SSA 2005 Nominee Profile
Putting availability first
Vijay Mahajan, Head, IT Infrastructure and Facilities Management, Mahindra & Mahindra, puts availability before integrity and confidentiality as the vital enabler of his security strategy. By Soutiman Das Gupta
“We believe that information availability is the most important goal of a security strategy, followed by integrity and confidentiality. Other organisations have it the other way round and put confidentiality first,” explains Vijay S Mahajan, Head, IT Infrastructure and Facilities Management of Mahindra & Mahindra.
This concept has acted as the enabler of the security strategy that he has crafted for his company.
Availability is king
The reason that Mahajan puts availability of information over everything else is a reflection of the nature of business at M&M.
The principal activity of the group is to manufacture, distribute, and sell farm equipment and utility vehicles. Its automotive division manufactures utility vehicles and SUVs; popular brands are Scorpio and Bolero.
The company’s automotive and farm utility divisions have eight manufacturing plants, with the head office in Colaba, Mumbai. There are 20 area offices for the auto division and 20 for the tractor division. These area offices control the nationwide dealer network.
Add these 40 area offices to 10 company locations and you have 50 enterprise locations and 42,000 users on the network.
Involving the entire business
In order to create a security strategy across this geographically dispersed organisation, Mahajan’s approach was to involve the entire business while formulating the strategy.
“We spoke to the heads of different business areas and asked them to identify the information that they felt was critical. They had to identify and classify their information assets according to the guidelines, and the ownership was theirs,” explains Mahajan.
This was the most effective way to go about ensuring information security because the process ensured the required level of commitment from the business. After the business heads classified their assets, they had to define the risks they perceived.
The information security team headed by Mahajan then devised means to reduce risks in accordance with BS 7799 standards (since the company had already achieved BS 7799 compliance earlier). This gave birth to a risk treatment plan which is now periodically updated and signed by every business unit head.
Everybody’s Business
Mahajan has documented a security policy for his organisation, which is released by the company’s Vice-chairman. The policy essentially states that information security is everybody’s business and that business heads are the owners of the information and consequently responsible for its security.
The process of implementing this policy takes place in a layered manner. At the top there’s an apex council, consisting of people such as the chairman, controllers of operations of the business divisions, and the CIO.
Below this comes the information security council, whose 12 members are unit or plant heads. The responsibility of implementing information security in their domains is theirs. These members have nominated representatives in their departments to take the responsibilities forward.
In this way, information security percolates down to the departmental level.
Checklist: M&M’s security strategy
Process level
- Availability of information
- Identification and classification of information assets
- Risk assessment
- Policy reviews
- Internal and external audits
Technology
- Anti-virus (desktop and server level)
- Firewalls
- IDS
Training and policy reviews
Training with regard to complying with the information security policy is imparted to all the employees. All possible areas of failure and the extent of consequent damage to the organisation are explained to all concerned.
The policy is reviewed in two ways. An internal audit is performed every quarter, a task that is outsourced to Mahindra SSG. The findings are then presented to the apex committee as a part of policy adherence. In addition to this, there are regular BS 7799 security audits.
A help desk and incident response team capture IT and non-IT incidents. If necessary, the incident is escalated to the apex council for resolution. Disciplinary action is taken jointly by the HR head, business heads, or by apex council members. The help desk uses HP OpenView as a decision-making tool.
The Strategy Illustrated
The unique aspect of the security strategy at M&M was the creation of an apex council by Mahajan. Members of this body were experts on enterprise information security. This council was headed by the Chairman and all the security directives were sent out by him. All the information security incidents and risks were escalated to this council for resolution.
Mahajan also believes in an approach where he places availability of information above integrity and confidentiality. This, he believes, is where the uniqueness of his strategy lies.
Although he uses IT to solve the organisation’s information security needs, he always makes it a point that communicating the enterprise’s information security policy is the onus of the business, and not of the IT department.
The security strategist
As a security strategist, Mahajan believes that a person should have strong knowledge of the business and be able to handle change management.
“Successful information security management does not happen overnight, and you have to ask people to go along with you. Sometimes you have to be friendly and at times firm.”
He feels that it’s also important to garner support from the top management and business leaders throughout the organisation. Ownership of security should percolate all the way down to personnel at the bottom of the organisation.
Soutimand@networkmagazineindia.com