DSCI-KPMG Survey 2010
A NASSCOM® Initiative
State Of Data Security and Privacy in the Indian Banking Industry
Vinayak Godse, Director - Data Protection, DSCI
19th April, 2011
State of Data Security and Privacy in the Banking Industry
Coverage: PSU, Private and Foreign Banks
Areas of Survey:
Contemporary to: Industry need | Current Challenges | Practices | Technology Trends | Compliance Expectations
Objective of Survey:
In-depth assessment of the area under coverage
Insights into the state of security and privacy
Understand characteristics and structure of the initiatives
Evaluation of maturity of practices and approach
Benchmarking with security and privacy trends
Execution: Comprehensive questionnaire | Industry consultation | Project Advisory Group | Interaction with Professionals
Interviews: Personal, Email and Telephonic
[Chart: reporting line of the security function. Reporting lines surveyed: Executive Director (ED), Chief Risk Officer (CRO), Chief Financial Officer (CFO), Chief Information Officer (CIO) / Chief Technology Officer (CTO), Chief Operating Officer (COO); bar values shown: 50, 25, 10, 5 and 5 on a 0 to 100 axis]
Reporting to Top Management: 45%
Security Organization
A CISO's day (typical schedule):
9:30 Review security reports coming from different tools, solutions and operational groups
10:30 Participate in business strategy meetings on the security implications of new initiatives
11:30 Interact with lines of business on their security requirements
12:00 Interact with IT teams on installation, administration and maintenance of security devices
12:30 Interact with support functions such as HR, Finance and Admin on enforcing measures in their respective departments
14:00 Review the state of security in lines of business, their applications and systems
15:00 Oversee ongoing security projects
15:30 Review and approve change requests
16:00 Check for new issues, threats and vulnerabilities
17:00 Review the operational teams
17:30 Issue guidelines to enterprise units on specific or general security measures
CISO Role & Time Spent
[Chart: share of CISO time spent on Operational, Tactical and Strategic work]
Security Organization: Task Distribution
Security tasks, distributed across the owning functions (CISO | Compliance | IT Security | IT Infra | External):
Security strategy plan
Preparing security policies and procedures
Implementation of the policies and procedures
Defining and managing the security architecture
Security solutions evaluation and procurement
Installing security solutions, products and tools
Administration of security technologies
Application security testing, code review, etc.
Security monitoring
Reporting, investigating and closing security incidents
Keeping track of the evolving regulatory requirements
Maturity – Security and Privacy Practices
Security:
Constant review to assess security posture in the wake of new threats and vulnerabilities: 90%
Significant efforts are dedicated to ensuring collaboration with external sources and internal functions: 65%
Focus given to innovation in the security initiatives: 60%
Security solutions are given an architectural treatment: 40%
Techniques such as threat modeling and threat trees, and principles such as embedding 'security in design', are proactively adopted: 35%
Privacy:
An understanding of the different roles and entities (data subject, controller, etc.): 58%
PIA is performed for new initiatives and changes: 53%
Understanding of privacy principles and their applicability: 47%
Technology, solutions and processes are deployed for privacy: 43%
A dedicated policy initiative for privacy: 32%
Processes reviewed regularly from a privacy perspective: 32%
Scope of the audit charter is extended to include privacy: 26%
Embedding privacy in the design: 16%
Customer Awareness
Privacy:
Customer notification of changes in the policy: 53%
The policy clearly spells out the restrictions on disclosure of information to third parties: 47%
Users are given access to their information and provision to correct/update their data: 37%
Links to the policy are available on all important user-centric data forms: 26%
Customer acceptance of the privacy policy is taken before providing banking services; limitation imposed on collection and usage of PI: 11%
Security:
Providing demos for secure usage of banking services: 53%
Real-time security messages while executing transactions: 47%
Publishing security messages on different communication channels: 37%
Spreading awareness through public media: 26%
Conducting dedicated customer awareness programs: 11%
Data & Card Security
Card Data:
Masking the card number (PAN) in all user communication and transaction notifications: 53%
The scope of card security is extended to the designated merchants also: 47%
Card expiry date is not printed or stored on the merchant side: 40%
Storing card data in log files in encrypted form: 40%
Encryption of stored authorization information: 27%
Data Security:
Involvement of process owners and lines of business is ensured in data security initiatives: 80%
For each partner/third-party relationship or process, awareness exists of how the data is managed through its life cycle: 75%
Data classification techniques have been deployed and are followed rigorously: 65%
Uniformity of controls is maintained when data moves between different environments: 55%
Granular visibility exists over financial and sensitive data: 50%
Transaction Security
Transaction | Login ID/Password | Virtual Keyboard | Risk-based Authentication | Separate Transaction Password | OTP | Identity Grid | SMS Verification | SMS Alert
Account Logging | 89% | 67% | 11% | 28% | 11% | 11% | 17% | 28%
Checking A/C Statements | 88% | 47% | 0% | 6% | 6% | 0% | 0% | 0%
Register Payee | 78% | 56% | 6% | 39% | 22% | 6% | 44% | 50%
Profile change | 88% | 56% | 6% | 31% | 13% | 6% | 19% | 38%
Money transfer to self | 82% | 53% | 0% | 47% | 18% | 6% | 0% | 59%
Money transfer to other | 76% | 59% | 6% | 65% | 29% | 6% | 24% | 71%
Paying utility bills | 65% | 53% | 0% | 47% | 18% | 6% | 18% | 47%
Online purchases | 76% | 53% | 6% | 59% | 12% | 12% | 18% | 65%
Service Requests | 82% | 59% | 0% | 24% | 6% | 6% | 0% | 29%
Application Security
Application Security Program:
Security testing of applications includes code review: 65%
A mechanism to identify the criticality of each application: 65%
Application Security (AS) is derived from a well-defined security architecture: 65%
Lines of business are involved in AS initiatives: 65%
AS is integrated with incident management: 60%
Compliance requirements mapped to in-scope applications: 55%
Dedicated application security function exists: 55%
Techniques such as threat modeling and threat trees are adopted: 40%
Developer community involved in AS initiatives: 35%
AS is an integral part of application lifecycle management: 15%
Tool Adoption:
Enterprise tools to integrate security in the application lifecycle: 30%
Static Application Security Testing (SAST): 25%
Dynamic Application Security Testing (DAST): 10%
Threat Tracking:
Subscribing to analyst reports: 65%
Security research reports: 60%
Mandating the vendors / third parties: 60%
Security forums on the Internet: 50%
Subscribing to vulnerability and exploit databases: 40%
Incident, Fraud and Compliance
Incident & Fraud Management:
Inventory of all the possible scenarios that lead to incidents and fraud: 74%
Collaborate with CERT-IN: 74%
Support forensic capabilities: 68%
Integrated with organization IT processes for remedial actions: 68%
Collaboration with external knowledge sources: 58%
Scope has been extended to third parties: 58%
Real-time monitoring mechanisms exist that can proactively detect anomalies: 53%
Mechanisms that generate incidents based on patterns and business-rule exceptions: 47%
Mechanism to define detective and investigative requirements: 47%
Response to IT (Amendment) Act, 2008:
Developing strong forensic investigation capabilities: 50%
Identifying the personal information flow into the organization: 50%
Revising the organization's security policy: 35%
Identifying and making an inventory of scenarios: 20%
Creating awareness amongst contractors/third-party employees: 15%
Bench Marking
[Chart: Security Maturity benchmarking across 15 areas, each scored as Low Maturity / Medium Maturity / High Maturity on a 0% to 100% axis. Areas: Position of Security Function, Customer Centric Privacy, Customer Education & Awareness, Card Security Initiatives, Security of Payment Gateway, Response to ITAA 2008, Customer Centric Security, Data Centric Approach, Threat Tracking, Threat & Vulnerability Mgmt, Application Security Program, Incident & Fraud Management, BCP/DRP Preparedness, Resiliency Measures, Physical Security]
Bench Marking: Bank XYZ
[Chart: maturity benchmark for a sample bank ("Bank XYZ"), plotted against the Low Maturity, Medium Maturity and High Maturity bands on a 0% to 100% axis]
THANK YOU