informationsecurityandriskmanagementforbanksinindia-090325090104-phpapp02
Post on 14-Apr-2018
8/2/2019 informationsecurityandriskmanagementforbanksinindia-090325090104-phpapp02
1/101
INFORMATION SECURITY RISK
MANAGEMENT IN BANKS
TABLE OF CONTENTS
SR.NO. CONTENTS PAGE (S)
DECLARATION i
LIST OF TABLES ii
LIST OF FIGURES iii
EXECUTIVE SUMMARY 1
1 CHAPTER:1 INTRODUCTION 3-11
1.1 Background 3
1.2 Purpose Of The Study 5
1.3 Importance Of The Study 6
1.4 Statement Of The Problem 9
1.5 Research Questions 9
1.6 Hypotheses 9
1.7 Research Methodology 10
1.8 Limitations 10
1.9 Overview of the Study 11
2 CHAPTER : 2 - LITERATURE REVIEW 12-46
2.1 History of Information Security and Risk Management 13
2.2 Scope of IS 14
2.3 How is IS applicable in Banks 15
2.4 The IS Scenario in India 37
2.5 Understanding Information Security (IS) 42
2.6 Spending Patterns (Technologically and Financially) 43
2.7 CTO / CIOs view point 45
2.8 Summary 47
3 Chapter : 3 METHODOLOGY 48-54
3.1 Introduction 48
3.2 Research Questions and Research Hypotheses 48-49
3.3 Data Collection / Collected 49
3.4 Location of the Data 52
3.5 Pilot Test 53
3.6 Method of Inquiry 54
3.7 Analysis performed on the data 55
3.8 Summary 55
4 Chapter : 4 ANALYSIS 56-73
4.1 Introduction 56
4.2 Key Findings 57
4.3 Detailed Survey Results 58
5 Chapter : 5 CONCLUSION 75-93
5.1 General Password Guidelines 84
5.2 Password Protection 86
5.3 Changing Passwords 87
5.4 Security Breach Examples 87
5.5 Bank Procedures 88
5.6 Downloading Software 88
5.7 Laptop Security 89
5.8 Fax Machines 89
5.9 Internet Security Concerns 90
5.10 Physical Security 90
5.11 Monitoring and Inspections 90
List of Figures
SR.NO. CONTENTS PAGE (S)
CHAPTER:1 INTRODUCTION
1.3 Figure No. 1 IS Risks 7
CHAPTER : 2 - LITERATURE REVIEW
2.2 Figure No. 2: Security Management process 14
2.3 Figure No. 3 Occupations of Computer Crime Defendants 23
2.3 Figure No. 4 Types of Computer Crimes 24
2.3 Figure No. 5 Average Computer Crime Losses 24
2.3 Figure No. 6 Victims of Computer Crimes 25
2.3 Figure No. 7 Computer Crime Cases in Courts 26
2.3 Figure No.8: TCO Analysis 31
2.6 Figure No. 9: IT Spending Patterns 43
Chapter : 3 METHODOLOGY
3.3 Figure No.10: Selection of Data Collection Method 50
Chapter : 4 ANALYSIS
4.3 Figure No.11:- Respondents based on the type of organisation 58
4.3 Figure No.12:- Respondents based on the location of the organisation 59
4.3 Figure No.13:- Respondents by Job Description 60
4.3 Figure No.14:- IT spending as a part of budget 61
4.3 Figure No.15:-Percentage of IS functions outsourced 63
4.3 Figure No.16:-Risk Mitigation Policies 64
4.3 Figure No.17:-Unauthorised access in the recent past 65
4.3 Figure No.18:-Security Technologies used 66
4.3 Figure No.19:-Security Audits 68
4.3 Figure No.19:- IS Awareness Training 69
4.3 Figure No.20:- Critical Issues 71
4.3 Figure No.21:- Responses based on the Age Groups 73
4.3 Figure No.22:- Respondents based on Income group. 74
Chapter : 5 CONCLUSION
5.1 Figure No.23:- Suspicious Activity Investigation Report 81
5.1 Figure No.23:- ATM / Debit card Fraud Claim Format 83
List of Tables
SR.NO. CONTENTS PAGE (S)
CHAPTER : 2 - LITERATURE REVIEW
2.3 Table No.1: Types of Attacks 16
2.7 Table No.2: Risk Mitigation Strategy 45
Executive Summary
The Environmental Challenges
Most organisations recognise the critical role that information technology (IT)
plays in supporting their business objectives. But today's highly connected IT
infrastructures exist in an environment that is increasingly hostile: attacks are being
mounted with increasing frequency and demand ever shorter reaction times. Often,
organisations are unable to react to new security threats before their business is impacted.
Managing the security of their infrastructures, and the business value that those
infrastructures deliver, has become a primary concern for IT departments.
Furthermore, new legislation that stems from privacy concerns, financial obligations, and
corporate governance is forcing organisations to manage their IT infrastructures more
closely and effectively than in the past. Many government agencies, and organisations that
do business with those agencies, are mandated by law to maintain a minimum level of
security oversight. Failure to proactively manage security may put executives and whole
organisations at risk through breaches of fiduciary and legal responsibilities.
A Better Way
The holistic roadmap to security risk management provides a proactive approach
that can assist organisations of all sizes with their response to the requirements presented
by these environmental and legal challenges. A formal security risk management process
enables enterprises to operate in the most cost-efficient manner with a known and
acceptable level of business risk. It also gives organisations a consistent, clear path to
organise and prioritise limited resources in order to manage risk. The benefits of
security risk management are realised when the cost-effective controls that lower
risk to an acceptable level are implemented.
The definition of acceptable risk, and the approach to managing risk, vary for every
organisation. There is no right or wrong answer; there are many risk management models
in use today. Each model has trade-offs that balance accuracy, resources, time,
complexity, and subjectivity. Investing in a risk management process, with a solid
framework and clearly defined roles and responsibilities, prepares the organisation to
articulate priorities, plan to mitigate threats, and address the next threat or vulnerability to
the business. Additionally, an effective risk management program will help the
organisation to make significant progress toward meeting new legislative requirements.
During a risk assessment process, qualitative steps identify the most important risks
quickly. A quantitative process based on carefully defined roles and responsibilities
follows next. Together, the qualitative and quantitative steps in the risk assessment
process provide the basis on which you can make solid decisions about risk and
mitigation, following an intelligent business process.
Critical Success Factors
There are many keys to the successful implementation of a security risk management
program throughout an organisation.
First, security risk management will fail without executive support and
commitment. When security risk management is led from the top, organisations can
articulate security in terms of value to the business. Next, a clear definition of roles and
responsibilities is fundamental to success. The Information Security Group is responsible
for identifying the probability that a risk will occur, taking current and proposed controls
into account. The Information Technology group is responsible for implementing the
controls that the Security Steering Committee has selected when the probability of an
exploit presents an unacceptable risk.
Investing in a security risk management program, with a solid, achievable
process and defined roles and responsibilities, prepares an organisation to
articulate priorities, plan to mitigate threats, and address critical business threats
and vulnerabilities.
CHAPTER 1
INTRODUCTION
1.1 Background
Information is an asset that, like other important business assets, is essential to an
organisation's business and therefore needs to be kept current and suitably
protected. Since most businesses, now and in the recent past, are electronically
connected through networks, IS and its management play a major role. As a result
of this existing and ever-increasing interconnectivity, information is now exposed
to a growing number and a wide variety of threats and vulnerabilities.
Businesses are vulnerable to various kinds of information risk, inflicting
varied damage and resulting in significant losses. This damage can range from
errors harming database integrity to fires destroying entire computer centres or
facilities. To control IS risks, management needs to anticipate and be aware of
the potential threats, risks and resultant losses, and accordingly deploy the necessary
controls across the environment.
IS is the protection of information from a wide range of threats in order to
ensure business continuity, minimise business risk, and maximise the return on
investment (ROI) and thereby extend the business opportunities.
"Security is like oxygen; when you have it, you take it for granted,
but when you don't, getting it becomes the immediate and pressing priority."
----- Joseph Nye, Harvard University.
An IS risk can be defined as any activity or event which threatens the
achievement of identified business objectives by compromising the
confidentiality, integrity or availability of the business information.[1]
With the advent of the Internet era, it is essential for organisations to observe,
review and analyse their electronic systems, so that any malicious activity which
occurs can be anticipated. Keeping this in mind, IS Risk Management in large
corporations such as banks is essential, since they rely on Information Technology
(IT) and IT systems for the processing, storage and transmission of company and
customer data. As a consequence, in the event of an IT system failure, whether
caused by a malicious act or by a technical fault leading to system failure or
information loss, it would not be feasible to fall back on manual processing as an
alternative. There are also a number of security issues surrounding IS: for example,
the increased mobility of banks has resulted in remote access over wireless links
and through the Internet, so access to a bank's information assets is no longer
limited to its internal employees working from a fixed, known location or
environment. The computers and hardware may be valued in thousands of dollars;
however, the information they contain as data could be worth far more.
There's probably not a business owner out there who doesn't make sure
with some regularity that the locks intended to keep intruders off the premises are
doing their job. But owners of small and medium-size businesses tend to be much
less vigilant when it comes to IS management, even though the potential risks
of an IS breach can be far more staggering than those posed by a burglar.
Destructive viruses, worms and hackers don't discriminate by the size of an
organisation. Data loss, lost productivity, decreased profits, opportunity costs,
privacy concerns and corporate liability are some of the areas where companies
are vulnerable. Publicly held companies have an additional accountability for the
integrity of their financial reporting data and systems under laws such as
the Sarbanes-Oxley Act.
1.2 Purpose of the Study
IS is a continual imperative for banks, as vulnerabilities in IS / information
availability are continuously being exploited in new ways. The security of new
technologies and channels, for example e-commerce, online banking and debit cards,
needs particular focus. This becomes even more essential in the light of the increase
in fraud-related losses in these areas, alongside the risks of existing technologies
and manual transaction processing.
Banks have always been, and remain, one of the most important targets for hackers,
crackers and cyber criminals, as an IS breach may lead to substantial losses. These
losses may lead to a downfall of the banking industry and thus have an impact on
the economy.
The actual losses on account of IS issues are difficult to estimate. However, the 639
companies that responded to the 2005 CSI/FBI Computer Crime and Security
Survey reported total losses of $130 million, with viruses, unauthorised access
and theft of proprietary information accounting for 80% of it. Given the risks, IS
should be a top priority of any organisation and not just of its IT department.
That is where a formal IS Management Program comes in.
1.3 Importance of the Study
It is important to recognise that all organisations accept some level of risk.
Risk is, after all, a trade-off between the amount of money you wish to spend on
counter-measures and the perceived level of threat and vulnerability, in order to
protect the estimated value of your assets. The important thing is that risk is
identified, and either a) mitigated, b) transferred, c) insured, or d) clearly
documented as a risk acceptance.
Figure No. 1 IS Risks
Security risk is also heavily influenced by time. For example, if a new
virus is released for which no patch is available, then the rate of infection is
critical. All organisations are subject to security threats, as these expose their
vulnerabilities. This exposure increases significantly with factors such as their need to
do business over the Internet, the profile of the organisation, and the value of their
assets. High-profile corporations are under constant threat because of the possible
infamy associated with security breaches.
Some of the key threats to organisations include:
Viruses, Trojans and Worms
Phishing
Pharming
Email SPAM
Web Site Defacements
Denial of Service Attacks (DoS)
Spoofing
Identity theft
War walking, War driving, etc. (Wireless Network Threats)
Theft of information (e.g. credit card details, source code, biotechnology
secrets), etc.
Hence, this study may prove important and extremely significant, as it
would provide better insights for keeping security personnel up to date. This
would enable them to handle any kind of security issue at any given
point of time.
1.4 Statement of the Problem
Based on the problem definition, the objectives of the research will be:
To identify and examine the current IS landscape prevailing in various
Banks.
To identify the information risks and security concerns threatening the
Banks.
To determine the loss of revenue because of information loss due to
various reasons such as virus attacks, unauthorised access, theft, pilferage,
security breach, or calamity / disaster.
To determine the cost of the IRSMS implementation.
1.5 Research Questions
The research will address questions such as:
What are the information risks and security threats involved in the Banks?
What benefits will be derived by implementing these systems in the
existing scenario?
What should be the ideal characteristics of the IRSMS?
What functions in security and risk management must be accomplished by
an IRSMS to support Banks?
What would be the Total Cost of Ownership (TCO) for the institution?
1.6 Hypotheses
The security policies in the same organisation (Bank) may differ based on
the geographic location.
Many Banks prefer accepting the security risk rather than mitigating,
transferring or avoiding it.
IRSMS policies show wide variations across all types of financial
institutions (here the type of bank would be considered, i.e. Apex / Public
Sector Commercial / Private Commercial / Co-operative / Foreign bank.)
1.7 Research Methodology
The method of inquiry involved both primary and secondary data
collection. A questionnaire was prepared taking into account the need for both
qualitative and quantitative analysis. Primary data were collected by
inviting responses to the questionnaire from IS Officers / IT
officers, Certified Information Systems Auditors, Certified Information Systems
Managers, Compliance officers, etc., with a minimum of 1-3 years of experience
in the IS Risk Management field. Secondary data were gathered from various
published sources, authentic journals, past research papers, newspapers,
magazines and articles.
1.8 Limitations
The findings are based entirely upon research conducted in India and
hence may not be applicable to other countries of the world on account of
technological diversity and contextual forces.
This kind of research needs to be done periodically to gauge the
authenticity of the security risk management program designed in an
organisation such as a bank, owing to constantly changing technology and
its vulnerabilities.
To test the hypothesis "The security policies in the same organisation
(Bank) may differ based on the geographic location", the research may
not have considered several banks of similar type. It may be limited to the
same bank at different locations.
The research may not be able to provide exact financial figures or the
financial impact of the occurrence of IS threats and the risk that follows,
because of the reputation risk involved. The respondents might not provide
complete or authentic information regarding the questions posed in the survey,
or might provide only partial answers.
1.9 Overview of the Paper
An introduction to the research topic, IS Risk Management, is provided in
Chapter 1. The introduction focuses on aspects such as:
Background of the Research Study,
Purpose and Importance of the Study,
Problem Statement,
Research Questions with Certain Assumptions,
Research Methodology.
It also throws light on the limitations of the study.
In the Literature Review, the research takes a close look at
similar incidents in the past and the present amongst various banks across the
country and the globe. The basic intention of this academic report is to spread
awareness regarding IS threats and the risk which follows them. The researcher
has tried to collect several examples from within the country and across the globe
which are on similar lines.
Chapter 3 is dedicated to the methodology of the research. It points to
the sources of the data and information collected through surveys,
questionnaires, personal interviews, authentic articles on the web, magazines, etc.
This chapter re-visits the research questions, research hypotheses, etc. mentioned
in Chapter 1. It also highlights the method of inquiry and the method of
analysis applied once the data is collected.
Chapter 4 illustrates the analysis performed on the data to obtain the
desired results. The analysis also throws more light on the key findings which I
came across while performing the analysis.
Chapter 5 provides the overall findings and the conclusions based on the
survey, the analysis and also the management perspective. This chapter also
mentions what needs to be done in order to prevent IS threats from recurring
and the steps taken to prevent them. In fact, these steps need to be incorporated in
the initial procedures of both personnel management and sourcing and change
management decisions. The bottom line is that prevention is always better than
cure.
CHAPTER 2
LITERATURE REVIEW
Introduction
This chapter provides further insight into the traditional definition of
IS and Risk Management, along with its historical background. It also sheds light
on the phase shift which has occurred in the field of IT. The
chapter also defines the scope of Information Systems and IS.
The literature review shows how IS and Risk Management is applicable to
banks. Why is it essential to take responsibility and subdue the threats causing
financial losses to the business sector as well as to the national and world
economies? In order to achieve this it becomes even more important to
understand what kinds of attacks are possible and the manner in which they
should be dealt with. Owing to its limited scope, this academic
research is unable to cover all the threats or mention the remedies for
them. Even so, a wide range of threats is described below with some
actual facts.
The literature review also attempts to focus on the computer frauds that
have occurred and their repercussions. It also points out why computer
crimes are difficult to prove in a court of law. The types of computer crimes, their
impacts or effects and their victims are explained in the review. The review also
focuses on drawing the reader's attention towards an understanding of IS at
length. The focus area for all organisations, including banks, is the IT
spending pattern, which is also considered and explained in the review.
2.1 History of IS and Risk Management
IS Management: A Concept
IS Management is the process used to identify and understand risks
to the Confidentiality, Integrity, and Availability of Information and
Information Systems.
Phase Shift of IS
The role of IS has changed during the past few years. The
traditional definition, protecting networks and the data centres, has
undergone a shift in focus towards enabling the business,
with security solutions actually moving the business forward or even to
the next step. Security is now a way of life and a must-do for businesses in
order to survive. Hence, it has become obvious that wherever the
information goes, security follows.
No longer can IS be an afterthought. An increased need for
efficiency and productivity, reducing costs, reaching multiple markets and
faster time-to-market are a few of the business benefits which are driving
organisations to make IS a part of the organisational DNA.
2.2 Scope of IS
IS Management defines the controls we must implement to ensure
we sensibly manage computer-related risk.[3]
Figure No. 2: Security Management process
IS is the protection of information from a wide range of threats in
order to ensure business continuity, minimise business risk, and maximise
return on investments and business opportunities.
Source: Deloitte Touche Tohmatsu
Not just technology, but people and processes too: defence in depth.
An ongoing, continuous activity: you don't just do security as a one-off
event.
A basic IS model should encompass Confidentiality, Integrity and
Availability; however, there are also additions such as Accountability and
Auditability.[2]
In other words, the objective and focus of IS Management is
to protect and manage the information assets.
2.3 How is IS Applicable to Banks?
"IS is definitely a journey, not a destination; there are always new challenges
to meet."
-- Chief IS officer at a major financial services corporation
Banking institutions have become critical centres of gravity. A collapse
in a banking institution can lead to collapse in the banking sector and cause a
huge setback to the economy of the nation, which would also concern the world at large.
This makes them attractive targets for potential adversaries.
Potential adversaries could be either malicious or non-malicious. Among the
malicious adversaries would be hackers (including phreakers, crackers, trashers
and pirates), terrorists / cyber terrorists, organised crime, other criminal elements,
competitors and disgruntled employees. On the other hand, careless or poorly
trained employees would be non-malicious adversaries who, through lack
of training, lack of concern, or lack of attentiveness, pose a threat to the
information systems.
Adversaries would employ attack techniques that could be classified as
passive, active, insider, close-in or distribution attacks. Some of these are explained
below. Passive attacks involve passive monitoring of communications sent over
public media and include monitoring plaintext, decrypting weakly encrypted
traffic, password sniffing and traffic analysis.
Active attacks would include attempts to:
Serial No. Type of attack
1 Circumvent or break security features
2 Introduce malicious code (such as computer viruses, trojans or worms)
3 Subvert data or system integrity
4 Modify data in transit
5 Replay (insertion of data)
6 Hijack sessions
7 Masquerade as an authorised user
8 Exploit vulnerabilities in software that runs with system privileges
9 Exploit network trust
10 Launch denial of service
Table No. 1: Types of Attacks
In close-in attacks an unauthorised individual gains close physical
proximity to the networks, systems, or facilities for the purpose of modifying,
gathering, or denying access to information. Gaining such proximity is
accomplished through surreptitious entry, open access, or both. Close-in attacks
include modification of data, information gathering, system tampering, and
physical destruction of the local system. A person who is either authorised to
be within the physical boundaries of the IS processing system or has direct access
to the IS processing system can be responsible for insider attacks. Insider
attacks are usually difficult to detect and to defend against.
Distribution attacks maliciously modify hardware or software between
the time of its production by a developer and its installation, or while it is in
transit from one site to another.
The risks of serious IS failures are all around us. Breaches such as those by teenage
hackers, and e-mail viruses, which were once a nuisance only for information
technology professionals, now pose a significant risk for executives and can
threaten intellectual property and brand equity. Each new lapse in security,
highlighted by glaring media coverage, amplifies consumer awareness and
concern.
The disclosure by MasterCard that 40 million of its credit and debit card
account details had been exposed is yet another indication of the scale
of the problem. Certainly, the growing fear of identity theft is a matter of
concern for executives in industries that interact directly with consumers. A recent
survey conducted in conjunction with the Merchant Risk Council, in the US,
revealed that over 90 per cent of retailers agreed that consumers make purchasing
or transaction decisions based on their trust in the company's ability to secure
their data. Also, almost 90 per cent felt that IS is or will become a point of
competition in the retail sector. IS is not just an issue for retailers and banks; all
companies face new risks, ranging from industrial espionage to sabotage.
Compounding these concerns, compliance fears generated by Sarbanes-Oxley
and the forthcoming Basel II accord have fostered an environment of risk aversion
inside many organisations. Of course, there are plenty of risks to fear. The process
of opening companies to the Internet has exposed a multitude of software
vulnerabilities, especially as many older systems were not developed with this
kind of security in mind. Building stronger walls around enterprise systems can help to
keep out some unwanted visitors, but those clever invaders or disloyal insiders
who find their way into the fortress discover a treasure trove of information once
they have gained access.
To make matters worse, many risks lie deeply hidden within the extended enterprise. While most large companies have taken significant actions to beef up their own internal security, their smaller partners often harbour risks that expose the entire enterprise. Every day, business partners take unseen risks and, when partners experience security failures, the impact is just as devastating. In the case of MasterCard, the loss arose out of a security breach at CardSystems Solutions, a small, private payment processor with only about 100 employees. CardSystems quickly felt the pain of the mistake as both Visa and American Express promptly withdrew their business, pushing CardSystems into a financial crisis. Yet the fact that the problem was not within Visa or MasterCard made little difference to consumers, who rightly saw the problem as the responsibility of the credit card companies.
The escalation of security breaches and the painful surprise many executives feel when a failure occurs in their business have brewed a culture of fear within many organisations. Vendors within the security industry have quickly capitalised on this fear, along with the confusion around new compliance measures such as Sarbanes-Oxley. But before tossing money at a cure in the hope that it will eliminate these new risks, managers should first work to incorporate information risk into an overall enterprise risk management strategy. Like any other risk within the company, security risks must be identified and balanced against the benefits and costs of mitigation. Unfortunately, in contrast to many other business risks, the discussion about IS risk has focused solely on the negative experiences. Of course, no one likes a bad outcome. A hurricane, like a security failure that exposes sensitive customer information, results in damage and cost. However, in other areas of business, risk is associated with return: higher risks yield higher returns. This is also true for IS risk. IT risks are often assumed to arise from sloppiness or corner-cutting, such as the failure to follow best software development practice or to test and audit new systems. In some instances, this notion is true. However, many IT risks occur within the context of a larger business strategy with associated rewards.
For example:
Working with a small innovative start-up company whose promising software solution could generate significant returns, but could also harbour the associated risk of the small company's IT environment;
Starting or acquiring operations in low-cost countries where the infrastructure is less secure;
Outsourcing business processes to suppliers with lower-cost structures but unknown or hard-to-monitor security practices;
Exposing internal business data to customers and partners to help with the creation of new services or reduce operating costs.
All of these create security risk, even with the best practices. Becoming aware of the risks is just the first step in building an effective management strategy. In our survey of retailers, over 85 per cent said that the level of IS offered by their suppliers was important to them. Yet we find that companies in each industry are struggling to develop effective ways to measure and manage security risks across their extended enterprise.
A simple way to reduce security risk is to limit business innovation to
avoid partnering, pull systems offline and lock down the fort. This is a serious
mistake. Instead, risk should be balanced with reward. Embedding IT risk into
your overall enterprise risk management strategy implies establishing a risk
posture that does not seek to eliminate security risk, but rather manages it. The
key is first to understand the vulnerabilities, threats and consequences.
Vulnerabilities are areas that can be exploited by malicious individuals or
organisations.
Examples could include poorly maintained software (such as failing to patch known security holes), poor security practices (such as inadequate password and identity management), or the exposure to the internet of older systems whose security is unknown. Given these vulnerabilities, what are the threats? Are there outsiders who are motivated and capable of exploiting the vulnerability? Or are there insiders who may be tempted to steal intellectual property? Finally, if security were breached, what would the consequences be? Would they be observed primarily internally, or would they impact external groups, such as customers or business partners?
Internal failures, like viruses, generate real operational costs for the IT department but rarely put the company into a catastrophic tailspin. On the other hand, external failures, such as a breach of customer information, can be much more painful, warranting far greater attention. To manage risk in the most effective way possible, companies should include IS in the broader perspective of business risk management, where the board of directors governs the company's overall risk posture. This same perspective must also be applied to business partners. For many companies, measuring supplier risk will require new tools for supplier security qualification. Like the tools used to assess a supplier's product quality, supply chain reliability or long-term financial viability, suppliers should be qualified using a technical assessment of security and an assessment of the supplier's information risk management practices. The risks of working with a new partner can then be balanced against the benefit that the partner delivers.
Most importantly, managing information risk is everyone's responsibility, not simply the job of IT executives. Rather than viewing IT executives as security guards, technology-savvy executives, from corporate directors to line managers, should act as consultants to the entire organisation. CIOs with strong business and technical skills are uniquely qualified to help educate the organisation and chart a course to bring IT risk into the overall risk management strategy. Bringing IT into the enterprise risk management strategy will not only protect against catastrophic operational surprises, but will empower managers to seize the exciting opportunities before them.
Computers have been in existence in European and American countries for a long time. Consequently, frauds associated with the computer environment have also been in existence for a long time. The American Institute of Certified Public Accountants (AICPA) was commissioned to conduct a study of EDP-related frauds in the banking and insurance sectors. The study, Report on the Study of EDP-Related Fraud in the Banking and Insurance Industries, revealed many shocking findings, the more significant of which are:
In some cases, fraud occurred during the normal transaction processing cycle;
Many took advantage of weaknesses in the system of internal controls;
Most frauds were in the input area;
Input was either unauthorised or proper input was manipulated;
File maintenance was a common method;
Manipulation involved extending due dates on loans or changing names and addresses;
Losses from reported cases worked out to several million US dollars;
In all cases, perpetrators were employees.
Dawn P. Parker, Senior Management Systems Consultant and Researcher on computer crime and security, in a report for the National Institute of Justice, US Department of Justice, identified 17 crime techniques, the more significant of which are:
Eavesdropping or Spying: This involves wire-tapping and monitoring radio frequency emissions.
Scanning: Scanning presents sequentially changing information to an automated system to identify those items that receive a positive response, such as telephone numbers, user IDs, passwords and credit cards.
Masquerading: In this, the perpetrator assumes the identity of an authorised computer user.
Piggybacking: This can occur when the user signs off or a session terminates improperly. The terminal is left in an active state, or in a state where it is assumed that the user is still active.
Data Diddling: It involves changing data before or during their input into the computer.
Trojan horse: It is a covert placement or alteration of computer instructions or data in a program so that the computer performs unauthorised functions. It is the primary method for inserting abusive acts, as in salami techniques.
Logic Bomb: It is an unauthorised set of program instructions inserted into a regular program such that an unauthorised or malicious act is perpetrated at a predetermined time.
Data Leakage: It involves the removal of data from a computer system or facility.
The National Center for Computer Crime Data, a Los Angeles-based
research organisation, has been providing information on computer
crimes.
The statistics relate to:
Average computer crime losses;
Victims of the computer crimes;
Occupations of the computer crime defendants;
Types of computer crime;
Computer crime cases in courts.
Figure No. 3 Occupations of Computer Crime Defendants (bar chart of number of cases by source of crime: Employees (acc. to comp.), Students, Unemployed or Criminals, Computer Professionals, Law Enforcers, Accomplices, Ex-employees of Victims, Miscellaneous)
Figure No. 4 Types of Computer Crimes (chart of crime types: extortion, theft of services, theft of money, damage to hardware, alteration of data, harassment, theft of information, damage to software)
It was seen that computer crime losses were very high, with theft of
services and money contributing the maximum. Commercial users topped the list
of computer crime victims.
Figure No. 5 Average Computer Crime Losses (bar chart, in US dollars, for theft of money, theft of program / data and damage to system / data; values shown: $10,517, $55,166 and $93,600)
Figure No. 6 Victims of Computer Crimes (bar chart of percentage of cases by victim: Miscellaneous, Universities, Banks, Individuals, Government, Telecommunications, Commercial users)
Technology improvements provide greater sophistication for users.
However, they also create significant security and control concerns. It is also of
great concern that a computer criminal is less likely to be caught than a bank
robber. Parker conducted two studies on general and computer bank frauds and
embezzlement respectively in 1976. The two studies revealed that average losses
from computer bank frauds and embezzlement were approximately six times
higher than those from general bank frauds.
Computer crimes in India
In India, although computers made an entry much later, we are catching up
fast in the area of computer frauds, too. However, most of the crimes do not
get reported as the organisations are hesitant to file a report as it might affect
their credibility.
Figure No. 7 Computer Crime Cases in Courts (pie chart: pleaded guilty 76%, found guilty 8%, found not guilty 16%)
A few of the reported cases in the press are mentioned below.
The Hindu, on March 7, 1996, carried a report, Quantum jump in the number of bank frauds, according to which Mr. R. Janakiraman, former deputy governor, Reserve Bank of India, while addressing a session on frauds in banks and other financial institutions (prevention and detection) organised by the Institute of Criminological Research, Education and Services (ICRES), observed that frauds committed by bank employees in collusion with outsiders accounted for the largest number of frauds, rather than those committed single-handedly either by bank employees or by outsiders.
India Today, in its February 28, 1999 issue, carried a report, High-tech frauds: Thieving with technology.
The Economic Times report, Banks feel techno-crime byte, dated December 19, 1996, mentioned how Sanjay Subharwal and his accomplice cracked the Automatic Teller Machine (ATM) code of his sister-in-law's account after 99 attempts and siphoned off Rs. 1.52 lakh.
The Economic Times dated January 12, 1997 stated: The days of Nagarwallas using VVIP names to withdraw millions from a bank are old hat.
India Today, in one of its issues, in a report titled Hacking New Frontiers, wrote: R. Srinivasan's employers, a stock broking firm in Chennai, were very happy with him and his proficiency in their new computers. He brought in new clients and increased the volume of shares traded. But the company was losing heavily on share transactions. A few months later, the managers found out why: Srinivasan's clients were no more than electronic entities, existing only on the pathways of their computers. Losses: Rs. 50 lakh.
Giving another example, the report says: No one knew when account no. 20456 became active. The Bank of India's computer at Mumbai's Mulund branch only recorded that its owner Ganesh Rao had drawn Rs. 76,700 since February. So when Rao was overdrawing on April 3, they took a second look at him. Before them was Sanjay Rajbhar, a computer professional who ran a network controlling accounts. In a bank that still maintains huge, yellowing ledgers, Rajbhar had found a defunct account and resurrected it with a few key-strokes.
Technology is a strategic resource available at a cost albeit with an altered
risk-benefit matrix.
--- Ashok Bhattacharya
General Manager Technology, State Bank of Mysore.
Technology has become the backbone of human civilisation. Technology, its concepts, gadgets and formulations are matters of common use, spanning the drawing rooms of our residences, the board rooms of corporates and the halls of deliberation at the United Nations (UN). Though technology and its applications have remained the subject of debate from time to time, the contributions of technology in the fields of business, health, education, entertainment, information and communication and, of course, banking are growing day by day. For most of us, it is no longer a question of whether to use technology or not; it is more a question of how to exercise our options in using technology. Which, when and what-if are some of the major questions that banks and the financial services industry have to consider in rolling out technology, maintaining it and upgrading it. Indeed, strategic use of IT is the vital part of business intelligence that banks are relying upon for growth and viability in facing the competition, and this reliance will be sharpened in the days to come in order to handle Customer Relationship Management (CRM) issues effectively.
Public Sector Banks (PSBs), which have large portfolios in terms of business and employment, are in various stages of migrating to new systems. As a matter of fact, this new strategic system may generally be identified with Core Banking aided by ATM networks and other e-processes. Some of the important features of such migration / upgradation are:
From distributed / stand-alone banking to core banking / anywhere banking.
Alternative delivery channels like ATMs, Internet Banking, Credit Cards, Smart Cards and Kiosks.
Cross-selling products like insurance, money market and other financial products.
Use of multimedia, online help and assistance.
Electronic Fund Transfers (EFT).
Digitisation of data, online encryption and straight-through processing.
Business Continuity and Risk Mitigation, including KYC (Know Your Customer) and AML (Anti-Money Laundering) implementation.
Online trading, settlement, treasury, domestic and cross-border transactions.
Data Warehousing, MIS and Business Intelligence Decision Support Systems.
Intra-bank email systems, which incidentally revolutionised banks' internal communications, introducing an online knowledge repository, training / applicable instructions / job cards, etc.
Considering that technology is a risk multiplier both in operations and business, properly manned systems and a sophisticated disaster recovery process are put in place.
This quantum jump in technology envelops the whole organisational entity, its activities, interfaces and all stakeholders. For a large organisation like a PSB, on the backdrop of which the present article is based, having about 650 retail branches, business transactions exceeding Rs. 30,000 cr. and providing direct employment to about 10,000 persons, automation decisions are size-oriented. The size of operations has a critical bearing on the choice, cost and consequences of IT projects.
The general method adopted by PSBs is to make a preliminary survey of actual functional systems in various other banks, appoint consultants, arrive at the desired specifications of the system to be procured and then go for tendering for suitable software / hardware and related services. All PSBs follow the Central Vigilance Commission's (CVC) guidelines in selecting the final vendor for software, hardware, accessories and maintenance thereof. It may be mentioned here that a precise cost-benefit analysis may not always be feasible, as technological upgradation, new technology, etc. are mostly required to remain in the market and / or to retain market share.
Notwithstanding the same, while selecting technology and finalising the roll-out plan, PSBs do take care of the following factors:
New technology will bring in new risks and, accordingly, the cost, benefit and risks of the new technology need to be considered and optimised for maximum productivity.
The life of the technology is also becoming shorter and shorter. For this reason banks / financial institutions also need to be ready with resources and to plough back revenue enhancements so that systems can be replaced before they become totally obsolete.
The agreements to purchase / hire services and the service level agreements must each be legally sound as well as technologically feasible, so that buyers can use the system as required by them and vendor failures are avoided.
At this stage, banks / financial institutions may also finalise the process of User Acceptance Testing (UAT) that they would like to follow before commercial roll-out of the system at the branches / offices. This is very important and must be developed with a professional approach, as otherwise banks will suffer avoidable pangs and costs of customisation in high-risk situations. If the system purchased is on a turnkey basis, then the confidence level of such UAT should be very high.
It would also be pragmatic for the bank to prepare an action plan for converting fixed costs to take full advantage of the new technology / upgradation. Suitable steps must be taken to remove roadblocks which prevent such conversion / replacement.
Based on the above components, below are the schematic triangles of
concerns that bankers / financial institutions would do well to keep in mind while
selecting / rolling out expensive and all encompassing technologies.
Figure No. 8: TCO Analysis
No doubt, the implementation of a new system, say Core Banking Solutions (CBS), that is now being set up in most of the banks will enhance banking services in a visible manner. The customers of a branch now become the customers of the whole bank. Speed and accuracy of transaction processing, money transfers, remittances and local and national clearing all get enhanced, enabling the bank to handle more transactions with the cost per transaction coming down to a great extent. Thus, CBS coupled with an ATM network, Internet Banking and Real Time Gross Settlement (RTGS) gives the customer the facility of doing business with the bank round the clock without visiting the bank's branch. Internet Banking is very popular with young clientele as utility payments, travel arrangements, bill payments and even purchase of cinema tickets can be done sitting at home or in the office.
As RTGS has also been enabled in many commercial bank branches, the reach of the Electronic Funds Transfer System (EFTS) now stands highly enhanced. It is clearly visible that technology is a strategic resource available at a cost, albeit with an altered risk-benefit matrix. As a matter of fact, every upgradation of technology may become a risk multiplier if appropriate risk mitigation steps have not been embedded in the system and provided in the handling procedure itself. One of the risk areas is outsourcing, in which, out of consideration of core competency and costs, outsourcing of all technological inputs, including hiring of hardware, software and skilled personnel, is resorted to. Business Process Outsourcing (BPO) has become a mantra in most private enterprises, which have high adaptability to new technologies. Even there, appropriate levels of agreement are reached and roadblocks set up to prevent control of the business passing from the hands of management to the hands of the BPO.
In commercial banks, outsourcing is mainly done to obtain assistance wherever they lack the core competency to handle highly technical jobs, including troubleshooting of IT systems. Here also, many banks have tried to use in-house people to maintain their systems, but this mostly resulted in a legacy of problems, creating handicaps for the bank in moving speedily to new technology platforms. Outsourcing of technological services, at least to launch an IT project, is quite common in today's banking industry. Banks have been asked by regulators to finalise an outsourcing policy so that the risks of outsourcing critical basic applications are managed properly.
Further, the salary structures of PSBs also do not permit employment of highly qualified experts in the area of technology. Recently, SBI and TCS have joined hands to float a separate company, which presumably will not have such salary and perquisite constraints and would, therefore, be able to retain technical experts for a reasonable time. It may also be noted that new technologies invariably give rise to new opportunities, which can be harnessed under the general expression of Business Process Re-engineering (BPR). The CBS, which operates on a centralised data and information reservoir, has the ability to convert a branch customer into a bank customer and, thereby, make it possible to consolidate many hitherto distributed banking activities into centralised activity. Banks are coming up with outlets, Centralised Processing Units (CPUs), where all loan processing, renewal and documentation for all branches are done, leaving branches free for marketing and the business of cross-selling. Banks that have rolled out CBS find a grand by-product opportunity to take such B2C initiatives, which have vastly improved credit appraisal, disbursement, documentation, deposit mobilisation, and cheque and customer instruction processing.
As an example, it may be elaborated that, previously, all cheques in clearing would come to the branches for verification of signature, balances and payment thereof. But now, service branches have all this information on the screen itself and cheques need not travel to the branches, thus saving time and ensuring quality. This new technology or new system is highly successful when it meets the following criteria:
Increase in revenue / volume of business.
Reduction of cost of operations.
Reduction in delivery time for most B2C transactions.
Improving general customer service and loyalty of customers.
Most of the banks and financial institutions, and even insurance companies, that are using a high level of IT are endeavouring to measure the success of their investment decisions by the actual movement of the above factors. The beneficial impact of modern-day technology has ushered in a new era in services available to bank customers. Some such features are: transacting from any branch; specialised collections, remittances and fund transfers; 24 / 7 banking through ATMs and Internet banking; automated payments; Automated Standing Instructions (ASIs); using banks' Web portals for latest rates, new products and terms; submission of stock and other statements for loan account customers; and, with the RTGS facility, funds transfer to accounts with other banks has also become possible.
While technology (to be more precise, information and Internet technology) has brought in metamorphic changes in the area of banking and financial services, problems do persist in various areas: some are new, some also suffer from aggregation of risk owing to change in technology. Having rolled out CBS, the latest in banking technology, in 100% of our branches along with a network of ATMs, Internet Banking, RTGS, etc., we find many problems which, if handled either before installation or immediately on roll-out, would strengthen the bank's delivery, customer satisfaction and bottom line. Some such problem areas are as under:
Biometric Access Control
In spite of decades of history of full computerisation in banks, even under CBS, most banks' internal access control is based on individual ID and password. Abuse of this system in a large organisation is well known and difficult to combat; thus, the system needs to be replaced by a biometric system. Preferably, the ID of an individual employee of the bank should be replaced by his / her fingerprints. It would then be easier to track and eliminate all possible abuses or mistakes.
UAT
We have mentioned the importance of UAT earlier. It is reiterated that, though PSBs know their inputs and the required outputs fully well, data for comprehensively testing new systems are not generally available. Banks depend on the vendor's expertise in these matters and generally mistakes are rectified through trial and error. In this context, auditability of systems assumes considerable importance.
MIS Data Warehousing
Generally, the CBS available in the market may not come with full-blown MIS or data warehousing capability. These need to be developed or the existing ones have to be integrated.
Input Control / Output Reports
The CBS is a platform mainly for handling Bank to Customer (B2C) transactions. Normally, no problem is envisaged from the transaction to the reporting level in a system which has gone through a proper UAT. But large banks always find it quite difficult to ensure full accuracy at the input level. Errors of input, mapping and legacy problems at the granular level create data integrity problems.
Variability of Cost
The success of new technology lies in harnessing its ability to cut down transaction cost, as also in replacing fixed cost by variable cost. But this is not happening at the required place and time, and often new technology represents additional cost without reduction of the fixed cost already existing.
Captive users
Some major problems have arisen from the fact that banks that have selected and installed new technology have become captive users of the vendors. This problem may be further accentuated in the absence of proper service level agreements.
Attrition
Many of the bank staff members who have adopted and quickly mastered new technology may leave the bank for better offers, creating gaps in day-to-day management.
Service Level Agreements (SLAs)
However, many of these problems are not insurmountable, but definitely
controllable. With appropriate planning and consultation they can be managed,
subject to the existence of appropriate agreement of hiring / purchasing /
outsourcing and SLAs. A professional arrangement in this area will ensure
continuity of vendors stake, which is important.
Systems and operation, Documentation / Manuals
In the new system, fully developed documentation should be available. Online help generally does not meet the requirements of users. Sometimes these are not available and vendors themselves suffer from attrition, thus creating a somewhat chaotic situation during the commercial run of the system, which may degenerate unless appropriate control and administration is exercised. Prevention is always better than cure.
B2B / Government Business, etc.
A large part of a banks business is treasury management, and bank to
bank transactions, including multi- currency transactions. Some of the PSBs are
also entrusted to do government business. Most of these core banking systems do
not have proper modules where such transactions and transactional MIS can be
processed simultaneously. The additional requirements need to be anticipated and
negotiated with the vendors at the opportune time. Suitable middleware can be
used in this regard.
India is a software powerhouse. But its IT security practices are
pathetic and consumers should beware
--- Sucheta Dalal Consulting Editor of MONEYLIFE
Last June an employee with Hong Kong Bank in Bangalore was arrested following an investigation into a theft of pound sterling 230,000 from a British customer's account. Earlier this month, Channel 4 of London controversially claimed that credit card data, along with passport and driving licence numbers, are being stolen from call centres in India and sold to the highest bidder.
A survey on the Global State of the
made little or no progress
While things are pretty bad on the global IT security front, things are worse in India. The study says: One of the most unsettling findings in this year's study is the sad state of security in India, by a wide margin the world's primary locus for IT outsourcing. India lags far behind the rest of the biggest IT powerhouses in the world; these findings should cause considerable concern. Many survey respondents in India admitted to not adhering to the most routine security practices. Extortion, fraud and intellectual property theft that occurred last year are double and even quadruple those of the rest of the world. Nearly one in three Indian organisations suffered some financial loss because of a cyber attack last year, compared with one in five worldwide and one in eight in the United States.
According to CSOonline.com, The problem is obvious, but right now it's apparently easier to ignore than to address. Harder to ignore is the constant news of large organisations losing laptops packed with unencrypted personal data on millions of customers. Every report of such incidents should motivate companies to tighten security, but every year the survey indicates that's not happening.
2.4 The IS Scenario in India
Banking institutions are becoming increasingly conscious of IS, taking into
consideration the scams that have occurred in the past and continue to occur
today. A flood of new security attacks targeting banking customers over the
last twelve months has forced organisations and regulatory bodies to introduce
new directives and methodologies, such as the recommended use of two-factor
authentication by online banks by the end of 2006. These groups believe that
single-factor authentication (the use of a username and password) is now
inadequate to protect users against recent internet scams such as Phishing,
Pharming and RAT attacks. By the end of 2006, many Asian online banks will be
required to implement the new directives covering two-factor authentication,
which relies on something the consumer has, such as a token or smartcard. This
would help identify the individual more reliably. Introducing the methodology
in a relatively short span of time would be the next big challenge faced by the
banks. They would also have to ensure that the chosen method is convenient
enough for broad consumer adoption while keeping costs down.
Banks in India need to be complimented on the inculcation of technology in a
large way in their day-to-day operations. In a span of less than two decades,
customers of the banks have felt the positive impact of the technological
solutions implemented by banks. The customer of a bank has a virtual menu of
options as far as delivery channels are concerned, and all of these are the
benefits of technology, with the most visible benefits in the area of payments
for retail transactions. A variety of cards, Automated Teller Machines (ATMs),
Electronic Fund Transfers (EFT), Internet Banking and Mobile Banking are some
of the latest technology-based payment solutions, which have gained wide
acceptance in the Indian banking arena.
While addressing a critical topic such as technology, which has today become a
basic necessity rather than a luxury in the banking sector, the various
components which comprise the building blocks on which banking will function
tomorrow must be examined. I would, therefore, list some of the major aspects
which appear to be the cornerstones of the road that we are paving, so that the
highway ensures the free, safe and secure conduct of banking services and
business.
Technology implementation comes with its attendant requirements too. A few
major aspects which need to be reckoned with relate to the:
Need for standardisation across hardware, operating systems, system software
and application software to facilitate interconnectivity of systems across
branches.
Need for high levels of security in an environment which requires high levels
of confidentiality; IS is an important requirement.
Need for a technology plan which has to be periodically monitored and also
upgraded consequent upon changes in the technology itself.
Need for business process re-engineering alongside large-scale usage of
computers: the objective is not merely to mechanise activities but to realise
the holistic benefits of computerisation for both the customer and the staff
at the branches.
Sharing of technology experiences and expertise so as to reap the benefits of
the technology implementation across a wider community.
With technological solutions rapidly evolving, new products and services may
soon become the order of the day. This technology evolution needs to be
thoroughly supported by IS practices and procedures in order to avoid the chaos
that would otherwise result.
Prominent among the attendant challenges is the paradigm shift in the concept
of security. With delivery channels for funds-based services, such as the
electronic movement of funds between different accounts of customers, now
relying on technology, the security requirements also need to undergo a rapid
metamorphosis.
Various concepts, such as digital signatures, certification and the storage of
information in a secure and tamper-proof manner, all assume significance and
have to become part of the practices and procedures in the day-to-day
functioning of the banks of tomorrow.
Security requirements have to be addressed from a two-pronged perspective:
first, the internal requirements of the banks themselves, and second, the legal
requirements under the laws of the land. It is indeed a matter of satisfaction
that INFINET (the Indian Financial Network) is a safe, secure and efficient
communications network for the exclusive use of the banking sector, which
provides for inter-bank communication.
The key advantage of INFINET is its own security framework in the form of a
PUBLIC KEY INFRASTRUCTURE (PKI), which is in conformity with the provisions of
the Information Technology Act, 2000. Several large financial institutions are
now starting to implement two-factor authentication to re-establish trust with
their users, fearing that if nothing is done profits will be lost and customer
confidence will drop, leading to a loss of brand image in the long run.
At YES BANK, our priority is delivering solutions that take into account
present and future customer needs, said H. Srikrishnan, CIO and Executive
Director, YES BANK. We identified that current and prospective customers have
access to a PC with a reliable bandwidth connection, but a key concern was the
ability for us to guarantee a high level of security, giving them the confidence to
use Internet banking without the worry of fraud or theft. Thus, our priority was
addressing this issue and identifying a solution, which would improve customer
confidence and provide a reliable and user-friendly experience.
According to recent surveys conducted by various IS organisations, identity
theft looms larger than any other kind of crime worldwide.
Currently the IS implementation in banks suffers from deficiencies such as:
A comprehensive Security Risk Assessment is not being
conducted before drafting a security policy for the bank.
The Acceptable Usage Policy (AUP) is not communicated to all
staff of the bank.
The scope of Information Systems Audit at branches is restricted
to checklist audits.
A defined Vulnerability Assessment Policy has not been set out for the data
centres of banks.
2.5 Understanding Information Security (IS)
In view of the critical implications of Information Security (IS) for banks
and financial institutions, it is necessary to emphasise that the management of the
bank should have a good understanding of the IS risks.
IS is not only the concern of the Information Technology Department but of the
entire organisation. It is said that security in an organisation is only as
strong as its weakest link. Hence each and every user of information, from the
senior management to the clerk in the branch, has to be involved in any
security initiative taken by the bank. This means that they have to be aware
of the security threats and should practise the laid-down policies and
procedures.
IS Policy has to be aligned to the business objectives by a proper IS Risk
Assessment. This means that the risks identified and measured during a
structured IS Risk Assessment should be mitigated with effective security
policy and procedures.
IS Policy cannot be the same for all banks despite the similarities in their
business functions. This is because each bank has its own unique risks, which
may be multidimensional considering its locations, services, business goals
and technical infrastructure.
Banks can optimise their resource spending on IS by directing their security
spending at the high-impact risks identified during the IS Risk Assessment.
Hence, IS should be seen as an investment.
Security Audits at branches need to be conducted by qualified
personnel as it needs to encompass an audit through the computer.
IS rests on the CIA principle (confidentiality, integrity and availability).
Hence in every decision the CIA security requirement has to be observed.
IS Risk Assessment is not only restricted to Vulnerability Assessment
of technical infrastructure but extends to identifying critical assets,
their threats and organisational vulnerabilities. It also includes
Business Impact Analysis (BIA), measuring risks and suggesting
appropriate controls.
2.6 Spending patterns (Technologically and Financially)
According to the Gartner report on IT spending of financial services, the
worldwide financial sector spends about US$ 129 billion annually on IT services.
Figure No. 9: IT Spending Patterns
[Bar chart: Worldwide Financial Services IT Services Spending ($ Billion), FY 02
to FY 07, with CAGR. Title: The Worldwide Financial Services Industry Spends
about $129 billion Annually on IT Services. Panel: Financial Services IT
Services Key Facts. Source: Gartner.]
According to a report from the Indian Institute of Information Technology, the
application of Information and Communication Technology to the banking sector
has been growing in the recent past. IT spending by the BFSI segment jumped by
a healthy 18 percent during 2002-03 to touch Rs. 60 billion (US $1.24 billion).
Indian banks on average spend an estimated Rs. 1.5 billion on software and
hardware for core and internet banking services.
According to industry estimates, the BFSI segment accounts for around 10
percent of the total IT industry and about 28 percent of the domestic IT
market. Spending by the BFSI segment is expected to jump to Rs. 98 billion
during fiscal 2004-05. The main driver for the increasing use of IT in banking
is the need to cater to the growing and changing expectations of customers,
who relentlessly demand continuous improvement in the quality of services
offered, reduction in charges and access to new products. In the context of
global competition, the banks have to draw on other factors to justify the
increasing IT investments. The Central Vigilance Commission lays down certain
statutory requirements for banks in this regard, i.e. achieving 100% branch
computerisation and the availability of certification services for ensuring
the security of electronic transactions, with an eye on the growing size,
complexity and integrity of the financial markets.
Technological advancements bring along concerns about the privacy,
confidentiality and integrity of information. Such concerns are seen to have a
major impact on the functioning and existence of banks and financial
institutions. While many banks in India have taken steps to improve their IS,
much still remains to be achieved.
It is often perceived by the management of banks that IS is technical and
complex. On the contrary, IS is similar to any other area of managerial
decision-making. Further, IS investment should also have a return on
investment. This is to be achieved by an effective IS Risk Assessment.
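As an added example that is not part of the report, the following Python models the structured IS Risk Assessment the report calls for in sections 2.5 and 2.6: critical assets with a BIA-derived loss figure, threats with a likelihood, a risk register ranked by expected annual loss, and candidate controls chosen by their return on investment. It assumes the standard annualised-loss-expectancy (ALE = SLE x ARO) and return-on-security-investment (ROSI) formulas, which the report does not itself specify, and every asset, figure and control cost is a constructed sample value.

```python
"""Structured IS Risk Assessment with ROI-driven control selection (added
example, not from the report; every asset, figure and cost below is a
constructed sample value). Risk is quantified as ALE = SLE x ARO and controls
ranked by ROSI; the report names no formula, so that is an assumption here."""
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str          # critical asset identified during the assessment
    threat: str         # threat to that asset
    impact: float       # single-loss expectancy (SLE) from the BIA
    likelihood: float   # annual rate of occurrence (ARO)

    def annual_loss(self) -> float:
        """Annualised loss expectancy (ALE) = SLE x ARO."""
        return self.impact * self.likelihood

@dataclass
class Control:
    name: str
    annual_cost: float
    mitigates: dict     # (asset, threat) -> fraction of that ALE removed

def risk_register(risks):
    """Rank risks by ALE, highest first: these are the 'high impact risks'."""
    return sorted(risks, key=lambda r: r.annual_loss(), reverse=True)

def rosi(control, risks):
    """Return on security investment: (loss avoided - cost) / cost."""
    by_key = {(r.asset, r.threat): r for r in risks}
    avoided = sum(by_key[k].annual_loss() * frac
                  for k, frac in control.mitigates.items() if k in by_key)
    return (avoided - control.annual_cost) / control.annual_cost

def select_controls(controls, risks, budget):
    """Greedy selection by ROSI within a budget; a control that does not
    pay for itself (ROSI <= 0) is never chosen, however cheap it is."""
    ranked = sorted(controls, key=lambda c: rosi(c, risks), reverse=True)
    chosen, spent = [], 0.0
    for c in ranked:
        if rosi(c, risks) <= 0:
            break                       # the rest are worse still
        if spent + c.annual_cost <= budget:
            chosen.append(c.name)
            spent += c.annual_cost
    return chosen, spent

# Constructed sample register (illustrative figures only)
DB = ("core banking DB", "unauthorised access to customer records")
WEB = ("internet banking", "phishing of single-factor credentials")
LAPTOP = ("branch laptops", "loss of unencrypted customer data")
DR = ("DR site", "untested failover during an outage")
SAMPLE_RISKS = [Risk(*DB, 5_000_000, 0.2), Risk(*WEB, 400_000, 3.0),
                Risk(*LAPTOP, 250_000, 1.0), Risk(*DR, 2_000_000, 0.05)]
SAMPLE_CONTROLS = [
    Control("two-factor authentication", 300_000, {WEB: 0.8}),
    Control("full-disk encryption on laptops", 50_000, {LAPTOP: 0.9}),
    Control("privileged access monitoring", 400_000, {DB: 0.5}),
    Control("periodic DR mock drills", 150_000, {DR: 0.6}),   # ROSI < 0 here
]
```

With a budget of 800,000 the sample register selects laptop encryption, two-factor authentication and privileged access monitoring, and rejects the DR drills because the loss they avoid is smaller than their cost.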
2.7 CTO / CIOs viewpoint
The best way to approach IS is from the business side: ask what the business
need is, assess the risk and fashion a risk mitigation strategy that fits.
-- S Krishna Kumar, GM (IT) and CISO, SBI.
The devising of an appropriate and suitable security strategy depends upon
several aspects, such as the breadth of the organisation's business, volume of
transactions per day/month, scale of operation (number of years in the current
business), necessity of data migration, competition in the sector, etc.
The security strategy must be in line with the business needs and their
complexities, so as to prove holistic in approach, and should include all the
components needed for the IS program.
Table No.2: Risk Mitigation Strategy
Processes:
Upper management buy-in
Concept of six pillars of safety: governance, structure, risk assessment,
risk management, communication and compliance.
Policy approval at board level
Risk mitigation processes
Documented standards and procedures
Management overview for controllers
Service Level Agreement (SLA) monitoring
Technology:
Firewall
Anti-virus
IDS (Intrusion Detection Systems)
Management Tools
IS has commitment and support at the highest level in the organisation.
The state of IS is periodically reviewed by the top management.
All the pillars are equally critical in providing IS assurance, rather than
merely focusing on the security products and penetration tests. IS derives its
strength from the highest authority, the board, which has approved the banks IS
policies and provided direction and support mechanisms to evolve the required
standards and procedures.
Risk mitigation is not a one-size-fits-all process, and takes different routes
depending on the risk and the business imperatives. It needs to be devised
after weighing business needs vis-à-vis security controls. Being financial
organisations, the banks are subject to a number of regulations, both internal
and external in nature. These are considered an integral part of the Security
Architecture.
It is necessary that all the personnel across the business understand the
underlying philosophy and basis of the security policy. Merely writing a security
policy and sending it to the different departments will never succeed.
It is not good enough to have just the performance levels specified in a
Service Level Agreement (SLA). The organisation should also be able to measure
service levels, use appropriate measurement metrics, build adequate deterrents
against under-performance and monitor the performance of all the outsourcing
agreements.
Business Continuity and Disaster Recovery planning are of great importance in
the IS Strategy or Program. On this, Mr. Kumar observes that a Disaster
Recovery (DR) system has been set up for critical applications in a different
city and periodic mock drills are conducted.
An important but often neglected aspect of the DR plan is to rotate a core
team of operations personnel between the production and DR sites periodically.
This ensures the availability of skilled resources at the DR site. They are
current with the latest state of the production application, says Kumar.
2.8 Summary
The basic IS needs of banks and financial institutions are very similar to
those of most large organisations. The problem for the banks is that they are
high-value targets. Gaining unauthorised access to a bank's customer records
can make identity theft easy on a large scale. Unauthorised access to customer
records creates operational, legal and reputational risks for banks.
Currently banks are spending approximately 5-6% of their total IT budget on
security, and this amount may prove inadequate to ensure effective ISRM
considering the threats existing in the e-world today. Not only should the
banks spend more on IS, they should also ensure that their IS risks are
mitigated. A structured IS Risk Assessment will enable banks to accomplish this
objective. A Return on Investment (ROI) in IS should be demanded by the
management. Further, banks should approach IS in a structured manner.
CHAPTER 3
METHODOLOGY
3.1 Introduction
This chapter discusses the methodology of this study in detail. The research
questions and assumptions (hypotheses) proposed in Chapter 1 are presented
here. All phases of the research design, data collection, location of the
research performed, method of inquiry and statistical analysis are reviewed.
Finally, the chapter is summarised. The research can be categorised as a
combination of exploratory and descriptive study seeking insights into IS and
Risk Management in banks in India.
3.2 Research Questions and Research Hypotheses
The research assumptions (hypotheses) framed in the study have a strong basis
in the literature review. The combination of the research assumptions
(hypotheses) and