A
Report on
Management Information System of
Hero MotoCorp
Submitted To: Dr. Susheel Chhabra
DATE OF SUBMISSION:
November 25, 2011
SUBMITTED BY:
Group 11
Section B
SONAM AHUJA – 104/11
ANKITA AGARWAL – 106/11
KUMAR SOMIL – 108/11
N.VENKATA RAMANA REDDY – 110/11
NISHANT SRIVASTAVA – 112/11
MANISH THAKUR – 114/11
Lal Bahadur Shastri Institute of Management, Delhi
Table of Contents
S.No. Topics
1 Acknowledgement
2 Research Methodology
3 Introduction
4 Company Profile
Supplier and Customer Relationship Management
5 eHR Implementation
6 TPS and MIS
7 Decision Support System
8 Executive Support System
10 System Analysis and Design
11 Virtual Private Network
12 Information and IT Security Management
13 Bibliography
ACKNOWLEDGEMENT
We would like to express our deepest sense of gratitude to our project guide Dr. Susheel Chhabra for his
invaluable guidance, inspiration and encouragement that we received from him throughout the project. Our
efforts in accomplishing this project are a result of constant motivation and invaluable learning imparted by
him.
Group 11/ Section – B
Trimester II
RESEARCH METHODOLOGY
The project entitled “Management Information System at Hero MotoCorp” was
undertaken and the research was conducted in two phases:
1. Primary survey
2. Secondary survey
Secondary survey: We collected some literature reviews and some relevant
data for the project from the internet and from books.
Primary survey: The primary survey was conducted by visiting the company. We asked about
their management information system.
The data provided by them was analysed by us.
INTRODUCTION
Management Information Systems (MIS) is the term given to the discipline focused on the
integration of computer systems with the aims and objectives of an organization.
The development and management of information technology tools assists executives and the
general workforce in performing any tasks related to the processing of information. MIS and
business systems are especially useful in the collection of business data and the production of
reports to be used as tools for decision making.
Deconstructing the term MIS enables us to define each word in a business context:
– Management - being managed or people managing a business. Over recent years
management has become more scientific and system-oriented.
– Information - knowledge made available to people within an organization.
– Systems - sets of connected things or parts within an organization which tie the
planning and control by managers to the various operations.
COMPANY PROFILE
One of the biggest success stories in the Indian two wheeler segment, Hero MotoCorp is a
household name today. What’s not so well known is the fact that the company has successfully
used IT to help it reach the top.
Hero MotoCorp, formerly Hero Honda, is a motorcycle and scooter manufacturer based
in India. Hero Honda started in 1984 as a joint venture between Hero Cycles of India and Honda
of Japan. The company is the largest two wheeler manufacturer in India. In 2010, when Honda
decided to move out of the joint venture, Hero Group bought the shares held by Honda.
Subsequently, in August 2011 the company was renamed Hero MotoCorp with a new corporate
identity.
For New Delhi–based Hero MotoCorp, success has brought significant rewards – and
some daunting challenges. The company, established in 1985 as a joint venture between Hero
Group of India and Honda of Japan, holds a 57% market share in India and has grown to become
the world’s largest two-wheeler manufacturer. In the last six years Hero MotoCorp’s sales
volume grew by 400%, and this year the company expects to manufacture and sell more than 3
million motorcycles. It’s no wonder that Hero MotoCorp has won accolades in the New Delhi
business press. In fact, in 2001 Hero MotoCorp’s chairman Brijmohan Lall Munjal received the
“Ernst & Young Entrepreneur of the Year” award for India, and in 2005 he was presented with
the “Padma Bhushan,” a prestigious award from the Indian government. But growth has brought
unique challenges, too. Hero MotoCorp now supplies motorcycles through more than 500 dealers
and 700 service points, institutions, and overseas customers. In addition, the company calls on
more than 240 suppliers for its parts and subassemblies. The challenge for Hero MotoCorp: cut
time and waste out of its supply chain and add more flexibility in meeting the fast-changing
dynamics of the modern market in India.
Hero MotoCorp is a leader in the two wheeler segment in the country, and even claims to be the
world’s largest two wheeler company in its advertising. To reach the heights that it has, Hero
MotoCorp has successfully leveraged the IT advantage, especially in recent times.
PRE SAP SCENARIO
The company has a highly efficient and reliable network today. But till 1998 Hero MotoCorp
depended on legacy systems, which had a high failure rate. The set up was not in a position to
cater to the expansion that Hero MotoCorp went through and was not suitably updated. Because
it was obsolete, the management decided to revamp the entire IT set up, according to S R
Balasubramanian, vice president, Information Systems, Hero MotoCorp. MotoCorp had legacy
systems working on different platforms, which were developed in-house and tailor-made to their
method of working. Since the legacy systems took care of data processing, only some operational
reports got generated by the system. Real MIS resided on Excel sheets along with different kinds
of analysis. Information, therefore, was fragmented and the authenticity was questionable. Over a
period of time, the systems underwent changes and represented a patchwork of several additions
and modifications. They were loosely integrated across functional areas. There was duplication
and information inconsistency as happens with most legacy applications. It was therefore
important to migrate from this platform to something more stable and futuristic.
MOTIVATION FOR CHANGE
At that point of time the management perception about IT was also changing and they decided IT
would be part and parcel of Hero MotoCorp. This helped in modernizing the information
systems at the company. Apart from this, competition in business and deployment of bandwidth
hungry applications forced the company to migrate from a slower legacy network to the new
faster and more reliable network. The management’s vision was to align IT with business. IT
was to be used as a strategic business tool rather than for a limited purpose of data processing.
An information systems plan was drawn up, which besides other things, stated that the
organization would go for common systems across the organization. It would also achieve
integration between all systems; emphasis would be on improving business processes, to adopt
best practices and to cover the entire supply chain. MotoCorp wanted to consider only state-of-
the-art systems and one which had a clear road map for the future including conduct of business
over the net. Tired of in-house developed systems, they wanted a standard solution and in
particular, an ERP. Their idea was to partner with a technology vendor capable of taking them
forward as the business expectations increase.
THE IT INFRASTRUCTURE
The IT infrastructure of the company is connected over three major Local Area Networks
(LANs). These connect the corporate office in New Delhi with three manufacturing plants
(Gurgaon, Dharuhera and Haridwar), and other zonal and marketing offices. 21 locations are
connected through its Wide Area Network (WAN) set-up. Most of these locations are connected
with the corporate office through VPNs, leased lines, and at a few places through VSAT
connectivity. The motorbike major has a total of seven TDM/TDMA VSATs and two PAMA
VSATs. As far as the VPN set-up is concerned, it is still a closed-user group. For connectivity
between its Dharuhera, Gurgaon and Haridwar facilities the company uses a very fast radio link.
The company has installed the PAMA VSATs from Comsat Max as a backup facility. The Hero
MotoCorp network spans 750 nodes across the country.
Hero MotoCorp uses 10/100 Mbps Ethernet switched technology for data transmission and is
connected with both optic fiber and Cat 5 cables. Optic fiber is used for the backbone, which will
also solve the future bandwidth requirements of the company. The company has three Cisco
routers. The company also uses a mix of switches from three vendors: Cisco, IBM and 3Com.
For non-critical applications, the company has opted for 3Com switches. “As IBM switches are
cheaper than Cisco ones, we will be going in for more and more IBM switches in the future,”
says Balasubramanian. All the switches and hubs at the company are managed devices. Apart
from this the company also uses an IBM RS 6000 server for running SAP applications, and other
midrange servers for running Ingres and Oracle. For Lotus Notes applications the company has
opted for IBM’s Netfinity servers. As far as other networking hardware is concerned, the
Gurgaon plant has two Cisco routers, which are connected to an IBM LAN Route Switch, and
the storage box is connected to the RS 6000 server. The company is also using a tape library,
which works as a backup device.
One of the key features of Hero MotoCorp’s networks is that most sites enjoy excellent backup
facilities. For instance, Dharuhera is connected directly to Comsat Max’s PAMA VSAT main
hub. The IT facilities at Gurgaon are connected with two electrical sources, two MCBs, and two
UPSes. The company has also installed an extra server as a backup. It possesses a Network
Attached Storage system, with plans to shift to a Storage Area Network. For this Hero MotoCorp
has gone in for an IBM Tivoli solution. The whole idea was that information systems should be
able to deliver 99 percent availability. Even if a LAN or a switch fails, it should take just 10
minutes to switch to another LAN or switch.
ENTERPRISE APPLICATIONS
A good and reliable messaging system was a long-standing need at Hero MotoCorp. When they
first introduced messaging, it took off very well. To ensure its success the management arranged
training programmes at all the three major areas and also invited the regional offices to join in.
The success of the messaging system was so good that people started overlooking the VSAT
network. The company messaging set up evolved around Lotus Notes. They evaluated both
Microsoft Exchange and Lotus Notes, and finally decided to go in for Lotus Notes. The Lotus
Notes application at Hero MotoCorp evolved around those applications that users are familiar
with. This is done as a part of the information systems plan along with the business plan to
integrate information systems in the organization, integrate all the departments. As the
management knew that the implementation of ERP would take some time, they wanted to use
that time to introduce an IT culture in the company.
After the successful implementation of this system, the IT set-up faced some problems during the
first Diwali after the introduction of the messaging system. This happened because of huge
number of greeting messages and card attachments. This prompted the company to introduce a
new greetings system on the lines of Bluemountain.com. They opened up a card
library system and asked the users to go to the card library and select a card and send it across.
By this, no attachment would go, but only the link. After this they were able to avoid a
considerable amount of traffic. And users were quite excited about having a card application.
People started enjoying the use of IT applications. Subsequently, the company put up an intranet
and workflow applications.
ERP IMPLEMENTATION
The next move was to implement ERP in order to integrate various functions and control its
operations. The company went live with SAP R/3 on February 1, 2001. It uses modules like
production, materials, finance, marketing, assets, quality, sales and distribution. Siemens
Information Systems was the implementation partner for this rollout. The ERP implementation
presented a high level of data integration. “ERP has helped the company immensely. Today
nobody asks any other department for information. One can log in and see reports online,” says
Mukesh Malhotra, deputy general manager, Hero MotoCorp. They were able to implement better
cost control measures. This had helped them in calculating the cost of consumables, tool
inventory cost, power and fuel costs, and plant overheads. Because of this they also became
ready for future SCM and CRM implementations.
SAP’S ROLE
Hero MotoCorp evaluated Baan and Oracle. The overwhelming presence of SAP in the
automotive sector was one of the important reasons for selection. The customer references spoke
strongly about SAP’s ability to address the needs. The project took off with a great start. It
imparted one-day awareness training sessions to around 135 managers and key users explaining
the project and roles of core team members and users.
There were hiccups in between because of staff turnover at the implementation partner’s end,
because of which the project had to be extended by a month. However, they kept various
activities on schedule. They were one week behind at the last stage of Go-Live preparation but
made that up in the last month. The Steering Committee played a useful role, and wherever some
policy issues could not be decided, the CEO intervened to resolve them. End users were involved at
various stages and hence they adapted to the new systems well. The first few days saw several
problems but the help desk (available 24 hrs) attended to them promptly. Every day thereafter
saw fewer problems and the operations got streamlined in 15 days. The yearly closing ended on
31st March 2001 (2 months from Go-Live) and was completed in 24 days. Year closing for
the following year was achieved in 11 days and Hero MotoCorp was the second company in
India to declare results. This indicated the stability of systems and the efficiencies achieved.
IMPLEMENTATION PARTNERS
Siemens Information Systems Ltd (SISL) was the implementation partner. They imparted initial
training to the users and core team members. They also helped in redefining various processes
based on their experience. They gave valuable suggestions for improvement at various
stages. In the Steering Committee meetings they clarified various issues and helped in
convincing the management to make various changes.
RECORD-BREAKING IMPLEMENTATION TIME
Hero MotoCorp also profited from services delivered remotely by SAP consultants in Singapore
and software developers in Walldorf, Germany. This international approach ensured that any
issues were dealt with rapidly and effectively. The speed with which technical issues were
resolved was impressive. In some cases, SAP’s German developers found answers overnight.
Thanks to close collaboration between SAP and Hero MotoCorp, the project was completed in a
record three months. Implementing the latest mySAP SRM and mySAP CRM capabilities in
such a tight time frame was an ambitious goal.
SUPPLIER & CUSTOMER RELATIONSHIP MANAGEMENT
Automotive – Motorcycles
Processing Orders Manually
They have a large supply chain and they needed accuracy and speed in the deliveries of raw
material and components. Their suppliers were given a plan for the month but changes are often
necessitated by market conditions – like changes in the mix of models and colors. And there
could also be increase or decrease in demand. They wanted the ability to respond to these
changes by aligning the production plan, supply schedule of components, and other resources to
handle this efficiently. Hero MotoCorp had already been using the mySAP™ ERP solution for
its core applications but until January of 2004, the company continued to enter its customer
orders manually – using a portal to communicate with suppliers. They used to receive orders
from dealers in the form of spreadsheets, e-mail, and phone calls. It took a few days to bring in
the customer orders and consolidate them. Then they would get their material requirements plan
from the ERP [enterprise resource planning] system and post the information on their portal.
This was done through periodic updates – twice a day – and hence did not consistently give the
latest information to their partners. They had no visibility of materials in transit and a lot of time
was wasted on follow-ups. They also had to deal with incorrect deliveries from vendors when
they sent either less or more than the scheduled quantity. For example, they might have ordered
100 units but the supplier delivered 110. This kind of error would slow down the receiving
station while their people would seek approval for receiving the extra quantity. Also, mismatches
like this meant that either they carried more inventory than needed or caused production holdups
if the quantity supplied was less than ordered.
Automating Supplier Transactions
In February 2004, Hero MotoCorp began a pilot test, bringing in mySAP Supplier Relationship
Management (mySAP SRM) as well as mySAP Customer Relationship Management (mySAP
CRM), both solutions in the mySAP Business Suite family of business solutions. For the rollout
of its supplier portal, Hero MotoCorp chose its top 125 suppliers – together, they account for
95% of the company’s supplies. Most of these suppliers now perform their transactions with
Hero MotoCorp through the Web-based self-service portal, in real time. Suppliers can now see
the status of their orders, shipments, and invoices, and they can see new delivery schedules as
soon as they’re processed by the Hero MotoCorp production plan. They can also use the portal to
make confirmations along the way – for example, to confirm that they can handle a certain
variation and to confirm that they’ll meet the delivery schedule.
SAP® Consulting
It took three months to complete the rollout. Helping Hero MotoCorp speed up the process – and
helping implement some of the newest features in mySAP SRM – was SAP® Consulting.
mySAP SRM experts, from both the Asia-Pacific region and SAP headquarters in Walldorf,
Germany, worked on the project and helped Hero MotoCorp develop some of its most
complicated direct materials processes. They assisted them during the entire implementation
process and transferred knowledge to them. Also, they unlocked some software features that
people at Hero MotoCorp did not even know existed. For instance, they helped them
implement instant messaging, which was helpful in contacting the suppliers quickly in the event
of a production scheduling change – say, one that might occur because of an upcoming holiday.
SAP Consulting and the Asia-Pacific solutions team also helped Hero MotoCorp integrate a bar
code-reading function into the system, according to Balasubramanian. The bar code feature is
used by those local suppliers who make just-in-time deliveries several times each day. For them,
it’s faster and easier to process their deliveries via a bar code reader on the delivery dock than it
is to make constant updates to the self-service portal.
End-to-End Process Integration
Hero MotoCorp also implemented a customer portal, as a feature of mySAP CRM. With the two
portals now in place, the company benefits from end-to-end process integration. “Our dealers
place their orders once a month,” he says. “Typically, a dealer might order several hundred
motorcycles, as well as spare parts. So every Friday we get our orders in, we consolidate them on
Saturday, and on Monday morning our suppliers are all receiving our delivery schedules, directly
from our production planning system.”
Because the ordering process is now fully automated, Hero MotoCorp saves approximately three
days over the time it used to take to complete this process. That translates into an inventory
savings of about 10%, which in turn translates into a substantial cost savings. The automation
also increases Hero MotoCorp’s own ability to be responsive to its dealers. Even though dealers
normally place their orders on a monthly basis, there are many times when they want to revise an
order that’s already in process. They might do this to account for a sudden change in customer
demand – for instance, their customers might start asking for a new color or a different model.
“For these revisions, we can get the change in on Friday and be pretty sure that the entire
shipment will go out, as scheduled, the following week,” says Balasubramanian. “The customers
appreciate this kind of responsiveness and it’s just what they, and they, need in order to continue
to take advantage of this fast-growing market.” The system’s end-to-end integration pays
dividends in maximizing order accuracy, as well. They’ve greatly reduced the chances of
mismatched orders too. For one thing, it’s easier for suppliers to check their orders on the portal
and they know that the portal’s information is both accurate and up to the minute. Since the
advance shipping notification created by the supplier is derived from the purchase order, the
chance of a delivery mismatch with the order is almost zero.
eHR IMPLEMENTATION
With technology touching all aspects of today’s business, there is increasing usage of IT and
Internet technologies in a company’s HR department. Suddenly HR managers are finding
themselves in a whirlwind of technological changes, with adoption of IT (both as process and
tool) becoming a necessity for them. The past one year has seen IT playing a key role in the
Personnel/ People Development/ HR departments of companies, which are trying to make the
best use of their systems for storing, organizing or disseminating information to their employees.
All this has resulted in HR professionals doing away with costly, time-consuming and redundant
processes and opting for IT-enabled HR systems, which according to industry experts, marks the
beginning of a new era in the functioning of HR professionals.
Hero MotoCorp has opted for a SAP HR module. S K Balasubramaniam, vice president-information
systems, Hero MotoCorp, informs that the company is in the process of starting an
ESS system which will enable employees to access all information about their salary, tax, leave,
loan, etc. For its knowledge management requirements, the company is planning to set up a
portal where employees can access information, exchange ideas freely and read articles compiled
by the HR department and all employees. Later, they also plan to use the intranet for external and
internal recruitment, assessment and appraisal purposes.
TRANSACTION PROCESSING SYSTEMS (TPS)
Transaction processing systems are the basic business systems that serve the operational level.
A TPS is a computerized system that performs and records the daily routine transactions
necessary to the conduct of the business. It includes a set of procedures for handling transaction
activities: calculation, classification, sorting, storage and summarization. Transactions are
high in volume but similar, with few exceptions.
MANAGEMENT INFORMATION SYSTEMS (MIS)
Management level
• Inputs: High volume transaction level data
• Processing: Simple models
• Outputs: Summary reports (Types)
• Users: Middle managers for Structured & Semi-structured Decisions
INTERRELATIONSHIPS AMONG SYSTEMS
DECISION SUPPORT SYSTEM
Management level
• Inputs: Transaction level data & MIS Reports
• Processing: Interactive
• Outputs: Decision analysis
• Users: Middle & Top-Level Managers
Typical information that a decision support application might gather and present are:
• inventories of information assets (including legacy and relational data sources, cubes,
data warehouses, and data marts),
• comparative sales figures between one period and the next,
• projected revenue figures based on product sales assumptions.
EXECUTIVE SUPPORT SYSTEM
• Supply the necessary tools to senior management.
• The decisions at this level of the company are usually never structured and could be
described as "educated guesses."
• Executives rely as much, if not more so, on external data than they do on data internal to
their organization.
• Decisions must be made in the context of the world outside the organization. The
problems and situations senior executives face are very fluid, always changing, so the
system must be flexible and easy to manipulate.
• Executives often face information overload and must be able to separate the chaff from
the wheat in order to make the right decision.
• On the other hand, if the information they have is not detailed enough, they may not be
able to make the best decision.
• An ESS can supply the summarized information executives need and yet provide the
opportunity to drill down to more detail if necessary.
DATA FLOW DIAGRAM
The diagram below shows the zero-level data flow diagram of a sales department. It is made for
the material procurement procedure. It also shows the other entities, such as the stores
department and the finance department, that are involved when a user places a material purchase
request.
SYSTEMS ANALYSIS AND DESIGN
Hero MotoCorp, being a two-wheeler giant, follows the prototyping model for analyzing and
designing the system. Consider the process of launching a new bike in the market: after
identifying the target consumer section, the company makes a prototype or test bike and studies its
performance. The consumers give their insights and the process of design and prototyping is
repeated until the company is satisfied that it should go for mass production.
VIRTUAL PRIVATE NETWORK
A Virtual Private Network (VPN) uses the infrastructure of the public Internet to provide secure
access to applications and corporate network resources for remote employees, trading partners,
suppliers, and customers.
It is a network that, as much as possible, acts like an extension of the private corporate network on a
service provider's shared network infrastructure.
The main VPN server is located at the head office of Hero MotoCorp. This VPN is
connected with the 7507 routers and two L4 switches, which are protected through a firewall.
Through this network they can interact with their sales and branch offices through ISEC3000
devices. Through this network the company can also easily reach remote workers
over the Internet.
INFORMATION AND IT SECURITY MANAGEMENT
Enterprise security may not be as critical in a manufacturing organization as in the banking,
financial services and insurance (BFSI) sector. Nonetheless, it is important, especially when it
comes to a manufacturing company like Hero MotoCorp, which is extremely dependent on its
computer systems and networks for its operations. A disruption in IT infrastructure could spell
disruption in business operations. Taking all this into consideration, the company has been
constantly evolving its information security set-up to keep pace with its expanding IT
infrastructure. Today enterprise security at Hero MotoCorp has reached one of the most critical
junctures as the bike major has recently created a comprehensive information security policy.
Enterprise security at Hero MotoCorp goes beyond IT security to encompass complete
information security. The company identified the need for complete information security with IT
security as one of the aspects within this whole concept. IT security will take care of only some
intrusions. But for any organization there is a need to have a clear identification of authorizations
through information classification. The need was to find out what type of information was there,
who should access it and who should not in order to ensure complete data integrity.
Along with business growth, Hero MotoCorp has also grown on all fronts. It has set up two
manufacturing facilities at Dharuhera and Gurgaon in Haryana. These facilities now churn out
over 3.5 million motorbikes per year. This growth is also applicable to the company’s employees
and their business needs. As is the case with any other large organization, Hero MotoCorp has
nearly 1,600 desktop users. E-mail is a backbone of today’s business, and accordingly the
company has created approximately 2,000 e-mail IDs for its users.
Security set-up so far
The year 1999 was the inflection point for the entire IT set-up at Hero MotoCorp, including
information security. The company undertook a complete revamp of its IT infrastructure with a
new architecture, expansion of its network, IT assets and applications. The security approach has
been evolutionary, in line with these growing requirements. Connecting the entire organization
during 1999, the company put its mailing system into place. This, however also led to the import
of viruses into the system, thereby warranting the need for a complete anti-virus solution. Before
this, there was anti-virus software installed only on a few desktops. The company chose McAfee
for its comprehensive features and good installed base. Hero MotoCorp has now implemented
the complete suite, covering the desktop, servers and mail gateway.
The company first deployed the Total Virus Defence (TVD) system, which was later upgraded to
the Active Virus Defence (AVD) system around two years ago. Under AVD, Hero MotoCorp is
using GroupShield for the Lotus Notes mailing system, NetShield for NT and Windows 2000 servers
and VirusScan for end-user desktops. AVD works under the ePolicy Orchestrator agent,
which is installed on each and every desktop and delivers the means to control the anti-virus
applications. According to Balasubramanian, it gives the company power to enforce its
anti-virus policy, to update the policy on end-user desktops and to monitor update progress
through graphical reports. ePolicy has made it possible to enforce any anti-virus policy across
all the company’s offices in just two hours.
As part of the AVD architecture, Hero MotoCorp has three AVD servers: at the head office in
Delhi, and at the Gurgaon and Dharuhera plants. The AVD server at Delhi takes care of all head
office-based servers, desktops and all zonal and area office desktops. The Gurgaon and
Dharuhera AVD servers do likewise. All three servers are connected to the McAfee Internet site
through the Net. As a result, whenever McAfee releases any new anti-virus DAT files, all three
AVD servers get synchronized with the McAfee server and download the (incremental) DAT file
immediately, which is then distributed to all the servers and desktops. In case of a virus attack
on any of the servers and desktops, the ePolicy agent updates the AVD server about this new
virus.
CORE CRISIS
Messaging systems form the frontline for any organization. The external mail server forwards
corporate mail over SMTP to the internal mail server that is deployed on their LAN. The internal
mail server is a central mail repository from where all the employees POP their individual mails.
All the employees based in New Delhi and at the Dharuhera and Gurgaon plants POP their mails from the
local mail server. They have ISP level security, which consists of a firewall, spam filter and
anti-virus. However, they soon realized that ISP level security was inadequate for the task at hand.
The company was facing difficulties vis-à-vis messaging and there were Internet access and
security issues related to spam, online and spam-related malware attacks and choked bandwidth.
Moreover, the company wanted to filter Web access.
The company receives an average of 26,000 e-mail messages per day, which translates to almost
1 GB of storage space. Of these at least 70 percent were spam. That used to work out to around
18,500 pieces of spam per day. The ISP was able to filter out about 50 percent of this. Still,
almost 9,000 messages hit their internal mail server every day. They tried out a few standalone,
software-based spam filters with little success.
Apart from a vast number of employees, Hero MotoCorp also has a vast chain of dealers and
service stations spread across the country. Mail exchanged between these offices often got
lost in the maze of spam, and the business suffered. Often business correspondence was
incorrectly classified as spam (a false positive) and deleted, while spam continued to pour
in. Mailboxes were clogged with spam. Having close to 9,000 spam messages hitting the local
mail server on a daily basis was not acceptable, as downloading legitimate
mail along with the torrent of spam that dodged the ISP’s filters from the external mail server to
the local one was a painfully slow and, quite often, frustrating process.
There was another side to this crisis: bandwidth consumption did not just increase, it shot
through the roof, and continually adding bandwidth was not a viable solution. Once the messages
reached an individual’s mailbox, they had to be checked and deleted manually. Many times
the recipients were tempted to read the spam, and the mail processing time kept increasing at the
cost of productivity. Legitimate e-mail messages were often lost in the maze of spam.
The management began questioning the IT department regarding the extent of spam, questions that
were mostly unanswerable despite the IT team’s best efforts. Employees stationed at remote locations
such as Gurgaon and Dharuhera were worst hit. For them, the mail was first downloaded to the
local mail server and then had to be POPped to their remote individual mailboxes. The
download time of an individual message was very high, and this was particularly frustrating since
at least 50 percent of the mail was spam.
Need for firewall
The need for further beefing up the security set-up beyond an anti-virus solution was felt as the
company further opened up its systems to external access. Around a year-and-a-half ago, apart
from providing Internet access through the proxy server, the company also decided to provide
connectivity with dealers and vendors for information sharing, i.e. they could directly log in to
the Web server. This required the deployment of a firewall to guard the systems from possible
hackers and virus attacks. This was the first time that they were really connected to their
partners. Earlier they only had a mail gateway through which they exchanged mail. So, there
really wasn’t a need for a firewall at that time. But now, since they are allowing people to log in
and with people accessing the Internet there is the need for a firewall.
Firewalls deployed at Comsat Max: Hero MotoCorp has a perimeter firewall that serves as the
Internet gateway for both the plants and head office. It has chosen Check Point as its firewall,
which runs on a Nokia box and is managed and monitored by the service provider, Comsat Max.
The company’s IT security architecture divides the network into zones, based on the function of
the infrastructure contained therein. The zones created are:
• DMZ zone
• Third-party zone
• Application servers zone
• Critical servers zone
• Security management zone
• Network and system management zone
• LAN & WAN zone
Unauthorized Internet access
Restriction of access to unauthorized sites is taken care of through the proxy server, which was
deployed around two years ago for Internet access to internal users. The rules for access control
have been defined in the server itself. They define factors like which PCs have access to the
Internet, the sites that can be accessed, time period during which only certain users can access
the Internet, etc.
The company has taken various measures to ensure data integrity during internal access as well.
It has deployed PGP software on the critical desktops and notebooks within the organization for
encrypting data. While the software was deployed around two-and-a-half years ago, the company keeps
identifying and adding critical notebooks and desktops. The information on the desktops and
notebooks is kept in an encrypted folder, which requires a user name and password to
access.
Furthermore, Hero MotoCorp has built in integrity in the application itself, which is well
documented with profiles for each user. Depending on his/her profile, the user gets the rights for
accessing the data. The authentication is done through passwords.
And the answer was…
The spam included a good smidgen of phishing which slipped through the primary security layer
at the ISP’s end. Malware entering through the messages and Internet browsing was also a major
source of concern. Several messages contained a malicious payload of viruses, spyware and
Trojans. Once these entered the network, they promptly began consuming bandwidth and
causing system crashes. Unprotected and unrestricted Internet browsing also left gaping security
holes. The lack of filters on browsing left the organization wide open to attack from malware,
tracking cookies, spyware and key loggers.
Digvijaysinh Chudasama, Vice President, Sales, Cyberoam, said, “Enterprises are replacing
best-of-breed security solutions in their networks with Unified Threat Management solutions.
Cyberoam’s all-in-one security platform aids the transition without compromising the feature
granularity of standalone solutions. Cyberoam’s identity-based security empowers administrators
to proactively defend the enterprise network against both internal and external threats.”
While considering the core problem and sensitivity of the issue for Hero MotoCorp, Tarak
Technologies, business partner of Cyberoam, suggested a plan to secure the company’s e-mail.
Jose Kurian, COO of Tarak Technologies, said that after examining the problem they understood that
response time was crucial. The messaging application cannot go down for a long period of time
at a company such as Hero MotoCorp. They offered them Cyberoam’s anti-spam software.
“Rather than going out for point-to-point solutions we suggested that the company go in for
Unified Threat Management (UTM).”
Kurian added that the Cyberoam UTM solution sits at the gateway level. It is an appliance
through which mail gets routed, filtered and forwarded to the local mail server. In the absence of
Web filtering and access accountability, the little bandwidth that was left was consumed through
unrestricted surfing. This proved detrimental to organizational productivity. Lack of Internet
usage accountability led to malicious sites being surfed, which in turn infected the network with
a host of spyware.
As a remedy to slow browsing and other bandwidth problems, the company was forced to
upgrade its initial 64 Kbps Internet connection to a 4 Mbps pipe. Yet, the complaints persisted
even after this quantum leap in bandwidth availability. The company purchased four Cyberoam
appliances: three 250i units and one 100i. One 250i appliance is deployed at the corporate office in
New Delhi, and one each at the production plants in Dharuhera and Gurgaon. The 100i appliance is
deployed at the company’s upcoming facility at Haridwar. All Cyberoam appliances have been deployed
in bridge mode. The entire mail and Web traffic passes through Cyberoam.
The changed scenario
Post-implementation, Internet access is productively focused. This is amply reflected in the
bandwidth usage. Once insufficient, bandwidth availability is now quite satisfactory. Total
bandwidth consumption fell sharply and the ISP bills also took a nose dive. A clean network,
safe and responsible surfing and spam-free mailboxes have all culminated in a drastic reduction
in calls to the IT helpdesk.
Information security policy
While the company had some documented policies relating to various aspects, including IT
security post-1999, they were not comprehensive enough to cover all areas. Increasingly
expanding connectivity warranted the need for a complete policy, defining the security issues
both from within and outside the organization. The company’s plans for connectivity with
business partners included rolling out the second phase of its supply chain solution, allowing
dealers and vendors to interactively do transactions with the company on the Net. (It already
provides dealers and vendors one-way access to the Web server.) Furthermore, it is also trying to
allow employees access to applications like instant messaging and SAP, especially for field staff
and mobile workers. In such a scenario, which required opening up its systems to partners, the
need for a robust policy was imminent.
A few months ago, Hero MotoCorp started working on its new information security policy with
HCL Comnet as the consultant. The policy broadly covers around 17 domains. These domains
include networking and telecommunication, back-up, software purchase, use and maintenance,
incident management, e-mail, Internet, access control, password control, anti-virus, notebooks,
information disposal, acceptable use, system development, desktop, information classification,
training and physical security. HCL Comnet carried out the vulnerability assessments and
outlined the areas requiring improvement. These included recommendations for patch
upgradation on various operating systems and for networking devices as well as physical
security—specifically for the server room. The consultant also recommended the removal of
modems provided to users for directly accessing the Net from their PCs. Though the connections
had been removed, the modems were left behind, which, the consultants pointed out, created a
vulnerability as the users could plug them in and start using them. According to
Balasubramanian, based on the recommendations of the consultants, the company fixed up the
loopholes in its security set-up, including some recommendations regarding the firewalls and the
protection of servers. The company has already carried out pre-vulnerability assessments, fixed
the vulnerabilities and then conducted post-vulnerability assessments.
On the other side, Hero MotoCorp also worked on the information classification part of its
information security policy, which didn’t exist earlier. This involves participation from the top
management with user representation from all the functional areas. The present exercise of
classification of information is being done depending on confidentiality, criticality and
availability. Apart from information classification, the access rights to various classes of people
are also being defined in the policy. The functional heads are made responsible for their
departments and endorse the classification of information being done.