Archives || Search || About Us || Advertise || Feedback || Subscribe-
Issue of May 2006 

[an error occurred while processing this directive]

 Home > Cover Story
 Print Friendly Page ||  Email this story


Banking on six pillars of safety

S Krishna Kumar, GM (IT) & CISO, SBI, has rested his security strategy on six pillars of safety that include governance, risk assessment and compliance

S Krishna

He is a humble man, with the heavy responsibility of securing a mammoth organisation, operating on a global scale. As the GM-IT & Chief Information Security Officer (CISO) of State Bank of India, Krishna Kumar has tackled the bank’s information security threats with a smart shield—a clever security strategy.

Scale of Operations

The complexity of Kumar’s task is apparent when you look at the breadth of his organisation’s business. The bank has more than 9,100 branches in India, and 54 branches and offices abroad. The State Bank group, which comprises SBI and seven other subsidiary banks has around 13,700 branches.

There are more than 160,000 users on the network which includes all officers and clerks. Core banking solutions are used across 4,200 branches and more are connected every week.

SBI’s financial assets are worth $105 billion, and the group is $144 billion. The entire IT infrastructure of all the banks in the group is managed out of the IT department in Belapur (Navi Mumbai), and information security of this massive infrastructure is Kumar’s responsibility.

“The objective and focus of the information security programme is to protect our information assets. The way to achieve it is the challenge I face,” says Kumar.

SBI's Strategy


  • Upper management buy-in
  • Concept of six pillars of safety: governance, structure, risk assessment, risk management, communication, and compliance
  • Policy approval at board level
  • Risk mitigation processes
  • Documented standards and procedures
  • Management overview for controllers
  • SLA monitoring


  • Firewall
  • Anti-virus
  • IDS
  • Management tools

Higher Management Buy-In

According to Kumar, “Information security in SBI has commitment and support at the highest level in the organisation. The state of information security is periodically reviewed by the top management.”

The staff in the information security department consists of officials who are certified in CISA or CISM. Kumar, who heads the department, is CISA and CISM certified.

The Winning Strategy

In his early days in the IT department, Kumar recognised that information security management is not an isolated IT issue, and is made up of aspects such as governance, business, and organisational structure.

After a close and careful look at the bank’s business needs and complexities, he devised a security strategy that he believes is holistic in approach and includes all the components needed for an effective information security programme.

He built his strategy around the concept of six pillars of information security management: governance, structure, risk assessment, risk management, communication and compliance.

The Pillars of Safety

“All the pillars are equally critical in providing information security assurance,” says Kumar in an obvious reference to organisations which focus only on security products and penetration tests.

Information security in SBI derives its strength from the highest authority, the board, which has approved the bank’s information security policies, and provided direction and support mechanisms to evolve the required standards and procedures.

All project groups (application owners) participate in the information security and mitigation process.

“Risk mitigation is not a one-size-fits-all process, and takes different routes depending on the risk and business imperatives. It’s something we devise after considering the business needs vis-à-vis security controls,” Kumar explains.

Being a financial organisation, the bank is subject to a number of regulations, both internal and external in nature. These are considered an integral part of the security architecture.

Kumar’s strategy also takes into account the fact that it’s crucial to communicate all policies and procedures to heads of departments across an organisation, so that there can be appropriate guidance to end-users.

Why It Works
The uniqueness of the security strategy is apparent from the breadth of the organisation’s business and scale of its operations. Added to that is the problem of legacy data collected over years of operations, legacy mindset of existing personnel which needs to be migrated, and stiff competition from other banks.

Kumar has successfully roped in the higher management at all levels of the strategy—creation, deployment, and review. He has created a strategy based on the concept of six essential pillars. This has provided a holistic and complete approach to the organisation’s information security.

Documented Standards and Procedures

The information security policy approved by the board is supported by a comprehensive standards, procedures & guidelines document. A management overview is also a part of the documentation.

“It is necessary that all personnel across the business understand the underlying philosophy and basis of the security policy. Merely writing a security policy and sending it to different departments will not take us far,” explains Kumar.

The policy documents should include a management overview for the controllers who would enforce the policies in their jurisdiction. The purpose of the management overview is manifold. It brings in the context, which is the evolving IT infrastructure in the bank, the need for a strong policy and the procedural framework for information security, policy lifecycle, implementation, user awareness, and compliance requirements.

The policies, standards and procedures are reviewed annually by a multi-disciplinary committee of top and senior management which includes the head of IT.

Monitoring SLAs

Kumar believes that it’s not good enough to have just the performance levels specified in a Service Level Agreement (SLA). The organisation should also be able to measure service levels, use appropriate measurement metrics, build adequate deterrents against under-performance and monitor the performance of all outsourcing arrangements.

On Disaster Recovery (DR), Kumar observes that a DR system has been set up for critical applications in a different city and periodic mock drills are conducted.

“An important but often neglected aspect of the DR plan is to shuffle a core team of operations personnel between production and DR sites periodically. This ensures the availability of skilled resources at the DR site. They are current with the latest state of the production application,” says Kumar.

Skill Sets

Kumar believes that to be a good security strategist it is important to have a thorough understanding of the business domain.

“The best way to approach information security is from the business side—ask what the business need is, assess the risk, and fashion a risk mitigation strategy that fits,” he asserts.

Based on the concept of the six pillars, Kumar believes that in order to achieve security in an IT-driven business, one must concentrate on people, processes, and technology with equal emphasis. It is relatively easier to supervise and control technology compared to people and processes.

“Information security needs continuous commitment from top management, application owners and all levels of users. It is not an end game but a continuing journey,” he says.

- <Back to Top>-  
Untitled Document
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.