Information Security

IBA-DSCI: 2nd Banking Security Conference 2011
Transacting within Boundaries of Security and Compliance
Presentation by R.K. Saraf, Chief General Manager (IT), SBI
19th April 2011

TRANSCRIPT

Page 1: Information Security

State Bank Global IT Centre

IBA-DSCI: 2nd Banking Security Conference 2011

Transacting within Boundaries of Security and Compliance

Presentation by R.K. Saraf, Chief General Manager (IT), SBI

19th April 2011

Page 2: Information Security


Information Security

The only true secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards

Page 3: Information Security


Operations Risk – Paradigm Shift

• Banks have always dealt with operational risks and compliance frameworks.

• Post CBS, Virtual Banking and multiplicity of touch points, nature and impact of risks have changed.

• High impact security threats, timeframe, non-home transactions, new techniques, social engineering, customer expectations, market realities.

• Asymmetrical risk-reward tangle

Page 4: Information Security


How Do We Ensure All Transactions Are Safe & Compliant?

• Security cannot be achieved by technology alone; it is a core part of the culture.

• 100 percent security? Appropriate security??

• Threats – Internal, External, Customer facing.

Page 5: Information Security


Dealing with Security Issues

• Robust processes and compliance – first line of defence.
  Maker-checker, Day Book checking

• Low-tech or No-Tech Controls
  Security awareness
  Social-psychological traits
  Old school security practices

• Job rotation, segregation of duties, audit, need to know basis, whistle blowing, compulsory leave.
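The maker-checker control with segregation of duties that this slide names, shown as an added Python example; it is not part of the presentation or of any SBI system. The users, roles and transactions are constructed sample data, and the role names ("maker", "checker") and the audit-line formats are my own assumptions. The point it demonstrates is that the control is enforced in code, not left to procedure: a transaction executes only after a second user with the checker role approves it, the initiator can never approve their own entry, and every decision (including a refused self-approval) lands in an append-only trail that an end-of-day book check can review.

```python
"""Maker-checker with segregation of duties (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Transaction:
    txn_id: str
    maker: str
    amount: float
    beneficiary: str
    checker: Optional[str] = None
    status: str = "PENDING"  # PENDING -> APPROVED or REJECTED


class MakerCheckerLedger:
    """Two-person control: a maker enters, a different checker decides."""

    def __init__(self, roles: Dict[str, Set[str]]):
        # roles maps user -> set of role names; assumed role names are
        # "maker" and "checker" (a user may hold both, but never on one txn)
        self.roles = roles
        self.txns: Dict[str, Transaction] = {}
        self.audit: List[str] = []  # append-only trail for the day-book check

    def make(self, user: str, txn_id: str, amount: float, beneficiary: str) -> Transaction:
        if "maker" not in self.roles.get(user, set()):
            raise PermissionError(f"{user} does not hold the maker role")
        if txn_id in self.txns:
            raise ValueError(f"duplicate transaction id {txn_id}")
        txn = Transaction(txn_id, user, amount, beneficiary)
        self.txns[txn_id] = txn
        self.audit.append(f"MAKE {txn_id} by {user} amount={amount:.2f} to={beneficiary}")
        return txn

    def check(self, user: str, txn_id: str, approve: bool) -> Transaction:
        txn = self.txns[txn_id]
        if txn.status != "PENDING":
            raise ValueError(f"{txn_id} already {txn.status}")
        if "checker" not in self.roles.get(user, set()):
            raise PermissionError(f"{user} does not hold the checker role")
        if user == txn.maker:
            # Segregation of duties: the maker can never check their own entry.
            # The refused attempt is itself recorded so the day book shows it.
            self.audit.append(f"SOD-VIOLATION {txn_id} self-approval attempt by {user}")
            raise PermissionError(f"{user} made {txn_id} and cannot check it")
        txn.checker = user
        txn.status = "APPROVED" if approve else "REJECTED"
        self.audit.append(f"CHECK {txn_id} by {user} -> {txn.status}")
        return txn

    def day_book_check(self) -> Dict[str, List[str]]:
        """End-of-day review: entries still awaiting a checker, and SoD violations."""
        pending = [t.txn_id for t in self.txns.values() if t.status == "PENDING"]
        violations = [line for line in self.audit if line.startswith("SOD-VIOLATION")]
        return {"pending": pending, "violations": violations}


if __name__ == "__main__":
    # Constructed sample users: one maker, one checker, one holding both roles.
    ledger = MakerCheckerLedger({"asha": {"maker"}, "ravi": {"checker"},
                                 "meera": {"maker", "checker"}})
    ledger.make("asha", "T1", 5000.0, "ACC-001")
    print(ledger.check("ravi", "T1", approve=True))
    ledger.make("meera", "T2", 100.0, "ACC-002")
    try:
        ledger.check("meera", "T2", approve=True)  # refused: same person
    except PermissionError as exc:
        print("refused:", exc)
    print(ledger.day_book_check())
```

The day-book check deliberately returns both the items that never received a second pair of eyes and the refused self-approval attempts; a pending entry that sits unchecked past end of day, or any SoD violation at all, is what the reviewer should be looking at.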

Page 6: Information Security


High Tech Controls

• Multi-layered approach – Network, access control, database level

• Strong encryption

• Biometric authentication, digital signature

• User provisioning, reprovisioning, deprovisioning, integration with HRMS

• Alternate Channels, 2FA, Innovative Solutions

• Anti-virus Solution

• Internet Gateway Security

• Security Operations Centre

• Underpinning all initiatives – a comprehensive Security Policy

Page 7: Information Security


Security Policies & Practices

• Enterprise-wide comprehensive security policy, Standards & Procedures approved by the Board

• BS 25999 Certification – BCMS policy

• ISO 27001 Certification

• Integrated DR Drills

• BCP Testing

• Internal & External Audits

• Penetration Testing, Code testing

• Ethical Hacking

Page 8: Information Security


Security Violations and Incident Reporting & Management

• Incident is any event that violates the security policy

• Examples of security incidents
  Denial of service
  External probes
  Unauthorised access to data

• A security violation is any attempt to breach the security of applications, network and IT devices, whether or not it results in actual damage or financial loss.

• A nimble mechanism to respond to incidents.

Page 9: Information Security


Key Elements of Security Management:

• Senior Management commitment and support

• Clear policies and procedures
  Policies should conform to applicable laws and regulations

• Well laid down policies and procedures for Incident handling and response

• Security awareness and training
  All employees to be appropriately trained
  Updates to policies should be circulated: use of in-house publications or Intranet
  Regular Security drills and simulated security incidents to be done
  Reward employees who are vigilant and demonstrate security awareness of high order

• Regular monitoring and compliance audit of security systems

• Customer Education

Page 10: Information Security


Role of senior management

• Ensure implementation of security controls for assets under their control

• Promote security culture

• Facilitate user awareness training

• Implement personnel security policy in assigning roles and in dealing with security violations

People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems

Page 11: Information Security


Awareness of Security Policies & Awareness

• Intranet portal with the latest information on Information Security

• HRMS – answering a few IS related questions

• Observing the Computer Security Day – Message by the Chairman

• E-learning courses – to be made mandatory for all employees periodically

• Awareness campaigns through print & digital media

Page 12: Information Security


Are banks losing out on services, opportunities, innovations and flexibility?

• Most Certainly Not

• Dynamic changes in IT result in continuous evolution of business processes

• Evolution leads to innovation and new opportunities

• E.g. Alternate Channels: an innovative way of doing business
  Opportunity – maximising reach
  Revenues – reduced cost per transaction

• Improved Services: 24x7, Online, New Markets

Page 13: Information Security


Strategy adopted to make transactions “user friendly” to the customer

• Incidentally, most security initiatives are transparent to customers.

• Usability of robust security deployment on the bank’s systems

• Implementing simple and layered security initiatives like the OTP, biometric authentication, etc., making their use intuitive.

• Non-intrusive security measures, baselining user and usage profiles

• Educating the customers – print & digital media, SMS campaigns, customer workshops, road shows etc.

• Ultimately, a matter of improving customer confidence.

Page 14: Information Security


Challenges in implementation of such strategy

• Incident management and response to newer threats - Total Cycle Time needs to be shortened

• Reaching out to every customer to prevent security incidents / frauds.

• Information security viewed as an IT responsibility

• Has been approached in accordance with the understanding of IT specialists

• Paradigm Shift : Design of business oriented information security : aligning information strategy to the business strategy

Page 15: Information Security


Computers are NOT a substitute for our sixth sense, instinct or intuition!

Page 16: Information Security
