EXPERIENCE IN IMPLEMENTING SECURITY MEASURES AT SBI –
A CASE STUDY
Patrick Kishore, General Manager (IT) & Chief Information Security Officer, State Bank of India
ELITEX-2008 2
Where we were
• Early 1990s – More than 7000 branches based on manual procedures derived from Imperial Bank of India and evolved over decades.
• Mainframes used for MIS, Reconciliation & Fund Settlement processes
Changes brought in IT
• Late 1990s – More than 8000 branches either on decentralized systems or manually operated.
• Main Frame / Mini Computers used at CO/LHO/ZO for backend operations.
• Internet Banking Facility for individuals.
• All ATMs of State Bank Group networked.
TBA - Distributed System Components
[Diagram: Banking Application (OS, Database); Internet-Banking; ATM; Branches with diskless nodes on LAN; roles shown: System Administrator, User Control Officer]
Changes brought in IT
• 2001 - KPMG appointed consultant for preparing IT Plan for the Bank. Core Banking proposed; FNS, CS, COMLINK selected
• 2002 – All branches computerized but on decentralized systems; Core Banking initiative started
Changes brought in IT
• 2008 – more than 6500 branches (95% of business) on Core Banking Solution (CBS)
• Internet Banking facility for Corporate customers
• More Interfaces developed with eCommerce & other sites through alternate channels like ATM & Online Banking
• All Foreign Offices on Centralized Solution
• BPR initiative to realign business processes with changes due to IT
Changes brought in IT
• Large Network as backbone for connectivity across the country
• Multiple Service Providers for providing the links – BSNL, MTNL, Reliance, Tata & Railtel
• Multiple Technologies to support the networking infrastructure – Leased lines, Dial-up, CDMA & VSATs
CBS - Core Banking System Components
[Diagram: Datacenter hosting Core-Banking Application (OS, Database), Internet-Banking and ATM, managed by Network Administrators, System Administrators and Application Developers; connected over WAN / Internet to Branches (Desktops, Branch Servers, Branch User/Admins) and to Alternative Channels]
RBI Guidelines
• RBI constituted a “working group on information systems security for banking and financial sector” - 2001
• Banks were required to put in place effective security policies & controls.
• Information Systems Security Department to be set up to address security issues on an ongoing basis.
IT Governance at SBI
[Figure: Information Systems Security governance pillars – Governance Structure, Risk Assessment, Risk Management, Communication, Compliance]
Organization structure of IT
[Organization chart boxes: DMD (IT); GM (IT) & CISO; DMD (I&A); CGM (IT); GM (ITSS); DGM (ITSS); AGM (ITSS); GM (I&A); CIO; CGM (I&A); Application Owners]
Organization structure of IT
Application Owners / Business Owners / System Administrators / IT Personnel (Enforcer)
• Implement technical and procedural controls
• Manage Network, servers & applications securely, adhering to policies, standards & procedures
• Report Incidents
• Act on Security Logs
Information Security Department (Enabler)
• Assess risks
• Define Policies, and develop Standards and Procedures
• Provide training & awareness
• Deploy & manage security products
• Define security architecture for network, databases & applications: Secure Configuration Docs
Inspection & Management Audit Dept. (Auditor)
• Auditing compliance against policies across applications and locations
• Vulnerability testing
• Penetration testing
• Application security testing
• Feedback to ISD on effectiveness of policies
Organizational Structure of IS
[Organization chart boxes: DMD (IT); GM (IT) & CISO; AGM (ISD); Information Security Officers]
FUNCTIONS: Consulting, Monitoring, Compliance
2003 - Information Security consultant appointed for Information Security Initiation
2004 - Information Security Department set up, headed by GM (IT) & CISO and supported by CISA qualified ISOs; ISSSC set up by the Board
Objective of IS
To provide the bank’s business processes with reliable information systems by systematically assessing, communicating and mitigating risks, thereby increasing customers’ trust in the bank and achieving world class standards in information security.
How we manage
Develop and enable implementation of strong systems along 6 pillars of security.
Security Governance
Board / CEO: Set directions; Approve top level policies; Promote security culture; Delegate responsibility; Provide resources; Review security status
Integrated Risk Management Committee: Align information security with overall risk management; ISD represented on the Committee
ISS Standards Committee: Approve detailed standards & procedures; Annual Review of Standards and Procedures to address new security threats and mitigation; Changes to procedures based on feedback
Security Governance
• IT Policy and IS Security Policy approved by the Board
• Standard and Procedures (25 domains) approved by ISSSC
• Half yearly reviews by ISSSC to update IT Policy and IS Security Policy - Standard and Procedures
• Security Guidelines for Critical Applications
• Security Policies for Overseas operations
• IS Roles and Responsibilities across Organisation approved by the Board
• Security Guidelines for Branches and Offices
Security Governance
• Central Anti-Virus, Firewall/IDS monitoring teams setup
• Associate Banks supported in ISMS initiatives
• Policies enforced through periodic security compliance reviews
• Promoting IS Awareness and Security Culture across the Bank
Consulting
• Carrying out Risk Analysis
• Formulation / Modification of IT Policy and IS Security Policy for the Bank.
• Secured Configuration Document for various Operating Systems & Databases.
• Devising effective Mitigation measures.
• Reviewing the Bank’s new IT enabled products & services for IS
Monitoring
• Firewall Rule Base
• Anti-virus
• Firewall & IDS Logs
• Discover gaps in policy, standards & procedures
• Assess User difficulties
• Periodic Vulnerability Assessments and Penetration Tests
• Best Security Practices for Processes
Compliance
• Compliance Review of process followed by different applications, periodicity based on criticality of the application.
• Application Security review of critical applications.
• Review of SDLC followed for Applications.
• Security review of selected branches and offices
• Action Taken Reports from Application Owners
Incident Response
• RCA for security incident reported through service desk or email
• Risk mitigating measures against phishing attacks
• Security measures against ATM based incidents
• Anti-virus, Anti-spam initiatives
Security Awareness
• User awareness through multiple channels like intranet, training etc.
• e-Learning package on information security distributed across Bank
• Specialized IS awareness sessions for controllers
• Dedicated IS Security sessions during training.
• Observing “Computer Security Day” every year across the organization.
• Write ups on Information Security in the in-house magazines
• Exchange of information on threats and vulnerabilities at appropriate forums.
Improving our IS Security
• Benchmarking SBI initiatives against International Best Practices
• E&Y benchmarking initiative in 2006
• RBI requirement under section 35
• External audit of IS initiatives
• BS27001 certification of CDC-DRC, ATM & INB
Challenges ahead
• Retaining Bank's lead Position
– Maintaining Business Edge over competitors in the context of sameness in IT infrastructure
• Assured Availability
– Financially critical systems increasingly depend on IT Delivery channels - no margin for downtime
• Infrastructure derisking
– Tie-up with multiple vendors for spreading risks due to infrastructure failures and obsolescence
Challenges ahead
• Vendor Management
– Multiple vendor support necessary for working of highly complex technology
– Coordinating various vendors to provide a secure IT infrastructure for business operations
– Alternatives for failure of a specific vendor's services
– Extent of replacing vendors with internal staff
Challenges ahead
• Managing IS Security
– Information Security dependency on vendor inputs
– Complex networked environment leading to lack of “Know Your” Employee, Systems & Procedures, Vendors
– Maintaining Confidentiality & Privacy of Data while in storage, transmission & processing.
• Providing DRP & BCP in a complex technology infrastructure supported by multiple vendors
Questions?