- Achieved enterprise-wide Level 1 PCI DSS compliance in 2007, making WNS first BPO in India to do so
- Instrumental in SIEM and integrated SOC implementation at WNS
- Successfully managed CSR initiative to provide infosec training to Mumbai police
- Effective management of multiple compliance standards including ISO27001, PCI DSS, SOX and ISAE 3402/SSAE 16
Arup Chatterjee, the chief information security officer at WNS Global Services, has seen security metamorphose over the last decade from something organizations paid attention to merely for compliance requirements, to the hygiene factor it is today. Chatterjee moved into the information security sphere at WNS Global Services in 2003, and, as an integral part of the risk management team, was one of the pioneers who kicked off the company’s BS 7799 initiative back then. Chatterjee took over as CISO at WNS in 2006, and now manages information security for over 23,000 employees at nearly 20 delivery locations of WNS across the globe.
Under Chatterjee, WNS Global Services was the first third-party BPO in India to attain PCI DSS certification, in the year 2007. WNS achieved a Level 1 PCI DSS certification for its entire business, which was a first for its segment at the time. While it was not mandated, Chatterjee has always viewed credit-related data security to be an extremely significant area of risk.
WNS is also certified under ISO 27001 and ISAE 3402/SSAE 16 (previously SAS 70). WNS undergoes the SAS 70 type-2 exercise every year, over and above its ISO and PCI certification, giving customers based in international locations the additional comfort of SOX compliance. In addition, as an NYSE-listed company, WNS is SOX compliant on its own.
The risk management team that Chatterjee heads is 17 strong, operating within the risk management and audit function. Chatterjee reports to the senior VP for audit and risk, a position equivalent to that of CRO. The risk management function reports to the CFO, a fact which Chatterjee points to as an indication of the importance given to infosec in the organization.
Chatterjee identifies people as the number one risk. The demographics change depending on age groups, cultures and geographies, he says, adding that people in India, for instance, behave differently from Russians or Filipinos. He reasons that different people have varying values and importance associated with information security, so the subsequent commitment to infosec also changes accordingly. Information security at WNS has been incorporated into the business code of ethics, he says, which is promoted internally as an organizational value.
Chatterjee was instrumental in implementing WNS’ SIEM solution and a 24x7 SOC providing convergence of multiple security monitoring systems under one umbrella. This has given WNS the benefit of improved resource utilization and incident management standards, and better visibility.
According to Chatterjee, there is a clear line of segregation between the IT and risk management functions at WNS. While implementation is left to IT, specific functions such as SIEM, DLP and log management are managed and controlled by Chatterjee’s team for the purpose of independence. Additionally, Chatterjee has a gateway level active, a Web applications firewall, and controls such as profile purging. Chatterjee and his team manage over 200 critical apps.
Under the leadership of Chatterjee, WNS has been involved in a CSR initiative through which the organization conducted an information security program for the Mumbai police to train 600 personnel in information security best practices. In addition, WNS also created a bilingual cyber security booklet, available at every police station in Mumbai and Thane. Chatterjee treasures this as a significant personal achievement that has provided him with immense satisfaction.