SSA 2005—Nominee Profile
Step by step
Information security is an ongoing process
that has to be achieved in a focussed and systematic
manner, one step at a time. This belief has helped
Murli Nambiar, Head, Information Security Group,
AGM, draft strategies that have secured ICICI Bank.
by Anil Patrick R
The basic tenet behind Murli Nambiar’s
approach towards devising a security strategy is to have
a thorough understanding of the assets that need to be
protected. He is also a strong advocate of security
awareness among users. This mindset has placed ICICI
Bank’s top honcho of Information Security among the
elite security strategists of this year.
When there are more than 550 domestic
and international locations to protect, it has to be
admitted that Nambiar’s task is not exactly a stroll in
the park. “What I always try to understand is the exact
nature of what is to be protected. If I know what I’m
trying to protect, then I can start thinking about
strategies and technologies which can be used to fix
those gaps,” says Murli Nambiar, Head, Information
Security Group, AGM, ICICI Bank.
The beginning
Nambiar’s strategist role with ICICI
Bank started two years back—June 2003 to be precise. The
bank already had a security infrastructure in place at
that time, and Nambiar was brought in to perfect its
security strategies.
The first thing on Nambiar’s agenda
was to determine the security status of the bank across
30 crucial domains. “The security policies were enhanced
a little bit more than what was already in place. I
streamlined them to bring out a distinct vision on
security matters for the organisation,” says Nambiar.
Nambiar then set about defining
vulnerable areas. These were defined in a systematic
manner to determine security gaps and identify threats.
For example, perimeter security was one of the areas
identified. Then there were different areas such as
internal networks, wireless networks, voice, etc. These
different domains were secured one at a time and it has
resulted in a robust security infrastructure.
Creating awareness
The major problem that Nambiar faced
was the lack of awareness regarding the security policy.
Although security policies and processes were being
followed, most people were not really aware of
information security.
So, the first thing he did on this
front was to ensure that everyone understood the need
for security. A mandatory online security awareness
programme with a certification at the end of it was put
in place. “It is an online programme on security that is
comprehensive and mandatory. Every employee has to sit
through the programme and get certified,” says Nambiar.
When a new employee joins, he is made
to sign an agreement to follow the IT policy. The new
recruits are also mandatorily required to go through the
awareness programme. Apart from this, the bank has
direct classroom training for system administrators and
application system administrators focussing on their
domain specifics. A test is scheduled at the end of this
programme.
Policy matters
The bank’s security policy is reviewed
every year, but changes are incorporated in between as
the need arises. Policy changes are reviewed by a
committee and, once they are approved, they go to the board
of directors.
“We have infrastructure comprising 30
domains and it is necessary to ensure that all the
system owners are in sync with the policy. Then we have
to get the senior management to review and approve it.
This is followed by the board’s approval. It is an
exercise that takes about three months,” says Nambiar.
Monthly audits
Security cannot be achieved if
systematic checks are not performed. On the primary
audit front, ICICI Bank uses tools that scan the
networks for desktop-level deviations on a monthly
basis.
Apart from this, a monthly IT security
policy compliance test is also done. There are 30
domains in the IT security policy. The audit team
reviews each domain and conducts a sample audit. For
example, if it is a branch audit, the team will go to
the branch and find out the status of all the desktops.
Any discrepancy or deviation is highlighted to the owner
for rectification.
Outstation audits are done using
tools. Apart from this, the bank also undergoes yearly
audits done by KPMG and RBI.
What is unique?
A focussed approach dealing with security facets one
step at a time is the unique factor in ICICI
Bank’s security strategy. The stress on
understanding weaknesses helps the bank select the
right technology to plug the security gaps. These
aspects, coupled with the stress on security
awareness for users and regular policy compliance
audits, help ICICI Bank to have a well-rounded
security strategy.
ICICI Bank’s security strategy
Processes
- Mandatory security awareness certification programme
- Monthly IT security policy compliance test
- Yearly policy reviews
- Yearly external audits
Technology
- Hardened servers, desktops and laptops
- Firewalls
- Network and host IDS
- Anti-virus on servers, desktops, and laptops
- Authentication of wireless devices
- Firewall/IDS logs monitored 24x7
The tech angle
Other than perimeter security
(firewalls), the bank also uses network and host IDS.
Sys locks have been implemented on servers and
anti-virus software is loaded on all systems.
According to Nambiar, software is in
place to authenticate wireless devices on the WLAN.
Voice has also been secured. On the hardening front,
servers are hardened. Desktops and laptops are also
hardened according to their defined configuration.
The operations team monitors IDS and
firewall logs on a 24x7 basis. The organisation is also
evaluating software which can automate the log
correlation process.
The bank is at present working on
securing ATMs. “We lock ATMs down because their systems
can be impacted. Anti-virus software is also installed
on the ATMs,” says Nambiar.
In the future
In the works is the implementation of
an enterprise identity management solution and endpoint
security. The bank is also working on a project for
policy compliance and vulnerability assessment for
servers. This is to ensure that once the servers are
hardened and a baseline is achieved, any change to this
state will result in an alert to the system
administrators.
On the certification front, ICICI
Bank’s GTSU (Global Trade Services Unit) is currently BS
7799 certified. “We are looking at the other locations
to be certified soon in the next three to four months,”
says Nambiar.
anilpatrick@networkmagazineindia.com