SSA 2005 Nominee Profile
Step by step
Information security is an ongoing process that has to be achieved in a focussed
and systematic manner, one step at a time. This belief has helped Murli Nambiar, Head,
Information Security Group, AGM, draft strategies that have secured ICICI Bank.
by Anil Patrick R
The basic tenet behind Murli Nambiar's approach towards devising a security
strategy is to have a thorough understanding of the assets that need to be protected.
He is also a strong advocate of security awareness among users. This
mindset has placed ICICI Bank's top honcho of Information Security among
the elite security strategists of this year.
When there are more than 550 domestic and international locations to protect,
it has to be admitted that Nambiar's task is not exactly a stroll in the
park. "What I always try to understand is the exact nature of what is to
be protected. If I know what I'm trying to protect, then I can start thinking
about strategies and technologies which can be used to fix those gaps,"
says Murli Nambiar, Head, Information Security Group, AGM, ICICI Bank.
The beginning
Nambiar's strategist role with ICICI Bank started two years back, in June
2003 to be precise. The bank already had a security infrastructure in place
at that time, and Nambiar was brought in to perfect its security strategies.
The first thing on Nambiar's agenda was to determine the security status
of the bank across 30 crucial domains. The security policies were enhanced
a little bit more than what was already in place. "I streamlined them to bring
out a distinct vision on security matters for the organisation," says Nambiar.
Nambiar then set about defining vulnerable areas. These were defined in a systematic
manner to determine security gaps and identify threats. For example, perimeter
security was one of the areas identified. Then there were different areas such
as internal networks, wireless networks, voice, etc. These different domains
were secured one at a time and it has resulted in a robust security infrastructure.
Creating awareness
The major problem that Nambiar faced was the lack of awareness regarding the
security policy. Although security policies and processes were being followed,
most people were not really aware of information security.
So, the first thing he did on this front was to ensure that everyone understood
the need for security. A mandatory online security awareness programme with
a certification at the end of it was put in place. "It is an online programme
on security that is comprehensive and mandatory. Every employee has to sit through
the programme and get certified," says Nambiar.
When a new employee joins, he is made to sign an agreement to follow the IT
policy. The new recruits are also mandatorily required to go through the awareness
programme. Apart from this, the bank has direct classroom training for system
administrators and application system administrators focussing on their domain
specifics. A test is scheduled at the end of this programme.
Policy matters
The bank's security policy is reviewed every year, but changes are incorporated
in between as the need arises. Policy changes are reviewed by a committee and,
once approved, go to the board of directors.
"We have infrastructure comprising 30 domains and it is necessary to ensure
that all the system owners are in sync with the policy. Then we have to get
the senior management to review and approve it. This is followed by the board's
approval. It is an exercise that takes about three months," says Nambiar.
Monthly audits
Security cannot be achieved if systematic checks are not performed. On the primary
audit front, ICICI Bank uses tools that scan the networks for desktop-level
deviations on a monthly basis.
Apart from this, a monthly IT security policy compliance test is also done.
There are 30 domains in the IT security policy. The audit team reviews each
domain and conducts a sample audit. For example, if it is a branch audit, the
team will go to the branch and find out the status of all the desktops. Any
discrepancy or deviation is highlighted to the owner for rectification.
Outstation audits are done using tools. Apart from this, the bank also undergoes
yearly audits done by KPMG and RBI.
What is unique?
A focussed approach dealing with security facets one step at a time is the
unique factor in ICICI Bank's security strategy. The stress on understanding
weaknesses helps the bank select the right technology to plug the security gaps.
These aspects, coupled with the stress on security awareness for users
and regular policy compliance audits, help ICICI Bank have a well-rounded
security strategy.
ICICI Bank's security strategy
Processes
- Mandatory security awareness certification programme
- Monthly IT security policy compliance test
- Yearly policy reviews
- Yearly external audits
Technology
- Hardened servers, desktops and laptops
- Firewalls
- Network and host IDS
- Anti-virus on servers, desktops, and laptops
- Authentication of wireless devices
- Firewall/IDS logs monitored 24x7
The tech angle
Other than perimeter security (firewalls),
the bank also uses network and host IDS. Sys locks have
been implemented on servers and anti-virus software
is loaded on all systems.
According to Nambiar, software is in place to authenticate wireless devices
on the WLAN. Voice has also been secured. On the hardening front, servers are
hardened. Desktops and laptops are also hardened according to their defined
configuration.
The operations team monitors IDS and firewall logs on a 24x7 basis. The organisation
is also evaluating software which can automate the log correlation process.
The bank is at present working on securing ATMs. "We lock ATMs down because
their systems can be impacted. Anti-virus software is also installed on the
ATMs," says Nambiar.
In the future
In the works is the implementation of an enterprise identity management solution
and endpoint security. The bank is also working on a project for policy compliance
and vulnerability assessment for servers. This is to ensure that once the servers
are hardened and a baseline is achieved, any change to this state will result
in an alert to the system administrators.
On the certification front, ICICI Bank's GTSU (Global Trade Services Unit)
is currently BS 7799 certified. "We are looking at the other locations
to be certified soon in the next three to four months," says Nambiar.
anilpatrick@networkmagazineindia.com