A Security to Bank Upon
identified and deployed. People: he has educated and reformed. Process:
he's put an infallible one into place
and that's what makes VK Ramani,
President IT, UTI Bank a winning Security Strategist.
by Deepali Gupta
Being in Ramani's shoes is no mean feat. His IT setup caters
to UTI Bank's 250-odd branches comprising 3500 employees and 23 lakh customers.
Across its database server and three application servers, Ramani has not yet
experienced any data security concerns. However, he deemed it essential to put
tight security in place because of the growing usage of Internet banking.
UTI Bank has close to 1 lakh Internet-enabled accounts and
12 percent of the total transactions of the bank are over the Internet, a figure
that promises to rise.
Behind the curtains
Anti-virus, intrusion detection, firewalls, and access controls are the current
and obvious security implementations. "We have it all. These are basics,
without them I would not say I have internet banking. Without them the customer
would run away from our bank," Ramani exclaims.
But Ramani stays wary of the threats lurking behind the curtains that
have been neither identified nor expected. He has deployed ethical hackers who
try to outsmart the crackers looking for mischief.
He has set up a security team that involves the executive
director as well as the operations head. An audit department inspects the finer
aspects and specific technical audits like the LAN audit, which is outsourced.
At the heart
Conventionally, most Security Strategists face a great deal of trouble first
understanding the business and then making the business understand the need
for the IT solutions they provide. Ramani, and his bank, are well-protected
from that problem. They have bankers and IT specialists across the board.
Besides, the business users of UTI Bank repose such confidence in Ramani that,
"They accept the applications we make without even looking at them,"
he says as he beams with pride. And this may well be at the heart of Ramani's
Dynamics of the SS role
Ramani sees his role as a Security Strategist (SS) going through cycles of being
at the bottom, center, and top.
"I find something needs to be done, that's the bottom,
because you don't really know what's happening. Then I interact with everyone
to implement a system, that's the center. And finally, you're on top, because
everything is done. Then of course I look for what else needs to be done, and
as soon as I find it, I am back at the bottom," Ramani explains.
A stitch just in time
Ramani does not like to sit complacent but he is not a believer in premeditated
"If there is no threat the mitigation capacity is not at its peak,"
he says. Security, according to him, thus has to be a reaction to dynamic situations
rather than action taken too far in advance.
"People can get an application software, or build a system, but security
is like the grease required to keep everything running smoothly because banking
is about money, and money is about security," Ramani comments. And knowing
this is what made implementing security at UTI Bank unique for Ramani.
Power to the people
"Security weakness lies in the control over the people process interface,"
Ramani rightly points out. For that, the bank has two policies in place. There
is clearly defined ownership of every security clause, such that every department
is responsible for some amount of security. Ownership helps in accountability.
"Security breaches are bound to happen, but the mettle of the security
is proved by the speed with which you fix accountability and take corrective
action. If you are lax in this, no amount of policy and documentation is of
any use," says Ramani, as he makes his stand clear.
Compliance with the bank's security policies is achieved more through education
of the masses than through monitoring. The mail policy is completely self-authored, and some
amount of content checking is conducted on external mail. At some point, Ramani
suggests, there has to be a trade-off between process flexibility and security
risk. Nevertheless, Ramani's target standard is BS7799.
According to Ramani, it's important that business users are constantly aware
that the risk today is higher than ever before. And the customer too should
be privy to the information that security practices may sometimes be cumbersome,
but they are important. Thus security must be adopted, not imposed.
In case of disaster
UTI Bank has one Disaster Recovery (DR) site in Bangalore. The site has been
tested three times, and testing for network and application redundancy is done
on a regular basis. In an ideal scenario, in case of a disaster the downtime
of the system is five hours, provided the concerned officials are at their posts.
Ramani suspects that since employees keep going on training and assignments,
in a disaster-ridden situation it may take a while to bring the people where
they are required.
Deepali Gupta can be reached at: firstname.lastname@example.org