Good policy makes for good security

Inergy Automotive shares strategies for creating policies that apply across the globe

Almost everyone agrees that proper security stems as much from good policy as it does from technology, but you don’t hear much about creating great policies. Arun DeSouza is responsible for policy and a whole lot more at Inergy Automotive Systems, a manufacturer of plastic fuel systems that sells to automakers around the world. With some 4,500 employees in 18 countries, it’s not possible to create policy by consensus. DeSouza explains the strategy he used to shape Inergy’s security policies and shares his view on how proper identity management can make security a business enabler rather than a burden.

What is your role within the Inergy organization?

I head a global group called Strategic Planning and Information Security, which is a division of Information Systems and Services, what we call IS&S. I report to Inergy CIO Francois Fromange, with a dual role: I manage IS&S governance initiatives, such as Budget and Risk Management. I also serve as Inergy’s CISO.

Why did Inergy combine the strategic planning role with security?

The central themes interconnecting these areas are governance and process. Strategy, of course, is an ongoing process, and it helps promote alignment between IS&S and the organization to ensure IS&S is addressing current and future needs. But as we engage in new technology projects to enable the business, the impact of security should not be forgotten. Another key consideration is prioritizing new investments and managing the IT project portfolio.

What do you mean by governance?

Governance is the process and discipline to make sure that enterprise objectives are aligned in a proper discipline framework. There are several different angles, including accounting and financial controls. Then there’s governance centered on portfolio management: making sure projects come in under budget, deliver the value they promised and align with enterprise objectives. There’s also a compliance tier to it. Governance is actually a catch-all role for the idea of important business management disciplines. It’s not just IT, it’s really a business function. I focus on governance for IT, but governance can be extended to the whole business itself.

Who was involved in shaping security policies at Inergy?

We had a cross-functional team involving human resources and IS&S, as well as the legal department. The team had a variety of representatives, but the objective was to come up with a core set of policies based on industry best practices and [International Organization for Standardization] guidelines.

We created a straw-man policy using our parent company policies and industry best practices. Then we worked section by section and just refined it through [Microsoft’s] NetMeeting and conference calls. In certain instances, we’d have in-person meetings with people from the legal department from both our corporate Inergy location and the parent company as well to make sure the policy didn’t conflict with any privacy or other regulations in any specific region.

Getting personal: Arun DeSouza
Title: Manager, global service assurance, and CISO
Company: Inergy Automotive Systems
Responsibilities: About 1.5% of annual revenue
Number of IT staff: 75 worldwide
Education: Doctorate in chemical engineering, specializing in computer-aided process control, Vanderbilt University; M.S. in chemical engineering, Vanderbilt University; bachelor of technology in chemical engineering, Indian Institute of Technology.
Previous job: Served as engineering and IT manager at Guspro in Ontario, Canada.
First PC: Zenith IBM-compatible x86, in 1988
First Internet experience: Using Netscape Navigator and AOL Webcrawler to check out sports and financial sites.
Words to live by: "I have three principles that I live by: Relationships are everything. Be true to yourself. Don't expect more from others than you're willing to give."

Were any departmental-level employees involved?

No, just a core team nominated by the executive sponsors, who at the time were the vice president of human resources and the vice president of IS&S.

Ultimately, employees have to live with these policies, so how do you get their buy-in?

Inergy is a company that’s in 40-plus locations, with 4,500 employees and there’s no way you can really satisfy everybody. The approach we took was to get buy-in first from our executive sponsors — the VPs of HR and IT. Then we had a management committee made up of the top executives of the company. They talked to their line managers, the people underneath them, about any questions, comments or concerns. In a couple of instances we made some revisions. That worked pretty well. I think people accepted it much better than us asking so many people for input and then not being able to accomplish anything in a timely fashion. Plus, we did look at our parent company’s security policy and other places, too, so we had a pretty good idea as to what was physically possible, rather than just doing a pie-in-the-sky policy.

When did all this take place?

This security policy was originally released in 2003.

Do you make revisions over time?

We have not had to make many revisions to the core policy because it was pretty comprehensive. It has four sections in it for computer usage, e-mail and voice mail usage, Internet usage, and compliance and disciplinary action. That is a simple English policy that the average employee can understand. From time to time, we have ancillary policies developed to address a certain circumstance. For example, the acceptable-Internet-content policy that says what Web sites you cannot go to, or the wireless-access policy and the supplier-access policy. We have specific policies that blow out how we address a specific, niche security need.

How do you gauge the level of risk you face in any given area, so you can write the policy accordingly?

The classic one is the supplier-access policy because we want to have good mechanisms to allow secure access for external suppliers or customers. The trick is to assess the level of risk based on the resources that you want to grant access to. If we determine it’s a rather low-value resource, such as maybe just a product list, we could use HTTPS-based FTP. For more high-value resources, we might use integrated authentication with your Active Directory.

Who makes the assessment as to what value your various resources have?

This is always a decision taken in tandem with our key internal business partners, including finance and human resources. Today we do it on an as-needed basis. In the future we will do it within the context of an Enterprise Architecture Council, which is now being formed and will meet quarterly starting in October.

What are some of the cornerstones of your policy with respect to what employees are and are not allowed to do?

We do not allow employees to access Web sites that are in violation of acceptable-content policy. Nor are they allowed to have questionable pornographic content on their desktops or laptops. This is managed via our SurfControl implementation.

Remote access to the Inergy network must be specifically authorized and is available only to approved owners of company laptops. Even if you have consultants that need to extensively access our network, they must be provided a laptop or desktop with the company-standard antivirus and things like that. Employees also must not place confidential company material on any publicly accessible Internet computer system unless the posting has first been approved by management. In the same theme, wireless access is permitted only from company-sanctioned laptops equipped with standard safety controls. There are other areas we’re considering, like instant messaging policies. But there’s a practicality there: until we find a good solution, we’re not going to just lock it down. We try to balance controls with solutions, rather than just put out policies that kill business collaboration.

How do you monitor for compliance with all these policies?

We use the honor system for the most part. We don’t want to overcontrol, but we do take certain precautions. For example, we have periodic audits that administrators run to see if people have tried to hack into domain controllers or our proxy servers, maybe look at our logs. That alerts us to certain things and if we need to take action, we do. So really it’s a combination of selective technical auditing balanced with discovery and letting employees help us with the security process. And people have come forward in certain instances [to alert us to violations].

What are some instances where an employee will come forward?

For example, if they see somebody trying to look at objectionable content on their computer.

How do you educate your employees about your policies?

In most countries, employees go through a standard orientation session. As part of that, there’s a checklist of things that need to be done. One is, they are introduced to the security policy by the local HR group. In some countries they have to sign that they’ve read it, and if they have any questions they can contact me or the local IT staff. Two to three times per year we also publish newsletters or point publications on security. If there’s an emergency that people need to know about, such as a virus outbreak, then we publish that on an emergency basis using e-mail and our Internet portal. We tend to use our portal to cascade these communications.

What are the consequences for employees of noncompliance?

Typically, incidents are reported to local human resources and to me. We work together with the appropriate chain of command to address the matter and take the appropriate action. Consequences could range from a note in the personnel file or a reprimand or other disciplinary action, up to and including termination. It’s fairly straightforward.

How do you implement your policies on production systems?

The main approach is to have a multitiered defense, including firewalls, proxy servers, antivirus and QoS appliances, all working together to make sure at every point there’s some sort of a backup. As far as access control goes, we have rules on the corporate firewalls and proxy servers. On the proxy servers we have the SurfControl content filtering system to ensure people cannot go to nonbusiness sites that are not sanctioned. We also have spam filtering for all of our Internet-facing e-mail, to make sure we don’t get viruses and malware.

Inergy is based in France and has offices in 18 countries. What challenges does that create in coming up with a global security policy?

Each country has its own specific challenges. Therefore, during policy development we always rely heavily on advice and guidance from the legal departments within Inergy or our parent companies, depending on the region. For example, in France there’s an organization called the CNIL [Commission Nationale de l’Informatique et des Libertés], which is like the consumer security watchdog. It has very strict guidelines on privacy protection. So, especially in France, where our parent company and our corporate headquarters are based, we have to balance these kinds of mandates.

Who is responsible for keeping track of new regulations?

In the United States, I read up on it. In any other country, we have corporate legal departments in each region that advise us if they come across something we need to do.

But we have a little bit of breathing room at Inergy because we’re a private company and so we don’t have to follow all regulations as strictly as publicly traded companies.

With such a huge workforce, how do you educate people about the various threats out there, especially new forms of social engineering attacks that arrive daily via e-mail?

We have best practices that are tied to the security policy. Guidance on passwords, e-mail do’s and don’ts, things like that. Obviously we try to educate them, but with the passage of time, people forget. So we keep reiterating the message. We have to use a combination of orientations, newsletters and periodic online seminars. In the future we’ll be doing Webinars to educate them.

In what ways do you think security can be a business enabler, as opposed to just a burden on employees and the business?

The best example I can give is the area of identity management, because good identity management provides a host of benefits. You can increase productivity at reduced cost by minimizing the need for multiple passwords while increasing security. That reduces the password-reset burden on the help desk staff, so they can focus on more productive work, and keeps employees from getting locked out of their systems for long periods of time. And if people have to log into 50 different systems using 50 different passwords, they’re not productive, they’re not efficient, and security can be compromised because they start sticking sticky notes under their laptops and things like that.
