|
Security
Banking on six pillars of safety
S Krishna Kumar, GM (IT) & CISO, SBI, has rested
his security strategy on six pillars of safety that include governance, risk
assessment and compliance
S Krishna
Kumar |
He is a humble man, with the heavy responsibility of securing
a mammoth organisation, operating on a global scale. As the GM-IT & Chief
Information Security Officer (CISO) of State Bank of India, Krishna Kumar has
tackled the bank’s information security threats with a smart shield—a
clever security strategy.
Scale of Operations
The complexity of Kumar’s task is apparent when you look at the breadth
of his organisation’s business. The bank has more than 9,100 branches in
India, and 54 branches and offices abroad. The State Bank group, which comprises
SBI and seven other subsidiary banks has around 13,700 branches.
There are more than 160,000 users on the network which includes all officers
and clerks. Core banking solutions are used across 4,200 branches and more are
connected every week.
SBI’s financial assets are worth $105 billion, and the group is $144 billion.
The entire IT infrastructure of all the banks in the group is managed out of
the IT department in Belapur (Navi Mumbai), and information security of this
massive infrastructure is Kumar’s responsibility.
“The objective and focus of the information security
programme is to protect our information assets. The way to achieve it is the
challenge I face,” says Kumar.
Processes
- Upper management buy-in
- Concept of six pillars of safety: governance, structure, risk assessment,
risk management, communication, and compliance
- Policy approval at board level
- Risk mitigation processes
- Documented standards and procedures
- Management overview for controllers
- SLA monitoring
Technology
- Firewall
- Anti-virus
- IDS
- Management tools
|
Higher Management Buy-In
According to Kumar, “Information security in SBI has commitment and support
at the highest level in the organisation. The state of information security
is periodically reviewed by the top management.”
The staff in the information security department consists of officials who are
certified in CISA or CISM. Kumar, who heads the department, is CISA and CISM
certified.
The Winning Strategy
In his early days in the IT department, Kumar recognised that information security
management is not an isolated IT issue, and is made up of aspects such as governance,
business, and organisational structure.
After a close and careful look at the bank’s business needs and complexities,
he devised a security strategy that he believes is holistic in approach and
includes all the components needed for an effective information security programme.
He built his strategy around the concept of six pillars of information security
management: governance, structure, risk assessment, risk management, communication
and compliance.
The Pillars of Safety
“All the pillars are equally critical in providing information security
assurance,” says Kumar in an obvious reference to organisations which focus
only on security products and penetration tests.
Information security in SBI derives its strength from the highest authority,
the board, which has approved the bank’s information security policies,
and provided direction and support mechanisms to evolve the required standards
and procedures.
All project groups (application owners) participate in the information security
and mitigation process.
“Risk mitigation is not a one-size-fits-all process,
and takes different routes depending on the risk and business imperatives. It’s
something we devise after considering the business needs vis-à-vis security
controls,” Kumar explains.
Being a financial organisation, the bank is subject to a number of regulations,
both internal and external in nature. These are considered an integral part
of the security architecture.
Kumar’s strategy also takes into account the fact that it’s crucial
to communicate all policies and procedures to heads of departments across an
organisation, so that there can be appropriate guidance to end-users.
| The uniqueness of the security strategy
is apparent from the breadth of the organisation’s business and scale
of its operations. Added to that is the problem of legacy data collected
over years of operations, legacy mindset of existing personnel which needs
to be migrated, and stiff competition from other banks.
Kumar has successfully roped in the higher management
at all levels of the strategy—creation, deployment, and review. He
has created a strategy based on the concept of six essential pillars.
This has provided a holistic and complete approach to the organisation’s
information security.
|
Documented Standards and Procedures
The information security policy approved by the board is supported by a comprehensive
standards, procedures & guidelines document. A management overview is also
a part of the documentation.
“It is necessary that all personnel across the business understand the
underlying philosophy and basis of the security policy. Merely writing a security
policy and sending it to different departments will not take us far,” explains
Kumar.
The policy documents should include a management overview for the controllers
who would enforce the policies in their jurisdiction. The purpose of the management
overview is manifold. It brings in the context, which is the evolving IT infrastructure
in the bank, the need for a strong policy and the procedural framework for information
security, policy lifecycle, implementation, user awareness, and compliance requirements.
The policies, standards and procedures are reviewed annually by a multi-disciplinary
committee of top and senior management which includes the head of IT.
Monitoring SLAs
Kumar believes that it’s not good enough to have just the performance levels
specified in a Service Level Agreement (SLA). The organisation should also be
able to measure service levels, use appropriate measurement metrics, build adequate
deterrents against under-performance and monitor the performance of all outsourcing
arrangements.
On Disaster Recovery (DR), Kumar observes that a DR system has been set up for
critical applications in a different city and periodic mock drills are conducted.
“An important but often neglected aspect of the DR plan is to shuffle a
core team of operations personnel between production and DR sites periodically.
This ensures the availability of skilled resources at the DR site. They are
current with the latest state of the production application,” says Kumar.
Skill Sets
Kumar believes that to be a good security strategist it is important to have
a thorough understanding of the business domain.
“The best way to approach information security is from the business side—ask
what the business need is, assess the risk, and fashion a risk mitigation strategy
that fits,” he asserts.
Based on the concept of the six pillars, Kumar believes that in order to achieve
security in an IT-driven business, one must concentrate on people, processes,
and technology with equal emphasis. It is relatively easier to supervise and
control technology compared to people and processes.
“Information security needs continuous commitment from
top management, application owners and all levels of users. It is not an end
game but a continuing journey,” he says.
|
|| Feedback
|| Subscribe-
