- A comprehensive IT asset hardening project across 1250 branches and 8500 endpoints, followed by case-by-case audit
- End-to-end data flow analysis project and user training, covering partners and vendors
- Instrumental in driving certification bids for ISO 27001, BS 25999 and ITDR; exploring COBIT
Faraz Ahmed, the CISO at Reliance Life, is of the firm belief that every security implementation comes with two challenges — technology and people. The people component, says Ahmed, is the most important make-or-break factor. This is a fine balancing act, in which a CISO needs to innovate, meeting business requirements, while ensuring that the security posture is not compromised.
Upon joining Reliance Life three years ago in 2008, Ahmed started by synergizing with the Reliance Capital Group on security best practices. With Reliance Life being the biggest component company of the Reliance Capital Group, with over 16,000 employees, Ahmed had his task cut out for him. Ahmed believes that Reliance Life’s robust security posture today is the result of working closely with partners and peers across all lines of business. Ahmed reports directly to the Group CTO and the Group CISO, in addition to having a close informal reporting relationship with the chief risk officer. Ahmed reasons that, since security is an equal part of risk and technology, this arrangement works very well.
One of the first projects that Ahmed undertook was hardening the IT infrastructure. Ahmed’s team identified Reliance Life’s assets across its 1,250 branches, and ensured that every asset was compliant with a baseline hardened configuration. Excess assets were culled out of the system to further strengthen this compliant posture. This exercise was immediately followed up with case-by-case auditing. Ahmed’s team was thus able to harden over 8,500 endpoints in a short period, and bring them in line with the organization’s security best practices.
Ahmed’s second major achievement at Reliance Life has been the data flow analysis (DFA) project. Under this project, the team identified the creation and classification of data and the flow of data within systems and applications, and with vendors, followed by implementation of requisite controls.
The project also involved a fair bit of user training; employees were educated on the creation and handling of confidential data. All partners and vendors facilitating the creation, processing or output of data are also covered under the DFA project. Reliance Life at present has around 20 such partners.
With a basket of over 50 applications in addition to around 150 processes, Ahmed has a comprehensive framework in place when it comes to technological controls. His team pre-hardens Reliance Life’s endpoints with endpoint management software, compliance management agents, IRM/DLP agents and encryption technologies.
Looking ahead, Ahmed has put Reliance Life on the security fast-track by bidding for an ISO 27001 certification. Ahmed has also been instrumental in Reliance Life’s bid for BS 25999 and IT/DR, both of which are already underway. Reliance Life will also be exploring a COBIT certification in 2012.
With over 17 years in the industry, Ahmed was earlier an application developer and a network engineer, and has specialized in security for the last decade or so. Ahmed believes that security needs to be a facilitator rather than a show stopper. His utopian vision is to enable any employee to work securely from anywhere in the world with whatever device they have on hand.