CSO100 Award 2019

CSO100 Award 2018

CSO100 Award 2017

Amar H Shah has over 18 years of experience in internal audit, information security, and enterprise risk management, and is currently heading the information security and risk management portfolios in Ashok Leyland. He is also a Chartered Accountant and Certified Information System Auditor (CISA), and an honored member of The Institute of Chartered Accountants of India (ICAI) and The Information Systems Audit and Control Association (ISACA). He played a key role in the implementation of the BS7799 standard in Ashok Leyland--which has become the first automobile company to get the certification in India, and its migration to ISO27001 standard.


Enhancing employee productivity through mobility, required provisioning seamless access to business information for timely decision making. Information on-the-go drove the theme for mobility as Ashok Leyland moved towards employee empowerment. With this business need, the challenge upon the information Security team of Ashok Leyland was to ensure that adequate controls are built-in such that confidentiality, integrity and availability of information is maintained. The need to provide information to users 'anywhere' and from 'any device' called for sound security policies to be defined keeping in mind the flexibility to be offered to the business. The team devised a Mobile Security Solution with the ability to implement geographic, device and user based security policies such that relevant controls were implemented to safeguard the organization's information. The key controls deployed included providing seamless access to trusted systems, restricted access for untrusted systems, multi-factor authentication for access from untrusted systems, implementation of mobile device management policy and mobile application management policy to protect the organization's information from being misused. This has empowered Ashok Leyland's workforce to access business information to enhance their productivity, whilst ensuring that adequate controls are built-in for the security of organization's information.