Dawnay Day AV India's information security risk management mantras

Information security is an operational risk that can ruin a financial services firm. Here's a look at how Dawnay Day AV India Advisors mitigates these threats.

Dipesh Thakar
Dipesh Thakar, Dawnay Day AV's CTO

Dipesh Thakar, the chief technology officer of Dawnay Day AV India Advisors Pvt Ltd., has a major responsibility -- guarding the financial firm's bastions against security threats. This is an ongoing challenge, since the organization's business model involves stockbroking and online trading, which brings Indian markets and regulators into the picture. With regular mandatory audits by exchanges like Bombay Stock Exchange (BSE) and National Stock Exchange (NSE), it's imperative that the organization's security infrastructure provide secure trading experiences for customers in India's booming markets.

Formed in 2006, Dawnay Day AV India has four businesses: Dawnay Day AV Financial Services (portfolio management services), Dawnay Day AV India Advisors (financial advisory services to individuals), Dawnay Day AV Securities (brokering stocks and shares) and Dawnay Day AV Analytics (global research outsourcing). Dawnay Day AV has been acquired by New Silk Route, and integration (as well as a rebranding exercise) is in process.

Tailor security policies

According to Dawnay Day AV India's IT team members, the definitive guide for securing their business has been the information security policy. Drafted in 2006 at Dawnay Day AV India's launch, the security policy has the sign-off from all business stakeholders, including the top management. It has seen two revisions so far.

"Keeping our business objectives of stockbroking and online broking in mind, we drafted an information security policy which helps us define secure access for our users and business partners," Thakar says. Dawnay Day AV India's formalized security policy details aspects such as change management, mobile device usage, email, web browsing, network access and certain human resources (HR) policies. It's a standalone document available on the intranet.

Ensure user awareness

Dawnay Day AV India is very clear that users should be aware of the security policy's importance. "At the time of induction, we educate users on the basic security policy. This includes aspects such as how to securely use infrastructure and access networks," Thakar says.

A dedicated training department (part of HR) conducts the training sessions. Users are then directed to the information security policy, and the IT team resolves any further user queries. Follow-up training sessions are conducted on an as-needed basis.

Get layered security

Dawnay Day AV India operates out of two data centers. The first data center is located in the organization's Mumbai office premises. Netmagic Solutions' Mumbai data center hosts Dawnay Day AV India's online trading infrastructure. These two data centers cater to 45 Dawnay Day AV India locations and 100 indirect channels.

"Our entire online trading application portfolio is hosted with Netmagic, since that's our core business, where I cannot afford any downtime. Netmagic manages our entire setup hosted in their data center, including security. In our in-house data center, HCL manages the entire show. Applications are managed by our in-house team," Thakar says.

Other than this, Dawnay Day AV India has multiple levels of network protection. These include protection at the router, an entry-level firewall, internal content filtering and a spam filter. An intrusion detection system (IDS) and an intrusion prevention system (IPS), with IPS/IDS log monitoring performed by HCL, provide yet another protection level.

For client-level access control and protection, Dawnay Day AV India uses McAfee Inc.'s Total Protection (ToPS) hosted service, which provides antivirus, antispyware and personal firewall capabilities. It also takes care of aspects such as desktop, patch and inventory management. ToPS also ensures that desktop-level access to USB devices, CD/DVD drives and network settings is granted, as per the defined access rights.

At the network level, in addition to the standard LAN authorization, internal wireless LAN (WLAN) access is secured using 128-bit encryption. Dawnay Day AV India also has SSL virtual private network (VPN) connectivity for remote users. Third-party business partners such as traders are allowed SSL VPN access based on static IPs. Dawnay Day AV India's intranet is accessible only from the internal network or through SSL VPN.

When employees leave the network perimeter, separate policies are enforced using McAfee ePolicy Orchestrator. The roaming user's laptop undergoes a thorough scan on his return and is granted access only if it has the latest updates. When it comes to BlackBerry devices, users have only corporate email access.

A strong password management policy is also in place, where VPN, WLAN and PC passwords for internal employees and business associates are changed every 15 days. Password strength is managed through Active Directory policies. Passwords are also changed when a roaming laptop user re-enters the network. To reduce financial risk on the website, Dawnay Day AV India has measures such as SSL with 256-bit encryption.

On the physical security front, CCTV s closed-circuit televisions are complemented by a dedicated building management team monitoring the premises on a 24/7 basis, and visitor passes with photo identification.

Audit IT right

As a financial institution, Dawnay Day AV India undergoes regular information security audits by BSE and NSE. The organization also undergoes regular security audits by external auditors like KPMG.

Dawnay Day AV India conducts weekly internal security audits managed by HCL, with departments being checked on a random basis. "The systems are thoroughly audited to determine usage patterns, password strength, etc.," Thakar says.

Get certified

Information security certifications are a good way to benchmark your organization's security preparedness on a global scale. This is why an ISO 27001 certification for the entire business (post-merger) is high on Dawnay Day AV India's security to-do list.

At present, Dawnay Day AV Analytics is ISO 27001-certified. Thakar says he's waiting for the merger to be over to get the other three companies certified. In the meanwhile, the team is working on getting Hacker Safe certification for the business.

Read more on IT risk management