SSA 2005 - General Industries
A pragmatic approach to security
Anil Kumar Kaushik, Deputy General Manager (IS Application), BPCL, says that be it security tools or IT applications, they have to add value to the system.
by Shivani Shinde
Bharat Petroleum Corporation Limited
(BPCL) needs no introduction. It has been a front runner
in business processes and in harnessing IT to provide
better services and to diversify.
The company’s operations and 5,000
desktop users are spread over 300 locations—some beyond
municipal limits. With the increased use of technology
applications and the Internet, the organisation felt the
need for a robust security system.
The BPCL strategy
Processes
- Security policy in tandem with the HR policy
- User education through e-mail and through ISS Net Members
- Centralising Internet access
Technology
- Separate firewalls for the Internet and the LAN
- IDS
- Anti-virus
Anil Kumar Kaushik believes that being
an early adopter, the company has had an advantage in
upgrading to new systems. In the late 1990s, the
organisation got on the Internet and this resulted in
security concerns raising their heads. “We took the
usual measures for security, such as deploying IDS,
anti-virus and firewall. Our concern was to have an
environment as secure as possible,” he says.
The company's Internet access is centralised for better control, with failover through the use of an IDS. BPCL is a good example of how phased development permits the deployment of technology. In moving from manual data collection to automated systems, the company had to take these details into account while framing its security policy and implementing it.
Comments Kaushik, “We documented our
security policy. At the same time, we realised that even
if we did publish it or put it on the Internet, it would
not be feasible for others to go through it. We decided
that whatever was related to the user should be included
in a booklet.” The booklet, known as the code of
practice for users, has details that a user requires for
the daily routine. Again the policy rollout was done in
tandem with the HR policy, and violations in the former
were linked to the latter.
Apart from this, they made use of Web site filtering; users get alert messages if they try to access unwanted sites. The action taken depends on the severity of the violation and may be as simple as a warning memo. In some cases certain facilities are withdrawn from the person, and if the violation is serious the person may be sacked.
Education is a tool
BPCL realised that just having a policy does not help; awareness and thorough user education are also important. Again, due to the vast area over which its operations were spread and the diverse user profile, the organisation had to take a different approach. "Since the users came from both management and non-management segments, the approach to spread awareness had to be different. We realised that controlling or monitoring behaviour from a central location would be difficult," Kaushik explains.
When SAP was rolled out in the second phase, those who would be accessing the systems were trained with regard to security. Each location has a user group, and its members are known as ISS Net Members. According to Kaushik, "Whatever knowledge needs to be shared with the users is communicated through these members at their respective locations, for which they are adequately trained. The idea is to let the knowledge spread." The organisation has 3,100 SAP users operating from 300 locations. These locations are on the WAN, with over 100 partners connected through VPNs.
What's unique about this project?
The uniqueness of this project lies in the area of coverage and the varied user requirements. According to Kaushik, security is an issue that must be handled by an in-house team because of its criticality, and they have managed to do so at BPCL. He is a firm believer in investing in training people and trusting them to solve any problem. He also feels that everything cannot be done in one go: plan, and give business-critical systems priority.
Putting systems in place
Before the SAP rollout, there was only one level of IDS and firewalls. Now they have two levels: one at the Internet level and the other at the LAN. For this, they use solutions from multiple vendors. Kaushik believes that this reduces system vulnerability, as there is always another solution to stop the problem. They use a Cisco PIX firewall and IDS for the Internet, and a Check Point firewall, Nortel switches and RealSecure IDS for internal security. Standard mechanisms include firewalls, IDS and IBM Tivoli's Software Distribution module for patching.
With such an initiative taking place, continuous support from management was also important. Says Kaushik, "We are fortunate to have a management that understands the need for security within the IT framework. Their only criterion is that whatever the IT deployment, it has to bring value to the company and it should serve its purpose rather than be deployed because others are doing it."
The role of audits
Security audits are an important part of its security initiative. As Kaushik explains, "Security audits are done at the IT level, for which we take third-party assistance. Though it was to happen every six months, it is being conducted annually now because of infrastructure issues. Penetration testing and other issues are taken care of by an internal team. Apart from this, the company has a strong internal audit team that looks after various audit issues."
Kaushik says that the challenges faced include educating users about the risks involved, systems that required collecting data from various centres into a central base, and hacking. He is of the opinion that instead of going for large deployments, one should deploy systems on a smaller scale and then, based on performance, decide about implementing them more widely.
shivani@expresscomputeronline.com