Slide 1: State Bank Global IT Centre
IBA-DSCI: 2nd Banking Security Conference 2011
Transacting within Boundaries of Security and Compliance
Presentation by R.K. Saraf, Chief General Manager (IT), SBI
19th April 2011
Slide 2: Information Security
"The only true secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards."
Slide 3: Operations Risk – Paradigm Shift
- Banks have always dealt with operational risks and a compliance framework.
- Post CBS (core banking solution), virtual banking and the multiplicity of touch points, the nature and impact of risks have changed.
- High-impact security threats, timeframe, non-home transactions, new techniques, social engineering, customer expectations, market realities.
- Asymmetrical risk-reward tangle.
Slide 4: How Do We Ensure All Transactions Are Safe & Compliant?
- Security cannot be achieved by technology alone; it is a core part of the culture.
- 100 percent security? Appropriate security?
- Threats: internal, external, customer-facing.
Slide 5: Dealing with Security Issues
- Robust processes and compliance: the first line of defence.
- Maker-checker, day book checking.
- Low-tech or no-tech controls.
- Security awareness.
- Social-psychological traits.
- Old-school security practices: job rotation, segregation of duties, audit, need-to-know basis, whistle blowing, compulsory leave.
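An added illustration (not from the presentation or SBI's systems) of the maker-checker and segregation-of-duties controls listed above: an entry made by one user is held until a different, authorised checker decides it, self-approval is refused, every decision lands in an audit trail, and the day-book check lists what is still pending. The user names, checker list and sample entries are constructed for the example.

```python
# Added example of a maker-checker (four-eyes) control with segregation of
# duties. Not SBI's code; roles and entries below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Entry:
    entry_id: str
    amount: float
    maker: str
    checker: Optional[str] = None
    status: str = "PENDING"              # PENDING -> POSTED or REJECTED
    audit: List[Tuple[str, str]] = field(default_factory=list)


class MakerCheckerLedger:
    """Entries are posted only after approval by an authorised checker
    who is not the maker; each decision is appended to the audit trail."""

    def __init__(self, checkers: Set[str]) -> None:
        # Assumed to be fed from the HRMS role assignments (see slide 6).
        self.authorised_checkers = set(checkers)
        self.entries: Dict[str, Entry] = {}

    def make(self, entry_id: str, amount: float, maker: str) -> Entry:
        entry = Entry(entry_id, amount, maker)
        entry.audit.append(("MADE", maker))
        self.entries[entry_id] = entry
        return entry

    def check(self, entry_id: str, checker: str, approve: bool) -> str:
        entry = self.entries[entry_id]
        if entry.status != "PENDING":
            raise ValueError("entry already decided")
        if checker not in self.authorised_checkers:
            entry.audit.append(("DENIED_NOT_CHECKER", checker))
            raise PermissionError("user is not an authorised checker")
        if checker == entry.maker:           # segregation of duties
            entry.audit.append(("DENIED_SELF_APPROVAL", checker))
            raise PermissionError("maker cannot check own entry")
        entry.checker = checker
        entry.status = "POSTED" if approve else "REJECTED"
        entry.audit.append((entry.status, checker))
        return entry.status

    def day_book(self) -> List[str]:
        """Day-book check: entry ids still awaiting a checker's decision."""
        return [e.entry_id for e in self.entries.values() if e.status == "PENDING"]
```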
Slide 6: High Tech Controls
- Multi-layered approach: network, access control, database level.
- Strong encryption.
- Biometric authentication, digital signature.
- User provisioning, reprovisioning, deprovisioning, integration with HRMS.
- Alternate channels, 2FA, innovative solutions.
- Anti-virus solution.
- Internet gateway security.
- Security Operations Centre.
- Underpinning all initiatives: a comprehensive security policy.
Slide 7: Security Policies & Practices
- Enterprise-wide comprehensive security policy, standards & procedures approved by the Board.
- BS certification – BCMS policy.
- ISO certification.
- Integrated DR drills.
- BCP testing.
- Internal & external audits.
- Penetration testing, code testing.
- Ethical hacking.
Slide 8: Security Violations and Incident Reporting & Management
- An incident is any event that violates the security policy.
- Examples of security incidents: denial of service, external probes, unauthorised access to data.
- A security violation is any attempt to breach the security of applications, network and IT devices, whether or not it results in actual damage or financial loss.
- A nimble mechanism to respond to incidents.
Slide 9: Key Elements of Security Management
- Senior management commitment and support.
- Clear policies and procedures; policies should conform to applicable laws and regulations.
- Well laid-down policies and procedures for incident handling and response.
- Security awareness and training: all employees to be appropriately trained.
- Updates to policies should be circulated, using in-house publications or the Intranet.
- Regular security drills and simulated security incidents to be conducted.
- Reward employees who are vigilant and demonstrate a high order of security awareness.
- Regular monitoring and compliance audit of security systems.
- Customer education.
Slide 10: Role of Senior Management
- Ensure implementation of security controls for assets under their control.
- Promote a security culture.
- Facilitate user awareness training.
- Implement the personnel security policy in assigning roles and in dealing with security violations.
- People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.
Slide 11: Awareness of Security Policies
- Intranet portal with the latest information on information security.
- HRMS: answering a few IS-related questions.
- Observing Computer Security Day, with a message by the Chairman.
- E-learning courses, to be made mandatory for all employees periodically.
- Awareness campaigns through print & digital media.
Slide 12: Are Banks Losing Out on Services, Opportunities, Innovations and Flexibility?
- Most certainly not.
- Dynamic changes in IT result in continuous evolution of business processes.
- Evolution leads to innovation and new opportunities.
- E.g. alternate channels: an innovative way of doing business.
  - Opportunity: maximising reach.
  - Revenues: reduced cost per transaction.
  - Improved services: 24x7, online, new markets.
Slide 13: Strategy Adopted to Make Transactions User-Friendly to the Customer
- Incidentally, most security initiatives are transparent to customers.
- Usability of robust security deployment on the bank's systems.
- Implementing simple and layered security initiatives like OTP, biometric authentication, etc., making their use intuitive.
- Non-intrusive security measures, baselining user and usage profiles.
- Educating the customers: print & digital media, SMS campaigns, customer workshops, road shows, etc.
- Ultimately, a matter of improving customer confidence.
Slide 14: Challenges in Implementation of Such a Strategy
- Incident management and response to newer threats: total cycle time needs to be shortened.
- Reaching out to every customer to prevent security incidents / frauds.
- Information security is viewed as an IT responsibility and has been approached in accordance with the understanding of IT specialists.
- Paradigm shift: design of business-oriented information security, aligning information strategy to the business strategy.
Slide 15: Computers are NOT a substitute for our sixth sense, instinct or intuition!