
IT Governance Series for the Indian Banking Sector

Information Security Governance

Sub-Group on Information Security Governance
Institute for Development and Research in Banking Technology (Established by Reserve Bank of India)
Hyderabad - 57. www.idrbt.ac.in

Acknowledgements

IDRBT Sub-Group on Information Security Governance

Mentors
• Shri B. Sambamurthy, Director, IDRBT
• Shri S. Ganesh Kumar, CGM, IDRBT

Members
• Shri S Mukhopadhyay, GM & CISO, State Bank of India
• Shri Sameer Ratolikar, CISO, Bank of India
• Shri P S Rashtrawar, CISO, Bank of Baroda
• Shri K S S Muralikrishna, Senior Manager, Information Security, Andhra Bank
• Shri Sunil Dhaka, CISO, ICICI Bank
• Shri Vishal Salvi, CISO, HDFC Bank
• Shri Niraj Kapasi, IS Auditor and International Vice President, ISACA
• Shri M. V. Sivakumaran, Faculty, IDRBT and Convener.

The sub-group wishes to acknowledge the contribution made by:
• Shri M. Pradeep Kumar, Chief Manager and CISO, Corporation Bank
• Shri Pravin Sharma, AGM, IT Security, Union Bank of India
• Shri Vivek Gupta, AGM, Information Security, Allahabad Bank
• Shri Alevoor Acharr, IS Auditor and Consultant
• Dr. V. Radha, Faculty, IDRBT

Shri Sanjay Sharma, Adviser, IDBI Bank, scanned the final draft and his valuable contribution is duly acknowledged.

IT Governance Series : Information Security Governance for the Indian Banking Sector, Version 1.0, November 2011.
An IDRBT Publication. All Rights Reserved. For restricted circulation in the Indian Banking Industry.

Information Security Governance for the Indian Banking Sector

Foreword

I am very glad that IDRBT is releasing a Handbook on Information Security Governance for the Indian Banking Sector.

The subject is topical for the contemporary Indian banking sector as banks have made impressive advances in terms of computerization. This brings with it a different working environment as compared to that of manual banking. On one hand, it has brought new levels of efficiencies in the areas of transacting business, record keeping and housekeeping and on the other hand, it has increased the vulnerability of the systems.

As banks are reaching out to customers through various new channels such as internet banking and mobile banking, there is an urgent need for banks to put in place a proper mechanism to protect themselves and their customers. Therefore, there is an imperative need for an appropriate organisational structure. Moreover, from the legal perspective, there is also a need to protect the personal data of customers.

IDRBT has dealt with this subject that is very relevant today as it is related to safeguarding the most significant asset of the banks - financial data.

In this context, the Handbook on Information Security Governance has relevance to the Indian Banking Sector. This handbook has suggested a model governance structure for banks and practical guidelines for its implementation.

I am sure this will help in sensitizing banks and serve as a practical handbook for implementing Information Security Governance.

I congratulate all the members of the Group who have prepared this handbook.

Anand Sinha
Deputy Governor, Reserve Bank of India
Mumbai
November 04, 2011

Message from IBA

There has been massive use of Information and Communications Technology (ICT) in the banking sector in India. Delivery channels have immensely increased the choices offered to the customer to conduct transactions with ease and convenience. Various wholesale and retail payment and settlement systems have enabled faster means of moving the money to settle funds among banks and customers. Banks have been taking up new initiatives for financial inclusion, customer relationship management, etc., to widen the reach of banking.

The dependence on technology is such that the banking business cannot be thought of in isolation without technology. The dependence on technology has led to various challenges and issues like frequent changes or obsolescence, multiplicity and complexity of systems, different types of controls for different types of technologies/systems, proper alignment with business objectives and legal/regulatory requirements, dependence on vendors due to outsourcing of IT services, vendor related concentration risk, segregation of duties, external threats leading to cyber frauds/crime, higher impact due to intentional or unintentional acts of internal employees, new social engineering techniques employed to acquire confidential credentials, need for governance processes to adequately manage technology and information security, need for appreciation of cyber laws and their impact and to ensure continuity of business processes in the event of major exigencies.

Technology risks not only have a direct impact on a bank as operational risks but can also exacerbate other risks like credit risks and market risks. Given the increasing reliance of customers on electronic delivery channels, any security related issues have the potential to undermine public confidence in the use of e-banking and may lead to reputation risks. Compliance risk is also an outcome in the event of non-adherence to any regulatory or legal requirements arising out of the use of ICT. These issues ultimately have the potential to impact the safety and soundness of a banking system and in extreme cases may lead to systemic crisis.

Corporate Governance constitutes the accountability framework of a bank. Information Technology (IT) Governance is an integral part of it. It involves leadership support, organizational structure and processes to ensure that a bank's IT sustains and extends business strategies and objectives. Effective IT Governance is the responsibility of the Board of Directors and Executive Management.

I thank and congratulate the Members of the Working Group on Information Security Governance for the Indian Banking Sector and the Institute for Development and Research in Banking Technology (IDRBT) for doing an excellent job in preparing and timely release of this report.

K. Ramakrishnan
Chief Executive, Indian Banks' Association

Preface

Information is a key strategic and operating asset for many enterprises and more particularly for the financial services industry. Its reliability, accuracy and availability are critical to achieve business goals. From a customer perspective, privacy and confidentiality need to be protected. Compliance with the IT Act requires demonstration of reasonable security by banks. With ever increasing use of electronic channels by customers, information security is becoming complex. The occurrence of a security breach is not if, but when. We need an appropriate information governance structure to achieve those objectives.

IS Governance is still in infancy both in understanding and practice. It is in this context that IDRBT has attempted to come out with a reference framework. This edition deals with establishing organizational structure, role and responsibilities of both IT and business divisions.

The threat landscape is fast changing. In terms of threats it is a moving target and in terms of response management, it is work in progress most of the time.

It is useful to begin by promoting a culture that recognizes the value of information as an enterprise asset. Top managements need to set the tone and security posture by establishing security vision and strategy.

There are several elements of IT infrastructure like servers, applications, network, data base, end point security, delivery channels. Each by itself is a specialized function. Security functions, activities and policies need to be aggregated through an appropriate security organizational structure. While strategy and policy formulations are best dealt with in a centralized model, functions and activities are best achieved in a federated model.

Security cannot be seen as an exclusive IT function or from an operational risk perspective. Information security transcends the IT division's boundaries and particularly functions like compliance, access rights/services, data privacy, protection and trust revolve around business. IT-Business alignment would foster shared security vision and strategy. Information security can converge with physical security as well.

While everyone is responsible for security, it is the CISO who continuously assesses and enforces compliance.

IDRBT recognizes that there is no unique security organizational structure. The proposed structure is only a reference point. Banks may adopt and adapt the structure and roles as dictated by the scale and complexity of business.

I thank the members of the group for their contribution in developing this framework.

B. Sambamurthy
Director, IDRBT

Introduction

Information Security Governance

The Financial Sector is getting increasingly interconnected and complex. Acquisition, processing and use of vast amounts of customer data apart from banks' own business information has brought to light the vulnerabilities in information systems that can lead to compromise of confidentiality, integrity and availability of information. This brings into focus the need for effective Information Security Governance in banks to protect themselves and their customers adequately and appropriately.

The Guidelines from the RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds have also reiterated the urgency for putting in place a robust information security framework in banks. This document is a contribution in that direction.

IDRBT has formed the CISO Forum which provides a platform for Information Security professionals in banks to share their concerns and arrive at actionable programmes. A sub-group of the CISO Forum has been constituted to outline the contours of Information Security Governance for the Indian Banking Sector. This sub-group has developed this document to provide a framework for Information Security Governance that banks can adopt with necessary modifications to suit their specific needs depending on their size and scale of operations.

Definition

“Information security governance is a subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risks appropriately, uses organisational resources responsibly, and monitors the success or failure of the enterprise security programme” - ISACA.

Essentials for IS Governance

Effective Information Security Governance in Banks calls for a variety of efforts and initiatives across the entire spectrum of the Organizational Structure. Notable among them are:
• Board level direction and active involvement in Information Security
• Top Management support for prompt resolution of Information Security Issues
• Integration between Business and Information Security
• Alignment of Information Security mechanisms with Organizational Goals and Objectives
• Information Security planning and assessment of new technologies before deployment
• Ownership and accountability, at all levels – controlling offices as well as field operations – for planning, implementing, monitoring, reporting on and improving Information Security.

Critical Success Factors

The Critical Success Factors which would facilitate the attainment of satisfactory levels of Information Security Assurance within the bank are:
• Appropriate placement of Information Security within the Organizational Structure
• Consistent message and conviction from the Board and the Top Management vis-a-vis Information security policy perspectives
• Adequate and appropriate employee education and awareness on information asset protection
• Continuous and consistent enforcement of information security policies and standards
• Ability and willingness to justify the cost of Information Security initiatives
• Constantly raising the bar with regard to Best Practices and Metrics being adopted in ensuring and improving Information Security.

Managerial Focus

This document focusses on the managerial aspects of Information Security and not on the technical side. To be precise, this is an effort to provide an effective Information Security Governance Structure for the Indian Banking Sector. This document would also facilitate compliance with Information Security Management Systems (ISMS) - ISO/IEC 27001, especially the Control Objectives relating to Internal Organization, as given below:

Internal Organization

Objective: To manage information security within the organization.

Control: Management commitment to information security
Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.

Control: Information security coordination
Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions [Overall coordination shall be with the Information Security Group (ISG) headed by the CISO. At the organization level the responsibility is with the CISO].

Control: Allocation of information security responsibilities
All information security responsibilities shall be clearly defined.

Information Security: Core Principles

• There must be a robust governance framework in place to ensure top management involvement and oversight in Information Security on a regular basis.
• The Bank must have a comprehensive information security policy covering all aspects of security domains.
• Information security must be a dynamic and ongoing process aimed at continuous improvement.
• The principle of Defence in Depth may be adopted to protect critical assets by providing them with a layered security.
• Information security must focus on business and provide value and quality to its stakeholders.
• Information security risks and costs are the joint responsibility of Business and IT.
• Information security should be part of everyone's responsibility and hence to be embedded in staff roles and job descriptions.
• The Information security function must have a dedicated, skilled, experienced & adequately staffed team.
• All IT and Business Changes, including new initiatives, must be subjected to a thorough and robust risk management process with a clear focus on protecting classified information and critical business applications.
• Information security must be part of the design architecture of any product and service.
• Information security risk management must be based on Business Impact Assessment, evaluate current and future threats and develop a long term roadmap for effective protection of all information assets.
• The Information Security Programme must encompass the Business Continuity Management and Disaster Recovery Plans of the Bank.
• The Information security team must act in a professional and ethical manner to foster a positive security culture within the Bank.
• The Information Security Committee must have an effective oversight to review and monitor the Information Security Programme of the Bank.
• The Information security function must provide timely and accurate metrics on performance with regard to Information Security.
• Information security governance must comply with relevant legal and regulatory requirements.
• Policies and controls must account for business context.
• Information Security is not merely a practice within business; it is an integral part of business and, as such, a corporate level function.

Strategies for Implementation

• The Information Security Committee at the top management level should be responsible for overall governance of the Information Security Programme of the Bank and will report to the Board.
• A Working Group on Information Security should be set up in the Bank, which shall have representatives from business, operations, audit, IT, vigilance, physical security / admin etc. This Working Group should meet on a regular basis to discuss implementation issues pertaining to information security.
• The Information Security policies shall be approved by the Board and cover the three important aspects of information viz. People, Process and Technology.
• The Information Security Risk Management shall cover risk identification, assessment, remediation and acceptance of residual risk.
• Education and Awareness efforts shall be continued on a regular basis to keep the rank and file abreast of their roles and responsibilities vis-à-vis the expectations from the Information Security Policy.
• Information Security should be a regular component in training programmes offered within the Bank. This may be supplemented by online education in the form of snippets, write-ups for paced-learning, tests and quizzes.
• Customer Education on Information Security, especially in Electronic Banking and delivery channels, must be accorded due prominence. Regular, multi-pronged efforts must be made to inculcate best practices and common minimum standards among customers to provide security to their electronic transactions. Appropriate tools and channels may be utilized for this purpose.
• Security Implications of the Business Continuity and Disaster Recovery Policies must be approved and periodically reviewed by the Board.
• The Information Security function must be adequately staffed, trained, equipped and motivated to maintain the Bank's Security Posture at expected levels.
• Banks' information systems shall be regularly subjected to information security testing commensurate with their exposure (criticality and threats) level.
• For effective implementation of information security policies at the grass root level, each department or functional division should identify an official who would be responsible for driving the information security agenda for that respective unit.
• The information security programme should have comprehensive and detailed metrics which will be presented to the Information Security Committee.
• The information security programme (design, implementation & execution) should be reviewed and tested by the Bank's IT audit. The IT audit strategy should be aligned with the information security strategy for the areas of implementation and execution.
• The information security enforcement strategy should be comprehensive and should cover the complete lifecycle of Data, Applications, Technology, Infrastructure, People, Products and Services.
• The Information security programme shall be tested on an ongoing basis for compliance to applicable regulations.
• The Information security programme shall be benchmarked with the industry level and global best practices.
• Banks should not only have a security strategy but also the ability to execute the strategy and the ability to measure execution.

Organization Chart for IS Governance

(positions shown in the chart, from the top down)

Board
CMD
ED
Information Security Committee
Head - Integrated Risk Management (HIRM)
Chief Information Security Officer (CISO)
    Information Security Risk Management (ISRM)
    Information Security Awareness Management (ISAM)
    Security Operations Center and Incident Management (SOCIM)

Note: Depending upon the size and scale of the Bank, the roles under the CISO may be clubbed or handled separately. Wherever needed, ISRM and ISAM may be clubbed together.

Position / Designation                                      Rank
HIRM (Head - Integrated Risk Management)                    CGM / GM / DGM
CISO (Chief Information Security Officer)                   GM / DGM / AGM
ISRM (Information Security Risk Management)                 DGM / AGM / CM
ISAM (Information Security Awareness Management)            DGM / AGM / CM
SOCIM (Security Operations Centre and Incident Management)  DGM / AGM / CM

Information Security Committee

The role of the Information Security Committee is to devise strategies and policies for the protection of all assets of the bank (including information, applications, infrastructure and people). The committee will also provide guidance and direction on the Security Implications of the business continuity and disaster recovery plans.

Frequency of Meetings : Quarterly
Chaired by : Executive Director.
Members :
• Head – Integrated Risk Management – Convener
• Chief Information Officer
• Head - Audit
• Head - Compliance
• Head - Human Resource
• Head - Business Operations
• Head - Administration
• Head - IT Assurance
• Chief Information Security Officer
• Head - Physical Security

Responsibilities:
• Develop and facilitate implementation of information security policies, standards and procedures to ensure that all identified risks are managed within the bank's risk appetite.
• Create an information security and risk management structure covering the entire bank, with clearly defined roles and responsibilities.
• Create and follow a risk assessment process that is consistent across the bank to identify and evaluate key risks and approve control measures and mitigation strategies.
• Regularly monitor the information security and risk management processes and corrective actions to ensure compliance with regulatory requirements.
• Ensure that the Information Security Team is appropriately skilled and adequately staffed.
• Regularly present reports to the Board and invite feedback on the information security management processes.

Head – Integrated Risk Management (HIRM)

The Head of Integrated Risk Management will be a senior level official of the rank of CGM/GM/DGM. The HIRM is responsible for all Risk Management functions in the Bank, like Credit Risk, Market Risk, and Operational Risk. Information Security will be one of the most critical components of Operational Risk that has to be looked after by the HIRM. He is the senior-most executive in the Information Security function in the bank and provides the required leadership and support for this across the bank, with the full backing and commitment from the Board.

Responsibilities (in the Information Security Governance domain):
• Information Security Governance
• Information Security Policy and Strategy
• Information Security Risk Assessment, Management and Monitoring
• Security Aspects and Implications of Business Continuity Planning in the Bank.
• Allocation of adequate resources for Information Security Management

The Chief Information Security Officer (CISO)*

Depending upon the size of the bank and its scale of operations, a sufficiently senior level official of the rank of GM/DGM/AGM needs to be designated as the Chief Information Security Officer (CISO), responsible for articulating and enforcing the policies that a bank uses to protect its information assets apart from coordinating the information security related issues / implementation within the organization as well as with relevant external agencies.

The CISO needs to report directly to the Head of Integrated Risk Management (HIRM) function and should not have a direct reporting relationship with the CIO. The CISO's role spans across both strategic and operational dimensions; the CISO is responsible for all the administrative tasks and control related to Information Security and reports to the Owner of this function, the HIRM.

Responsibilities:
• Information Security Policy and Strategy – Inputs and Enhancements
• Establish security guidelines and measures to protect data and systems.
• Information Security Risk, Threat, Vulnerability Assessment, Review, Management, Monitoring and Reporting – on a continuous basis
• Monitoring Key Goal Indicators and Key Performance Indicators of the Information Security Programme
• Establish and disseminate enforceable rules
• Business Continuity and Disaster Recovery Planning – Security Inputs and Enhancements
• Oversee Information Security Awareness training
• Security Operations Centre and Incident Management
• Business Case for Information Security Investments and Expenditure
• Maintaining the Security Posture and Profile of the Bank at expected levels
• Active collaboration and communication with business and operating units.
• Gathering internal and external security intelligence
• Set up Security organisation structure with well designed roles and responsibilities
• Compliance with regulatory requirements on Information Security.
• Facilitating investigations in IT frauds and mitigation measures

* The CISO's role description given here supersedes our earlier version given in IT Governance Series: Organizational Structure for IT in the Indian Banking Sector, Vol 1, May, 2010, on page 12.

Information Security Risk Manager (ISRM)

The ISRM owns the Risk Management Life Cycle as far as Information Security is concerned. He assists the CISO by discharging the following.

Responsibilities:
• Information Security Risk Assessment
• Information Security Risk Analysis and Evaluation
• Information Security Risk Mitigation
• Identification and assignment of controls.
• Information Security Risk Management
• Compliance with Information Security Risk Management Guidelines – External and Internal
• Monitoring Information Security Policy Implementation

Information Security Awareness Manager (ISAM)

The ISAM is responsible for enhancing the Information Security Awareness levels and for striving to create a conducive environment and compliance culture across the bank. He is expected to keep himself abreast of the latest developments in the field of Information Security Standards and Best Practices so that proactive steps can be taken for adopting them, wherever possible and applicable in the bank, at the earliest. He is a friend, philosopher and guide to the entire bank, as far as education and awareness-building in Information Security is concerned.

Responsibilities:
• Information Security Policy – Inputs and Enhancements
• Measurement and Monitoring of Effectiveness of Information Security Policy implementation.
• Education, Awareness and Promotion of Information Security initiatives across the bank.
• Intensive Training of various types and for different levels on Information Security
• Promoting customer education and awareness on Information Security through appropriate channels, tools and interventions.
• Proactive dissemination of Information Security Policy initiatives, mechanisms and best practices – a Resource Base of online tutorials, demos, quizzes and FAQ's on the Intranet for easy access within the bank.

Security Operations Centre and Incident Management (SOCIM)

The SOCIM executive is responsible for effective oversight of the Security Operations Centre and Incident Management capabilities for the bank as a whole. The Security Posture and Status is demonstrated by this functionary.

Responsibilities:
• Owner of the Bank-wide Security Operations Centre (SOC)
• Owner of Incident Management at the bank level.
• Responsible for creating, training, upgrading Incident Response Teams across the bank at various levels.
• Continuous surveillance of the IT Infrastructure of the bank to guard against Information Security breaches and incidents: IT and non-IT.
• Responsible for monitoring and reviewing security logs of applications, operating systems, databases, networks, etc.
• Demonstrating the much-needed robustness and improvement in the information security compliance environment and preparedness to meet eventualities.
• Keeping abreast of the fast paced changes in technology and business process to make the SOC live up to the growing demands from within and outside.
• Regular Penetration Testing, Vulnerability Assessment and liaison with local CERT.
• Responsible for collection, aggregation, correlation, analysis and synthesis of information related to security incidents to learn effective lessons and to incorporate changes in policies and procedures accordingly on a continuous basis.

References

• Organizational Structure for IT in the Indian Banking Sector, IT Governance Series, IDRBT, May 2010.
• Report and Recommendations of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, RBI, January 2011.
• IS Governance: Guidance to Boards of Directors, ISACA, www.isaca.org
• Critical Elements of Information Security Program Success, ISACA, www.isaca.org

Mission of IDRBT

• To envision and foresee technology requirements of the Indian Banking and Financial Sector and Research & Develop the required technologies
• To incubate and develop state-of-the-art banking technology products and services to facilitate better and easy banking
• Understand the emerging global technology trends, its implication, and guide the Indian Banking and Financial Sector accordingly
• To provide Training, Advisory and Consultancy Services on Technology, Technology Infrastructure, and Technology Management matters for Banking and Financial Sector
• Play a catalytic role in development of Banking Technology as a recognized discipline of study
• To create a pool of Banking Technology professionals through innovative and quality educational initiatives
• Participate directly and indirectly in development of standards and best practices

Castle Hills, Road No. 1, Masab Tank, Hyderabad - 500 057. INDIA. Ph: + 91-40-23534981-85, Fax: +91-40-23535157. http://www.idrbt.ac.in, e-mail: [email protected]