre access controls, password management for servers, backups for data and application, antivirus for Windows-based servers, vulnerability monitoring for servers and desktops, ethical hacking and IDS.
Information security incidents monitored include antivirus updates, patches, backup, and server security. Apart from this, DRP, data centre applications and the network are also monitored. Access control tests are also performed.
External hand
Much of HLL’s IT is outsourced. About 400 non-HLL employees operate from HLL premises on tasks from server management to software development.
Security measures are enforced on these personnel through SLAs. “Whatever applies to an HLL employee applies to these people. We get that in writing. We have also got into VLANs and restricting access,” says Narayanan.
The next task for Narayanan and his team is the shift from MFG PRO to SAP next year. This is a challenge that involves redefining security rules and procedures. The company is currently evaluating biometric devices for remote authorisation.
anilpatrick@networkmagazineindia.com