www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
25 December 2006  
Information Security Roundtable

Ensuring information security

The roundtable was moderated by Devendra Parulekar, Associate Director, Ernst & Young. The speakers included Satish Kumar Das, CSO, Cognizant; Mitish Chitnavis, Group Information Security Officer, EDS Mphasis; M V Shriram, GM, IT, HPCL; and Sanjay Prasad, Head, Technology, Citigroup Financial Services.


Devendra Parulekar, Associate Director, Ernst & Young, and Sanjay Prasad, Head, Technology, Citigroup Global Services

Satish Das, CSO, Cognizant, Mitish Chitnavis, EDS, Mphasis and M V Sreeram, General Manager, IT, Corporate

How do you integrate your overall information security governance within your corporate governance?

Satish Das: Governance starts from the board. It has an enterprise risk management policy which has four components—finance, safety, operations and strategy. The financial part is handled by the finance department, safety is handled by the safety department, operations are handled by the chief operating officer, and strategy is dealt with by the CSO.

Once the policies are finalised and approved, then the next set of policies is written depending upon factors including regulatory requirements namely laws, customer requirements, and the culture of the company. From the governance perspective there are a lot of policies and procedures that people write but what is important for the IT industry are factors such as IS policies, health and safety, compliance issues like SOX, and the integration of governance procedures and operations.

We have an organisational structure that is clearly defined, the roles and responsibilities are also clearly laid down and communicated to the employees and then it depends on how you set up the operating system. Anybody can do this, it has nothing to do with any industry, it’s a general concept.

We learnt a lot from the financial industry when we were writing the enterprise risk management policies. Information security has come from a technical perspective, things were written from that perspective, and slowly you’ll see technical professionals talking about risks and how to manage them.

Considering that you have a governance framework in your organisation and it is information security governance that you have, tell me how these policies and procedures play a role in the framework?

Mitish Chitnavis: I think that the most important thing here is implementing the risk management framework. The risk is not just in terms of IT, but also from the people perspective. Over and above this, framing policies, procedures and guidelines, and defining how you want to control a piece of information—a kind of blueprint for the organisation to execute its information security programme within the organisation—is important.

The basic purpose is to have a proper risk management framework which addresses all control objectives, and then ensures that the desired guidelines are provided to the people, and standards are implemented, so that they tightly integrate with the enterprise.

How do you manage third party risks while outsourcing regarding the privacy concerns of customers?

M V Shriram: Normally we have a non-disclosure agreement and, at frequent intervals, we keep taking the entire data back.

A unique problem in the BPO industry is that the attrition rates are high, about 20 percent, which means there is a huge amount of churn that is happening. Also with growth there is a large number of new joinees that keep coming in, it’s a significant number. How do you handle this problem of awareness levels?

Mitish Chitnavis: We deal with two types of employees—the engineers and the agents at the call centre level. Talking about the software engineers first, most of them are fresh out of college. They don’t know what they have to program and how to write secure code. Initially we have different sessions at the induction level. The engineers have been given clear secure coding practices that they need to follow, as we don’t want any Trojans or bad code within the code base that we develop for our clients.

In BPO, we integrated the security awareness programme within the process training where they undergo specific training for the clients that they would be servicing. During training they have to clear an exam which has questions about information security. Until and unless they clear this, they are not let on to the floor. So automatically awareness is created within the training process.

In a large organisation like yours, taking security awareness to every user must be a real challenge, plus it’s not just the user’s awareness, but also the technology or IT guy’s awareness. So how do you deal with awareness as a problem, as people are the weakest link?

M V Shriram: A few years back, we never felt that security was a major concern at HPCL, one that we needed to concentrate on. Gradually, we realised the importance of security and the urge to create awareness among our employees about security. So we divided the company into three major divisions: the top management (board level and general manager level), senior management, and worker level. We needed a systematic plan to create awareness and at the same time keep in mind the business requirements. So we came up with awareness programmes for the top and middle management. I myself have conducted a number of sessions.

Satish Das: There are two things that you need to be doing; firstly the employees may not have time to go through the documents, and then they may be written in such a way that they may not be interesting to read. Even if the person has time, he may not be able to understand it because of the language or the way the policies and procedures are written. So the policies and procedures are meant for a totally different target segment in a company. For example, in our company we have ERM (enterprise risk management), information security, privacy policy, health and safety policies etc. We have close to 10 mandatory policies in the company. But it’s difficult to enforce these policies because people don’t go through the relevant documents or understand them, and you cannot actually enforce them because if you get into an issue, the person concerned can say, “I read the policy but I didn’t understand what it was.”

That means the company has not put in the effort to make sure that everybody understands and takes responsibility for compliance. So you don’t have a respectable enforcement policy. The simple way out is to tell employees at the ground level that these are the resources that you can use, these are the services that you need to provide using these resources, and you need to tell them how to use those things.

For example, we have notebooks and cellphones. So we need to tell the employees that as soon as they enter the office, they will not have Internet access, only the intranet access will be permitted. They may not be allowed to bring in cell phones in a BPO kind of an environment and not be allowed to take photographs. So we post all that information on a particular part of the intranet and after the two days of induction when the employee joins the organisation, he needs to clear two to three hours of awareness programme. If they don’t clear it, they don’t get their IDs enabled.

What are the roles played by the internal audit team and external audit team at HPCL?

M V Shriram: We have a separate team known as the systems audit team. They audit on the basis of well defined policies and procedures. We are a procedure-oriented organisation. We have a set of information security policies under the IT Act. Over and above that the IT department has a quarterly assessment of how security is working.

You are a service provider, and you also have your service providers. So do you go back and audit your service providers to check their success?

Sanjay Prasad: Whoever is outsourcing still has the risk arising from outsourcing. When we look at our service providers, we have an information security programme where a team of about 35 people checks that the overall thing is secure.

“When we outsource, we don’t tell the outsourcing agency what risks are being transferred. We only give the terms and conditions to comply with,” adds Satish Das.

Chitnavis adds, “It is largely driven by the clients that we should carry out due diligence with our vendors.”

How do you see compliance driving information security and regulations?

Satish Das: Two years back we had no idea that compliance requirements could have a role in the way we do things. Presently there are four regulations significantly driving what we are doing: SOX (you have to comply with it if you are US based or the subsidiary of a US-based company), health and safety compliances, privacy policies, and local laws within different countries. Some of these, which were standards two years back, are now becoming laws. If you don’t follow the standard, you may not get certified, or maybe you don’t get some customer orders, or there could be some small impact on the business. However, if you don’t follow the law, you may not even be able to operate in that country at all.

Most companies have a problem of over-auditing. There is an initiative in the US from BITS where the financial institutions were outsourcing work while they were having common standards and assessment. Now where do you see this moving?

Satish Das: I think it’s a question of how people are going to use it. Citigroup is one of our customers, so if it uses BITS and I comply with BITS, then I know that I comply with most of Citigroup’s requirements. However, this is yet to catch on.

You went through a number of frauds related to privacy. How do you take care of that and what’s your learning from it?

Mitish Chitnavis: We need to differentiate between information security and privacy. Information security is dependent on how you classify your information based on factors such as sensitivity. With regard to learning from fraud, we carried out a programme where we came to know that though we sign contracts, there are limits to liability, and hence our insurance premium went up. The scenario which came up was that controls are implemented, for instance, an agent can only transfer up to $X, but after accessing the real systems, we came to know that it accepts an unlimited amount of transfers. Now the question was—what else can I do with that? Can I transfer to a third party? Can I transfer to linked accounts? After going into this kind of activity, we went back to our client and said this was a key learning.

The most important thing is that you have the risk management score, that is for your information. But can an agent convert that risk into a fraud scenario? That is the most important thing that we identified.

In one case we got a business and we rejected the business, as the client said, “We are introducing a new system and we want agents to change passwords for online banking, and when the customer calls, he has to change it and communicate this over the phone.” So we refused to take the business as there was too much risk involved.

Satish Das: We have a lot of attrition in the IT industry and, while recruiting, we find many of the resumes are not credible. When customers come in and find out that the guy was involved in some fraud, then we get into trouble because it’s a breach of contract. The contract says that you have to have a full background check. So it is an IT industry issue. Hence, Nasscom decided to have national vigilance for resumes of all the people working in the IT industry. Now, the question is why would someone be willing to put his resume under vigilance. You can’t force people to put their resumes into the repository and be monitored.

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.