informationsecurityandriskmanagementforbanksinindia-090325090104-phpapp02

Upload: simmi-joshi

Post on 14-Apr-2018


  • 8/2/2019 informationsecurityandriskmanagementforbanksinindia-090325090104-phpapp02

    1/101

INFORMATION SECURITY RISK MANAGEMENT IN BANKS

TABLE OF CONTENTS

SR.NO. CONTENTS PAGE(S)
DECLARATION i
LIST OF TABLES ii
LIST OF FIGURES iii
EXECUTIVE SUMMARY 1
1 CHAPTER 1: INTRODUCTION 3-11
1.1 Background 3
1.2 Purpose of the Study 5
1.3 Importance of the Study 6
1.4 Statement of the Problem 9
1.5 Research Questions 9
1.6 Hypotheses 9
1.7 Research Methodology 10
1.8 Limitations 10
1.9 Overview of the Study 11
2 CHAPTER 2: LITERATURE REVIEW 12-46
2.1 History of Information Security and Risk Management 13
2.2 Scope of IS 14
2.3 How is IS Applicable in Banks 15
2.4 The IS Scenario in India 37
2.5 Understanding Information Security (IS) 42
2.6 Spending Patterns (Technologically and Financially) 43
2.7 CTO / CIO's Viewpoint 45
2.8 Summary 47
3 CHAPTER 3: METHODOLOGY 48-54
3.1 Introduction 48
3.2 Research Questions and Research Hypotheses 48-49
3.3 Data Collection / Collected 49
3.4 Location of the Data 52
3.5 Pilot Test 53
3.6 Method of Inquiry 54
3.7 Analysis Performed on the Data 55
3.8 Summary 55
4 CHAPTER 4: ANALYSIS 56-73
4.1 Introduction 56
4.2 Key Findings 57
4.3 Detailed Survey Results 58
5 CHAPTER 5: CONCLUSION 75-93
5.1 General Password Guidelines 84
5.2 Password Protection 86
5.3 Changing Passwords 87
5.4 Security Breach Examples 87
5.5 Bank Procedures 88
5.6 Downloading Software 88
5.7 Laptop Security 89
5.8 Fax Machines 89
5.9 Internet Security Concerns 90
5.10 Physical Security 90
5.11 Monitoring and Inspections 90

List of Figures

SR.NO. CONTENTS PAGE(S)
CHAPTER 1: INTRODUCTION
1.3 Figure No. 1: IS Risks 7
CHAPTER 2: LITERATURE REVIEW
2.2 Figure No. 2: Security Management Process 14
2.3 Figure No. 3: Occupations of Computer Crime Defendants 23
2.3 Figure No. 4: Types of Computer Crimes 24
2.3 Figure No. 5: Average Computer Crime Losses 24
2.3 Figure No. 6: Victims of Computer Crimes 25
2.3 Figure No. 7: Computer Crime Cases in Courts 26
2.3 Figure No. 8: TCO Analysis 31
2.6 Figure No. 9: IT Spending Patterns 43
CHAPTER 3: METHODOLOGY
3.3 Figure No. 10: Selection of Data Collection Method 50
CHAPTER 4: ANALYSIS
4.3 Figure No. 11: Respondents Based on the Type of Organisation 58
4.3 Figure No. 12: Respondents Based on the Location of the Organisation 59
4.3 Figure No. 13: Respondents by Job Description 60
4.3 Figure No. 14: IT Spending as a Part of Budget 61
4.3 Figure No. 15: Percentage of IS Functions Outsourced 63
4.3 Figure No. 16: Risk Mitigation Policies 64
4.3 Figure No. 17: Unauthorised Access in the Recent Past 65
4.3 Figure No. 18: Security Technologies Used 66
4.3 Figure No. 19: Security Audits 68
4.3 Figure No. 19: IS Awareness Training 69
4.3 Figure No. 20: Critical Issues 71
4.3 Figure No. 21: Responses Based on Age Groups 73
4.3 Figure No. 22: Respondents Based on Income Group 74
CHAPTER 5: CONCLUSION
5.1 Figure No. 23: Suspicious Activity Investigation Report 81
5.1 Figure No. 23: ATM / Debit Card Fraud Claim Format 83

List of Tables

SR.NO. CONTENTS PAGE(S)
CHAPTER 2: LITERATURE REVIEW
2.3 Table No. 1: Types of Attacks 16
2.7 Table No. 2: Risk Mitigation Strategy 45

Executive Summary

The Environmental Challenges

Most organisations recognise the critical role that information technology (IT) plays in supporting their business objectives. But today's highly connected IT infrastructures exist in an environment that is increasingly hostile: attacks are being mounted with increasing frequency and are demanding ever shorter reaction times. Often, organisations are unable to react to new security threats before their business is impacted. Managing the security of their infrastructures, and the business value that those infrastructures deliver, has become a primary concern for IT departments.

Furthermore, new legislation that stems from privacy concerns, financial obligations, and corporate governance is forcing organisations to manage their IT infrastructures more closely and effectively than in the past. Many government agencies and organisations that do business with those agencies are mandated by law to maintain a minimum level of security oversight. Failure to proactively manage security may put executives and whole organisations at risk due to breaches in fiduciary and legal responsibilities.

A Better Way

The holistic roadmap to security risk management provides a proactive approach that can assist organisations of all sizes with their response to the requirements presented by these environmental and legal challenges. A formal security risk management process enables enterprises to operate in the most cost-efficient manner with a known and acceptable level of business risk. It also gives organisations a consistent, clear path to organise and prioritise limited resources in order to manage risk. The benefits of security risk management are realised when the cost-effective controls that lower risk to an acceptable level are implemented.

The definition of acceptable risk, and the approach to managing risk, varies for every organisation. There is no right or wrong answer; there are many risk management models in use today. Each model has trade-offs that balance accuracy, resources, time, complexity, and subjectivity. Investing in a risk management process, with a solid framework and clearly defined roles and responsibilities, prepares the organisation to articulate priorities, plan to mitigate threats, and address the next threat or vulnerability to the business. Additionally, an effective risk management program will help the organisation to make significant progress toward meeting new legislative requirements.

During a risk assessment process, qualitative steps identify the most important risks quickly. A quantitative process based on carefully defined roles and responsibilities follows next. Together, the qualitative and quantitative steps in the risk assessment process provide the basis on which you can make solid decisions about risk and mitigation, following an intelligent business process.

Critical Success Factors

There are many keys to the successful implementation of a security risk management program throughout an organisation.

First, security risk management will fail without executive support and commitment. When security risk management is led from the top, organisations can articulate security in terms of value to the business. Next, a clear definition of roles and responsibilities is fundamental to success. The Information Security Group owns identifying the probability that the risk will occur, taking current and proposed controls into account. The Information Technology group is responsible for implementing the controls that the Security Steering Committee has selected when the probability of an exploit presents an unacceptable risk.

Investing in a security risk management program, with a solid, achievable process and defined roles and responsibilities, prepares an organisation to articulate priorities, plan to mitigate threats, and address critical business threats and vulnerabilities.

Executive Summary

The Environmental Challenges

Most organisations recognise the critical role that Information Technology (IT) plays in supporting their business objectives. But today's highly connected IT infrastructures exist in an environment that is increasingly hostile, where attacks are being mounted with increasing frequency and are demanding ever shorter reaction times. Often, organisations are unable to react to new security threats prior to their business being impacted. Managing the security of their infrastructures, and the business value that those infrastructures deliver, has become a primary concern for IT departments.

Furthermore, new legislation that stems from privacy concerns, financial obligations, and corporate governance is forcing organisations to manage their IT infrastructures more closely and more effectively than in the past. Many government agencies and organisations that do business with those agencies are mandated by law to maintain a minimum level of security oversight. Failure to proactively manage security may put executives and entire organisations at risk due to breaches in fiduciary and legal responsibilities.

A Better Way

The holistic roadmap to security risk management provides a proactive approach that can assist organisations of all sizes with their response to the requirements presented by these environmental and legal challenges. A formal security risk management process enables enterprises to operate in the most cost-efficient manner with a known and acceptable level of business risk. It also gives organisations a consistent, clear path to organise and prioritise limited resources in order to manage risk. The benefits of security risk management are realised when the cost-effective controls that lower risk to an acceptable level are implemented.

The definition of acceptable risk, and the approach to managing risk, varies for every organisation. Even so, there is no absolute right or wrong answer, in spite of the various risk management models in use today. Each model has trade-offs that balance accuracy, resources, time, complexity, and subjectivity. Investing in a risk management process, with a solid framework and clearly defined roles and responsibilities, prepares the organisation to articulate priorities, mitigate threats, and address the next threat or vulnerability to the business. Additionally, an effective risk management program will help the organisation to make significant progress toward meeting new legislative requirements. During a risk assessment process, qualitative steps identify the most important risks quickly. A quantitative process based on carefully defined roles and responsibilities follows next. Together, the qualitative and quantitative steps in the risk assessment process provide the basis on which you can make solid decisions regarding risk and its mitigation, following an intelligent business process.

Critical Success Factors

There are many keys to the successful implementation of a security risk management program throughout an organisation.

First, security risk management will fail without executive support and commitment. When security risk management is led from the top, organisations can articulate security in terms of value to the business. Next, a clear definition of roles and responsibilities is fundamental to its success. The IS Group identifies the probability that the risk will occur, taking into account the current and proposed controls. The Information Technology group is responsible for implementing the controls that the Security Steering Committee has selected when the probability of an exploit presents an unacceptable risk.

Investing in a security risk management program that translates into a solid, achievable process with defined roles and responsibilities prepares an organisation to articulate priorities, mitigate threats, and address critical business threats and vulnerabilities.

CHAPTER 1

INTRODUCTION

1.1 Background

Information is an asset that, like other important business assets, is essential to an organisation's business and therefore needs to be updated regularly and suitably protected. Since most businesses in the present and recent past have been electronically connected in networks, IS and its management play a major role. As a result of this existing and ever-increasing interconnectivity, information is now exposed to a growing number and a wide variety of threats and vulnerabilities.

Businesses are vulnerable to various kinds of information risks inflicting varied damage and resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centres or facilities. To control IS risks, management needs to anticipate and be aware of the potential threats, risks and resultant loss, and accordingly deploy the necessary controls across the environment.

IS is the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise the return on investment (ROI), and thereby extend business opportunities.

"Security is like oxygen; when you have it, you take it for granted, but when you don't, getting it becomes the immediate and pressing priority."
----- Joseph Nye, Harvard University.

An IS Risk can be defined as any activity or event which threatens the achievement of identified business objectives by compromising the Confidentiality, Integrity or Availability of the business information[1].

It is essential for organisations to observe, review and analyse their electronic systems, due to the advent of the Internet era, such that any malicious activity which occurs becomes predictable. Keeping this in mind, IS Risk Management in large corporations such as banks is essential, since they rely on Information Technology (IT) and IT systems for the processing, storage and transmission of company and customer data. As a consequence, in the event of an IT system failure, whether through a malicious act or a technical event of system failure or information loss, it would not be feasible to use manual processing as an alternative or solution to the problem. There are also a number of security issues surrounding IS: for example, the increased mobility of banks has resulted in remote access from wireless networks and through the Internet. Access to a bank's information assets is no longer limited to its internal employees working from a fixed, known location or environment. The computers and hardware may be valued in thousands of dollars; however, the information they contain as data could be worth far more.

There's probably not a business owner out there who doesn't make sure with some regularity that the locks intended to keep intruders off the premises are doing their job. But owners of small and medium-size businesses tend to be much less vigilant when it comes to IS Management, even though the potential risks of an IS breach can be far more staggering than those posed by a burglar. Destructive viruses, worms and hackers don't discriminate by the size of an organisation. Data loss, lost productivity, decreased profits, opportunity costs, privacy concerns and corporate liability are some of the areas where companies are vulnerable. Publicly held companies have an additional accountability for the integrity of their financial reporting data and systems under laws and acts such as the Sarbanes-Oxley Act.

1.2 Purpose of the Study

IS is a continual imperative for banks, as vulnerabilities in IS / Information Availability are continuously being exploited in new ways. The security of new technologies and channels, for example e-commerce, online banking and debit cards, needs focused attention. This becomes even more essential in the light of the increase in fraud-related losses in these areas, alongside the risks of the existing technologies and manual transaction processing.

Banks have always been, and remain, one of the most important targets for hackers, crackers and cyber criminals, as an IS breach may lead to potential losses. These losses may lead to the downfall of the banking industry and thus have an impact on the economy.

The actual losses on account of IS issues are difficult to estimate. However, the 639 companies that responded to the 2005 CSI/FBI Computer Crime and Security Survey reported total losses of $130 million, with viruses, unauthorised access and theft of proprietary information accounting for 80% of it. Given the risks, IS should be a top priority of any organisation and not just of its IT department. That's where a formal IS Management Program comes in.

It is important to recognise that all organisations accept some level of risk. Risk is, after all, a trade-off between the amount of money you wish to spend on counter-measures, against the perceived level of threat and vulnerability, to protect the estimated value of your assets. The important thing is that risk is identified, and either a) mitigated, b) transferred, c) insured, or d) clearly documented as a risk acceptance.

    Figure No. 1 IS Risks
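The trade-off stated in section 1.2 above (money spent on counter-measures against the perceived threat and vulnerability to an asset of estimated value, after which each identified risk is mitigated, transferred or insured, or documented as accepted), together with the executive summary's two-step assessment (a quick qualitative pass, then a quantitative one), as a small worked risk-register calculation. This is an added example, not code from the report or from any bank, survey or tool it describes; the 1-5 scoring scales, the expected-loss formula, the decision rule, the four sample risks and every figure in them are constructed assumptions for illustration, and "transfer" here covers both the report's "transferred" and "insured" outcomes.

```python
"""Minimal risk register: qualitative triage, then quantitative treatment decision.

Added illustration, not the report's own method.  Scales, formula, decision
rule and all sample figures are assumptions.
"""
from dataclasses import dataclass

# Assumed qualitative scales (1 = low ... 5 = high) for the quick first pass.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    asset_value: float        # estimated value of the asset at stake (constructed, INR lakh)
    likelihood: str           # qualitative likelihood, a key of LIKELIHOOD
    impact: str               # qualitative impact, a key of IMPACT
    exposure: float           # fraction of the asset value lost per occurrence (0..1)
    annual_rate: float        # expected occurrences per year
    control_cost: float       # yearly cost of the proposed counter-measure
    control_reduction: float  # fraction of expected loss the counter-measure removes (0..1)
    insurable: bool = False   # whether the risk can be transferred to an insurer


def qualitative_score(risk: Risk) -> int:
    """Qualitative step: likelihood x impact on a 1..25 scale, used to rank risks quickly."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def annual_loss_expectancy(risk: Risk) -> float:
    """Quantitative step: expected loss per year before the proposed control is applied."""
    return risk.asset_value * risk.exposure * risk.annual_rate


def treatment(risk: Risk, acceptable_ale: float) -> str:
    """Decide mitigate / transfer / accept against the organisation's acceptable yearly loss."""
    ale = annual_loss_expectancy(risk)
    if ale <= acceptable_ale:
        return "accept"                      # already within tolerance: document the acceptance
    saving = ale * risk.control_reduction   # expected loss the control removes each year
    if saving > risk.control_cost:
        return "mitigate"                    # control is cost-effective: implement it
    if risk.insurable:
        return "transfer"                    # control too costly: insure / transfer instead
    return "accept"                          # nothing cost-effective: document and monitor


def assess(register: list, acceptable_ale: float) -> list:
    """Rank the register by qualitative score, then attach the quantitative decision."""
    rows = [
        {
            "name": r.name,
            "score": qualitative_score(r),
            "ale": round(annual_loss_expectancy(r), 2),
            "treatment": treatment(r, acceptable_ale),
        }
        for r in register
    ]
    rows.sort(key=lambda row: (-row["score"], -row["ale"]))
    return rows


# Constructed sample register (all figures are illustrative assumptions).
SAMPLE_REGISTER = [
    Risk("Virus outbreak on branch workstations", 500.0, "likely", "moderate", 0.05, 2.0, 10.0, 0.8),
    Risk("Phishing of online banking customers", 2000.0, "almost certain", "major", 0.01, 3.0, 70.0, 0.5, True),
    Risk("Fire destroying the data centre", 5000.0, "rare", "severe", 1.0, 0.01, 20.0, 0.9, True),
    Risk("Fax misdirected to the wrong branch", 10.0, "possible", "minor", 0.1, 1.0, 2.0, 0.5),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, acceptable_ale=5.0):
        print(f'{row["name"]:<42} score={row["score"]:>2} ALE={row["ale"]:>6} -> {row["treatment"]}')
```

The ranking and the decision deliberately come from different inputs: the qualitative score orders the review queue without needing exact figures, while the expected-loss comparison is what justifies spending on a control. The fire risk shows why both are needed: it ranks last qualitatively because it is rare, yet its expected loss is high enough that the control pays for itself, so it is still mitigated rather than accepted.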

Security risk is also heavily influenced by time. For example, if a new virus is released for which no patch is available, then the rate of infection is critical. All organisations are subject to security threats, as these expose their vulnerabilities. This exposure increases significantly with factors such as the need to do business over the Internet, the profile of the organisation, and the value of its assets. High-profile corporations are under constant threat because of the possible infamy associated with security breaches.

Some of the key threats to organisations include:

Virus, Trojans and Worms
Phishing
Pharming
Email SPAM
Web Site Defacements
Denial of Service Attacks (DoS)
Spoofing
Identity theft
War walking, War driving, etc. (Wireless Network Threats)
Theft of information (e.g. credit card details, source code, biotechnology secrets), etc.

Hence, this study may prove important and extremely significant, as it would provide better insights with regard to updating security personnel. This would definitely enable them to handle any kind of security issue at any given point of time.

1.4 Statement of the Problem

Based on the problem definition, the objectives of the research will be:

To identify and examine the current IS landscape prevailing in various banks.
To identify the information risks and security concerns threatening the banks.
To determine the loss of revenue because of information loss due to various reasons such as virus attacks, unauthorised access, theft, pilferage, security breach or calamity / disaster.
To determine the cost of the IRSMS implementation.

1.5 Research Questions

The research will address questions such as:

What are the information risks and security threats involved in the banks?
What benefits will be derived by implementing these systems in the existing scenario?
What should be the ideal characteristics of the IRSMS?
What functions in security and risk management must be accomplished by an IRSMS to support banks?
What would be the Total Cost of Ownership (TCO) for the institution?

1.6 Hypotheses

The security policies in the same organisation (bank) may differ based on the geographic location.
Many banks prefer accepting the security risk rather than mitigating, transferring or avoiding it.
IRSMS policies show wide variations across all types of financial institutions (here the type of bank would be considered, i.e. Apex / Public Sector Commercial / Private Commercial / Co-operative / Foreign bank).

1.7 Research Methodology

The method of inquiry involved both primary and secondary data collection. A questionnaire was prepared taking into account the need for both qualitative and quantitative analysis. Primary data collection was done by inviting responses, by means of a questionnaire, from IS Officers / IT Officers, Certified Information Systems Auditors, Certified Information Systems Managers, Compliance Officers, etc., with a minimum of 1-3 years of experience in the IS Risk Management field. Secondary data was gathered from various published sources, authentic journals, past research papers, newspapers, magazines and articles.

1.8 Limitations

The findings are based entirely upon research conducted in India and hence may not be applicable to other countries of the world on account of technological diversity and contextual forces.
This kind of research needs to be done periodically to gauge the authenticity of the security risk management program designed in an organisation such as a bank, due to constantly changing technology and its vulnerabilities.
To prove the hypothesis "The security policies in the same organisation (bank) may differ based on the geographic location", the research may not have considered several banks of similar type. It may be limited to the same bank with different locations.
The research may not be able to provide the exact financial figures or the financial impact due to the occurrence of IS threats and the risk that follows, because of the reputation risk involved. The respondents might not provide complete or authentic information, or might provide only partial information, regarding the questions posed in the survey.

1.9 Overview of the Paper

An introduction to the topic of research, IS Risk Management, is provided in Chapter 1. The introduction focuses on aspects such as:

Background of the Research Study,
Purpose and Importance of the Study,
Problem Statement,
Research Questions with Certain Assumptions,
Research Methodology.

It also throws light on the limitations of the research study.

In the Literature Review, the research provides a close look and feel of similar incidents in the past and in the present amongst various banks across the country and the globe. The basic intention of this academic report is to spread awareness regarding IS threats and the risk which follows them. The researcher has tried to collect several examples from within the country and across the globe which are on similar lines.

Chapter 3 is dedicated to the methodology of the research. It points to the sources of data and information collection: surveys, questionnaires, personal interviews, authentic articles on the web, magazines, etc. This chapter revisits the research questions, research hypotheses, etc. mentioned in Chapter 1. It also highlights the method of inquiry and the method of analysis once the data is collected.

Chapter 4 illustrates the analysis performed on the data to obtain the desired results. The analysis also throws more light on the key findings which I came across while performing the analysis.

Chapter 5 provides the overall findings and the conclusions based on the survey, the analysis and also the management perspective. This chapter also mentions what needs to be done in order to prevent IS threats from recurring and the steps taken to prevent them. In fact, these steps need to be incorporated into the initial procedures of both personnel management, and sourcing and change management decisions. The bottom line being: prevention is always better than cure.

CHAPTER 2

LITERATURE REVIEW

Introduction

The chapter provides further insights regarding the traditional definition of IS and Risk Management, along with its historical background. It also puts light on the makeover, or phase shift, which has occurred in the field of IT. The chapter also defines the scope of Information Systems and IS.

The literature review shows how IS and Risk Management are applicable to banks. Why is it essential to take the responsibility and subdue the threats causing financial losses to the business sector as well as to the national and world economies? In order to achieve this feat, it becomes even more important to understand what kinds of attacks are possible and the manner in which they should be dealt with. Due to its limited scope, this academic research is unable to throw light on all the threats or mention the remedies for them. Even so, a wide range of threats is mentioned below with some actual facts.

The literature review also attempts to focus on the computer frauds that have occurred and their repercussions. It also points out the reason why computer crimes are difficult to prove in a court of law. The types of computer crimes, their impacts or effects and the victims are explained in the review. The review also focuses on drawing the reader's attention towards understanding IS at length. The focus area for all organisations, including banks, is the IT spending pattern, which is also considered and explained in the review.

2.1 History of IS and Risk Management

IS Management: A Concept

IS Management is the process used to identify and understand risks to the Confidentiality, Integrity, and Availability of Information and Information Systems.

Phase Shift of IS

The role of IS has changed during the past few years. The traditional definition of protecting networks and the data centres has undergone a shift in focus, resulting in the enablement of businesses, with security solutions actually moving the business forward, or even to the next step. Security is now a way of life and a must-do for businesses in order to survive. Hence, it has become obvious that wherever the information goes, security follows.

No longer can IS be an afterthought. An increased need for efficiency and productivity, reducing costs, reaching multiple markets and faster time-to-market are a few of the business benefits which are driving organisations to make IS a part of the organisational DNA.

2.2 Scope of IS

IS Management defines the controls we must implement to ensure we sensibly manage computer-related risk[3].

Figure No. 2: Security Management process (Source: Deloitte Touche Tohmatsu). The figure's callouts read: "IS is the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities"; "Not just technology, but people and processes too: defence in depth"; "An ongoing, continuous activity: you don't just do security as a one-off event."

A basic IS model should encompass Confidentiality, Integrity and Availability; however, there are also additions such as Accountability and Auditability[2].

In other words, the objective and focus of IS Management is to protect and manage the information assets.

2.3 How is IS Applicable to Banks?

"IS is definitely a journey, not a destination: there are always new challenges to meet."
-- Chief IS Officer at a major financial services corporation

Banking institutions have become critical centres of gravity. A collapse in a banking institution can lead to collapse in the banking sector and cause a huge setback to the economy of the nation, which would also concern the world at large. This makes them more attractive targets for potential adversaries.

Potential adversaries could be either malicious or non-malicious. Among the malicious adversaries would be hackers (including phreakers, crackers, trashers and pirates), terrorists / cyber terrorists, organised crime, other criminal elements, competitors and disgruntled employees. On the other hand, careless or poorly trained employees would be non-malicious adversaries, who, either through lack of training, lack of concern, or lack of attentiveness, pose a threat to the information systems.

Adversaries would employ attack techniques that could be classified as passive, active, insider, close-in or distribution attacks. Some of these are explained below. Passive attacks involve passive monitoring of communications sent over public media and include monitoring plaintext, decrypting weakly encrypted traffic, password sniffing and traffic analysis.

  • 8/2/2019 informationsecurityandriskmanagementforbanksinindia-090325090104-phpapp02

    24/101

Active attacks would include attempts to:

    Serial No.   Type of attack
    1            Circumvent or break security features
    2            Introduce malicious code (such as computer viruses, trojans or worms)
    3            Subvert data or system integrity
    4            Modify data in transit
    5            Replay (insertion of data)
    6            Hijack sessions
    7            Masquerade as an authorised user
    8            Exploit vulnerabilities in software that runs with system privileges
    9            Exploit network trust
    10           Set up denial of service

Table No. 1: Types of Attacks

In close-in attacks an unauthorised individual gains close physical proximity to the networks, systems or facilities for the purpose of modifying, gathering or denying access to information. Gaining such proximity is accomplished through surreptitious entry, open access, or both. Close-in attacks include modification of data, information gathering, system tampering and physical destruction of the local system. A person who is either authorised to be within the physical boundaries of the IS processing system or has direct access to the IS processing system can be responsible for insider attacks. Insider attacks are usually difficult to detect and to defend against.

Distribution attacks maliciously modify hardware or software between the time of its production by a developer and its installation, or while it is in transit from one site to another.
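Items 4 and 5 of Table No. 1 (modifying data in transit and replaying it) are the ones a bank's transaction interfaces can counter with a message authentication code plus a freshness check. The block below is an added illustration written for this section; it is not code from the thesis or from any bank system it describes. The shared key, the message fields, the 120-second acceptance window and the sample transaction values are all constructed assumptions.

```python
"""Integrity and replay protection for a transaction message (added example).

The receiver rejects a message if its HMAC does not match (modification in
transit), if its timestamp is outside an acceptance window (stale message),
or if its nonce has already been seen (replay). Every value here is a
constructed assumption, not data from the thesis.
"""
import hashlib
import hmac
import json
import time

SHARED_KEY = b"example-shared-key-not-for-production"  # constructed; a real key lives in a key store
MAX_SKEW_SECONDS = 120  # assumed acceptance window for the message timestamp


def canonical(payload: dict) -> bytes:
    """Deterministic serialisation so sender and receiver MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 tag over the canonical form of the message, including ts and nonce."""
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


class TransactionReceiver:
    """Verifies authenticity, freshness and uniqueness of incoming messages."""

    def __init__(self, key: bytes = SHARED_KEY, now=time.time):
        self.key = key
        self.now = now                 # injectable clock so the checks can be tested
        self.seen_nonces = set()       # in production this would be bounded by the window

    def accept(self, payload: dict, tag: str):
        expected = sign(payload, self.key)
        if not hmac.compare_digest(expected, tag):      # constant-time comparison
            return False, "mac mismatch (message modified or wrong key)"
        if abs(self.now() - payload["ts"]) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        if payload["nonce"] in self.seen_nonces:
            return False, "replay (nonce already seen)"
        self.seen_nonces.add(payload["nonce"])
        return True, "accepted"


def demo():
    """Walk one valid message, a replay, a tampered copy and a stale message through the receiver."""
    clock = [1_700_000_000.0]                           # constructed fake clock
    rx = TransactionReceiver(now=lambda: clock[0])
    msg = {"from": "ACC-0001", "to": "ACC-0002", "amount": 1500,
           "ts": clock[0], "nonce": "n-1"}              # constructed sample transaction
    tag = sign(msg)
    results = [rx.accept(msg, tag)[1]]                  # first delivery: accepted
    results.append(rx.accept(msg, tag)[1])              # same message again: replay
    tampered = dict(msg, amount=150_000, nonce="n-2")   # amount changed in transit, old tag
    results.append(rx.accept(tampered, tag)[1])         # mac mismatch
    clock[0] += 3600                                    # an hour passes
    late = dict(msg, nonce="n-3")                       # correctly signed but old timestamp
    results.append(rx.accept(late, sign(late))[1])      # stale timestamp
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The nonce and timestamp are part of the signed payload, so an attacker cannot refresh either without invalidating the tag; the window keeps the nonce set from growing without bound.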

The risks of serious IS failures are all around us. Breaches such as teenage hackers and e-mail viruses, which were once a nuisance only for information technology professionals, now pose a significant risk for executives and can threaten intellectual property and brand equity. Each new lapse in security is highlighted by glaring media coverage, which amplifies consumer awareness and concern.

The disclosure by MasterCard that 40 million of its credit and debit card account details had been exposed is yet another indication of the scale of the problem. Certainly, the growing fear of identity theft is a matter of concern for executives in industries that interact directly with consumers. A recent survey conducted in conjunction with the Merchant Risk Council in the US revealed that over 90 per cent of retailers agreed that consumers make purchasing or transaction decisions based on their trust in the company's ability to secure their data. Also, almost 90 per cent felt that IS is or will become a point of competition in the retail sector. IS is not just an issue for retailers and banks; all companies face new risks, ranging from industrial espionage to sabotage. Compounding these concerns, compliance fears generated by Sarbanes-Oxley and the forthcoming Basel II accord have fostered an environment of risk aversion inside many organisations. Of course, there are plenty of risks to fear. The process of opening companies to the internet has exposed a multitude of software vulnerabilities, especially as many older systems were not developed with security in mind. Building stronger walls around enterprise systems can help to keep out some unwanted visitors, but those clever invaders or disloyal insiders who find their way into the fortress discover a treasure trove of information once they have gained access.

To make matters worse, many risks lie deeply hidden within the extended enterprise. While most large companies have taken significant actions to beef up their own internal security, their smaller partners often harbour risks that open the entire enterprise to vulnerability. Every day, business partners take unseen risks and, when partners experience security failures, it has the same devastating impact. In the case of MasterCard, the loss arose out of a security breach at Card Systems Solutions, a small, private payment processor with only about 100 employees. Card Systems quickly felt the pain of the mistake as both Visa and American Express promptly withdrew their business, pushing Card Systems into a financial crisis. Yet the fact that the problem was not within Visa or MasterCard made little difference to consumers, who rightly saw the problem as the responsibility of the credit card companies.

The escalation of security breaches and the painful surprise many executives feel when a failure occurs in their business have brewed a culture of fear within many organisations. Vendors within the security industry have quickly capitalised on this fear along with the confusion around new compliance measures such as Sarbanes-Oxley. But before tossing money at a cure in the hope that it will eliminate these new risks, managers should first work to incorporate information risk into an overall enterprise risk management strategy. Like any other risk within the company, security risks must be identified and balanced against the benefits and costs of mitigation. Unfortunately, in contrast to many other business risks, the discussion about IS risk has focused solely on the negative experiences. Of course, no one likes a bad outcome. A hurricane, like a security failure that exposes sensitive customer information, results in damage and cost. However, in other areas of business, risk is associated with return: higher risks yield higher returns. This is also true for IS risk. IT risks are very often assumed to arise from sloppiness or corner-cutting, such as the failure to follow best software development practice or to test and audit new systems. In some instances this notion is true. However, many IT risks occur within the context of a larger business strategy with associated rewards.

For example:

- Working with a small, innovative start-up company whose promising software solution could generate significant returns, but could also harbour the associated risk of the small company's IT environment
- Starting or acquiring operations in low-cost countries where the infrastructure is less secure
- Outsourcing business processes to suppliers with lower-cost structures but unknown or hard-to-monitor security practices
- Exposing internal business data to customers and partners to help with the creation of new services or reduce operating costs.

All of these create security risk, even with the best practices. Becoming aware of the risks is just the first step in building an effective management strategy. In our survey of retailers, over 85 per cent said that the level of IS offered by their suppliers was important to them. Yet we find that companies in each industry are struggling to develop effective ways to measure and manage security risks across their extended enterprise.

A simple way to reduce security risk is to limit business innovation: avoid partnering, pull systems offline and lock down the fort. This is a serious mistake. Instead, risk should be balanced with reward. Embedding IT risk into your overall enterprise risk management strategy implies establishing a risk posture that does not seek to eliminate security risk, but rather manages it. The key is first to understand the vulnerabilities, threats and consequences. Vulnerabilities are areas that can be exploited by malicious individuals or organisations.

Examples could include poorly maintained software (such as failing to patch known security holes), poor security practices (such as inadequate password and identity management), or the exposure of older systems with unknown security to the internet. Given these vulnerabilities, what are the threats? Are there outsiders who are motivated and capable of exploiting the vulnerability? Or are there insiders who may be tempted to steal intellectual property? Finally, if the security was breached, what are the consequences? Would they be primarily internally observed or would they impact external groups, such as customers or business partners?

Internal failures, like viruses, generate real operational costs for the IT department but rarely put the company into a catastrophic tailspin. On the other hand, external failures, such as a breach of customer information, can be much more painful, warranting far greater attention. To manage risk in the most effective way possible, companies should include IS in the broader perspective of business risk management, where the board of directors governs the company's overall risk posture. This same perspective must also be applied to business partners. For many companies, measuring supplier risk will require new tools for supplier security qualification. Like those tools used to assess a supplier's product quality, supply chain reliability or its long-term financial viability, suppliers should be qualified using a technical assessment of security and an assessment of the supplier's information risk management practices. Risks of working with a new partner can then be balanced against the benefit that the partner delivers.
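The vulnerability / threat / consequence questions above, together with the earlier point that security risks must be balanced against the benefits and costs of mitigation, can be turned into a small risk register. The block below is an added example for this section and not material from the thesis; the four sample risks, their likelihoods, loss estimates and mitigation costs are constructed figures, and the rule that ranks externally visible consequences ahead of internal ones is an assumption taken from the text's own argument.

```python
"""A minimal information-risk register (added example, not from the thesis).

Each entry pairs a vulnerability with a threat and a consequence. Expected
loss = likelihood x impact; a control is worth buying only when the loss it
removes exceeds its cost. All figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    vulnerability: str
    threat: str
    likelihood: float            # chance per year the threat exploits the vulnerability
    impact: float                # estimated loss per occurrence (constructed currency units)
    external: bool               # do the consequences reach customers or partners?
    mitigation_cost: float       # annual cost of the proposed control
    residual_likelihood: float   # likelihood once the control is in place


def expected_loss(r: Risk) -> float:
    """Annual expected loss before any mitigation."""
    return r.likelihood * r.impact


def mitigation_benefit(r: Risk) -> float:
    """Reduction in annual expected loss that the control buys."""
    return (r.likelihood - r.residual_likelihood) * r.impact


def prioritise(risks):
    """Rank risks: externally observed consequences first, then by expected loss (assumed weighting)."""
    return sorted(risks, key=lambda r: (r.external, expected_loss(r)), reverse=True)


def decide(risks):
    """Mitigate only where the control saves more than it costs; otherwise accept and monitor."""
    return {
        r.name: ("mitigate" if mitigation_benefit(r) > r.mitigation_cost else "accept/monitor")
        for r in risks
    }


# Constructed sample register; none of these figures come from the thesis.
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing server", "missing security patches", "external attacker",
         likelihood=0.4, impact=500_000, external=True,
         mitigation_cost=50_000, residual_likelihood=0.05),
    Risk("Weak password policy", "inadequate password management", "insider",
         likelihood=0.3, impact=100_000, external=False,
         mitigation_cost=25_000, residual_likelihood=0.1),
    Risk("Virus outbreak on internal desktops", "no endpoint protection", "opportunistic malware",
         likelihood=0.8, impact=20_000, external=False,
         mitigation_cost=5_000, residual_likelihood=0.3),
    Risk("Partner processor breach", "unassessed supplier security", "attacker via partner",
         likelihood=0.12, impact=2_000_000, external=True,
         mitigation_cost=100_000, residual_likelihood=0.04),
]


if __name__ == "__main__":
    decisions = decide(SAMPLE_RISKS)
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.name:38s} expected loss {expected_loss(r):>12,.0f} "
              f"external={r.external!s:5s} -> {decisions[r.name]}")
```

In the sample data the weak-password control is not bought because the loss it removes (20,000) is below its cost (25,000); that is the kind of explicit trade-off the text asks for instead of spending on every fear.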

Most importantly, managing information risk is everyone's responsibility, not simply the job of IT executives. Rather than viewing IT executives as security guards, technology-savvy executives, from corporate directors to line managers, should act as consultants to the entire organisation. CIOs with strong business and technical skills are uniquely qualified to help educate the organisation and chart a course to bring IT risk into the overall risk management strategy. Bringing IT into the enterprise risk management strategy will not only protect against catastrophic operational surprises, but will empower managers to seize the exciting opportunities before them.

Computers have been in existence in European and American countries for a long time. Consequently, frauds associated with the computer environment have also been in existence for a long time. The American Institute of Certified Public Accountants (AICPA) was commissioned to conduct a study of EDP-related frauds in the banking and insurance sectors. The study, Report on the Study of EDP-Related Fraud in the Banking and Insurance Industries, revealed many shocking findings, the more significant of which are:

- In some cases, fraud occurred during the normal transaction processing cycle;
- Many took advantage of weaknesses in the system of internal controls;
- Most frauds were in the input area;
- Input was either unauthorised or proper input was manipulated;
- File maintenance was a common method;
- Manipulation involved extending due dates on loans or changing names and addresses;
- Loss from reported cases worked out to several million US dollars;
- In all cases, perpetrators were employees.

Donn B. Parker, Senior Management Systems Consultant and Researcher on computer crime and security, in a report for the National Institute of Justice, US Department of Justice, identified 17 crime techniques, the more significant of which are:

- Eavesdropping or Spying: This involves wire-tapping and monitoring radio frequency emissions.
- Scanning: Scanning presents sequentially changing information to an automated system to identify those items that receive a positive response, such as telephone numbers, user IDs, passwords and credit cards.
- Masquerading: In this, the perpetrator assumes the identity of an authorised computer user.
- Piggy-backing: This can occur when the user signs off or a session terminates improperly. The terminal is left in an active state, or in a state where it is assumed that the user is still active.
- Data Diddling: It involves changing data before or during their input into the computer.
- Trojan horse: It is a covert placement or alteration of computer instructions or data in a program so that the computer performs unauthorised functions. It is the primary method for inserting abusive acts, as in salami techniques.
- Logic Bomb: It is an unauthorised set of program instructions inserted into a regular program such that an unauthorised or malicious act is perpetrated at a predetermined time.
- Data Leakage: It involves removal of data from a computer system or facility.
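Parker's "scanning" technique, trying sequentially changing values until one receives a positive response, leaves a footprint a bank can watch for: a run of failed authentications against one account in a short window, sometimes followed by a success. The block below is an added example for this section, not code from the thesis; the log format, the constructed sample lines, and the threshold of five failures within ten minutes are assumptions chosen for the illustration.

```python
"""Detect runs of failed authentications that look like value scanning (added example).

The log format, thresholds and sample lines are constructed for this
illustration; they do not come from the thesis or from any real bank.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> auth <OK|FAIL> account=<id> terminal=<id>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) account=(?P<acct>\S+) terminal=(?P<term>\S+)$"
)

THRESHOLD = 5                   # failures that trigger an alert (assumed)
WINDOW = timedelta(minutes=10)  # sliding window the failures must fall within (assumed)

# Constructed sample log; the account and terminal identifiers are not real.
SAMPLE_LOG = """\
2019-03-25T09:00:01 auth FAIL account=ACC-1234 terminal=ATM-07
2019-03-25T09:00:40 auth FAIL account=ACC-1234 terminal=ATM-07
2019-03-25T09:01:15 auth FAIL account=ACC-1234 terminal=ATM-07
2019-03-25T09:01:50 auth FAIL account=ACC-9999 terminal=ATM-02
2019-03-25T09:02:05 auth OK account=ACC-9999 terminal=ATM-02
2019-03-25T09:02:30 auth FAIL account=ACC-1234 terminal=ATM-07
2019-03-25T09:03:10 auth FAIL account=ACC-1234 terminal=ATM-07
2019-03-25T09:03:45 auth FAIL account=ACC-1234 terminal=ATM-07
2019-03-25T09:04:20 auth OK account=ACC-1234 terminal=ATM-07
this line is malformed and must be skipped
2019-03-25T10:30:00 auth FAIL account=ACC-5555 terminal=ATM-01
"""


def parse(line):
    """Return (timestamp, result, account, terminal), or None for lines that do not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["acct"], m["term"]


def detect_guessing(lines, threshold=THRESHOLD, window=WINDOW):
    """Flag accounts whose failed logins within the window reach the threshold.

    Emits one ("burst", account, terminal, count) alert per run of failures and a
    ("success-after-burst", ...) alert when a success follows such a run, which is
    the pattern a guessed PIN or password produces.
    """
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    alerted = set()               # accounts already alerted for the current run
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, acct, term = parsed
        fails = recent[acct]
        while fails and ts - fails[0] > window:   # drop failures that fell out of the window
            fails.popleft()
        if result == "FAIL":
            fails.append(ts)
            if len(fails) >= threshold and acct not in alerted:
                alerts.append(("burst", acct, term, len(fails)))
                alerted.add(acct)
        else:
            if len(fails) >= threshold:
                alerts.append(("success-after-burst", acct, term, len(fails)))
            fails.clear()         # a success ends the run for this account
            alerted.discard(acct)
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG.splitlines()):
        print(alert)
```

The same counter is what an account lockout or a step-up check would key on; the point of the separate "success-after-burst" alert is that a lockout alone would not tell the investigator that the last attempt actually got in.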

The National Center for Computer Crime Data, a Los Angeles-based research organisation, has been providing information on computer crimes. The statistics relate to:

- Average computer crime losses;
- Victims of the computer crimes;
- Occupations of the computer crime defendants;
- Types of computer crime;
- Computer crime cases in courts.

[Figure No. 3: Occupations of Computer Crime Defendants. Bar chart; y-axis: No. of Cases (0 to 30); x-axis: Sources of Crimes, with categories Miscellaneous, Ex-employees of Victims, Accomplices, Law Enforcers, Computer Professionals, Unemployed or Criminals, Students, Employees (Acc. to Comp.); the bar values printed on the chart are 1, 6, 6, 6, 10, 19, 26 and 26.]

[Figure No. 4: Types of Computer Crimes. Chart with categories Extortion, Theft of services, Theft of money, Damage of Hardware, Alteration of Data, Harassment, Theft of information, Damage to software.]

It was seen that computer crime losses were very high, with theft of services and money contributing the maximum. Commercial users topped the list of computer crime victims.

[Figure No. 5: Average Computer Crime Losses. Bar chart; y-axis $0 to $100,000; categories Theft of money, Theft of program / data, Damage to system / data; the values printed on the chart are $10,517, $55,166 and $93,600.]

[Figure No. 6: Victims of Computer Crimes. Bar chart; y-axis: % of cases (0 to 40); categories Miscellaneous, Universities, Banks, Individuals, Government, Telecommunications, Commercial users; the values printed on the chart are 24, 12, 12, 17, 17 and 36.]

Technology improvements provide greater sophistication for users. However, they also create significant security and control concerns. It is also of great concern that a computer criminal is less likely to be caught than a bank robber. Parker conducted two studies, on general and computer bank frauds and embezzlement respectively, in 1976. The two studies revealed that average losses from computer bank frauds and embezzlement were approximately six times higher than those from general bank frauds.

Computer crimes in India

In India, although computers made an entry much later, we are catching up fast in the area of computer frauds, too. However, most of the crimes do not get reported, as organisations are hesitant to file a report because it might affect their credibility.

[Figure No. 7: Computer Crime Cases in Courts. Pie chart: Pleaded Guilty 76%, Found Guilty 8%, Found not guilty 16%.]

A few of the reported cases in the press are mentioned below.

The Hindu, on March 7, 1996, carried a report, "Quantum jump in the number of bank frauds", according to which Mr. R. Janakiraman, former deputy governor, Reserve Bank of India, while addressing a session on frauds in banks and other financial institutions, their prevention and detection, organised by the Institute of Criminological Research, Education and Services (ICRES), observed that frauds committed by bank employees in collusion with outsiders accounted for the largest number of frauds, rather than those committed single-handedly either by bank employees or by outsiders.


India Today, in its February 28, 1999 issue, carried a report, "High-tech frauds: Thieving with technology".

The Economic Times report "Banks feel techno-crime byte", dated December 19, 1996, mentioned how Sanjay Subharwal and his accomplice cracked the Automatic Teller Machine (ATM) code of his sister-in-law's account after 99 attempts and siphoned off Rs. 1.52 lakh.

The Economic Times dated January 12, 1997 stated: "The days of Nagarwallas using VVIP names to withdraw millions from a bank are old hat."

India Today, in one of its issues, in a report "Hacking: New Frontiers", wrote: "R. Srinivasan's employers, a stock broking firm in Chennai, were very happy with him and his proficiency in their new computers. He brought in new clients and increased the volume of shares traded. But the company was losing heavily on share transactions. A few months later, the managers found out why: Srinivasan's clients were no more than electronic entities, existing only on the pathways of their computers. Losses: Rs. 50 lakh."

Giving another example, the report says: "No one knew when account no. 20456 became active. The Bank of India's computer at Mumbai's Mulund branch only recorded that its owner, Ganesh Rao, had drawn Rs. 76,700 since February. So when Rao was overdrawing on April 3, they took a second look at him. Before them was Sanjay Rajbhar, a computer professional who ran a network controlling accounts. In a bank that still maintains huge, yellowing ledgers, Rajbhar had found a defunct account and resurrected it with a few key-strokes."


"Technology is a strategic resource available at a cost, albeit with an altered risk-benefit matrix."
--- Ashok Bhattacharya, General Manager Technology, State Bank of Mysore.

Technology has become the backbone of human civilisation. Technology, its concepts, gadgets and formulations are matters of common use, spanning the drawing rooms of our residences to the board rooms of corporates, to the halls of deliberation at the United Nations (UN). Though technology and its applications have remained the subject of debate from time to time, the contributions of technology in the fields of business, health, education, entertainment, information and communication and, of course, banking are growing day by day. For most of us, it is no more a question of whether to use technology or not; it is more a question of how to exercise our options in using technology. Which, when and what-if are some of the major questions that banks and the financial services industry have to consider in order to roll out technology, maintain it and upgrade it. Indeed, strategic use of IT is the vital part of business intelligence that banks are relying upon for growth and viability in the face of competition, and this reliance will be sharpened in the days to come in order to handle Customer Relationship Management (CRM) issues effectively.

Public Sector Banks (PSBs), which have large portfolios in terms of business and employment, are in various stages of migrating to new systems. As a matter of fact, this new strategic system may generally be identified with Core Banking aided by ATM networks and other e-processes. Some of the important features of such migration / upgradation are:

- From distributed / stand-alone banking to core banking / anywhere banking.
- Alternative delivery channels like ATMs, Internet Banking, Credit Cards, Smart Cards and Kiosks.
- Cross-selling products like insurance, money market and other financial products.
- Use of multimedia, online help and assistance.
- Electronic Fund Transfers (EFT).
- Digitisation of data, online encryption and straight-through processing.
- Business Continuity and Risk Mitigation, including KYC (Know Your Customer) and AML (Anti-Money Laundering) implementation.
- Online trading, settlement, treasury, domestic and cross-border transactions.
- Data Warehousing, MIS and Business Intelligence Decision Support System.
- Intra-bank email systems, which incidentally revolutionised banks' internal communications, introducing an online knowledge repository, training / applicable instructions / job cards, etc.
- Considering that technology is a risk multiplier in both operations and business, a properly manned and sophisticated disaster recovery process is put in place.

This quantum jump in technology envelops the whole organisational entity, its activities, interfaces and all stakeholders. For a large organisation like a PSB, on the backdrop of which the present article is based, having about 650 retail branches, business transactions exceeding Rs. 30,000 cr. and providing direct employment to about 10,000 persons, automation decisions are size-oriented. The size of operations has a critical bearing on the choice, cost and consequences of IT projects.

The general method adopted by PSBs is to make a preliminary survey of actual functional systems in various other banks, appoint consultants, arrive at the desired specifications of the system to be procured and then go for tendering for suitable software / hardware and related services. All PSBs follow the Central Vigilance Commission's (CVC) guidelines in selecting the final vendor for software, hardware, accessories and maintenance thereof. It may be mentioned here that a precise cost-benefit analysis may not always be feasible, as technological upgradation, new technology, etc. are mostly required simply to remain in the market and / or to retain market share.

Notwithstanding the same, while selecting technology and finalising the roll-out plan, PSBs do take care of the following factors:

- New technology will bring in new risks; accordingly, the cost, benefit and risks of the new technology need to be considered and optimised for maximum productivity.
- The life of the technology is also becoming shorter and shorter. For this reason banks / financial institutions also need to be ready with resources and to plough back revenue enhancements so that systems can be replaced before they become totally obsolete.
- The agreements to purchase / hire services and the service level agreements must each be legal besides being technologically feasible, so that buyers can use the system as required by them and vendor failures are avoided. At this stage, banks / financial institutions may also finalise the process of User Acceptance Test (UAT) that they would like to follow before commercial roll-out of the system at the branches / offices. This is very important and must be developed with a professional approach, as otherwise banks will suffer avoidable pangs and costs of customisation in high-risk situations.
- If the system purchased is on a turnkey basis, then the confidence level of such UAT should be very high.
- It would also be appropriately pragmatic for the bank to prepare an action plan for converting fixed costs to take full advantage of new technology / upgradation. Suitable steps to remove road blocks which prevent such conversion / replacement should be taken.

Based on the above components, below are the schematic triangles of concerns that bankers / financial institutions would do well to keep in mind while selecting / rolling out expensive and all-encompassing technologies.

[Figure No. 8: TCO Analysis]

No doubt, the implementation of a new system, say, Core Banking Solutions (CBS), that is now being set up in most of the banks will enhance banking services in a visible manner. The customers of a branch now become the customers of the whole bank. Speed and accuracy of transaction processing, money transfers, remittances, and local and national clearing all get enhanced, enabling the bank to handle more transactions with the cost per transaction coming down to a great extent. Thus, CBS coupled with the ATM network, Internet Banking and Real Time Gross Settlement (RTGS) gives the customer the facility of doing business with the bank round the clock without visiting the bank's branch. Internet Banking is very popular with the young clientele, as utility payments, travel arrangements, bill payments and even purchase of cinema tickets can be done sitting at home or in the office.


As RTGS has also been enabled in many commercial bank branches, the reach of the Electronic Funds Transfer System (EFTS) now stands highly enhanced. It is clearly visible that technology is a strategic resource available at a cost, albeit with an altered risk-benefit matrix. As a matter of fact, every upgradation of technology may become a risk multiplier if appropriate risk mitigation steps have not been embedded in the system and provided in the handling procedure itself. One of the risk areas is outsourcing, in which, because of considerations of core competency and cost, outsourcing of all technological inputs, including the hiring of hardware, software and livewire, is resorted to. Business Process Outsourcing (BPO) has become a mantra in most private enterprises, which have high adaptability to new technologies. Even there, appropriate levels of agreement are reached and roadblocks set up to prevent control of the business passing from the hands of management to the hands of the BPO.

In commercial banks, outsourcing is mainly done to obtain assistance wherever they lack the core competency to handle highly technological jobs, including troubleshooting of IT systems. Here also, many banks have tried to use in-house people to maintain their systems, but this mostly resulted in a legacy of problems, creating handicaps for the bank in moving speedily to new technology platforms. Outsourcing of technological services, at least to launch an IT project, is quite common in today's banking industry. Banks have been asked by regulators to finalise a policy on outsourcing so that the risks of outsourcing critical basic applications are managed properly.

Further, the salary structures of PSBs also do not permit employment of highly qualified experts in the area of technology. Recently, SBI and TCS have joined hands to float a separate company, which presumably will not have such salary and perquisite constraints and would, therefore, be able to retain technical experts for a reasonable time. It may also be noted that new technologies invariably give rise to new opportunities, which can be harnessed under the general expression of Business Process Re-engineering (BPR). The CBS, which operates on a centralised data and information reservoir, has the ability to convert a branch customer into a bank customer and, thereby, make it possible to turn many hitherto distributed banking activities into centralised activities. Banks are coming up with outlets, Centralised Processing Units (CPUs), where all loan processing, renewal and documentation for all branches are done, leaving branches free for marketing and the business of cross-selling. Banks that have rolled out CBS find a grand by-product opportunity to take such B2C initiatives, which have vastly improved credit appraisal, disbursement, documentation, deposit mobilisation, and cheque and customer instruction processing.

As an example, it may be elaborated that, previously, all cheques in clearing would come to the branches for verification of signature, balances and payment thereof. But now, service branches have all this information on the screen itself and cheques need not travel to the branches, thus saving time and ensuring quality. This new technology or new system is highly successful when it meets the following criteria:

- Increase in revenue / volume of business
- Reduction of cost of operations
- Reduction in delivery time for most B2C transactions
- Improving general customer service and loyalty of customers.

Most of the banks and financial institutions, and even insurance companies, that are using a high level of IT are endeavouring to measure the success of their investment decisions by the actual movement of the above factors. The beneficial impact of modern-day technology has ushered in a new era in the services available to bank customers. Some such features are: transacting from any branch; specialised collections, remittances and fund transfers; 24/7 banking through ATMs and Internet banking; automated payments; Automated Standing Instructions (ASIs); using banks' web portals for the latest rates, new products and terms; submission of stock and other statements for loan account customers; and, with the RTGS facility, funds transfer to accounts with other banks has also become possible.


While technology (to be more precise, information and Internet technology) has brought in metamorphic changes in the area of banking and financial services, problems do persist in various areas: some are new, and some also suffer from aggregation of risk owing to the change in technology. Having rolled out CBS, the latest in banking technology, in 100% of our branches along with a network of ATMs, Internet Banking, RTGS, etc., we find many problems which, if handled either before installation or immediately on roll-out, would strengthen the bank's delivery, customer satisfaction and bottom line. Some such problem areas are as under:

Biometric Access Control

In spite of decades of history of full computerisation in banks, even under CBS most banks' internal access control is based on an individual ID and password. Abuse of this system in a large organisation is well known and difficult to combat; thus the system needs to be replaced by a biometric system. Preferably, the ID of each individual employee of the bank should be replaced by his / her fingerprints. It would then be easier to track and eliminate all possible abuses or mistakes.

    UAT

    We have mentioned the importance of UAT earlier. It is reiterated that, though PSBs know full well their inputs and the required outputs, data for comprehensively testing new systems is not generally available. Banks are depending on the vendor's expertise in these matters, and mistakes are generally rectified through trial and error. In this context, the auditability of systems assumes considerable importance.

    MIS Data Warehousing

    Generally, the CBS available in the market may not come with a full-blown MIS or data warehousing capability. These need to be developed, or the existing one has to be integrated.

    Input Control / Output Reports

    The CBS is a platform mainly for handling Bank to Customer (B2C) transactions. Normally, no problem is envisaged from the transaction to the reporting level in a system which has gone through a proper UAT. But large banks always find it quite difficult to ensure full accuracy at the input level. Errors of input and mapping, and legacy problems at the granular level, create data integrity problems.

    Variability of Cost

    The success of new technology lies in harnessing its ability to cut down transaction cost, as also in replacing fixed cost by variable cost. But this is not happening at the required place and time, and often new technology represents additional cost without any reduction of the fixed cost already existing.

    Captive users

    A major problem is that banks which have selected and installed new technology have become captive users of their vendors. This problem may be further accentuated in the absence of proper service level agreements.

    Attrition

    Many of the bank staff members who have adopted and quickly mastered the new technology may be leaving the bank for better offers, creating gaps in day-to-day management.

    Service Level Agreements (SLAs)

    Many of these problems are not insurmountable, and are definitely controllable. With appropriate planning and consultation they can be managed, subject to the existence of appropriate agreements for hiring / purchasing / outsourcing, and SLAs. A professional arrangement in this area will ensure the continuity of the vendor's stake, which is important.

    Systems and Operation, Documentation / Manuals

    In the new system, fully developed documentation should be available. Online help generally does not meet the requirements of users. Sometimes documentation is not available at all, and vendors themselves suffer from attrition, thus creating a somewhat chaotic situation during the commercial run of the system, which may degenerate unless appropriate control and administration is exercised. Prevention is always better than cure.


    B2B / Government Business, etc.

    A large part of a bank's business is treasury management and bank-to-bank transactions, including multi-currency transactions. Some of the PSBs are also entrusted with government business. Most of these core banking systems do not have proper modules where such transactions and the related transactional MIS can be processed simultaneously. The additional requirements need to be anticipated and negotiated with the vendors at the opportune time. Suitable middleware can be used in this regard.

    "India is a software powerhouse. But its IT security practices are pathetic and consumers should beware."

    --- Sucheta Dalal, Consulting Editor of MONEYLIFE

    Last June an employee of Hong Kong Bank in Bangalore was arrested following an investigation into the theft of GBP 230,000 from a British customer's account. Earlier this month, Channel 4 of London controversially claimed that credit card data, along with passport and driving licence numbers, are being stolen from call centres in India and sold to the highest bidder.

    A survey on the Global State of the

    made little or no progress


    While things are pretty bad on the global IT security front, they are worse in India. The study says: "One of the most unsettling findings in this year's study is the sad state of security in India, by a wide margin the world's primary locus for IT outsourcing. India lags far behind the rest of the biggest IT powerhouses in the world; these findings should cause considerable concern. Many survey respondents in India admitted to not adhering to the most routine security practices. Extortion, fraud and intellectual property theft that occurred last year are double and even quadruple those of the rest of the world. Nearly one in three Indian organisations suffered some financial loss because of a cyber attack last year, compared with one in five worldwide and one in eight in the United States."

    According to CSOonline.com, "The problem is obvious, but right now it's apparently easier to ignore than to address. Harder to ignore is the constant news of large organisations losing laptops packed with unencrypted personal data on millions of customers. Every report of such incidents should motivate companies to tighten security, but every year the survey indicates that's not happening."

    2.4 The IS Scenario in India

    Banking institutions are becoming more and more conscious about IS, taking into consideration the scams that have occurred in the past and continue to occur even today. A flood of new security attacks targeting banking customers over the last twelve months has forced organisations and regulatory bodies to introduce new directives and methodologies, such as the recommended use of two-factor authentication by online banks by the end of 2006. These groups believe that single-factor authentication (the use of a username and password) is now inadequate to protect users against recent Internet scams such as phishing, pharming and RAT attacks. By the end of 2006, many Asian online banks will be required to implement the new directives covering two-factor authentication, which relies on something the consumer has, such as a token or smartcard. This would help identify the individual more specifically. Introducing the methodology in a relatively short span of time would be the next big challenge faced by the banks. They would also have to ensure that the chosen method is convenient enough for broad consumer adoption while keeping costs down.

    Banks in India need to be complimented on the inculcation of technology in a large way in their day-to-day operations. In a short span of less than two decades, customers of the banks have felt the positive impact of the technological solutions implemented by banks. The customer of a bank has a virtual menu of options as far as delivery channels are concerned, and all these are the benefits of technology, with the most visible benefits occurring in the area of payments for retail transactions. A variety of cards, Automated Teller Machines (ATMs), Electronic Fund Transfers (EFT), Internet Banking and Mobile Banking are some of the latest technology-based payment solutions, which have gained wide acceptance in the Indian banking arena.

    While addressing a critical topic such as technology, which has today become a basic necessity rather than a luxury in the banking sector, the various components which comprise the building blocks on which banking will function tomorrow must be examined. I would, therefore, list some of the major aspects which appear to be the cornerstones of the road that we are paving, so that the highway would ensure the free, safe and secure conduct of banking services and business.

    Technology implementation comes with its attendant requirements too. A few major aspects which need to be reckoned with relate to the:

    Need for standardisation across hardware, operating systems, system software and application software, to facilitate the inter-connectivity of systems across branches.

    Need for high levels of security in an environment which requires high levels of confidentiality; IS is an important requirement.

    Need for a technology plan which has to be periodically monitored and also upgraded consequent upon changes in the technology itself.

    Need for business process re-engineering with large-scale usage of computers; the objective is not merely to mechanise activities but to deliver the holistic benefits of computerisation for both the customer and the staff at the branches.

    Sharing of technology experiences and expertise so as to reap the benefits of the technology implementation across a wider community.

    With technological solutions rapidly evolving, more new products and services may soon become the order of the day. This technology evolution needs to be thoroughly supported by IS practices and procedures in order to avoid the chaotic situation that would otherwise result.

    Prominent among the attendant challenges is the paradigm shift in the concept of security. With delivery channels for funds-based services, such as the electronic movement of funds between different accounts of customers, operating through the use of technology, the requirements relating to security also need to undergo a metamorphosis at a rapid pace.

    Various concepts, such as digital signatures, certification, and the storage of information in a secure and tamper-proof manner, all assume significance and have to form part of the practices and procedures in the day-to-day functioning of the banks of tomorrow.

    Security requirements have to be provided from a two-pronged perspective: first, the internal requirements of the banks themselves, and second, the legal precincts of the laws of the land. It is indeed a matter of satisfaction that the INFINET (Indian Financial Network) is a safe, secure and efficient communications network for the exclusive use of the banking sector, which provides for inter-bank communication.


    The key advantage of INFINET is its own security framework in the form of a Public Key Infrastructure (PKI), which is in conformity with the provisions of the Information Technology Act, 2000. Several large financial institutions are now starting to implement two-factor authentication to re-establish trust with their users, fearing that if nothing is done profits will be lost and customer confidence will drop, leading to a loss of brand image in the long run.

    "At YES BANK, our priority is delivering solutions that take into account present and future customer needs," said H. Srikrishnan, CIO and Executive Director, YES BANK. "We identified that current and prospective customers have access to a PC with a reliable bandwidth connection, but a key concern was the ability for us to guarantee a high level of security, giving them the confidence to use Internet banking without the worry of fraud or theft. Thus, our priority was addressing this issue and identifying a solution which would improve customer confidence and provide a reliable and user-friendly experience."

    According to recent surveys conducted by various IS organisations, identity theft looms larger than any other kind of crime worldwide.

    Currently, IS implementation in banks suffers from deficiencies such as:

    A comprehensive Security Risk Assessment is not being conducted before drafting a security policy for the bank.

    The Acceptable Usage Policy (AUP) is not communicated to all staff of the bank.

    The scope of the Information Systems Audit at branches is restricted to checklist audits.

    A defined Vulnerability Assessment Policy has not been set out for the data centres of banks.


    2.5 Understanding Information Security (IS)

    In view of the critical implications of Information Security (IS) for banks and financial institutions, it is necessary to emphasise that the management of the bank should have a good understanding of IS risks.

    IS is not only the concern of the Information Technology Department but of the entire organisation. It is said that "security in an organisation is as strong as its weakest link". Hence, each and every user of information, right from the senior management to the clerk in the branch, has to be involved in any security initiative taken by the bank. This means that they have to be aware of the security threats and should practise the laid-down policies and procedures.

    IS Policy has to be aligned to the business objectives by a proper IS Risk Assessment. This means that the risks identified and measured during a structured IS Risk Assessment should be mitigated with effective security policy and procedures.

    IS Policy cannot be the same for all banks despite the similarities in their business functions. This is because each bank has its own unique risks, which may be multidimensional considering its locations, its services, its business goals and its technical infrastructure.

    Banks can optimise their resource spending in IS by strategising their security spending to mitigate the high-impact risks identified during their IS Risk Assessment. Hence, IS should be seen as an investment.

    Security Audits at branches need to be conducted by qualified personnel, as they need to encompass an audit through the computer.


    IS rests on the CIA principle (confidentiality, integrity and availability). Hence, in every decision, the security requirements of CIA have to be observed.

    IS Risk Assessment is not restricted to a Vulnerability Assessment of the technical infrastructure; it extends to identifying critical assets, their threats and organisational vulnerabilities. It also includes Business Impact Analysis (BIA), measuring risks and suggesting appropriate controls.

    2.6 Spending patterns (Technologically and Financially)

    According to the Gartner report on IT spending by financial services, the worldwide financial sector spends about US$ 129 billion annually on IT services.

    Figure No. 9: IT Spending Patterns (Financial Services IT Services Key Facts). Bar chart of Worldwide Financial Services IT Services Spending ($ Billion), FY 02 to FY 07, with CAGR; the worldwide financial services industry spends about $129 billion annually on IT services. Source: Gartner.


    According to a report from the Indian Institute of Information Technology, the application of Information and Communication Technology to the banking sector has been growing in the recent past. IT spending by the BFSI segment jumped by a healthy 18 percent during 2002-03 to touch Rs. 60 billion (US$ 1.24 billion).

    Indian banks on average spend an estimated Rs. 1.5 billion on software and hardware for core and Internet banking services.

    According to industry estimates, the BFSI segment accounts for around 10 percent of the total IT industry and about 28 percent of the domestic IT market. Spending by the BFSI segment is expected to jump to Rs. 98 billion during the 2004-05 fiscal year. The main driver for the increasing use of IT in banking is the need to cater to the growing and changing expectations of customers, who relentlessly demand continuous improvement in the quality of services offered, reduction in charges and access to new products. In the context of global competition, the banks have to use other factors to facilitate the increasing IT investments. The Central Vigilance Commission lays down certain statutory requirements for banks in this regard, i.e. achieving 100% branch computerisation and the availability of certification services for ensuring the security of electronic transactions, with an eye on the growing size, complexity and integrity of the financial markets.

    Technological advancements bring along concerns about the privacy, confidentiality and integrity of information. It is being seen that such concerns have a major impact on the functioning and existence of banks and financial institutions. While many banks in India have taken steps to improve their IS, much still remains to be achieved.

    It is often perceived by the management of banks that IS is technical and complex. On the contrary, IS is similar to any other area of managerial decision-making. Further, IS investment should also have a return on investment. This is to be achieved by an effective IS Risk Assessment.


    2.7 CTO / CIO's viewpoint

    "The best way to approach IS is from the business side: ask what the business need is, assess the risk and fashion a risk mitigation strategy that fits."

    -- S Krishna Kumar, GM (IT) and CISO, SBI.

    Devising an appropriate and suitable security strategy depends upon several aspects, such as the breadth of the organisation's business, the volume of transactions per day / month, the scale of operation (number of years in the current business), the necessity of data migration, competition in the sector, etc.

    The security strategy must be in line with the business needs and complexities, so as to be holistic in approach, and should include all the components needed for the IS programme.

    Table No. 2: Risk Mitigation Strategy

    Processes
        Upper management buy-in
        Concept of six pillars of safety: governance, structure, risk assessment, risk management, communication and compliance
        Policy approval at board level
        Risk mitigation processes
        Documented standards and procedures
        Management overview for controllers
        Service Level Agreement (SLA) monitoring

    Technology
        Firewall
        Anti-virus
        IDS (Intrusion Detection Systems)
        Management Tools


    IS has commitment and support at the highest level in the organisation. The state of IS is periodically reviewed by the top management.

    All the pillars are equally critical in providing IS assurance, rather than merely focusing on security products and penetration tests. IS derives its strength from the highest authority, the board, which has approved the bank's IS policies and provided direction and support mechanisms to evolve the required standards and procedures.

    Risk mitigation is not a one-size-fits-all process, and takes different routes depending on the risk and the business imperatives. It needs to be devised after considering business needs vis-à-vis security controls. Being financial organisations, banks are subject to a number of regulations, both internal and external in nature. These are considered an integral part of the Security Architecture.

    It is necessary that all personnel across the business understand the underlying philosophy and basis of the security policy. Merely writing a security policy and sending it to the different departments will never succeed.

    It is not good enough to have just the performance levels specified in a Service Level Agreement (SLA). The organisation should also be able to measure service levels, use appropriate measurement metrics, build adequate deterrents against under-performance and monitor the performance of all outsourcing agreements.

    Business Continuity and Disaster planning bear a lot of importance in the IS Strategy or Programme. On this, Mr. Kumar observes that a Disaster Recovery (DR) system has been set up for critical applications in a different city and periodic mock drills are conducted.

    "An important but often neglected aspect of the DR plan is to shuffle a core team of operations personnel between production and DR sites periodically. This ensures the availability of skilled resources at the DR site. They are current with the latest state of the production application," says Kumar.


    2.8 Summary

    The basic IS needs of banks and financial institutions are very similar to those of most large organisations. The problem for banks is that they are fairly high-value targets. Gaining unauthorised access to a bank's customer records can make identity theft easy on a large scale. Unauthorised access to customer records creates operational, legal and reputational risks for banks.

    Currently banks are spending approximately 5-6% of their total IT budget on security, and this amount of money may prove to be inadequate to ensure effective ISRM considering the threats existing in the e-world today. Not only should banks spend more on IS, but they should also ensure that their IS risks are mitigated. A structured IS Risk Assessment will enable banks to accomplish this objective. A Return on Investment (ROI) in IS should be demanded by the management. Further, banks should approach IS in a structured manner.


    CHAPTER 3

    METHODOLOGY

    3.1 Introduction

    This chapter discusses the methodology of this study in detail. The research questions and assumptions (hypotheses) proposed in Chapter 1 are presented here. All phases of the research design, data collection, location of the research performed, method of inquiry and statistical analysis are reviewed. Finally, the whole chapter is summarised. The research can be categorised as a combination of exploratory and descriptive study seeking insights into IS and Risk Management in banks in India.

    3.2 Research Questions and Research Hypotheses

    The research assumptions (hypotheses) framed in the study possess a strong background in the literature review. The combination of the research assumptions (hypotheses) and