NEXT100 Winner 2016 Jayakrishnan P, Associate Vice President, Muthoot Fincorp, shares his perspective on safeguarding the security of data assets
At Muthoot Fincorp Limited, an RBI-regulated NBFC with more than 3500 branches pan India, we treat security with the utmost importance. With increasing incidents of data breaches around the world, we are highly committed to ensuring the security of our data assets and the interests of our stakeholders.
We have implemented state-of-the-art datacenters and disaster recovery centers with the most modern security features around the network. We have two layers of security around the network. The primary protection is provided by firewalls at our datacenters. At the branch level we have the UTM Box and the Symantec End-point Protection solution enabled on all machines connected to the network. Using Symantec End-point Protection, we ensure that all access to external devices is blocked. The UTM Box ensures that users can access only whitelisted websites, so that there is no unauthorised access to other sites, which protects us against malware and ransomware attacks.
I. Security Operations
a. Audit Logs and Events
The infrastructure team consistently monitors Event Viewer and SEP logs for any unauthorized or suspicious access to the system and configuration files.
b. Network Access Control
Only authorized users and devices gain access to our networks. Any vulnerability is proactively identified and patched immediately. Wireless networks are managed by controllers with security policies and filters put in place with predefined protocols.
c. Network Protection and Standards
The enterprise's internal and external networks are protected from unauthorized activity. The network security team has implemented state-of-the-art network security and administration policies using FortiGate UTMs and Symantec End-point Protection Manager. Advisories from CERT-In are monitored by senior network specialists and all of them are implemented.
d. Mobile Security
All mobile devices are protected using Mobile Device Management (MDM). The MDM uses an enterprise-wide product called Samsung Knox, which comes highly recommended. It was chosen after a thorough evaluation of competing products, and was benchmarked as one of the most powerful products for MDM. Only the applications and settings defined in the MDM policies can be accessed on the device. All internal wireless access points are managed by Fortinet's FortiAP product and configured with security policies and filters.
e. Protection against Malicious Code
We are protected against malicious code with SEP and FSRM on servers. The network devices are patched with the latest fixes as per vendor recommendations.
f. Background Checks on all Employees
Our Human Resources department performs background checks on all our employees, including outsourced employees.
II. Threat & Vulnerability Management
a. Incident Management
Security incidents are managed with a consistent and effective approach to responding to and recovering from a disruption. Security events are identified using SEPM and FortiAnalyzer reporting.
b. Patch Management
Patch management is performed using WSUS for Microsoft applications and Operating Systems.
c. Vendor Firmware Updates for Servers & Network Devices
Technical vulnerabilities are patched as per the advisories from vendors as well as CERT-In.
d. Application Vulnerability Assessment
All applications undergo VAPT testing, and their vulnerabilities are addressed accordingly.
e. Security at Branch Level
All branches are equipped with CCTV, and all motion-based recording goes into the cloud for verification and alerts.
f. Emergency Response Team for Enhanced Security at Branches
An Emergency Response team has been constituted, in which a fleet of cars with security officers is alerted to any incident at a branch, including attempted break-ins, robbery, etc., and the officers physically attend the branches in their cluster. This provides an added layer of deterrence.
III. Identity Access Management
a. Access Control
Only authorized personnel are provided access to application systems, with appropriate levels of privilege. Frequent audits are conducted to weed out inactive users.
b. Maker Checker Rule
All our financial applications have a maker-checker facility as a security measure.
At MFL, we have implemented two-level authentication using username and employee ID with strong passwords. External access is restricted, and is possible only through a VPN client application. Emergency access is not given to unauthorized parties.
d. Operating System Security
System access is restricted with strong domain & local user credentials. All user accounts (mail, domain, VPN, application) are immediately disabled during NOC clearance.
e. Data Security
Data-level security is implemented using hashing, whereby data is protected against unwanted tampering.
IV. Business Continuity Management
a. Disaster Recovery
At MFL, we have implemented state-of-the-art datacenters and disaster recovery centers with the most modern security features around the network. For Disaster Recovery (DR), we use Hyper-V Replica and Double-Take as DR tools. DR failover drills are carried out periodically.
b. Data Backup
We have defined backup and restore procedures, which are carried out using TSM and Symantec Backup Exec.
c. Physical Security
Our physical assets are in a protected environment. Our datacenter is a Tier-3 datacenter managed by SIFY at Electronic City, Bangalore. Only authorized personnel are given access to the premises, which are managed by SIFY security and their facilities management team. Being a Tier-3 datacenter, it is also protected from environmental threats and hazards.