BS7799 SBI
Transcript of BS7799 SBI
-
8/8/2019 BS7799 SBI
1/28
EXPERIENCE IN IMPLEMENTING SECURITY MEASURES AT SBI: A CASE STUDY
Patrick Kishore
General Manager (IT) &
Chief Information Security Officer
State Bank of India
-
ELITEX-2008
Where we were
Early 1990s - More than 7000 branches based on manual procedures derived from Imperial Bank of India and evolved over decades.
Mainframes used for MIS, Reconciliation & Fund Settlement processes.
-
Changes brought in IT
Late 1990s - More than 8000 branches either on decentralized systems or manually operated.
Mainframe / Mini Computers used at CO/LHO/ZO for backend operations.
Internet Banking facility for individuals.
All ATMs of State Bank Group networked.
-
TBA - Distributed System Components (diagram)
Components shown: Banking Application; OS, Database; Internet-Banking; ATM; Diskless nodes on the branch LAN; Branches.
Roles shown: System Administrator; User Control Officer.
-
Changes brought in IT
2001 - KPMG appointed consultant for preparing IT Plan for the Bank. Core Banking proposed; FNS, CS, COMLINK selected.
2002 - All branches computerized but on decentralized systems; Core Banking initiative started.
-
Changes brought in IT
2008 - More than 6500 branches (95% of business) on Core Banking Solution (CBS).
Internet Banking facility for Corporate customers.
More interfaces developed with eCommerce & other sites through alternate channels like ATM & Online Banking.
All Foreign Offices on Centralized Solution.
BPR initiative to realign business processes with changes due to IT.
-
Changes brought in IT
Large Network as backbone for connectivity across the country.
Multiple Service Providers for providing the links: BSNL, MTNL, Reliance, Tata & Railtel.
Multiple Technologies to support the networking infrastructure: Leased lines, Dial-up, CDMA & VSATs.
-
CBS - Core Banking System Components (diagram)
Datacenter: Core-Banking Application; OS, Database; Internet-Banking; ATM; Alternative Channels.
Branches: Desktops, Branch Servers.
Connectivity: WAN, Internet.
Roles shown: Network Administrators; Application Developers; System Administrators; Branch User/Admins.
-
RBI Guidelines
RBI constituted a working group on information systems security for the banking and financial sector - 2001.
Banks were required to put in place effective security policies & controls.
Information Systems Security Department to be set up to address security issues on an ongoing basis.
-
IT Governance at SBI
INFORMATION SYSTEMS SECURITY GOVERNANCE (diagram): Structure; Risk Assessment; Risk Management; Communication; Compliance.
-
Organization structure of IT (org chart)
Positions shown: DMD (IT); GM (IT) & CISO; DMD (I&A); CGM (IT); GM (ITSS); DGM (ITSS); AGM (ITSS); GM (I&A); CIO / CGM (I&A); Application Owners.
-
Organization structure of IT
Enforcer - Application Owners / Business Owners / System Administrators / IT Personnel:
Implement technical and procedural controls.
Manage network, servers & applications securely, adhering to policies, standards & procedures.
Report incidents.
Act on security logs.
Enabler - Information Security Department:
Assess risks.
Define policies, and develop standards and procedures.
Provide training & awareness.
Deploy & manage security products.
Define security architecture for network, databases & applications: Secure Configuration Docs.
Auditor - Inspection & Management Audit Dept.:
Auditing compliance against policies across applications and locations.
Vulnerability testing.
Penetration testing.
Application security testing.
Feedback to ISD on effectiveness of policies.
-
Organizational Structure of IS (org chart)
Positions shown: DMD (IT); GM (IT) & CISO; AGM (ISD); Information Security Officers.
FUNCTIONS: Consulting, Monitoring, Compliance.
2003 - Information Security consultant appointed for Information Security initiation.
2004 - Information Security Department set up, headed by GM (IT) & CISO and supported by CISA qualified ISOs.
ISSSC set up by the Board.
-
Objective of IS
To provide the bank's business processes with reliable information systems by systematically assessing, communicating and mitigating risks, thereby increasing customers' trust in the bank and achieving world class standards in information security.
-
How we manage
Develop and enable implementation of strong systems
along 6 pillars of security.
-
Security Governance
Board / CEO: Set directions; Approve top level policies; Promote security culture; Delegate responsibility; Provide resources; Review security status.
Integrated Risk Management Committee: Align information security with overall risk management; ISD represented on the Committee.
ISS Standards Committee: Approve detailed standards & procedures; Annual review of standards and procedures to address new security threats and mitigation; Changes to procedures based on feedback.
-
Security Governance
IT Policy and IS Security Policy approved by the Board.
Standards and Procedures (25 domains) approved by ISSSC.
Half yearly reviews by ISSSC to update IT Policy and IS Security Policy, Standards and Procedures.
Security Guidelines for Critical Applications.
Security Policies for Overseas operations.
IS Roles and Responsibilities across the Organisation approved by the Board.
Security Guidelines for Branches and Offices.
-
Security Governance
Central Anti-Virus and Firewall/IDS monitoring teams set up.
Associate Banks supported in ISMS initiatives.
Policies enforced through periodic security compliance reviews.
Promoting IS Awareness and Security Culture across the Bank.
-
Consulting
Carrying out Risk Analysis.
Formulation / Modification of IT Policy and IS Security Policy for the Bank.
Secured Configuration Documents for various Operating Systems & Databases.
Devising effective mitigation measures.
Reviewing the Bank's new IT-enabled products & services for IS.
-
Monitoring
Firewall Rule Base.
Anti-virus.
Firewall & IDS Logs.
Discover gaps in policy, standards & procedures.
Assess user difficulties.
Periodic Vulnerability Assessments and Penetration Tests.
Best Security Practices for Processes.
-
Compliance
Compliance review of processes followed by different applications, periodicity based on criticality of the application.
Application security review of critical applications.
Review of SDLC followed for applications.
Security review of selected branches and offices.
Action Taken Reports from Application Owners.
-
Incident Response
RCA for security incidents reported through service desk or email.
Risk mitigating measures against phishing attacks.
Security measures against ATM based incidents.
Anti-virus, Anti-spam initiatives.
-
Security Awareness
User awareness through multiple channels like intranet, training etc.
e-Learning package on information security distributed across the Bank.
Specialized IS awareness sessions for controllers.
Dedicated IS Security sessions during training.
Observing Computer Security Day every year across the organization.
Write-ups on Information Security in the in-house magazines.
Exchange of information on threats and vulnerabilities at appropriate forums.
-
Improving our IS Security
Benchmarking SBI initiatives against International Best Practices.
E&Y benchmarking initiative in 2006.
RBI requirement under Section 35.
External audit of IS initiatives.
BS 7799 / ISO 27001 certification of CDC-DRC, ATM & INB.
-
Challenges ahead
Retaining Bank's lead position: Maintaining business edge over competitors in the context of sameness in IT infrastructure.
Assured Availability: Financially critical systems increasingly depend on IT delivery channels - no margin for downtime.
Infrastructure derisking: Tie-up with multiple vendors for spreading risks due to infrastructure failures and obsolescence.
-
Challenges ahead
Vendor Management
Multiple vendor support necessary for working of highly complex technology.
Coordinating various vendors to provide a secure IT infrastructure for business operations.
Alternatives for failure of a specific vendor's services.
Extent of replacing vendors with internal staff.
-
Challenges ahead
Managing IS Security
Information Security dependency on vendor inputs.
Complex networked environment leading to lack of Know Your Employee, Systems & Procedures, Vendors.
Maintaining Confidentiality & Privacy of Data while in storage, transmission & processing.
Providing DRP & BCP in a complex technology infrastructure supported by multiple vendors.
-
Questions ?