Issue of October 2005 



SSA 2005—Nominee Profile

Vigilance at IDBI Bank

At IDBI Bank, security is not just a matter of terminology but part and parcel of its organisational culture. By Shivani Shinde.

Sanjay Sharma

Security of investment is an integral part of any banking business, and Sanjay Sharma, Head, IT, IDBI Bank, believes that it is the lifeline of a bank. “Banking is all about trust. People save in banks to secure their investments and be able to utilise them when the need arises,” Sharma points out.

Of course, security is not a new concept in banking. However, its nature and reach have changed. Explains Sharma, “Security has been a part of banking right from day one, the only difference is that earlier security was restricted to a branch, while now it is 24x7, 365 days a year, and goes beyond the brick-and-mortar model.”

IDBI Bank adopted a security policy in 2001, but Sharma believes that technology alone can never provide a complete solution, since human error lies outside its parameters.

Getting involved

Sharma feels that stakeholders must be involved in the formulation of any policy, and that a security policy is no exception. However, it is an uphill task to get the management and other departments involved in the decision-making process of the security policy.

For any business, return on investment (RoI) is crucial, and banking is no different. But getting a CEO to understand security investments takes more than the gift of the gab. At IDBI Bank, an Information Security Steering Committee (ISSC) has been set up with all the stakeholders as members; they are drawn from HR, Audit, Risk, Operations and the IT team.

Sharma feels that simply making people sign on paper is not going to help. At IDBI, when an issue is discussed, the contribution expected is active rather than passive. “We have changed. We are growing, and we cannot do much with passive ideas. If participation does not happen, then, I say, blackhat hackers (virtual intruders) might attack the bank. They might do something on the Web site which might harm our reputation. If they manage to get in further, there is financial risk, which again cannot be quantified,” he says. In short, the management should be made a party to decisions.

Education First

Having a security framework involves a lot more than just a booklet of do’s and don’ts. The first thing to do is to educate the management. “For the management, there is just one server in the data centre, and it is secure. The task is to make them understand that what I am talking about is not hypothetical,” says Sharma. They have to realise that security is an ongoing process.

However, education must be comprehensible to the audience. “There is no point in me going and telling the management that we need an IDS...they wouldn’t know what it is,” he says. The education therefore covers the process, the technology and all other related issues.

The IDBI Bank strategy


  • Security policy intrinsic to HR policy
  • User education and awareness through e-mail, newsletters and quizzes on the intranet
  • Strict e-mail and Internet policy. Anyone who is allowed Internet access has to comply with additional regulations
  • Encourage internal security certification
  • Audits conducted by an external agency


  • Multiple firewalls from different vendors
  • Anti-virus
  • IDS
  • Ethical hackers as a line of defence against external threats

Guarding the Fort

Accordingly, the bank has taken the steps it considers necessary for a secure working environment and glitch-free business processes. Among the systems in place are tools that read and filter logs and generate alerts, an IDS, and multiple firewalls from different vendors. Against external threats, the bank retains external consultants, ethical hackers, who monitor the site 24x7.
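The article does not say how the bank's log-filtering tools decide when to raise an alert. The following Python module is an added example, not IDBI Bank's tooling, of the kind of rule such a filter applies: it parses a syslog-like line format, keeps a sliding window of events per source address, and emits an alert when failed logins or firewall denies from one source cross a threshold. The line format, the thresholds, the host names and the sample log lines are all constructed for this example.

```python
"""Minimal log filter that turns raw log lines into alerts.

Added example (not IDBI Bank's tooling). The line format, thresholds
and sample lines below are assumptions constructed for this demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> <host> <program>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>\S+): (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPT_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")
DENY_RE = re.compile(r"DENY .*SRC=(?P<src>\S+) DST=(?P<dst>\S+).*DPT=(?P<dpt>\d+)")

# Thresholds are demo assumptions, not recommended production values.
FAIL_THRESHOLD = 5                 # failed logins from one source ...
FAIL_WINDOW = timedelta(minutes=2)  # ... within this window
SCAN_THRESHOLD = 10                # distinct denied ports from one source ...
SCAN_WINDOW = timedelta(minutes=1)  # ... within this window


def parse(line):
    """Return (timestamp, host, program, message), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["host"], m["prog"], m["msg"])


def _prune(events, now, window):
    """Drop events older than `window` from the left of a per-source deque."""
    while events and now - events[0][0] > window:
        events.popleft()


def generate_alerts(lines):
    """Stream log lines and return a list of (severity, text) alerts.

    Rules, with state kept per source address:
      * >= FAIL_THRESHOLD failed logins within FAIL_WINDOW   -> "brute-force" (high)
      * an accepted login from a source flagged for brute-force within
        FAIL_WINDOW of the flag                                -> "compromise-suspected" (critical)
      * denies to >= SCAN_THRESHOLD distinct ports in SCAN_WINDOW -> "port-scan" (medium)
      * a line that does not parse                           -> "info", so it is not silently lost
    """
    alerts = []
    failures = defaultdict(deque)   # src -> deque of (ts, user)
    denies = defaultdict(deque)     # src -> deque of (ts, dport)
    flagged = {}                    # src -> ts of the last brute-force alert
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        parsed = parse(line)
        if parsed is None:
            alerts.append(("info", f"unparsable line skipped: {line!r}"))
            continue
        ts, host, _prog, msg = parsed
        if m := FAIL_RE.search(msg):
            src = m["src"]
            q = failures[src]
            q.append((ts, m["user"]))
            _prune(q, ts, FAIL_WINDOW)
            # Alert once per window per source, not on every further failure.
            if len(q) >= FAIL_THRESHOLD and (src not in flagged or ts - flagged[src] > FAIL_WINDOW):
                users = ", ".join(sorted({u for _, u in q}))
                alerts.append(("high", f"brute-force: {len(q)} failed logins from {src} on {host} (users: {users})"))
                flagged[src] = ts
        elif m := ACCEPT_RE.search(msg):
            src = m["src"]
            if src in flagged and ts - flagged[src] <= FAIL_WINDOW:
                alerts.append(("critical", f"compromise-suspected: {src} logged in as {m['user']} on {host} after brute-force"))
        elif m := DENY_RE.search(msg):
            src = m["src"]
            q = denies[src]
            q.append((ts, m["dpt"]))
            _prune(q, ts, SCAN_WINDOW)
            ports = {p for _, p in q}
            if len(ports) >= SCAN_THRESHOLD:
                alerts.append(("medium", f"port-scan: {src} probed {len(ports)} ports on {m['dst']} within {SCAN_WINDOW.seconds}s"))
                q.clear()   # reset so the same burst is reported once
    return alerts


# Constructed sample log: one SSH brute-force that ends in a successful login,
# one benign typo-then-success, one port sweep, and one malformed line.
SAMPLE_LOG = """\
2005-10-03T09:00:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 40212 ssh2
2005-10-03T09:00:04 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 40213 ssh2
2005-10-03T09:00:09 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 40214 ssh2
2005-10-03T09:00:15 web01 sshd[2231]: Failed password for oracle from 203.0.113.7 port 40215 ssh2
2005-10-03T09:00:21 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 40216 ssh2
2005-10-03T09:00:30 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 40217 ssh2
2005-10-03T09:00:44 web01 sshd[2240]: Accepted password for root from 203.0.113.7 port 40218 ssh2
2005-10-03T09:01:02 web01 sshd[2251]: Failed password for ravi from 198.51.100.4 port 51002 ssh2
2005-10-03T09:01:05 web01 sshd[2251]: Accepted password for ravi from 198.51.100.4 port 51002 ssh2
2005-10-03T09:02:10 fw01 kernel: DENY IN=eth0 SRC=192.0.2.9 DST=10.1.1.5 PROTO=TCP DPT=21
2005-10-03T09:02:11 fw01 kernel: DENY IN=eth0 SRC=192.0.2.9 DST=10.1.1.5 PROTO=TCP DPT=22
2005-10-03T09:02:12 fw01 kernel: DENY IN=eth0 SRC=192.0.2.9 DST=10.1.1.5 PROTO=TCP DPT=23
2005-10-03T09:02:13 fw01 kernel: DENY IN=eth0 SRC=192.0.2.9 DST=10.1.1.5 PROTO=TCP DPT=25
2005-10-03T09:02:14 fw01 kernel: DENY IN=eth0 SRC=192.0.2.9 DST=10.1.1.5 PROTO=TCP DPT=53
2005-10-03T09:02:15 fw01 kernel: DENY IN=eth0 SRC=192.0.2.9 DST=10.1.1.5 PROTO=TCP DPT=80
2005-10-03T09:02:16 fw01 kernel: DENY IN=eth0 SRC=192.0.2.9 DST=10.1.1.5 PROTO=TCP DPT=110
2005-10-03T09:02:17 fw01 kernel: DENY IN=eth0 SRC=192.0.2.9 DST=10.1.1.5 PROTO=TCP DPT=143
2005-10-03T09:02:18 fw01 kernel: DENY IN=eth0 SRC=192.0.2.9 DST=10.1.1.5 PROTO=TCP DPT=443
2005-10-03T09:02:19 fw01 kernel: DENY IN=eth0 SRC=192.0.2.9 DST=10.1.1.5 PROTO=TCP DPT=3306
garbage line without a timestamp
"""

if __name__ == "__main__":
    for severity, text in generate_alerts(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {text}")
```

Two details matter more than the regexes. The brute-force rule suppresses repeat alerts for the same source for the length of the window, so an operator sees one alert per attack rather than one per attempt; and the "accepted after brute-force" rule correlates two different event types from the same source, which is where a filter starts to earn its keep over a plain grep. The single failure from 198.51.100.4 followed by a success stays below threshold and produces nothing, while the malformed line is surfaced as a low-severity alert rather than dropped.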

Security is a culture and hence an embedded process in the bank’s product development. It is important to understand the issues from all perspectives. For instance, Sharma has cleared the Certified Information Systems Auditor (CISA) exams, topping his batch with 87 percent. “It is easy to criticise the auditor. You need to understand the challenges that the person has to face. Since doing this certification involves going through all security frameworks, terms, importance of audits, why it is important to do so, etc., it gives you the knowledge to see things and understand them in a better way,” explains Sharma.

What is unique?

According to Sanjay Sharma, IDBI Bank’s security set-up is unique because the bank is always trying to innovate. He believes that security should never be static and hence a CIO must keep reinventing things, and this applies to equipment and infrastructure too. “We do realise that security is not a static thing. Security is an embedded process in our product development, operational processes and an integral part of the organisation,” remarks Sharma.

The other unique aspect is the internal certification process that officials are encouraged to take part in. Sharma himself is CISA-certified, and says it allows him to understand the other side of the story.

Security is a culture rather than a word at IDBI. But Sharma feels that nothing is perfect and there can never be 100 percent safety.

A clear road map

Having a policy is one thing and implementing it is another. IDBI Bank realised that the policy would have to meet two essential criteria. One, it had to be dynamic: every change has to be incorporated into the policy, and regular audits conducted. Two, the security policy has to be pervasive.

The ISSC certifies staff to carry out security checks; their job is then to fold the processes laid down in the security policy into the HR policy and to make employees aware of the issues and threats. “I think any policy-related issue should have a top-down approach if it is to be successful,” opines Sharma.

He believes that when it comes to enforcement, it is the approach that matters. In his view, users at lower levels need stricter enforcement than those higher up.

Apart from the usual e-mail, newsletter and intranet campaigns, enforcement also includes employees signing and accepting the company’s policy, which is part of the bank’s HR policy. In addition, there are periodic checks of employees’ Internet usage. Sharma feels that compliance can happen only with constant monitoring.

Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.