www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
22 November 2004  

Peer-to-peer

Navigating in troubled waters

P&O Ports, a global port operator, is the first organisation in the APAC region to get certified for BS 7799. Sushma Naik studies the implications.

With US maritime laws becoming more stringent about security, P&O Ports decided to take a close look at its security set-up. As shipping firms typically handle sensitive documents that involve multiple entities, there was a need to strengthen security. Breach of information in the port sector can have far-reaching consequences for the whole country. The need for a BS 7799 certification came about as the company realised that it needed to proactively anticipate the concerns of its clients.

“We handle sensitive documents for our customers. This compels us to secure terminals and processes. We decided that if we have to be counted among the best in the world, we have to do a thorough audit of our systems and networks,” says Jimmy Sarbh, chairman and managing director, South Asia & Middle East, P&O Ports.

Headquartered in London, P&O is a global container terminal and port operator for shipping lines. The company is one of the core businesses of the P&O Group, and has 27 container terminals and logistics operations at over 100 ports in 18 countries. It handles cargo services and port management in Europe, the United States, South America, Asia, Africa and Australia. Having decided to get certified, P&O started looking out for a consulting partner for the process.

After looking at a host of consultants, it selected Mahindra Special Services Group (MSSG). MSSG then conducted an internal audit after assessing the infrastructure already in place for this role.

Security risks and implementation

P&O used a combination of IT systems that tracked container and people movement at gates by using biometric equipment. But as the entire process was not streamlined, there were gaps in the security that could be exploited. For example, the company regularly sent information to the customs house, with data transfer typically done through e-mail or floppies. While there are laws such as the US ISPS (International Shipping and Port facility Security code) that organisations are expected to follow, no organisation can claim that it is fully secure. Says Manish Jaiswal, head, IT, P&O, “Everyone claims that they are secure. But when you invite an external consultant to scrutinise your security and certify, one has to be confident of the existing systems and see that they are up to the mark.”

MSSG assessed the risk exposure of P&O’s information assets due to loopholes in the integration of people, processes and technology.

“Based on this, proper controls were selected, customised and implemented, that seamlessly integrated with existing business processes,” says Captain Raghu Raman of MSSG. It also found that the way information was processed and handled by the staff created various business risks that could seriously hamper the business objectives of the company. The reasons were varied: vulnerabilities in the technology infrastructure, integration gaps in business processes, and low information security awareness among people who handled critical information.

Based on the audit, MSSG reconfigured the technology infrastructure components to mitigate the risk exposure due to existing vulnerabilities. It also held a series of discussions with various process owners to understand and analyse the integration gaps within critical business processes. Once the gaps were detected and residual risks were agreed upon, various process interlocks were built into the existing processes to improve security. An information classification and handling procedure was also drafted and implemented to improve the way digital and non-digital information was handled within P&O Ports. The company spent close to Rs 40 lakh on achieving this certification.

Changing mindsets

Apart from minor technology challenges, MSSG faced a major challenge in changing the mindsets of P&O’s people. This was overcome with the strong involvement of P&O’s top management in the initiative. MSSG ensured that every employee from the top to the crane operator understood the significance of having security.

To address the low awareness levels of the employees, MSSG created customised training sessions for them. This was done in order to make them aware of the value of information as an asset, and their role as individuals in maintaining the competitive advantage of the company. These training sessions were made more effective by using visual tools such as audio-visual films customised for P&O Ports. Loopholes that existed in the areas of PC security and access control were plugged; smart card solutions were deployed to block these loopholes. All employees now carry smart ID cards that are used for access control, attendance monitoring and operator identification. Earlier, this was a time-consuming process as IDs were checked manually, a process prone to security risks.

Secure, not complacent

P&O’s achievement lies in the fact that it is the first port operator in the APAC region to have the BS 7799 certification. What’s more significant is that among the hundred-odd branches of P&O Ports globally, the Indian one is the only one to have been certified for information security.

Today, with the certification, P&O feels that it has conveyed the message that it takes security seriously, and this has increased the trust its customers and other stakeholders place in it. In tangible terms it has helped the company gain competitive advantage, and given its customers the confidence to trade through P&O Ports. The level of security accorded to information assets within P&O has increased, ensuring that the risk exposure is minimal.

What is BS 7799?
British Standard (BS) 7799 is a comprehensive set of controls for ensuring best practices in information security. The certification enables organisations to have secure practices for access control, system development, physical security, personnel security and compliance.

sushma@expresscomputeronline.com

 


© Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.