bs7799 sbi

Post on 29-May-2018

  • 8/8/2019 BS7799 SBI

    Slide 1/28

    EXPERIENCE IN IMPLEMENTING SECURITY MEASURES AT SBI: A CASE STUDY

    Patrick Kishore
    General Manager (IT) & Chief Information Security Officer
    State Bank of India

  • Slide 2/28 (ELITEX-2008): Where we were

    Early 1990s: more than 7000 branches based on manual procedures derived from Imperial Bank of India and evolved over decades.
    Mainframes used for MIS, Reconciliation & Fund Settlement processes.

  • Slide 3/28: Changes brought in IT

    Late 1990s: more than 8000 branches, either on decentralized systems or manually operated.
    Mainframe / mini computers used at CO/LHO/ZO for backend operations.
    Internet Banking facility for individuals.
    All ATMs of State Bank Group networked.

  • Slide 4/28: TBA - Distributed System Components

    (Diagram; labels recovered from the slide.)
    Branches: Banking Application; OS, Database; Internet-Banking; ATM; Diskless nodes; LAN
    Roles: System Administrator; User Control Officer

  • Slide 5/28: Changes brought in IT

    2001: KPMG appointed consultant for preparing IT Plan for the Bank. Core Banking proposed; FNS, CS, COMLINK selected.
    2002: All branches computerized but on decentralized systems. Core Banking initiative started.

  • Slide 6/28: Changes brought in IT

    2008: more than 6500 branches (95% of business) on Core Banking Solution (CBS).
    Internet Banking facility for Corporate customers.
    More interfaces developed with eCommerce & other sites through alternate channels like ATM & Online Banking.
    All Foreign Offices on Centralized Solution.
    BPR initiative to realign business processes with changes due to IT.

  • Slide 7/28: Changes brought in IT

    Large network as backbone for connectivity across the country.
    Multiple service providers for providing the links: BSNL, MTNL, Reliance, Tata & Railtel.
    Multiple technologies to support the networking infrastructure: leased lines, dial-up, CDMA & VSATs.

  • Slide 8/28: CBS - Core Banking System Components

    (Diagram; labels recovered from the slide.)
    Datacenter: Core-Banking Application; OS, Database; Internet-Banking; ATM
    Datacenter roles: Network Administrators; Application Developers; System Administrators
    Branches: Desktops, Branch Servers; Branch User/Admins
    Connectivity: WAN, Internet (between Datacenter, Branches and Alternative Channels)
    Alternative Channels

  • Slide 9/28: RBI Guidelines

    RBI constituted a working group on information systems security for the banking and financial sector (2001).
    Banks were required to put in place effective security policies & controls.
    Information Systems Security Department to be set up to address security issues on an ongoing basis.

  • Slide 10/28: IT Governance at SBI

    (Diagram; labels recovered from the slide.)
    INFORMATION SYSTEMS SECURITY GOVERNANCE: Structure; Risk Assessment; Risk Management; Communication; Compliance

  • Slide 11/28: Organization structure of IT

    (Organization chart; roles recovered from the slide.)
    DMD (IT); GM (IT) & CISO; CGM (IT); GM (ITSS); DGM (ITSS); AGM (ITSS)
    DMD (I&A); GM (I&A); CIO; CGM (I&A)
    Application Owners

  • Slide 12/28: Organization structure of IT

    Enforcer: Application Owners / Business Owners / System Administrators / IT Personnel
      - Implement technical and procedural controls
      - Manage network, servers & applications securely, adhering to policies, standards & procedures
      - Report incidents
      - Act on security logs

    Enabler: Information Security Department
      - Assess risks
      - Define policies, and develop standards and procedures
      - Provide training & awareness
      - Deploy & manage security products
      - Define security architecture for network, databases & applications: Secure Configuration Docs

    Auditor: Inspection & Management Audit Dept.
      - Auditing compliance against policies across applications and locations
      - Vulnerability testing
      - Penetration testing
      - Application security testing
      - Feedback to ISD on effectiveness of policies

  • Slide 13/28: Organizational Structure of IS

    (Organization chart; roles recovered from the slide.)
    DMD (IT); GM (IT) & CISO; AGM (ISD); Information Security Officers
    FUNCTIONS: Consulting; Monitoring; Compliance

    2003: Information Security consultant appointed for Information Security initiation.
    2004: Information Security Department set up, headed by GM (IT) & CISO and supported by CISA-qualified ISOs.
    ISSSC set up by the Board.

  • Slide 14/28: Objective of IS

    To provide the bank's business processes with reliable information systems by systematically assessing, communicating and mitigating risks, thereby increasing customers' trust in the bank and achieving world class standards in information security.

  • Slide 15/28: How we manage

    Develop and enable implementation of strong systems along 6 pillars of security.

  • Slide 16/28: Security Governance

    Board / CEO:
      - Set directions
      - Approve top level policies
      - Promote security culture
      - Delegate responsibility
      - Provide resources
      - Review security status

    Integrated Risk Management Committee:
      - Align information security with overall risk management
      - ISD represented on the Committee

    ISS Standards Committee:
      - Approve detailed standards & procedures
      - Annual review of standards and procedures to address new security threats and mitigation; changes to procedures based on feedback

  • Slide 17/28: Security Governance

    IT Policy and IS Security Policy approved by the Board.
    Standards and Procedures (25 domains) approved by ISSSC.
    Half-yearly reviews by ISSSC to update IT Policy and IS Security Policy - Standards and Procedures.
    Security Guidelines for Critical Applications.
    Security Policies for Overseas operations.
    IS Roles and Responsibilities across the Organisation approved by the Board.
    Security Guidelines for Branches and Offices.

  • Slide 18/28: Security Governance

    Central Anti-Virus and Firewall/IDS monitoring teams set up.
    Associate Banks supported in ISMS initiatives.
    Policies enforced through periodic security compliance reviews.
    Promoting IS awareness and security culture across the Bank.

  • Slide 19/28: Consulting

    Carrying out Risk Analysis.
    Formulation / modification of IT Policy and IS Security Policy for the Bank.
    Secured Configuration Document for various Operating Systems & Databases.
    Devising effective mitigation measures.
    Reviewing the Bank's new IT-enabled products & services for IS.

  • Slide 20/28: Monitoring

    Firewall Rule Base.
    Anti-virus.
    Firewall & IDS Logs.
    Discover gaps in policy, standards & procedures.
    Assess user difficulties.
    Periodic Vulnerability Assessments and Penetration Tests.
    Best Security Practices for Processes.

  • Slide 21/28: Compliance

    Compliance review of the process followed by different applications; periodicity based on criticality of the application.
    Application security review of critical applications.
    Review of SDLC followed for applications.
    Security review of selected branches and offices.
    Action Taken Reports from Application Owners.

  • Slide 22/28: Incident Response

    RCA for security incidents reported through service desk or email.
    Risk mitigating measures against phishing attacks.
    Security measures against ATM-based incidents.
    Anti-virus, anti-spam initiatives.

  • Slide 23/28: Security Awareness

    User awareness through multiple channels like intranet, training etc.
    e-Learning package on information security distributed across the Bank.
    Specialized IS awareness sessions for controllers.
    Dedicated IS Security sessions during training.
    Observing Computer Security Day every year across the organization.
    Write-ups on Information Security in the in-house magazines.
    Exchange of information on threats and vulnerabilities at appropriate forums.

  • Slide 24/28: Improving our IS Security

    Benchmarking SBI initiatives against International Best Practices.
    E&Y benchmarking initiative in 2006.
    RBI requirement under section 35.
    External audit of IS initiatives.
    BS27001 certification of CDC-DRC, ATM & INB.

  • Slide 25/28: Challenges ahead

    Retaining the Bank's lead position: maintaining business edge over competitors in the context of sameness in IT infrastructure.
    Assured availability: financially critical systems increasingly depend on IT delivery channels - no margin for downtime.
    Infrastructure derisking: tie-up with multiple vendors for spreading risks due to infrastructure failures and obsolescence.

  • Slide 26/28: Challenges ahead

    Vendor Management:
      - Multiple vendor support necessary for working of highly complex technology.
      - Coordinating various vendors to provide a secure IT infrastructure for business operations.
      - Alternatives for failure of a specific vendor's services.
      - Extent of replacing vendors with internal staff.

  • Slide 27/28: Challenges ahead

    Managing IS Security:
      - Information Security dependency on vendor inputs.
      - Complex networked environment leading to lack of Know Your Employee, Systems & Procedures, Vendors.
      - Maintaining confidentiality & privacy of data while in storage, transmission & processing.
      - Providing DRP & BCP in a complex technology infrastructure supported by multiple vendors.

  • Slide 28/28: Questions?