
Information Security

IBA-DSCI: 2nd Banking Security Conference 2011 Transacting within Boundaries of Security and Compliance Presentation by R.K. Saraf, Chief General Manager (IT), SBI 19 th April 2011. Information Security.


Presentation Transcript


  1. IBA-DSCI: 2nd Banking Security Conference 2011
     Transacting within Boundaries of Security and Compliance
     Presentation by R.K. Saraf, Chief General Manager (IT), SBI
     19th April 2011

  2. Information Security
     "The only true secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards."

  3. Operations Risk – Paradigm Shift
     • Banks have always dealt with operational risks and a compliance framework.
     • Post CBS, virtual banking and the multiplicity of touch points, the nature and impact of risks have changed.
     • High-impact security threats, timeframe, non-home transactions, new techniques, social engineering, customer expectations, market realities.
     • Asymmetrical risk-reward tangle.

  4. How Do We Ensure All Transactions Are Safe & Compliant?
     • Security cannot be achieved by technology alone; it is a core part of the culture.
     • 100 percent security? Appropriate security?
     • Threats – internal, external, customer facing.

  5. Dealing with Security Issues
     • Robust processes and compliance – first line of defence.
     • Maker-checker, Day Book checking.
     • Low-tech or no-tech controls.
     • Security awareness.
     • Social-psychological traits.
     • Old-school security practices.
     • Job rotation, segregation of duties, audit, need-to-know basis, whistle blowing, compulsory leave.

  6. High Tech Controls
     • Multi-layered approach – network, access control, database level.
     • Strong encryption.
     • Biometric authentication, digital signature.
     • User provisioning, reprovisioning, deprovisioning, integration with HRMS.
     • Alternate channels, 2FA, innovative solutions.
     • Anti-virus solution.
     • Internet gateway security.
     • Security Operations Centre.
     • Underpinning all initiatives – a comprehensive Security Policy.

  7. Security Policies & Practices
     • Enterprise-wide comprehensive security policy, standards & procedures approved by the Board.
     • BS 25999 certification – BCMS policy.
     • ISO 27001 certification.
     • Integrated DR drills.
     • BCP testing.
     • Internal & external audits.
     • Penetration testing, code testing.
     • Ethical hacking.

  8. Security Violations and Incident Reporting & Management
     • An incident is any event that violates the security policy.
     • Examples of security incidents:
       • Denial of service
       • External probes
       • Unauthorised access to data
     • A security violation is any attempt to breach the security of applications, network and IT devices, whether or not it results in actual damage or financial loss.
     • A nimble mechanism to respond to incidents.

  9. Key Elements of Security Management
     • Senior management commitment and support.
     • Clear policies and procedures.
     • Policies should conform to applicable laws and regulations.
     • Well laid-down policies and procedures for incident handling and response.
     • Security awareness and training.
     • All employees to be appropriately trained.
     • Updates to policies should be circulated – use of in-house publications or the Intranet.
     • Regular security drills and simulated security incidents to be conducted.
     • Reward employees who are vigilant and demonstrate security awareness of a high order.
     • Regular monitoring and compliance audit of security systems.
     • Customer education.

  10. Role of Senior Management
     • Ensure implementation of security controls for assets under their control.
     • Promote security culture.
     • Facilitate user awareness training.
     • Implement personnel security policy in assigning roles and in dealing with security violations.
     People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.

  11. Awareness of Security Policies
     • Intranet portal with the latest information on information security.
     • HRMS – answering a few IS-related questions.
     • Observing Computer Security Day – message by the Chairman.
     • E-learning courses – to be made mandatory for all employees periodically.
     • Awareness campaigns through print & digital media.

  12. Are banks losing out on services, opportunities, innovations and flexibility?
     • Most certainly not.
     • Dynamic changes in IT result in continuous evolution of business processes.
     • Evolution leads to innovation and new opportunities.
     • E.g. Alternate Channels:
       • An innovative way of doing business
       • Opportunity – maximising reach
       • Revenues – reduced cost per transaction
     • Improved services:
       • 24x7, online, new markets

  13. Strategy adopted to make transactions “user friendly” for the customer
     • Incidentally, most security initiatives are transparent to customers.
     • Usability of robust security deployments on the bank’s systems.
     • Implementing simple and layered security initiatives like OTP, biometric authentication, etc. – making their use intuitive.
     • Non-intrusive security measures, baselining user and usage profiles.
     • Educating the customers – print & digital media, SMS campaigns, customer workshops, road shows, etc.
     • Ultimately, a matter of improving customer confidence.

  14. Challenges in implementation of such a strategy
     • Incident management and response to newer threats – total cycle time needs to be shortened.
     • Reaching out to every customer to prevent security incidents / frauds.
     • Information security viewed as an IT responsibility.
     • Has been approached in accordance with the understanding of IT specialists.
     • Paradigm shift: design of business-oriented information security – aligning information strategy to the business strategy.

  15. Computers are NOT a substitute for our sixth sense, instinct or intuition!

  16. Thank You
