SSA 2005—BFSI Winners
Six pillars of safety
Krishna Kumar, GM (IT) & CISO, State Bank of India, has built his winning
security strategy on six pillars of safety that support the information security
needs of the banking giant. Here's a closer look at the bank's security
architecture. by Soutiman Das Gupta
Here's a humble man with the heavy responsibility of
securing a mammoth organisation operating on a global scale. As the GM-IT &
Chief Information Security Officer (CISO) of State Bank of India, Krishna Kumar
has tackled the bank's information security threats with a smart shield: a
clever security strategy.
That is why we chose him as the SecureSynergy Security Strategist
in the BFSI category.
Scale of operations
The complexity of Kumar's task is apparent when you
look at the breadth of his organisation's business. The bank has more than
9,100 branches in India, and 54 branches and offices abroad. The State Bank
group, which comprises SBI and seven other subsidiary banks, has around 13,700
There are more than 160,000 users on the network which includes
all officers and clerks. Core banking solutions are used across 4,200 branches
and many more are connected every week.
SBI's financial assets are worth $105 billion, and the
group's, $144 billion. The entire IT infrastructure of all the banks in
the group is managed out of the IT department in Belapur (Navi Mumbai), and
information security of this massive infrastructure is Kumar's responsibility.
"The objective and focus of the information security
programme is to protect our information assets. The way to achieve it is the
challenge I face," says Kumar.
- Upper management buy-in
- Concept of six pillars of safety: Governance,
Structure, Risk Assessment, Risk Management, Communication, and Compliance
- Policy approval at Board level
- Risk mitigation processes
- Documented standards and procedures
- Management overview for controllers
- SLA monitoring
- Management tools
Higher management buy-in
According to Kumar, "Information security in SBI has
commitment and support at the highest level in the organisation. The state of
information security is periodically reviewed by the top management."
The staff in the information security department consists
of officials who are certified in CISA or CISM. Kumar, who heads the department,
is CISA and CISM certified.
The winning strategy
In his early days in the IT department, Kumar recognised
that information security management is not an isolated IT issue, but is made
up of aspects such as governance, business, and organisational structure.
After a close and careful look at the bank's business
needs and complexities, he devised a security strategy that he believes is holistic
in approach and includes all the components needed for an effective information
He built his strategy around the concept of six pillars of
information security management: governance, structure, risk assessment, risk
management, communication and compliance.
The pillars of safety
"All the pillars are equally critical in providing information
security assurance," says Kumar, in an obvious reference to organisations
which focus only on security products and penetration tests.
Information security in SBI derives its strength from the
highest authority, the Board. The Board has approved the bank's information
security policies, and provided direction and supporting mechanisms to evolve
the required standards and procedures.
All project groups (application owners) participate in the
information security and mitigation process.
"Risk mitigation is not a one-size-fits-all process,
and takes different routes depending on the risk and business imperatives. It's
something we devise after considering the business needs vis-à-vis security
controls," Kumar explains.
Being a financial organisation, the bank is subject to a
number of regulations, both internal and external in nature. These are considered
an integral part of the security architecture.
Kumar's strategy also takes into account the fact that
it's crucial and necessary to communicate all policies and procedures to
heads of departments across the organisation, so that there can be appropriate
guidance to end-users.
Documented standards and procedures
The information security policy approved by the board is
supported by a comprehensive and elaborate Standards, Procedures & Guidelines
document. A management overview is also a part of the documentation.
"It is necessary that all personnel across the business
understand the underlying philosophy and basis of the security policy. Merely
writing a security policy and sending it to different departments will not take
us far," explains Kumar.
The policy documents should include a management overview
for the controllers who would enforce the policies in their jurisdiction. The
purpose of the management overview is manifold. It brings in the context, which
is the evolving IT infrastructure in the bank, the need for a strong policy
and the procedural framework for information security, policy lifecycle, implementation,
user awareness, and compliance requirements.
The policies, standards and procedures are reviewed annually
by a multi-disciplinary committee of top and senior management which includes
the Head of IT.
Uniqueness of the strategy
The uniqueness of the security
strategy is apparent from the breadth of the organisation's business and the
scale of its operations. Added to that is the problem of legacy data collected
over years of operations, a legacy mindset of existing personnel which needs
to be migrated, and stiff competition from other banks.
Kumar has successfully roped
in the higher management at all levels of the strategy: creation,
deployment, and review. He has created a strategy based on the concept
of six essential pillars. This has provided a holistic and complete approach
to the organisation's information security.
Kumar believes that it's not good enough to have just
the performance levels specified in a Service Level Agreement (SLA). The organisation
should also be able to measure service levels, use appropriate measurement metrics,
build adequate deterrents against under-performance, and monitor the performance
of all outsourcing arrangements.
On Disaster Recovery (DR), Kumar observes that a DR system
has been set up for critical applications in a different city and periodic mock
drills are conducted.
An important but often neglected aspect of the DR plan
is to shuffle a core team of operations personnel between production and DR
sites periodically. This ensures the availability of skilled resources at the
DR site. They are current with the latest state of the production application,
Kumar believes that to be a good security strategist it is
important to have a thorough understanding of the business domain.
"The best way to approach information security is from
the business side: ask what the business need is, assess the risk, and fashion
a risk mitigation strategy that fits," he asserts.
Based on the concept of the six pillars, Kumar believes that
in order to achieve security in an IT-driven business, one must concentrate
on people, processes, and technology with equal emphasis. It is relatively easier
to supervise and control technology compared to people and processes.
"Information security needs continuous commitment from
top management, application owners and all levels of users. It is not an end
game but a continuing journey," he says.