Information Security Management in Indian IT Industry

Apr 06, 2018

Pranav Katariya
  • 8/3/2019 Information Security Management in Indian IT Industry

    1/36

    Information Security Management in Indian IT Industry

    Presented By:

    Naureen Broca - 1030141112

    Pranav Kataria - 10030141114

    Malcolm D'Souza - 10030141115

    IT & ITES INDUSTRY IN INDIA

    Over the past decade, the information technology industry has become one of the fastest growing industries in India.

    Strong demand over the past few years has placed India amongst the fastest growing IT markets in the Asia-Pacific region.

    The Indian software and information technology enabled services (ITES) industry has grown at a compounded annual growth rate (CAGR) of 28 percent during the last five years.

    Global software product giants such as Microsoft, Oracle, SAP, etc., have established their captive development centres in India.

    Organizational Structure of Indian IT

    IT/ITeS industry: Steady growth track

    Direct employment for four million and indirect employment for 10 to 12 million by 2015

    Expected to earn revenues of US$ 64 billion in FY2008, recording a CAGR of 31 per cent over the last five years

    Domestic market comprises hardware, software and IT-BPO services

    India maintains lead in IT/ITeS

    Indian IT/ITeS sector has matured considerably with its

    - expansion into varied verticals

    - well differentiated service offerings

    - increasing geographic penetration

    India's importance among emerging economies, both as a supply and demand centre, is fuelling further growth of the sector

    India maintains its position as a strategic off-shoring destination for MNCs worldwide

    IT/ITeS sector contributed to over 5.4 per cent of India's GDP in 2006-07, an increase from 4.8 per cent in 2005-06

    CURRENT STATUS:

    IT Services

    Banking, Financial Services and Insurance (BFSI) vertical continues to account for the largest share of exports at 31 per cent

    Telecom vertical accounts for second-largest share of the pie at 19 per cent

    Other verticals such as manufacturing, retail, media and healthcare are rapidly gaining pace

    ITES-BPO

    Industry has graduated to providing a high proportion of voice-based services and a wide range of back-office processing activities

    Scope of services has expanded in the last (three to four) years, to include increasingly complex processes involving rule-based decision making and research services requiring informed individual judgment

    IT/ITeS sector: Moving up the value chain

    India, earlier the primary global offshoring destination for low-end back-office services, is now emerging as an innovation and research hub

    India is estimated to continue attracting substantial investments in the sector, with the cost-arbitrage factor expected to prevail for another 10 to 15 years

    The ITeS segment is expected to leverage the penetration of the IT segment; complementing and completing end-to-end customer requirements with the aid of offshore and onshore service offerings

    Major IT & ITES Companies in India

    Why Information Security is important in IT Industry

    The Value of Information

    The businesses will hold sensitive information on their employees, salary information, financial results, and business plans for the year ahead.

    They may also hold trade secrets, research and other information that gives them a competitive edge.

    Individuals usually hold sensitive personal information on their home computers and typically perform online functions such as banking, shopping and social networking; sharing their sensitive information with others over the internet.

    As more and more of this information is stored and processed electronically and transmitted across company networks or the internet, the risk of unauthorised access increases.

    Security Threats & Measures

    Threats & Measures

    Conduct Employee Security Awareness Training: Raising the awareness level of employees through mandatory, monthly online courses is a terrific way to remind them that security is everyone's responsibility. Choose a training program that offers up-to-date courses, ensures users understand policies and procedures, and provides reporting to management.

    Malicious Insiders (Rising Threat): Employees with malicious intent have always been the biggest threat to their organizations.

    Threats & Measures

    URL Filtering, Patch Management and Other Protections. Proactively manage the sites where employees are allowed to surf by limiting them to safe, approved sites from reputable web publishers. Employ Patch Management and system AV & spyware protection to combat the malware threat.

    Malware (Steady Threat): Malicious software can include viruses, worms, Trojan horse programs, etc. but most importantly websites that host malware, which has become the most prolific distribution method.

    Threats & Measures

    Implement Comprehensive Patch Management: Often some of the most sensitive data are on non-Microsoft systems such as Linux, UNIX or Macintosh.

    Invest in a patch management solution offering full visibility into your network and covering all operating systems and vendors, not just Microsoft.

    Consider host-based intrusion prevention (HIPS) which can monitor your system looking for anomalous behavior, applications attempting to be installed, user escalation, and other non-standard events.

    Exploited Vulnerabilities (Weakening Threat): Hackers find a weakness in a commonly used system or software product and exploit it for their gain.

    Threats & Measures

    Social Engineering Testing: In addition to employee training to raise awareness you can hire a firm to come in and test your employees for their resilience to social engineering. A 3rd party can use mock scenarios to assess your vulnerability to a real attack.

    Social Engineering (Rising Threat): With hacking you are compromising a computer, but with social engineering you compromise a human by tricking him/her into supplying personal information and passwords. Any method of communication will be used to perpetrate this fraud including telephones, mobile phones, text messaging, instant messaging, impersonation of support/vendor staff and social networking sites

    Threats & Measures

    Conduct Employee Security Awareness Training: Raising the awareness level of employees through mandatory, monthly online courses is a terrific way to remind them that security is everyone's responsibility. Choose a training program that offers up-to-date courses, ensures users understand policies and procedures, and provides reporting to management.

    Careless Employees (Rising Threat): Mistakes made by careless or untrained employees can lead to a significant security compromise. A poor economic climate puts strains on employees causing them to cut corners or important duties. It can also lead to less formal employee training.

    Threats & Measures

    Consider Opting for a Software-as-a-Service (SaaS) Solution to Cut Costs. A company that has traditionally kept their security management and monitoring in-house may use this as an opportunity to look at the cost benefits of outsourcing it to a leading security firm. Choose a provider that offers a broad range of services, is financially viable, and is audited by multiple independent 3rd parties.

    Reduced Budgets (Rising Threat): A weak economy leads companies to tighten their budgets, which results in less headcount and less money for upgrades and new systems.

    Threats & Measures

    Use The Same Systems For Telecommuters As For On-Site Employees. Don't forget to install security on your remote VPNs. Make sure that remote users use company issued systems with updated security patches and web content filtering. Provide easily accessible on-call tech support so that employees don't resort to fixing things themselves and possibly disabling necessary security measures. Isolate work computers at home from the kids who can download threats along with their games.

    Remote Workers & Road Warriors (Steady Threat): Telecommuting and mobile workers are on the upswing.

    Threats & Measures

    Limit Download and System Update Administration to a Trained IT Professional. Don't allow users to download and install software on their desktops. Regularly update system AV & Spyware Protection. Consider host-based intrusion prevention (HIPS) which can monitor your system looking for anomalous behavior, applications attempting to be installed, user escalation, and other non-standard events but make sure that only IT managers have access to this.

    Downloaded Software Including Open Source and P2P files (Steady Threat): IT administrators may download and install open source software or freeware in an attempt to save money, which can lead to a huge waste of time in software configuration and fine tuning or a data breach.

    Most Times: Threat Comes Like

    What is needed for Prevention

    Privacy?

    Insiders Threat

    Comfort Zone for Prevention

    Eg- Data Leakage Prevention

    Case Study

    Wipro Technologies implements Websense to help manage Web threats and improve policy management

    Overview

    Wipro Technologies is a global service provider in IT services and other services such as technology infrastructure, consulting and Business Process Outsourcing (BPO).

    It has approximately 95,000 employees (US, Europe, Canada and Japan) and 54 development centres worldwide.

    Problem Statement

    All the offices of Wipro Technologies across the globe are connected by LAN points, which link approximately 60,000 desktops and laptops and 1,900 servers. The company's internal IT team of approximately 700 professionals centrally manages their IT infrastructure from Bangalore. This team caters to all of Wipro employees' as well as customers' IT needs, for all locations across the globe. While the implementation of various policies has been taken care of by the different locations themselves, the policies are managed from Bangalore.

    One of the main challenges faced by Wipro in terms of security was the accidental access to malware and spyware by employees. Employees would inadvertently allow in malware which could put the entire business at risk, or cripple the systems. "We needed to ensure that malware and spyware did not get entry into our systems and that employees were not accidentally accessing inappropriate sites," says J Pazhamalai, GM, Information Risk Management, Wipro.

    Solution

    Websense Integration

    Websense Web Security Suite installation on 3 gateways

    Awareness regarding the risks associated with free Internet access was created and data security was given top priority.

    The Results

    Categorising websites is now far simpler, making it easier to set down policies for access

    Regular updates of blacklisted websites help in ensuring better information security risk management

    Decrease in the access of unwanted and unauthorised sites

    Improved network bandwidth usage
