A Security to Bank Upon - Security Strategist 2004

Archives ||About Us || Advertise || Feedback || Subscribe-

Issue of November 2004

Home > Security Strategist 2004

Print Friendly Page ||

Email this story

A Security to Bank Upon

Technology: he's
identified and deployed. People: he has educated and reformed. Process: he's put an infallible one into place…and that's what makes VK Ramani, President IT, UTI Bank a winning Security Strategist.
by Deepali Gupta

Being in Ramani's shoes is no mean feat. His IT setup caters to UTI Bank's 250-odd branches comprising 3500 employees and 23 lakh customers. Across its database server and three application servers Ramani has not yet experienced any data security concerns. However, he deemed putting a tight security in place essential because of the growing usage of Internet banking.

UTI Bank has close to 1 lakh Internet-enabled accounts and 12 percent of the total transactions of the bank are over the Internet, a figure that promises to rise.

Behind the curtains

Anti-virus, intrusion detection, firewalls, and access controls are the current and obvious security implementations. “We have it all. These are basics, without them I would not say I have internet banking. Without them the customer would run away from our bank,” Ramani exclaims.

But Ramani likes to keep wary of the threats lurking behind the curtains, that have neither been identified nor expected. He has deployed ethical hackers that try to outsmart the crackers looking for mischief.

He has set up a security team that involves the executive director as well as the operations head. An audit department inspects the finer aspects and specific technical audits like the LAN audit, which is outsourced.

At the heart

Conventionally, most Security Strategists face a great deal of trouble first understanding the business and then making the business understand the need for the IT solutions they provide. Ramani, and his bank, are well-protected from that problem. They have bankers and IT specialists across the board.

Besides, the business users of UTI Bank repose such confidence in Ramani that, "They accept the applications we make without even looking at them," he says as he beams with pride. And this may well be at the heart of Ramani's security success.

Dynamics of the SS role

Ramani sees his role as a Security Strategist (SS) going through cycles of being at the bottom, center and, top.

"I find something needs to be done, that's the bottom, because you don't really know what's happening. Then I interact with everyone to implement a system, that's the center. And finally, you're on top, because everything is done. Then of course I look for what else needs to be done, and as soon as I find it, I am back at the bottom," Ramani explains.

A stitch just in time

Ramani does not like to sit complacent but he is not a believer in premeditated action either.

"If there is no threat the mitigation capacity is not at its peak," he says. Security thus, according to him has to be a reaction to dynamic situations rather than action too much in advance.

"People can get an application software, or build a system, but security is like the grease required to keep everything running smoothly because banking is about money, and money is about security," Ramani comments. And knowing this, is what made implementing security at UTI Bank unique for Ramani.

Power to the people

"Security weakness lies in the control over the people process interface," Ramani rightly points out. For that, the bank has two policies in place. There is clearly defined ownership of every security clause, such that every department is responsible for some amount of security. Ownership helps in accountability.

"Security breaches are bound to happen, but the mettle of the security is proved by the speed with which you fix accountability and take corrective action. If you are lax in this, no amount of policy and documentation is of any use," says Ramani, as he makes his stand clear.

The security policies at the bank are complied more by education of the masses rather than monitoring. The mail policy is completely self-authored, and some amount of content checking is conducted on external mail. At some point, Ramani suggests, there has to be a trade off between process flexibility and security risk. Nevertheless, Ramani's target standard is the BS7799.

According to Ramani it's important that business users are constantly aware that the risk today is higher than ever before. And the customer too should be privy to the information that security practices may sometimes be cumbersome, but they are important. Thus security must be adopted not imposed.

In case of disaster

UTI Bank has one Disaster Recovery (DR) site in Bangalore. The site has been tested three time, and testing for network and application redundancy is done on a regular basis. In an ideal scenario, in case of a disaster the downtime of the system is five hours, provided the concerned officials are at their posts. Ramani suspects that since employees keep going on training and assignments, in a disaster-ridden situation it may take a while to bring the people where they are required.

Deepali Gupta can be reached at: deepali@networkmagazineindia.com

Tips of the trade

Top management should drive security.
Ensure that there are well-defined measures of implementation.
Create ownership of the implementation to the right person. There should always be a maker and checker audit trail.
More than training IT personnel, it's important to create awareness in the user.
Monitor that the people are doing what they are scheduled to do.
After implementation take a good look at the system from the outside in order to spot the threats that have not been identified.

-	<Back to Top>-

© Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.
This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.