HCL Comnet Ltd.

ITIL | BS 7799 | ISO 9001:2000 

 
 
 

Today’s corporate world depends on the smooth transfer of information between valid parties. The key properties of secure and useful information - CONFIDENTIALITY, INTEGRITY and AVAILABILITY - therefore have to be ensured for effective functioning and company survival. This is especially true for any service provider.

All customer organizations, before entrusting sensitive data to an outside party, need confidence that their data is safe from damage, theft and misuse. To be confident, the customer needs to measure the security capability against a standard.

Standards for IT Security and Information Security have emerged in the past few years. These have been aimed at providing guidelines to measure security postures against a given standard methodology of appraisal. Certifications include CISA, CISSP, and BS 7799 among others. While the first two are geared towards certifying persons who work with a standard-based approach to deliver the end objective, the last one is directed toward enabling organizations to arrive at a properly structured and verifiable Information Systems Management System.

 

BS 7799 is a two-part standard that guides the deployment of a comprehensive information security system covering all aspects.

BS7799 Part 1 gives best practice recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organisation. It is intended to provide a common basis for developing effective security management practice and to provide confidence in inter-company trading agreements and business partnerships.

BS7799 Part 2 defines 127 security controls structured under 10 domains, so that organisations can identify the particular safeguards appropriate to their business or specific area of responsibility. These areas cover elements that can affect information security and business functioning – such as physical & environmental security or compliance with legal requirements. These domains are:

   
Information Security Policy
Organisational Security
Asset Classification and Control
Personnel Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Systems Development and Maintenance
Business Continuity Management
Compliance
 


HCL Comnet is in the business of providing managed services to its clients in significant areas of IT, such as network management, IT infrastructure management and security management. We handle huge amounts of critical and confidential customer information, either in transit or stored on our servers.

To have the strongest capability to provide services to our customers and assure quality, we consolidate our managed services under the BS7799 standard. The core parts of our service-providing wing – NOC, SOC, ITSM, Hub, IS – go through this process to ensure service delivery of the highest quality standards.

 

 

 

   
Designating Organization Team: A core team works with different departments for this. Within each department, one or two persons develop security processes for that entity. These groups report back to the group of senior managers who form HCL Comnet’s security apex group.
Asset Classification: All assets (whether physical, software, information or any other type) in every department within the scope of the ISMS are classified in terms of their properties.
Risk Assessment: For all these assets, the departments rate the importance of the information on the parameters of CONFIDENTIALITY, INTEGRITY and AVAILABILITY. The group also uses a common method to evaluate the vulnerabilities and threats to any of these assets – and arrive at a RISK measure for the asset.
Risk Treatment: If the RISK measure of an asset is found to be high, additional security measures are devised and implemented to bring down the risk. These implementations require sustained effort and continuous improvement, so many departments will keep experiencing changes in their processes.
Process Documentation: As with all pushes towards certification, this too requires keeping all processes documented and up-to-date. This includes all the processes and procedures followed within every department covered by the effort. At times, such procedures, logs or records already exist – in which case an effort to streamline them will be made.
Enforcement: We are great at solving problems and implementing fixes. Somehow the hard work put in to build the process is not sustained through regular enforcement. This is where security depends on YOU. Every person within the organization has to contribute to enhancing security. This could be by simple things – like following guidelines and records rigorously, or by telling your manager about a security flaw in the processes within your department.

 

 
“I place this on record that whatever we had asked has been given to us by HCL Comnet.”
Chandera Shekhar, CIO, NCDEX
 
 
Copyright © 2004 HCL Comnet Ltd.