SSA 2005 Nominee Profile
Vigilance at IDBI Bank
At IDBI Bank, security is not just about terminology but
part and parcel of its organisational culture.
By Shivani Shinde
Security of investment is an integral part of any banking
business, and Sanjay Sharma, Head, IT, IDBI Bank, believes that it is the lifeline
of a bank. "Banking is all about trust. People save in banks to secure
their investments and be able to utilise them when the need arises," says Sharma.
Of course, security is not a new concept in banking. However,
its nature and reach have changed. Explains Sharma, "Security has been
a part of banking right from day one; the only difference is that earlier security
was restricted to a branch, while now it is 24x7, 365 days a year, and goes
beyond the brick-and-mortar model."
Though IDBI Bank came out with a security policy in 2001,
Sharma believes that technology can never provide a complete solution, as human errors
are beyond its parameters.
Sharma feels that stakeholders must be involved in the formulation
of any policy, and that a security policy is no exception. However, it is an
uphill task to get the management and other departments involved in the decision-making
process of the security policy.
For any business, return on investment (RoI) is crucial and
banking is no different. But making a CEO understand security investments needs
more than the gift of gab. At IDBI Bank, an Information Security Steering Committee
(ISSC) has been set up with all the stakeholders as its members. The ISSC has
its members from HR, Audit, Risk, Operations and the IT team.
Sharma feels that making people sign on paper is not going
to help. For instance, at IDBI, when an issue is discussed, the advice expected
is active rather than passive. "We have changed. We are growing, and we
cannot do much with passive ideas. If participation does not happen, then, I
say, blackhat hackers (virtual intruders) might attack the bank. They might
do something on the Web site which might harm our reputation. If they manage
to get in further, there is financial risk, which again cannot be quantified,"
he says. In short, the management should be made a party to decisions.
Having a security framework involves a lot more than just
a booklet of dos and don'ts. "The first thing to do is to educate
the management. For the management, there is just one server in the data
centre, and it is secure. The task is to make them understand that what I am
talking about is not hypothetical," says Sharma. They have to realise that
security is an ongoing process.
However, education must be comprehensible to the audience.
"There is no point in me going and telling the management that we need
an IDS... they wouldn't know what it is," says he. The education would
thus include explaining the process, technology and all other related issues.
The IDBI Bank strategy
- Security policy intrinsic to HR policy
- User education and awareness through e-mail, newsletters and quizzes on the intranet
- Strict e-mail and Internet policy. Anyone who is allowed Internet access has to comply with additional regulations
- Encourage internal security certification
- Audits conducted by an external agency
- Multiple firewalls from different vendors
- Ethical hackers as a line of defence against
Guarding the Fort
Accordingly, all the necessary steps have been taken to ensure
a secure working environment and glitch-free business processes. Some of the
systems in place are tools to read or filter logs and generate alerts, IDS,
and multiple firewalls from different vendors. For external threats, they have
external consultants who are ethical hackers and monitor the site 24x7.
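The paragraph above names log-filtering tools that generate alerts, fed by firewalls from more than one vendor. The following is an added illustration of that idea, not IDBI Bank's tooling: it normalises two constructed log formats (invented for this example, matching no real product) into one record shape and raises an alert when a single source is denied on several distinct ports within a short window. The thresholds, field names and sample lines are all assumptions.

```python
"""Added example: a small log-filtering and alerting routine of the kind the
article mentions.  Illustrative code only; the two log formats are constructed
for this example and do not correspond to any real firewall vendor."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from two hypothetical firewall products.  Running
# firewalls from different vendors means the alerting logic must first
# normalise each vendor's format into a common record.
SAMPLE_LOGS = [
    "2005-03-01 09:00:01 FW-A deny tcp src=203.0.113.5 dst=192.0.2.10 dport=22",
    "2005-03-01 09:00:02 FW-A deny tcp src=203.0.113.5 dst=192.0.2.10 dport=23",
    "<134>Mar  1 09:00:03 fwb: DROP SRC=203.0.113.5 DST=192.0.2.11 DPT=80 PROTO=TCP",
    "<134>Mar  1 09:00:04 fwb: DROP SRC=203.0.113.5 DST=192.0.2.11 DPT=443 PROTO=TCP",
    "2005-03-01 09:00:05 FW-A deny tcp src=203.0.113.5 dst=192.0.2.12 dport=3389",
    "2005-03-01 09:30:00 FW-A permit tcp src=198.51.100.7 dst=192.0.2.10 dport=443",
    "<134>Mar  1 09:31:00 fwb: ACCEPT SRC=198.51.100.8 DST=192.0.2.11 DPT=25 PROTO=TCP",
]

# Hypothetical format A: ISO timestamp, "deny"/"permit", key=value fields.
FW_A = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) FW-A (?P<action>deny|permit) "
    r"\w+ src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
# Hypothetical format B: syslog priority, month/day timestamp, "DROP"/"ACCEPT".
FW_B = re.compile(
    r"^<\d+>(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) fwb: (?P<action>DROP|ACCEPT) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dport>\d+)"
)


def parse_line(line, year=2005):
    """Normalise one raw line into a dict, or return None if it matches neither format."""
    m = FW_A.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        action = "deny" if m["action"] == "deny" else "allow"
    else:
        m = FW_B.match(line)
        if not m:
            return None
        # syslog-style timestamps carry no year; the caller supplies it
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        action = "deny" if m["action"] == "DROP" else "allow"
    return {"ts": ts, "action": action, "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def scan_alerts(records, threshold=5, window=timedelta(minutes=1)):
    """Alert when one source is denied on at least `threshold` distinct
    destination ports within `window` (a crude port-scan signature)."""
    denies = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["action"] == "deny":
            denies[r["src"]].append(r)
    alerts = []
    for src, events in denies.items():
        for i, first in enumerate(events):
            inside = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            ports = {e["dport"] for e in inside}
            if len(ports) >= threshold:
                alerts.append({"src": src, "ports": sorted(ports), "start": first["ts"]})
                break  # one alert per source is enough to notify an operator
    return alerts


def run(lines=SAMPLE_LOGS):
    """Parse every line that matches a known format and evaluate the alert rule."""
    records = [r for r in map(parse_line, lines) if r]
    return records, scan_alerts(records)


if __name__ == "__main__":
    recs, alerts = run()
    print(f"parsed {len(recs)} of {len(SAMPLE_LOGS)} lines")
    for a in alerts:
        print(f"ALERT possible scan from {a['src']} at {a['start']}: ports {a['ports']}")
```

The normalisation step is the part that matters operationally: once both vendors' events share one record shape, a single rule can correlate denies across both firewalls instead of each device alerting in isolation. Lines that match neither format are dropped here; a production filter would count them so that a silent format change does not blind the rule.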
Security is a culture and hence an embedded process in the
bank's product development. It is important to understand the issues from
all perspectives. For instance, Sharma has cleared the Certified Information
Systems Auditor (CISA) exams and topped his batch with 87 percent. "It
is easy to criticise the auditor. You need to understand the challenges that
the person has to face. Since doing this certification involves going through
all security frameworks, terms, importance of audits, why it is important to
do so, etc., it gives you the knowledge to see things and understand them in
a better way," explains Sharma.
What is unique?
According to Sanjay Sharma, IDBI Bank's
security system is unique because they are always trying to innovate.
He believes that security should never be static and hence a CIO must
keep on reinventing things. This would also apply to equipment and infrastructure.
"We do realise that security is not a static thing. Security is an
embedded process in our product development, operational processes and
an integral part of the organisation," remarks Sharma.
The other unique aspect is the internal certification process that officials
are encouraged to participate in. Sharma himself is CISA-certified. He
says that it allows him to understand the other side of the story.
Security is a culture rather than a word at IDBI. But Sharma feels that
nothing is perfect and there can never be 100 percent safety.
A clear road map
Having a policy is one thing and implementing it is another.
IDBI Bank realised that the policy would need to meet two essential criteria. One, it
had to be dynamic in nature, which means every time there is a change it has
to be incorporated and regular audits conducted. Second, the security policy
has to be pervasive.
The ISSC group certifies people for security checks, and
then their work is to incorporate the processes related to the security policy
into the HR policy and make employees aware of the issues and threats. "I
think any policy-related issue should have a top-down approach if it is to be
successful," opines Sharma.
He believes that when it comes to enforcement, it is the
approach that matters. According to him, users at lower levels need strict enforcement
compared to those higher up.
Apart from the usual e-mail, newsletter and intranet campaigns,
enforcement also includes employees signing and accepting the company's
policy. This is included in the bank's HR policy. Other than this, they
have periodic checks to monitor employees' Internet usage. Sharma feels
that compliance can happen only with constant monitoring.