EXPERIENCE IN IMPLEMENTING SECURITY MEASURES AT SBI – A CASE STUDY Patrick Kishore General Manager (IT) & Chief Information Security Officer State Bank of India


Page 1: EXPERIENCE IN IMPLEMENTING SECURITY MEASURES AT SBI – A CASE STUDY Patrick Kishore General Manager (IT) & Chief Information Security Officer State Bank

EXPERIENCE IN IMPLEMENTING SECURITY MEASURES AT SBI – A CASE STUDY

Patrick Kishore
General Manager (IT) & Chief Information Security Officer
State Bank of India

Page 2

ELITEX-2008 2

Where we were

• Early 1990s – More than 7000 branches based on manual procedures derived from Imperial Bank of India and evolved over decades.

• Mainframes used for MIS, Reconciliation & Fund Settlement processes

Page 3

Changes brought in IT

• Late 1990s – More than 8000 branches, either on decentralized systems or manually operated

• Mainframes / minicomputers used at CO/LHO/ZO for backend operations

• Internet Banking facility for individuals

• All ATMs of the State Bank Group networked

Page 4

TBA - Distributed System Components

(Diagram; component labels recovered from the slide)

• Banking Application
• OS, Database
• Internet-Banking
• ATM
• Diskless nodes on the branch LAN
• Branches
• System Administrator, User Control Officer

Page 5

Changes brought in IT

• 2001 – KPMG appointed consultant for preparing the IT Plan for the Bank. Core Banking proposed; FNS, CS, COMLINK selected

• 2002 – All branches computerized, but on decentralized systems; Core Banking initiative started

Page 6

Changes brought in IT

• 2008 – More than 6500 branches (95% of business) on Core Banking Solution (CBS)

• Internet Banking facility for Corporate customers

• More interfaces developed with eCommerce & other sites through alternate channels like ATM & Online Banking

• All Foreign Offices on a centralized solution

• BPR initiative to realign business processes with the changes due to IT

Page 7

Changes brought in IT

• Large Network as backbone for connectivity across the country

• Multiple Service Providers for providing the links – BSNL, MTNL, Reliance, Tata & Railtel

• Multiple Technologies to support the networking infrastructure – Leased lines, Dial-up, CDMA & VSATs

Page 8

CBS - Core Banking System Components

(Diagram; component labels recovered from the slide)

• Datacenter: Core-Banking Application; OS, Database; Internet-Banking; ATM
• WAN, Internet (links between Datacenter, Branches and Alternative Channels)
• Branches: Desktops, Branch Servers
• Alternative Channels
• Roles shown: Network Administrators, Application Developers, System Administrators, Branch User/Admins

Page 9

RBI Guidelines

• RBI constituted a “working group on information systems security for banking and financial sector” - 2001

• Banks were required to put in place effective security policies & controls.

• Information Systems Security Department to be set up to address security issues on an ongoing basis.

Page 10

IT Governance at SBI

(Diagram) INFORMATION SYSTEMS SECURITY, surrounded by five governance elements: Governance Structure, Risk Assessment, Risk Management, Communication, Compliance

Page 11

Organization structure of IT

(Organization chart; role labels recovered from the slide)

• IT: DMD (IT), CGM (IT), GM (IT) & CISO
• ITSS: GM (ITSS), DGM (ITSS), AGM (ITSS)
• I&A: DMD (I&A), CGM (I&A), GM (I&A)
• CIO
• Application Owners

Page 12

Organization structure of IT

Enforcer – Application Owners / Business Owners / System Administrators / IT Personnel

• Implement technical and procedural controls

• Manage network, servers & applications securely, adhering to policies, standards & procedures

• Report incidents

• Act on security logs

Enabler – Information Security Department

• Assess risks

• Define policies, and develop standards and procedures

• Provide training & awareness

• Deploy & manage security products

• Define security architecture for network, databases & applications: Secure Configuration Docs

Auditor – Inspection & Management Audit Dept.

• Auditing compliance against policies across applications and locations

• Vulnerability testing

• Penetration testing

• Application security testing

• Feedback to ISD on effectiveness of policies

Page 13

Organizational Structure of IS

(Organization chart) DMD (IT) – GM (IT) & CISO – AGM (ISD) – Information Security Officers

FUNCTIONS: Consulting, Monitoring, Compliance

• 2003 – Information Security consultant appointed for Information Security initiation

• 2004 – Information Security Department set up, headed by GM (IT) & CISO and supported by CISA-qualified ISOs; ISSSC set up by the Board

Page 14

Objective of IS

To provide the bank’s business processes with reliable information systems by systematically assessing, communicating and mitigating risks, thereby increasing customers’ trust in the bank and achieving world-class standards in information security.

Page 15

How we manage

Develop and enable implementation of strong systems along 6 pillars of security.

Page 16

Security Governance

Board / CEO

• Set directions
• Approve top-level policies
• Promote security culture
• Delegate responsibility
• Provide resources
• Review security status

Integrated Risk Management Committee

• Align information security with overall risk management
• ISD represented on the Committee

ISS Standards Committee

• Approve detailed standards & procedures
• Annual review of standards and procedures – need to address new security threats and their mitigation; changes to procedures based on feedback

Page 17

Security Governance

• IT Policy and IS Security Policy approved by the Board

• Standard and Procedures (25 domains) approved by ISSSC

• Half yearly reviews by ISSSC to update IT Policy and IS Security Policy - Standard and Procedures

• Security Guidelines for Critical Applications

• Security Policies for Overseas operations

• IS Roles and Responsibilities across the Organisation approved by the Board

• Security Guidelines for Branches and Offices

Page 18

Security Governance

• Central Anti-Virus and Firewall/IDS monitoring teams set up

• Associate Banks supported in ISMS initiatives

• Policies enforced through periodic security compliance reviews

• Promoting IS awareness and security culture across the Bank

Page 19

Consulting

• Carrying out Risk Analysis

• Formulation / modification of IT Policy and IS Security Policy for the Bank

• Secured Configuration Document for various Operating Systems & Databases

• Devising effective mitigation measures

• Reviewing the Bank’s new IT-enabled products & services for IS
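The Secured Configuration Documents mentioned here (and under the ISD's "Secure Configuration Docs" on the earlier roles slide) are baselines that a server or database is checked against. The script below is an added example, not SBI's document or tooling: it parses a constructed sshd_config-style file and reports every directive that is missing or differs from a constructed baseline. The baseline values, the sample file and the reasons are assumptions for illustration; a real baseline comes from the bank's own document for that platform.

```python
"""Check a service configuration file against a secure-configuration baseline.

Added example (not SBI's own document or tooling). BASELINE and
SAMPLE_CONFIG are constructed here for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed baseline: directive -> (required value, why it matters).
BASELINE: Dict[str, Tuple[str, str]] = {
    "PermitRootLogin": ("no", "root must not log in directly over the network"),
    "PasswordAuthentication": ("no", "keys only; blocks online password guessing"),
    "MaxAuthTries": ("3", "limit authentication attempts per connection"),
    "LogLevel": ("VERBOSE", "needed for auditable login records"),
    "X11Forwarding": ("no", "no GUI forwarding from a branch server"),
}

# Constructed sample, as if pulled from a hypothetical branch server.
# The commented-out PasswordAuthentication line is a classic mistake:
# the directive is visible in the file but not in effect.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 6
X11Forwarding no
# sshd honours the FIRST occurrence of a directive, so this one is ignored
PermitRootLogin no
"""


def parse_config(text: str) -> Dict[str, str]:
    """Return directive -> effective value.

    Blank lines and lines starting with '#' are comments. Where a directive
    appears twice, the first occurrence wins, matching sshd's behaviour.
    """
    effective: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"(\S+)\s+(.+)", line)
        if match and match.group(1) not in effective:
            effective[match.group(1)] = match.group(2).strip()
    return effective


def check_baseline(text: str,
                   baseline: Dict[str, Tuple[str, str]] = BASELINE
                   ) -> List[Tuple[str, Optional[str], str, str]]:
    """Return (directive, actual, expected, reason) for every deviation.

    A directive that is absent counts as a deviation: the daemon's compiled-in
    default is then in force and has not been verified against the baseline.
    """
    cfg = parse_config(text)
    deviations = []
    for key, (expected, reason) in baseline.items():
        actual = cfg.get(key)
        if actual is None or actual.lower() != expected.lower():
            deviations.append((key, actual, expected, reason))
    return deviations


if __name__ == "__main__":
    for key, actual, expected, reason in check_baseline(SAMPLE_CONFIG):
        shown = actual if actual is not None else "<not set>"
        print(f"{key}: found {shown}, baseline requires {expected} ({reason})")
```

Run against the sample, the checker flags four of the five baseline directives; only X11Forwarding passes. The "first occurrence wins" rule is why the trailing `PermitRootLogin no` does not rescue the file, and a checker that naively took the last value would report a false pass.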

Page 20

Monitoring

• Firewall Rule Base

• Anti-virus

• Firewall & IDS Logs

• Discover gaps in policy, standards & procedures

• Assess user difficulties

• Periodic Vulnerability Assessments and Penetration Tests

• Best security practices for processes
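Firewall rule-base review is the first monitoring item above. What the reviewer looks for in practice is any-to-any permits, permitted traffic that is not logged, and rules that can never match because an earlier rule already covers them (shadowed rules, which usually mean a deny that silently stopped working). The script below is an added example, not SBI's tooling: it runs those three checks over a constructed, first-match-wins rule base. The rule format, addresses and rule ids are assumptions for illustration.

```python
"""Firewall rule-base review: any/any permits, unlogged permits, shadowed rules.

Added example (not SBI's tooling). SAMPLE_RULES is a constructed rule base
in first-match order, which is how most firewalls evaluate their rules.
"""
import ipaddress
from typing import Dict, List, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample rule base with hypothetical addresses, first match wins.
SAMPLE_RULES: List[Dict] = [
    {"id": 1, "action": "allow", "src": "10.10.0.0/16", "dst": "10.20.5.10/32",
     "proto": "tcp", "port": 443, "log": True},
    # Meant to block one subnet, but rule 1 already allows it: shadowed.
    {"id": 2, "action": "deny", "src": "10.10.7.0/24", "dst": "10.20.5.10/32",
     "proto": "tcp", "port": 443, "log": True},
    # A "temporary" troubleshooting rule that was never removed.
    {"id": 3, "action": "allow", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "proto": "any", "port": "any", "log": False},
    # Looks specific, but rule 3 above already matches everything.
    {"id": 4, "action": "allow", "src": "192.168.1.0/24", "dst": "10.20.9.0/24",
     "proto": "tcp", "port": 1521, "log": True},
]


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def _covers(outer: Dict, inner: Dict) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    src_ok = _net(inner["src"]).subnet_of(_net(outer["src"]))
    dst_ok = _net(inner["dst"]).subnet_of(_net(outer["dst"]))
    proto_ok = outer["proto"] == "any" or outer["proto"] == inner["proto"]
    port_ok = outer["port"] == "any" or outer["port"] == inner["port"]
    return src_ok and dst_ok and proto_ok and port_ok


def review_rulebase(rules: List[Dict]) -> List[Tuple[int, str]]:
    """Return (rule id, finding) pairs, in rule order."""
    findings: List[Tuple[int, str]] = []
    for i, rule in enumerate(rules):
        permissive = (rule["action"] == "allow"
                      and _net(rule["src"]) == ANY_NET
                      and _net(rule["dst"]) == ANY_NET
                      and rule["proto"] == "any")
        if permissive:
            findings.append((rule["id"], "ANY_ANY_ALLOW"))
        if rule["action"] == "allow" and not rule["log"]:
            findings.append((rule["id"], "UNLOGGED_ALLOW"))
        # A rule is shadowed when an earlier rule matches everything it would,
        # regardless of action: first match wins, so this rule is dead.
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                findings.append((rule["id"], f"SHADOWED_BY_{earlier['id']}"))
                break
    return findings


if __name__ == "__main__":
    for rule_id, finding in review_rulebase(SAMPLE_RULES):
        print(f"rule {rule_id}: {finding}")
```

On the sample this reports rule 2 shadowed by rule 1, rule 3 as an unlogged any/any permit, and rule 4 shadowed by rule 3. Shadowing is checked by subnet containment with Python's `ipaddress` module rather than string comparison, so a /24 inside a /16 is caught; the check deliberately ignores the earlier rule's action, because a shadowed deny is the more dangerous case.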

Page 21

Compliance

• Compliance Review of process followed by different applications, periodicity based on criticality of the application.

• Application Security review of critical applications.

• Review of SDLC followed for applications

• Security review of selected branches and offices

• Action Taken Reports from Application Owners

Page 22

Incident Response

• Root-cause analysis (RCA) for security incidents reported through the service desk or email

• Risk mitigating measures against phishing attacks

• Security measures against ATM based incidents

• Anti-virus, Anti-spam initiatives

Page 23

Security Awareness

• User awareness through multiple channels like intranet, training etc.

• e-Learning package on information security distributed across Bank

• Specialized IS awareness sessions for controllers

• Dedicated IS Security sessions during training.

• Observing “Computer Security Day” every year across the organization.

• Write ups on Information Security in the in-house magazines

• Exchange of information on threats and vulnerabilities at appropriate forums.

Page 24

Improving our IS Security

• Benchmarking SBI initiatives against International Best Practices

• E&Y benchmarking initiative in 2006

• RBI requirement under section 35

• External audit of IS initiatives

• BS27001 certification of CDC-DRC, ATM & INB

Page 25

Challenges ahead

• Retaining the Bank's lead position – maintaining a business edge over competitors in the context of sameness in IT infrastructure

• Assured availability – financially critical systems increasingly depend on IT delivery channels; no margin for downtime

• Infrastructure de-risking – tie-up with multiple vendors to spread the risks due to infrastructure failures and obsolescence

Page 26

Challenges ahead

• Vendor Management

– Multiple-vendor support necessary for the working of highly complex technology

– Coordinating various vendors to provide a secure IT infrastructure for business operations

– Alternatives for failure of a specific vendor's services

– Extent of replacing vendors with internal staff

Page 27

Challenges ahead

• Managing IS Security

– Information Security dependency on vendor inputs

– Complex networked environment leading to lack of "Know Your": Employee, Systems & Procedures, Vendors

– Maintaining confidentiality & privacy of data while in storage, transmission & processing

• Providing DRP & BCP in a complex technology infrastructure supported by multiple vendors

Page 28

Questions ?