Sify helps the largest Telecom Service Provider in the Middle East reduce Information Security Risks
Background
The client is the largest service provider in the Arabian Gulf region, with a subscriber base of 11 million. With the market being thrown open to new service providers in the country, the client is reorganizing its strategy to transform itself into an aggressive and competitive company.
To fulfill this target, the company embarked on a process of reorganizing and revitalizing its business processes and infrastructure strategy. This has resulted in widespread changes across the organization, including the Information Security Secretariat.
Based on the principles of Risk Management, the Information Security Secretariat decided to analyze the Information Security Risk Posture of the organization in a changing environment with new business priorities, and reduce the risk to acceptable levels.
In order to identify a vendor with expertise and capability in providing such a turnkey service, the client invited vendors to conduct a pilot assessment of one of their call centers. As a forerunner in this space with expertise gathered across numerous countries with a multitude of organizations, Sify outmaneuvered the other competitors to win the deal.
The entire Risk Management activity was split into four phases:
- High Level Risk Assessment and Baseline Control Recommendation for all Enterprise Systems
- Detailed Risk Assessment of Very High Risk Systems
- Detailed Risk Assessment of High Risk Systems
- Detailed Risk Assessment of Medium Risk Systems
Sify's Solution Offering
Sify, with its expertise in Information Security, and its wide pool of services, was able to offer a completely customized solution to the client. The scope included assessment of 51 Enterprise Systems, Physical Security of the Data Center, Assessment of Network Security Risks and Identification of Baseline Controls.
On average, each system consisted of 7 to 8 components. There were 110 direct official deliverables, and another 160 indirect official deliverables. Lacking its own personnel to oversee the assignment, the client employed external auditors to provide quality assurance for all deliverables. A team of 16 Sify Assure Consultants interviewed nearly 70 personnel over a period of 6 months. 90% of the Telecom Giant's critical systems were analyzed, and detailed Risk Management roadmaps for the next 3 phases were provided.
During various phases of the project, the activities included:
- Development of a High Level Risk Assessment Framework
- Methodology definition to execute the Framework, which includes questionnaires, business impact levels, threat likelihood levels, and a risk determination matrix
- Standardization of Deliverables
- Identification of Systems to be assessed from a pool of Enterprise Systems
- Identification of System and Business Owners to be interviewed
- Determining the Risk profile for each and every System
- Development of a Baseline Approach
- Developing a Database of Baseline Controls
- Gap analysis of Baseline Controls with the client's Policies, Standards and Guidelines
- Identification of applicable Baseline Controls for various groups of Systems
- Overall Analysis of results to build a strategic picture of the client's security environment
- Suggesting a two-year roadmap for the Risk Management function of the client
Conclusion
The project benefited the client in the following ways:
- Investment in Information Security controls commensurate with business security risks
- Rationalization of investment in Security Controls
- Reduction of Enterprise Security Risks to acceptable levels
- A framework for conducting future high level risk assessments
- A detailed roadmap with realistic targets from quarter to quarter
Author: Mr. Pradeep Menon