Presentation is loading. Please wait.

Presentation is loading. Please wait.

A NASSCOM ® Initiative DSCI-KPMG Survey 2010 State Of Data Security and Privacy in the Indian Banking Industry Vinayak Godse Director- Data Protection,

Published byFranklin Byrd Modified over 8 years ago

Similar presentations

Presentation on theme: "A NASSCOM ® Initiative DSCI-KPMG Survey 2010 State Of Data Security and Privacy in the Indian Banking Industry Vinayak Godse Director- Data Protection,"— Presentation transcript:

1 A NASSCOM ® Initiative DSCI-KPMG Survey 2010 State Of Data Security and Privacy in the Indian Banking Industry Vinayak Godse Director- Data Protection, DSCI 19 th April, 2011

2 A NASSCOM ® Initiative State of Data Security and Privacy in the Banking Industry Coverage:PSU, Private and Foreign Banks Areas of Survey: Contemporary to Industry need |Current Challenges| Practices |Technology Trends |Compliance Expectations Objective of Survey: In-depth assessment of the area under coverage Insights into the state of security and privacy Understand characteristics and structure of the initiatives Evaluation of maturity of practices and approach Benchmarking with security and privacy trends Execution:Comprehensive questionnaire Industry consultation | Project Advisory Group | Interaction with Professionals Interview- Personal, Email and Telephonic

3 A NASSCOM ® Initiative Executive Director (ED) Chief Risk Officer (CRO) Chief Financial Officer (CFO) Chief Information Officer (CIO) / Chief Technology Officer (CTO) Chief Operating Officer (COO) Reporting to Top Management - 45% 9:30 Review security reports coming from different tools, solutions& operational groups 10:30 Participate in business strategy meetings for security implication of new initiatives 11:30 Interact with lines-of-business on their security requirements 12:00 Interact with IT teams for installation, admin & maintenance of security devices 12:30 Interact with support functions like HR, Finance and Admin for enforcing measures in their respective departments 14:00 Review state of security in Lines-of-business, their applications and systems 15:00 Oversee undergoing security projects 15:30 Review & approve change requests 16:00 Check for new issues, threats and vulnerabilities 17:00 Take review of operational teams 17:30 Issue guidelines to enterprise units on specific or general security measures CISO Role & Time Spent Operational Tactical Strategic Security Organization

4 A NASSCOM ® Initiative Security TasksCISOComplianceIT Security IT Infra Exter nal Security strategy plan Preparing security policies & procedures Implementation of the policies & procedures Defining & managing the security architecture Security solutions evaluation and procurement Install security solutions, products and tools Administration of security technologies- Application security testing, code review, etc Security monitoring Report, investigate and close security incidents Keep track of the evolving regulatory requirements Security Organization Task Distribution

5 A NASSCOM ® Initiative Maturity – Security and Privacy Practices Constant review to assess security posture in the wake of new threats & vulnerabilities Significant efforts are dedicated to ensure collaboration with external sources & internal functions Focus given to innovation in the security initiatives Security Solutions are provided with an architectural treatment Techniques such as threat modeling, threat tree, and principles such as embedding ‘security in design’ are proactively adopted 90 % 65% 60 % 40 % 35 % An understanding of different roles, entities (data subject, Controller, etc) PIA is performed for new initiatives & change Understanding about Privacy Principles and their applicability Technology, solutions and processes are deployed for privacy A dedicated policy initiative for privacy Processes reviewed regularly from privacy perspective Scope of audit charter is extended to include privacy Embedding privacy in the design 58 % 53% 47 % 43 % 32 % 26 % 16% SecurityPrivacy

6 A NASSCOM ® Initiative Customer notification for change in the policy The policy clearly spells the restriction in disclosure of the information to third party Users are given access to their information & provision to correct/update their data The links to the policy is available on all important user centric data forms Customer acceptance on privacy policy is taken before providing banking services. Limitation imposed for collection and usage of the PI 53 % 47% 37 % 26 % 11 % Providing demo for secure usage of banking services Real time security messages while executing transactions Publishing security messages on different communications channels Spreading awareness through public media Conducting dedicated customer awareness programs 53 % 47% 37 % 26 % 11 % SecurityPrivacy Customer Awareness

7 A NASSCOM ® Initiative Masking the card number (PAN ) in all user communication & transaction notification The scope of card security is extended to the designated merchants also Card expiry date is not printed and stored at the merchant side Storing the card data in logs files in encrypted form Encryption of stored authorization information 53 % 47% 40 % 27 % Involvement of process owners and lines of business is ensured in the data security initiatives For each of the partner/third-party relationships or processes, the awareness exists of how the data is managed in its life cycle Data classification techniques have been deployed and followed rigorously Uniformity of controls is maintained when data is moving in different environments A granular level visibility exists over the financial and sensitive data 80 % 75% 65 % 55 % 50 % Data Security Card Data Data & Card Security

8 A NASSCOM ® Initiative Transaction Security

9 A NASSCOM ® Initiative Security testing of application includes code review A mechanism to identify criticality of each application Application Security (AS) is derived out of well defined security architecture Lines of businesses are involved in AS initiatives AS is integrated with incident management Compliance requirements mapped to in scope applications Dedicated application security function exists Techniques such as Threat modeling & threat tree are adopted Developers community involved in AS initiatives AS is integral part of Application lifecycle management 65 % 60 % 55 % 40 % 35 % 15 % Enterprise tools to integrate security in application lifecycle Static Application Security Testing (SAST) Dynamic Application Security Testing (DAST) 30 % 25% 10 % Application Security Subscribing to Analysts reports Security research reports Mandating the vendors / third parties Security forums on the Internet Subscribing to vuln, exploits databases. 65 % 60% 50 % 40 % Application Security Program Tool Adoption Threat Tracking

10 A NASSCOM ® Initiative Inventory of all the possible scenarios that lead to incident and fraud Collaborate with CERT-IN Support forensic capabilities Integrated with organization IT processes for remedial actions Collaboration with external knowledge sources Scope has been extended to third parties Real time monitoring mechanisms exist that can proactively detect anomalies Mechanism that generate incident based on patterns and business rule exceptions Mechanism to define detective and investigative requirements 74 % 68 % 58 % 53 % 47 % Developing a strong forensic investigation capabilities Identify the personal information flow to the organization Revising organization’s security policy Identifying and making an inventory of scenarios Creating awareness amongst contractors/third-party employees Incident & Fraud Management Response to IT (Amendment) Act, 2008 50 % 35 % 20 % 15 % Incident, Fraud and Compliance

11 A NASSCOM ® Initiative Bench Marking

12 A NASSCOM ® Initiative Bench Marking Bank XYZ

13 A NASSCOM ® Initiative THANK YOU

Download ppt "A NASSCOM ® Initiative DSCI-KPMG Survey 2010 State Of Data Security and Privacy in the Indian Banking Industry Vinayak Godse Director- Data Protection,"

Similar presentations

Confidential & Proprietary to Cooper Compliance Corporation Revised September 8, 2014 AUDiT-READY TM.

Confidential & Proprietary to Cooper Compliance Corporation Revised September 8, 2014 AUDiT-READY TM.
Overview of Priorities and Activities: Shared Services Canada Presentation to the Information Technology Infrastructure Roundtable June 17, 2013 Liseanne.

Overview of Priorities and Activities: Shared Services Canada Presentation to the Information Technology Infrastructure Roundtable June 17, 2013 Liseanne.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
The Future of the IT Department Exploring the impact of Cloud on IT Roles and Responsibilities.

The Future of the IT Department Exploring the impact of Cloud on IT Roles and Responsibilities.
SL21 Information Security Board Mission, Goals and Guiding Principles.

SL21 Information Security Board Mission, Goals and Guiding Principles.
Security and Personnel

Security and Personnel
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Copyright 2004 Turning Point Solutions Establishing Lines Of Communication Before a Crisis.

Copyright 2004 Turning Point Solutions Establishing Lines Of Communication Before a Crisis.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
© 2012 McGladrey LLP. All Rights Reserved.© 2014 McGladrey LLP. All Rights Reserved. © 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All.

© 2012 McGladrey LLP. All Rights Reserved.© 2014 McGladrey LLP. All Rights Reserved. © 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All.
Affiliated Information Security Collaborative An Affiliated Enterprise Approach to Information Security Deans and Vice Presidents Meeting April 17, 2014.

Affiliated Information Security Collaborative An Affiliated Enterprise Approach to Information Security Deans and Vice Presidents Meeting April 17, 2014.
Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.

Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.
Network security policy: best practices

Network security policy: best practices
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
Information Technology Audit

Information Technology Audit
Peer Information Security Policies: A Sampling Summer 2015.

Peer Information Security Policies: A Sampling Summer 2015.

Similar presentations

Ads by Google