Thanks to its risk management framework, every application
that's used at ICICI Bank is assessed for risk before it is deployed. The reason
for this is that there is always an internal and external risk to the bank's
assets. By Vinita Gupta.
assessment and security systems are critical for any bank. ICICI Bank's risk
assessment processes are reviewed against the bank's security policy framework.
The company also has its own Security Operations Centre for monitoring its security
Critical systems are audited every year by the bank's internal audit department
while external audits are conducted by one or two of the Big Four consulting
firms and a regulatory body.
Security is crucial
The bank's security policy covers Internet, password, logical access, disaster
recovery, Internet messaging, database, application, operating systems, intranet,
network, physical, anti-virus, wireless as well as freeware and shareware usage
among other things.
Murli Nambiar, Head - Information Security Group of ICICI Bank, says, "Many
areas are covered but at present the top priorities in the security policy are
logical access, password, application, database, operating system and network.
Security is crucial for each and every area as a particular area may not
be critical at present but in the future it could be."
Risk Management Framework
Every application is assessed using the bank's risk management framework before
it gets deployed at ICICI Bank's data center.
Nambiar says that the framework is important as it enables a focussed approach
towards reducing the risk that assets face from internal and external forces.
To avoid internal risk, the bank has stringent policies to lock down devices,
and facilities are provided on a need-to-use basis. The security
department makes sure that the systems are secure, especially servers, as frauds
typically originate on the server side. Norms are followed: only a few employees
are allowed to use external storage devices such as pen drives and CD-Rs.
It also conducts training programs for the IT administrators,
system and application owners and Web developers. The Web developers are trained
on secure coding practice on a yearly basis, and code reviews are done to determine
the efficacy of the process. The Intranet is used for disseminating information
about existing threats; for instance, they send e-mails to end users and administrators
to make them aware of the latest security threats such as viruses, security
He adds, The findings from the audit reports are basically
gaps which have to be closed by the system or application owners. If the risk
factor in such cases has changed and gaps cannot be closed for any reason they
are highlighted to management for taking appropriate action as per the risk
- The bank has an alternate disaster recovery
- The equipment is identical at both the
primary and the secondary site.
- Daily back-ups are taken on to tape.
- Critical data is backed up in real time
while the rest is copied off at the end of the day.
- The BCP plan has the recovery time objective
for each system. The recovery time objective for each application is
decided based upon the business needs and criticality of the data generated
- All metrics that are actionable from the
IT security policy are monitored on a monthly basis. Operating systems,
application security, database, physical, desktops, servers and password
security are some of the areas being monitored.
- The metrics are measured manually: the
auditors conduct physical tests of the systems, in which tools such
as a desktop management tool are used to scan for viruses and apply security
patches for desktops, laptops and servers.
- Metric sampling is carried out monthly.
Security Operation Centre
According to Murli Nambiar, a security
strategist needs to understand and maintain the fine balance between managing
risk and doing business. His perspective of security covers not only IT
but also people and processes. It is essential to have a holistic view
At ICICI Bank, business processes are reviewed during the risk assessment process
and internal audits. The processes are reviewed against the security policy
framework requirements and refined or modified to bring them into alignment
The company has its own Security Operations Centre which is manned 24x7.
The security operations group monitors the status of all
devices and ensures that systems are available and not compromised. Some aspects
which the group monitors are hacking attempts and Denial of Service (DoS) attacks.
The information security officers consist of domain experts
responsible for LAN, WAN, Web and database security. The security operations
group normally resolves issues and escalates matters to the security officers
for second level support. The information security officers escalate the issues
to the management if a corporate decision needs to be taken.
- Application security is reviewed periodically;
every application undergoes an assessment before implementation in production
- Penetration testing is executed for all
Web based systems
- Perimeter security is taken care of by
using routers, switches, firewalls, IDS (planned by Jan 07 IPS,
- Wireless LAN secured with encryption and
authentication (rogue access point detection; software evaluations are
- The ATM and voice networks have been secured
- ICICI Messenger:
This software was developed internally in 2006 to provide secure instant
messaging for internal users
- FTP server:
An open source FTP server application has been customised to meet the
requirements of the bank
- PT and VA: Penetration testing
(PT) and vulnerability assessment (VA) are done as and when required.
They change the vendors involved every year
- Network printers: Unnecessary protocols
- Unauthorised messaging: Only approved
software (ICICI Messenger) is used
- Data security:
Encryption software has been loaded on desktops, servers and laptops
Numerous transactions are carried out on a daily basis, hence it's necessary
for the bank to have proper security systems that secure its assets from internal
and external threats. Some of these are:
- Firewalls, intrusion detection systems, anti-virus
as well as routers to secure the perimeter.
- Encryption for desktops and laptops to secure data
being carried out on media.
- Biometrics was implemented last year for critical
departments. This has helped reduce user ID and password sharing.
The bank has also deployed a desktop management suite which helps the IT team
scan the environment for deviations and take corrective action. This helps identify
discrepancies and violations of security policy, check for spyware and adware,
block device ports (USB, Infrared, Bluetooth) from a central console and check
for policy non-compliance on servers. Using the software they also conduct vulnerability
assessment (VA) and patch management on desktops and servers to keep them updated
with the latest security patches, helping to reduce risks involved with insecure
systems being exploited.
The bank uses standard messaging software and it has blocked freebies. The benefit
of using standard messaging software is that it eliminates the risk of using free
software which provides various features other than messaging and may be detrimental
to the bank's security.
The Wireless LAN (WLAN) is secured with encryption and only authenticated users
are permitted to use the ICICI Bank wireless network.
Network printers are secured against unauthorised access and misuse.
- ICICI Bank was started in 1994.
- It is headquartered in Mumbai with subsidiaries,
branches and offices abroad.
- ICICI Bank has total assets of about Rs
2,513.89 billion as of March 31, 2006 and profit after tax of Rs 25.40
billion for the fiscal year ending March 31, 2006.
- It has 30,000+ employees, 614 branches
and extension counters as well as 2,300+ ATMs.
- The branches are connected through 64
Kbps leased lines.
- Data center (DC) and system owners are
responsible for maintaining inventory and use an online system called
- Critical systems go through a strict DC
induction process wherein systems are hardened, audited, and penetration
- System owners ensure that the inventory
lists are updated when the application or the system changes
- All systems have specific owners who are
responsible for maintaining security
- All media is classified and secured
BS7799 / ISO 17799 certified
This year the bank received the BS7799 / ISO 17799 certification for two of its
According to Nambiar, certification can help the company address security in
a structured format. Presently they have certified two departments, the call
centre and the Global Trade Services Unit (GTSU) and are in the process of certifying
other critical departments by March 2007.
Information Security Governance
In ICICI Bank the Information Security committee or Deputy Managing Director
reviews security policy changes and approves the same. The Information security
committee consists of senior management from technology and operations.
The senior department heads sign the IT risk management
framework which covers threat, vulnerability and impact as well as residual
risk. Significant changes to systems are reviewed for changes in the risk profile
and the IT security policy is reviewed on a yearly basis and audited for effectiveness
on a monthly basis. Security standards are defined in the bank for all systems
or technologies and deployed across systems.
ICICI Bank's security team consists of security professionals in IT teams.
Periodic training programs are conducted for the security team; classroom training
for all IT administrators and system and application owners is also carried
out. All the web developers are trained on secure coding practice on a yearly