Archives || Search || About Us || Advertise || Feedback || Subscribe-
Issue of January 2007

Untitled Document

 Home > Cover Story
 Print Friendly Page ||  Email this story



Thanks to its risk management framework, every application that's used at ICICI Bank is assessed for risk before it is deployed. The reason for this is that there is always an internal and external risk to the bank's assets. By Vinita Gupta.

Risk assessment and security systems are critical for any bank. ICICI Bank's risk assessment processes are reviewed against the bank’s security policy framework. The company also has its own Security Operations Centre for monitoring its security set-up, 24X7.

Critical systems are audited every year by the bank's internal audit department while external audits are conducted by one or two of the Big Four consulting firms and a regulatory body.

Security is crucial

The bank's security policy covers Internet, password, logical access, disaster recovery, Internet messaging, database, application, operating systems, intranet, network, physical, anti-virus, wireless as well as freeware and shareware usage among other things.

Murli Nambiar, Head- Information Security Group of ICICI Bank says, “Many areas are covered but at present the top priorities in the security policy are logical access, password, application, database, operating system and network.”

“Security is crucial for each and every area as a particular area may not be critical at present but in the future it could be .”

Risk Management Framework

Every application is assessed using the bank's risk management framework before it gets deployed at ICICI Bank's data center.

Nambiar says that the framework is important as it enables a focussed approach towards reducing the risk that assets face from internal and external forces. To avoid internal risk, the bank has stringent policies to lock down devices and facilities are provided on a ‘need to use’ basis. The security department makes sure that the systems are secure especially servers as frauds typically originate on the server side. Norms are followed: only a few employees are allowed to use external storage devices such as pen drives and CD-Rs.

It also conducts training programs for the IT administrators, system and application owners and Web developers. The Web developers are trained on secure coding practice on a yearly basis, code reviews are done to determine the efficacy of the process. The Intranet is used for disseminating information about existing threats, for instance, they send e-mails to end users and administrators to make them aware of the latest security threats such as viruses, security patches etc.

He adds, “The findings from the audit reports are basically gaps which have to be closed by the system or application owners. If the risk factor in such cases has changed and gaps cannot be closed for any reason they are highlighted to management for taking appropriate action as per the risk mitigation process.”

BC and DR
  • The bank has an alternate disaster recovery site.
  • The equipment is identical at both the primary and the secondary site.
  • Daily back-ups are taken on to tape.
  • Critical data is backed up in real time while the rest is copied off at the end of the day.
  • The BCP plan has the recovery time objective for each system. The recovery time objective for each application is decided based upon the business needs and criticality of the data generated by it.

  • All metrics that are actionable from the IT security policy are monitored on a monthly basis. Operating systems, application security, database, physical, desktops, servers and password security are some of the areas being monitored.
  • The metrics are measured manually wherein the auditors conduct physical tests of the systems wherein tools such as desktop management tool are used to scan for viruses and apply security patches for desktops, laptops and servers.
  • Metric sampling is carried out monthly.

Security Operation Centre

According to Murli Nambiar, a security strategist needs to understand and maintain the fine balance between managing risk and doing business. His perspective of security covers not only IT but also people and processes. It is essential to have a holistic view

At ICICI Bank, business processes are reviewed during the risk assessment process and internal audits. The processes are reviewed against the security policy framework requirements and refined or modified to bring them into alignment with IT.

The company has its own Security Operations Centre which is manned 24X7.

The security operations group monitors the status of all devices and ensures that systems are available and not compromised. Some aspects which the group monitors are hacking attempts and Denial of Service (DoS) attacks.

The information security officers consist of domain experts responsible for LAN, WAN, Web and database security. The security operations group normally resolves issues and escalates matters to the security officers for second level support. The information security officers escalates the issues to the management if a corporate decision needs to be taken.

Security Architecture
  • Application security is reviewed periodically, every application undergoes an assessment before implementation in production
  • Penetration testing is executed for all Web based systems
  • Perimeter security is taken care of by using routers, switches, firewalls, IDS (planned by Jan 07 – IPS, SIEM, WAF)
  • Wireless LAN secured with encryption and authentication (rogue access point detection; software evaluations are in progress)
  • The ATM and voice networks have been secured

ICICI Bank IT Set-up
  • ICICI Messenger: This software was developed internally in 2006 to provide secure instant messaging for internal users
  • FTP server: An open source FTP server application has been customised to meet the requirements of the bank
  • PT and VA: Penetration testing (PT) and vulnerability assessment (VA) are done as and when required. They change the vendors involved every year
  • Network printers: Unnecessary protocols are disabled
  • Unauthorised messaging: Only approved software (ICICI Messenger) is used
  • Data security: Encryption software has been loaded on desktops, servers and laptops

Security Systems

Numerous transactions are carried out on a daily basis hence it’s necessary for the bank to have proper security systems that secure its assets from internal and external threats. Some of these are:

  • Firewalls, intrusion detection systems, anti-virus as well as routers to secure the perimeter.
  • Encryption for desktops and laptops to secure data being carried out on media.
  • Biometrics was implemented last year for critical departments. This has helped reduce user ID and password sharing.

The bank has also deployed a desktop management suite which helps the IT team scan the environment for deviations and take corrective action. This helps identify discrepancies and violations of security policy, check for spyware and adware, block device ports (USB, Infrared, Bluetooth) from a central console and check for policy non-compliance on servers. Using the software they also conduct vulnerability Assessment (VA) and patch management on desktops and servers to keep them updated with the latest security patches, helping to reduce risks involved with insecure systems being exploited.

The bank uses standard messaging software and it has blocked freebies. The benefits of using a standard messaging software is to eliminate the risk of using free software which provides various features other than messaging and may be detrimental to the bank’s security.

The Wireless LAN (WLAN) is secured with encryption and only authenticated users are permitted to use the ICICI Bank wireless network.

Network printers are secured against unauthorised access and misuse.

About the Bank
  • ICICI Bank was in started in 1994.
  • It is headquartered in Mumbai with subsidiaries, branches and offices abroad.
  • ICICI Bank has total assets of about Rs 2,513.89 billion as of March 31, 2006 and profit after tax of Rs 25.40 billion for the fiscal year ending March 31, 2006.
  • It has 30,000+ employees, 614 branches and extension counters as well as 2,300+ ATMs.
  • The branches are connected through 64 Kbps leased lines.

Asset Profiling
  • Data center (DC) and system owners are responsible for maintaining inventory and use an online system called DC Governance
  • Critical systems go through a strict DC induction process wherein systems are hardened, audited, and penetration tested
  • System owners ensure that the inventory lists are updated when the application or the system changes
  • All systems have specific owners who are responsible for maintaining security
  • All media is classified and secured

BS7799 / ISO 17799 certified

This year the bank received the BS7799 /ISO 17799 certification for two of its departments.

According to Nambiar, certification can help the company address security in a structured format. Presently they have certified two departments, the call centre and the Global Trade Services Unit (GTSU) and are in the process of certifying other critical departments by March 2007.

Meet the CIO
  • Murli Nambiar is the Head, Information Security Group. He is a graduate in Physics and postgraduate in management studies from Bombay University.
  • He has 13 years of IT experience, of which about seven years have been in information security domain. In addition to information security he has extensive experience in areas of Infrastructure and Networking.

    He has earned the following certifications:

  • Microsoft certified Systems Engineer (MCSE), Certified Information Systems Security professional (CISSP), Certified Information Systems Auditor (CISA) and BS 7799 lead Auditor.
  • According to him a security strategist is a person who understands and helps to maintain the fine balance between managing risks and doing business. His perspective of security covers IT but also people and processes.

Information Security Governance

In ICICI Bank the Information Security committee or Deputy Managing Director reviews security policy changes and approves the same. The Information security committee consists of senior management from technology and operations.

The senior department heads, sign the IT risk management framework which covers threat, vulnerability and impact as well as residual risk. Significant changes to systems are reviewed for changes in the risk profile and the IT security policy is reviewed on a yearly basis and audited for effectiveness on a monthly basis. Security standards are defined in the bank for all systems or technologies and deployed across systems.


ICICI Bank’s security team consists of security professionals in IT teams. Periodic training programs are conducted for the security team, class room training for all IT administrators and system and application owners is also carried out. All the web developers are trained on secure coding practice on a yearly basis.

- <Back to Top>-  
Untitled Document
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.