SSA 2005—BFSI Winners

Six pillars of safety

S Krishna Kumar, GM (IT) & CISO, State Bank of India, has built his winning security strategy on six pillars of safety that support the information security needs of the banking giant. Here’s a closer look at the bank’s security architecture. by Soutiman Das Gupta
Here’s a humble man, with the heavy responsibility of securing a mammoth organisation, operating on a global scale. As the GM-IT & Chief Information Security Officer (CISO) of State Bank of India, Krishna Kumar has tackled the bank’s information security threats with a smart shield—a clever security strategy.

That is why we chose him as the SecureSynergy Security Strategist in the BFSI category.
Scale of operations

The complexity of Kumar’s task is apparent when you look at the breadth of his organisation’s business. The bank has more than 9,100 branches in India, and 54 branches and offices abroad. The State Bank group, which comprises SBI and seven other subsidiary banks, has around 13,700 branches.

There are more than 160,000 users on the network, which includes all officers and clerks. Core banking solutions are used across 4,200 branches, and many more are connected every week.

SBI’s financial assets are worth $105 billion, and the group’s, $144 billion. The entire IT infrastructure of all the banks in the group is managed out of the IT department in Belapur (Navi Mumbai), and information security of this massive infrastructure is Kumar’s responsibility.

“The objective and focus of the information security programme is to protect our information assets. The way to achieve it is the challenge I face,” says Kumar.
SBI’s strategy

Processes
- Upper management buy-in
- Concept of six pillars of safety: Governance, Structure, Risk Assessment, Risk Management, Communication, and Compliance
- Policy approval at Board level
- Risk mitigation processes
- Documented standards and procedures
- Management overview for controllers
- SLA monitoring

Technology
- Firewall
- Anti-virus
- IDS
- Management tools
Higher management buy-in

According to Kumar, “Information security in SBI has commitment and support at the highest level in the organisation. The state of information security is periodically reviewed by the top management.”

The staff in the information security department consists of officials who are certified in CISA or CISM. Kumar, who heads the department, is CISA and CISM certified.

The winning strategy

In his early days in the IT department, Kumar recognised that information security management is not an isolated IT issue, and is made up of aspects such as governance, business, and organisational structure.

After a close and careful look at the bank’s business needs and complexities, he devised a security strategy that he believes is holistic in approach and includes all the components needed for an effective information security programme.

He built his strategy around the concept of six pillars of information security management: governance, structure, risk assessment, risk management, communication and compliance.
The pillars of safety

“All the pillars are equally critical in providing information security assurance,” says Kumar, in an obvious reference to organisations which focus only on security products and penetration tests.

Information security in SBI derives its strength from the highest authority, the Board. The Board has approved the bank’s information security policies, and provided direction and supporting mechanisms to evolve the required standards and procedures.

All project groups (application owners) participate in the information security and mitigation process.

“Risk mitigation is not a one-size-fits-all process, and takes different routes depending on the risk and business imperatives. It’s something we devise after considering the business needs vis-à-vis security controls,” Kumar explains.

Being a financial organisation, the bank is subject to a number of regulations, both internal and external in nature. These are considered an integral part of the security architecture.

Kumar’s strategy also takes into account the fact that it’s crucial and necessary to communicate all policies and procedures to heads of departments across the organisation, so that there can be appropriate guidance to end-users.

Documented standards and procedures

The information security policy approved by the board is supported by a comprehensive and elaborate Standards, Procedures & Guidelines document. A management overview is also a part of the documentation.

“It is necessary that all personnel across the business understand the underlying philosophy and basis of the security policy. Merely writing a security policy and sending it to different departments will not take us far,” explains Kumar.

The policy documents should include a management overview for the controllers who would enforce the policies in their jurisdiction. The purpose of the management overview is manifold. It brings in the context, which is the evolving IT infrastructure in the bank, the need for a strong policy and the procedural framework for information security, policy lifecycle, implementation, user awareness, and compliance requirements.

The policies, standards and procedures are reviewed annually by a multi-disciplinary committee of top and senior management which includes the Head of IT.
Uniqueness of the strategy

The uniqueness of the security strategy is apparent from the breadth of the organisation’s business and scale of its operations. Added to that is the problem of legacy data collected over years of operations, legacy mindset of existing personnel which needs to be migrated, and stiff competition from other banks.

Kumar has successfully roped in the higher management at all levels of the strategy—creation, deployment, and review. He has created a strategy based on the concept of six essential pillars. This has provided a holistic and complete approach to the organisation’s information security.
Monitoring SLAs

Kumar believes that it’s not good enough to have just the performance levels specified in a Service Level Agreement (SLA). The organisation should also be able to measure service levels, use appropriate measurement metrics, build adequate deterrents against under-performance and monitor the performance of all outsourcing arrangements.

On Disaster Recovery (DR), Kumar observes that a DR system has been set up for critical applications in a different city and periodic mock drills are conducted.

“An important but often neglected aspect of the DR plan is to shuffle a core team of operations personnel between production and DR sites periodically. This ensures the availability of skilled resources at the DR site. They are current with the latest state of the production application,” says Kumar.

Skill sets

Kumar believes that to be a good security strategist it is important to have a thorough understanding of the business domain.

“The best way to approach information security is from the business side—ask what the business need is, assess the risk, and fashion a risk mitigation strategy that fits,” he asserts.

Based on the concept of the six pillars, Kumar believes that in order to achieve security in an IT-driven business, one must concentrate on people, processes, and technology with equal emphasis. It is relatively easier to supervise and control technology compared to people and processes.

“Information security needs continuous commitment from top management, application owners and all levels of users. It is not an end game but a continuing journey,” he says.
soutimand@networkmagazineindia.com