Banking on six pillars of safety
S Krishna Kumar, GM (IT) & CISO, SBI, has rested
his security strategy on six pillars of safety that include governance, risk
assessment and compliance.
He is a humble man, with the heavy responsibility of securing
a mammoth organisation operating on a global scale. As the GM-IT & Chief
Information Security Officer (CISO) of State Bank of India, Krishna Kumar has
tackled the bank's information security threats with a smart shield: a
clever security strategy.
Scale of Operations
The complexity of Kumar's task is apparent when you look at the breadth
of his organisation's business. The bank has more than 9,100 branches in
India, and 54 branches and offices abroad. The State Bank group, which comprises
SBI and seven subsidiary banks, has around 13,700 branches.
There are more than 160,000 users on the network, which includes all officers
and clerks. Core banking solutions are used across 4,200 branches and more are
connected every week.
SBI's financial assets are worth $105 billion, and the group's $144 billion.
The entire IT infrastructure of all the banks in the group is managed out of
the IT department in Belapur (Navi Mumbai), and information security of this
massive infrastructure is Kumar's responsibility.
"The objective and focus of the information security
programme is to protect our information assets. The way to achieve it is the
challenge I face," says Kumar.
- Upper management buy-in
- Concept of six pillars of safety: governance, structure, risk assessment,
risk management, communication, and compliance
- Policy approval at board level
- Risk mitigation processes
- Documented standards and procedures
- Management overview for controllers
- SLA monitoring
- Management tools
Higher Management Buy-In
According to Kumar, information security in SBI has commitment and support
at the highest level in the organisation, and the state of information security
is periodically reviewed by the top management.
The staff in the information security department consists of officials who are
certified in CISA or CISM. Kumar, who heads the department, is CISA and CISM
certified.
The Winning Strategy
In his early days in the IT department, Kumar recognised that information security
management is not an isolated IT issue but is made up of aspects such as governance,
business, and organisational structure.
After a close and careful look at the bank's business needs and complexities,
he devised a security strategy that he believes is holistic in approach and
includes all the components needed for an effective information security programme.
He built his strategy around the concept of six pillars of information security
management: governance, structure, risk assessment, risk management, communication,
and compliance.
The Pillars of Safety
"All the pillars are equally critical in providing information security
assurance," says Kumar, in an obvious reference to organisations which focus
only on security products and penetration tests.
Information security in SBI derives its strength from the highest authority,
the board, which has approved the bank's information security policies,
and provided direction and support mechanisms to evolve the required standards
All project groups (application owners) participate in the information security
and mitigation process.
"Risk mitigation is not a one-size-fits-all process,
and takes different routes depending on the risk and business imperatives. It's
something we devise after considering the business needs vis-à-vis security
controls," Kumar explains.
Being a financial organisation, the bank is subject to a number of regulations,
both internal and external in nature. These are considered an integral part
of the security architecture.
Kumar's strategy also takes into account the fact that it's crucial
to communicate all policies and procedures to heads of departments across an
organisation, so that there can be appropriate guidance to end-users.
The uniqueness of the security strategy
is apparent from the breadth of the organisation's business and scale
of its operations. Added to that is the problem of legacy data collected
over years of operations, the legacy mindset of existing personnel which needs
to be migrated, and stiff competition from other banks.
Kumar has successfully roped in the higher management
at all levels of the strategy: creation, deployment, and review. He
has created a strategy based on the concept of six essential pillars.
This has provided a holistic and complete approach to the organisations
Documented Standards and Procedures
The information security policy approved by the board is supported by a comprehensive
standards, procedures & guidelines document. A management overview is also
a part of the documentation.
"It is necessary that all personnel across the business understand the
underlying philosophy and basis of the security policy. Merely writing a security
policy and sending it to different departments will not take us far," explains Kumar.
The policy documents should include a management overview for the controllers
who would enforce the policies in their jurisdiction. The purpose of the management
overview is manifold. It brings in the context, which is the evolving IT infrastructure
in the bank, the need for a strong policy and the procedural framework for information
security, policy lifecycle, implementation, user awareness, and compliance requirements.
The policies, standards and procedures are reviewed annually by a multi-disciplinary
committee of top and senior management which includes the head of IT.
Kumar believes that it's not good enough to have just the performance levels
specified in a Service Level Agreement (SLA). The organisation should also be
able to measure service levels, use appropriate measurement metrics, build adequate
deterrents against under-performance and monitor the performance of all outsourcing
On Disaster Recovery (DR), Kumar observes that a DR system has been set up for
critical applications in a different city and periodic mock drills are conducted.
"An important but often neglected aspect of the DR plan is to shuffle a
core team of operations personnel between production and DR sites periodically.
This ensures the availability of skilled resources at the DR site. They are
current with the latest state of the production application," says Kumar.
Kumar believes that to be a good security strategist it is important to have
a thorough understanding of the business domain.
"The best way to approach information security is from the business side: ask
what the business need is, assess the risk, and fashion a risk mitigation strategy
that fits," he asserts.
Based on the concept of the six pillars, Kumar believes that in order to achieve
security in an IT-driven business, one must concentrate on people, processes,
and technology with equal emphasis. It is relatively easy to supervise and
control technology compared to people and processes.
"Information security needs continuous commitment from
top management, application owners and all levels of users. It is not an end
game but a continuing journey," he says.