House of cards

Card manufacturing giant Cupola Plastics recently completed an extensive ISO 27001 certification of its information security practices and processes, with the aim of providing a more secure product for its customers.

By Imthishan Giado, published September 6, 2009, Arabian Computer News

You always get the feeling you're not entirely welcome in Cupola Plastics. From the outside, the plastic card manufacturing facility is an imposing sight - high walls edged with barbed wire, while two immense black gates prevent access to the uninvited.

Once inside, the sense of hostility is undiminished. Access is prevented by another gate which only opens once you get a special security pass from the security officer - whom you have to speak to through bulletproof glass. If you manage to get past that gate, you'll find that your newly-acquired card severely restricts access to most areas of the plant.

If you bother to look up at any point, you'll find security cameras following your every move. For that matter, each time you swipe the card, the action is logged to study your motions through the plant.

Sound a little draconian? A little, perhaps, but completely necessary when you consider the business Cupola is in - manufacturing identification, credit and debit cards, to give just a small sample of their portfolio. In the wrong hands, these little pieces of plastic could be used for identity theft or worse yet, financial gain. So it's safe to say that Cupola is paranoid about security, but in a good way.

It's also one of the reasons why the firm has recently completed an extensive ISO 27001 certification, with the help of consultants Paramount Computer Systems, which confirms that the facility and its employees conform to the highest standards of information security management. As the company deals almost exclusively with sensitive data, certification can only be one further source of assurance to Cupola's many customers from the financial and government spheres.

Sabir KV, Cupola's IT manager, details the firm's basic structure: "We can divide our IT infrastructure into three parts - back office IT, scratch-card personalisation and the personalisation department. Scratch-card personalisation looks after the prepaid printing cards. Personalisation network deals with credit and debit card personalisation of financial and non-financial cards. Back office supports users as well as the production department."

Iftikhar Kathawala, the firm's chief financial officer, modestly classifies the manufacturer as a small-to-medium enterprise, with a total IT user base of 100, supported by nine IT staff. Though it is not a very large organisation, its impact is huge - Kathawala claims that the firm provides credit cards for 80% of regional banks and telephone scratch cards for some of the biggest telcos in the region, including such well-known names as Batelco, Zain and Nawras.

Sabir says these customers prioritise security above all else: "For us, a good product is a secure product. A card is considered a good card only if the data along with it is secured. That's how the business is. If you look at the physical security of the facility, we have at least 60-70 security cameras all over the place. We have dedicated access controls, motion detectors and it is connected to the Dubai Police control room in the event of an emergency."

It may seem like overkill to some, especially in a region which has not experienced any reported thefts from manufacturing facilities, but incidents in Europe have left Sabir wary.

"The last reported credit card theft was in Russia from the manufacturing units. Otherwise, in this region, the most reports are from the ATM machines. If you know the card specifications, you can replicate it easily. There are hidden security mechanisms attached to the card in terms of UV lights, holograms, tracking information, encryption keys. If you get all this information, you can replicate it outside," he explains.

But with all this extensive security already in place at Cupola, why did Cupola need the extra fillip of certification? Sabir explains.

"We are accredited to Visa and Mastercard. The set of requirements are huge - you should have interlocking gates and doors, bulletproof security reception in the physical side of it, to start. Information security-wise, they look at, what are the data transmission mechanism that you are using? What are the intrusion detection system that you are using? How much level of data is protected? How is it classified and how are you protecting your information assets? Who are the data owners or custodians?" he asks.

On top of this, each customer - from Visa and MasterCard to individual banks - has its own set of regulations to secure data. Sabir adds that many customers require frequent audits to ensure compliance and, as he puts it, it has become a tedious task to comply with all these standards.

"What we have decided is to have a common standard which will suffice all the requirements. ISO 27001 certification stands on the top and includes the Visa and MasterCard client requirements under that. That will enable us to manage the information and physical security at a central location with common documentation, common reporting, resources and management and a common executive committee," details Sabir.

Kathawala describes the change within the company as being a move from corporate governance to IT governance: "We're trying to create a culture here. Ours is a very secure unit. Considerable information is being handled over here, not only internally, but also external information. So it's a movement from having just a compliance-advantage to competitive advantage. By doing these kinds of certifications, we not only gain continuous process improvements but also create a culture of governance internally, which has helped us considerably," he continues.

Sabir explains that changes in global Visa procedures prompted the firm's decision to move to ISO 27001: "Visa and MasterCard revised their security standards in 2005 and based their requirements on the ISO 27001 standard. When we started filling up the questionnaire as a preparation to their 2005 audit, we found that we are halfway to it. The things are in there but we are not meeting the complete documentation side of it. So we thought of taking ISO 27001 and adding the remaining bits to it. If you look at the documentation, you can see the standard 24 policies and procedures plus personalisation-specific procedures which we add onto ISO 27001."

Initial planning for the project started two years ago, but the major constraints turned out to be - as often occurs in projects of this type - timing related. But the intervening period was put to good use, ensuring that Cupola could eventually complete the certification much faster.

"Considering the constraints of the cost and everything involved, the timing was important for deciding when we would begin. While we were thinking about it, we went through an entire cultural change, brought in proper processes and so on. That's one of the reasons why when Paramount came in, we could finish the entire implementation within 90 days," notes Kathawala.

The business was the main driver for the project, with a clear directive that it had to add overall value to the organisation. Part of the result of the certification process is that the company now has an information security management forum - comprising Kathawala and his CEO - governing the overall security direction of the firm. He remembers them being quite confident about their internal mechanisms.

"The speed at which decisions are taken and the involvement of people - these things really mattered. The way we function here - once the decision is taken, everybody comes on board and it's quite easy to get people involved. That quite helped the 90 days timeframe," he comments.

The word 'culture' is thrown around quite a few times by both Sabir and Kathawala. Indeed, the latter says it's the key to making the most of an ISO certification.

"It's not a culture - it's a religion, when you're handling so much external data. For example, with the telecom companies, we generate the data like the scratch numbers and so on in the IT department. We have to handle it very securely and in a very professional manner, having all the processes and checks and balances in place. Constant monitoring goes on by all these customers that we deal with, especially the banks, who come and approve us," confirms Kathawala.

The complete certification for Cupola Plastics cost $70,000, including certification by independent auditor Lloyd's Register Quality Assurance (LRQA) at a cost of $12,000. Kathawala admits that return on investment on a project like this is always tricky to calculate.

"On a lot of occasions, I've been asked this question - what kind of ROI do you look at? Frankly, it's difficult to put a value to it! Rather than just the physical benefits of our investment into certification or any of these IT-related matters, we look at it primarily from the business objective of value addition and what kind of customer comforts we derive out of it," he says.

Within Cupola, Sabir acts as the chief information security officer (CISO), while the steering committee consists of representatives from every department within the company, who gather monthly to discuss security problems. Once a decision is taken, it is submitted to management, who have the option of signing off on the acceptance of the risk, mitigating it, or discussing it further.

When it comes to selecting the vendors for a project like this, Sabir has certain factors to consider: "As a general policy, we select the best among at least three. There are two considerations to that. One is the services that they offer, second is the monetary benefits. We then take customer references to evaluate the services. We negotiate the prices - that's how we decide people. Basically, it's good service for an optimum value."

Apart from Paramount, auditors KPMG and PricewaterhouseCoopers also submitted bids for the project in May 2008. KPMG has a prior association with Cupola - the firm is the statutory auditor for the group of companies - but Kathawala was assured that there would be no conflict of interest.

One might assume that the well-known auditors might have a higher chance of bagging the project, but Kathawala and Sabir eventually selected local consultants Paramount in June primarily on their prior experience with the banking sector, faster delivery and better pricing.

"One of the winning points was that Paramount was the fastest turnaround time in terms of project acceptance and implementation. We got a timeframe from all the consultants, but the initial start-off point was very critical for us, because when they came in was when we normally have our lean period of business. The other consultants we looked at [KPMG and PWC] quoted a very late initial start point - five or six months down the road, and the price was also 40% higher," recalls Kathawala.

The project officially kicked off in October. LRQA completed the official audit of Cupola on December 14, and the firm received the official certification in the second week of January. Sabir lists the changes the organisation had to make to receive compliance from the LRQA.

"One change is the complete documentation. Second was a bit of changes in the network infrastructure. The major part was documentation, user awareness, meetings. The other major part was for the consultants to understand the process and identify the risks and gaps in each process, then analyse the processes and risk mitigation plans and cover all these issues. We then had to prepare policy and procedures in place," he recounts.

Now that ISO 27001 is complete, next up for Cupola is an implementation of the Payment Card Industry Data Security Standard (PCI DSS), which mandates rules for data storage security. It's scheduled for the following financial year, but Sabir discloses that it's still at a very early stage, although it is more applicable to his particular business.

"It is a security requirement specific to the payment card industry. ISO 27001 can be structured into any business and can be built into the information security as per that standard, but PCIDSS is a certification body which certifies the manufacturing and services bureau. Any organisation that handles credit card information has got it. Compliance is not yet a must in this region, it's coming up at this moment of time. In US and Europe, it's mandatory," he says.

Sabir provides an example of how ISO certification has changed processes at Cupola: "Recently, one person asked me to give his department access to both sites. I told him that we would discuss that in the next Information security steering committee meeting. If everybody is in agreement, we will do that. Nobody is deciding anything on their own."

Kathawala agrees, saying the object was not to create further complications for the business, but rather improve the existing processes: "Don't get us wrong, it's not creating any bureaucratic lines here. It's primarily risk-driven. Whatever we have done, the processes and the people following them and the documentation required, it's absolutely business driven. We did not want to create unnecessary tiers in the management, or try to block anybody's goodwill towards doing something for the business.

"What it has done is bring about more discipline. In an organisation like ours with so much of certification, and reviews and such going on, it's always been there. It's a matter of making it more systematic, having documentation in place, the processes recognised by people and since it's a requirement now, people are more disciplined to do it. We know that if we don't do it, the certification is at stake," he concludes.

Testing penetration

With any advanced audit of this nature, it's crucial to cover every aspect of security, including physical access. Cupola Plastics IT Manager, Sabir KV, explains the tests he did. "There are two kinds of penetration tests that we have done. One is as part of ISO 27001, we have done one penetration and vulnerability assessment by the consultant themselves. Secondly, as per Visa and Mastercard requirements, we should have a quarterly penetration test.

"Any major network change should also be followed by a penetration test. It has to be done by a Payment Card Industry (PCI) scanning vendor," he explains. As many security experts know, the easiest method of gaining access to a facility is often to simply use social engineering to pretend to be a member of staff, and then plug a device into an open network socket. Sabir has put measures in place to prevent these forms of unauthorised access: "We have IPSEC enabled node-to-node and work on static IP so somebody coming in and plugging in a device will not be getting an IP. We also have an interlocked gate and passes are different - if you intend to go to the production area, you will not be able to go because that access is different.

"If you want to go in there, you'll have to get an authorisation from the production manager of that area. The cards required for every area are different. The access is registered and every card movement is monitored by security. Each department has CCTV monitoring on their PCs."
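The static-IP-only control Sabir describes above only holds if the site can tell when something that is not in its allocation register shows up on the wire. The following script is an added example, not Cupola's or Paramount's code: it reconciles a (hypothetical, constructed) static-IP register against neighbour-table lines in the format of Linux `ip -4 neigh show`, flagging addresses that are not in the register and registered addresses answering from a different MAC. The register, the interface name and the sample lines are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical static-IP register: the allocation record a site that runs
# without DHCP keeps for every authorised node (constructed sample values).
STATIC_REGISTER = {
    "10.0.1.10": "00:11:22:aa:bb:01",
    "10.0.1.11": "00:11:22:aa:bb:02",
    "10.0.1.12": "00:11:22:aa:bb:03",
}

# Constructed neighbour-table lines in the layout of `ip -4 neigh show`.
# 10.0.1.12 answers from a MAC that differs from the register, 10.0.1.77 is
# not in the register at all, and 10.0.1.13 never resolved (no lladdr).
SAMPLE_NEIGH = """\
10.0.1.10 dev eth0 lladdr 00:11:22:aa:bb:01 REACHABLE
10.0.1.11 dev eth0 lladdr 00:11:22:aa:bb:02 STALE
10.0.1.12 dev eth0 lladdr 00:11:22:aa:bb:99 REACHABLE
10.0.1.77 dev eth0 lladdr 00:de:ad:be:ef:01 REACHABLE
10.0.1.13 dev eth0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+) dev (?P<dev>\S+) "
    r"lladdr (?P<mac>[0-9a-fA-F:]{17}) (?P<state>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


def parse_neigh(text):
    """Return (ip, mac) pairs for every resolved neighbour entry.

    Entries without an lladdr (FAILED/INCOMPLETE) carry no MAC and are skipped;
    they say nothing about which device is present.
    """
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append((m["ip"], m["mac"].lower()))
    return entries


def audit(entries, register):
    """Compare observed neighbours with the static-IP register.

    An address absent from the register means a device is on the segment that
    was never allocated an IP; a registered address seen from another MAC means
    the allocation is being used by a different device than recorded.
    """
    findings = []
    for ip, mac in entries:
        expected = register.get(ip)
        if expected is None:
            findings.append(Finding(ip, mac, "address not in static-IP register"))
        elif expected.lower() != mac:
            findings.append(Finding(ip, mac, "MAC differs from register entry"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_neigh(SAMPLE_NEIGH), STATIC_REGISTER):
        print(f"{f.ip:<12} {f.mac}  {f.reason}")
```

Run against real output by replacing `SAMPLE_NEIGH` with the text of `ip -4 neigh show` from a host on the segment; the register is whatever form the site's allocation record takes, reduced to an IP-to-MAC mapping. A finding is a prompt to check the register and the physical port, not proof of an intruder: a replaced NIC produces the same MAC mismatch as an unauthorised device.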
