SSA 2005—Nominee Profile
Vigilance at IDBI Bank
At IDBI Bank, security is not just about terminology but part and parcel of its organisational culture. By Shivani Shinde.
Security of investment is an integral part of any banking business, and Sanjay Sharma, Head, IT, IDBI Bank, believes that it is the lifeline of a bank. “Banking is all about trust. People save in banks to secure their investments and be able to utilise them when the need arises,” Sharma points out.
Of course, security is not a new concept in banking. However, its nature and reach have changed. Explains Sharma, “Security has been a part of banking right from day one; the only difference is that earlier security was restricted to a branch, while now it is 24x7, 365 days a year, and goes beyond the brick-and-mortar model.”
Though IDBI Bank came out with a security policy in 2001, he believes that technology can never provide a complete solution, as human errors are beyond its parameters.
Getting involved
Sharma feels that stakeholders must be involved in the formulation of any policy, and that a security policy is no exception. However, it is an uphill task to get the management and other departments involved in the decision-making process of the security policy.
For any business, return on investment (RoI) is crucial, and banking is no different. But making a CEO understand security investments needs more than the gift of gab. At IDBI Bank, an Information Security Steering Committee (ISSC) has been set up with all the stakeholders as its members. The ISSC has its members from HR, Audit, Risk, Operations and the IT team.
Sharma feels that making people sign on paper is not going to help. For instance, at IDBI, when an issue is discussed, the advice expected is active rather than passive. “We have changed. We are growing, and we cannot do much with passive ideas. If participation does not happen, then, I say, blackhat hackers (virtual intruders) might attack the bank. They might do something on the Web site which might harm our reputation. If they manage to get in further, there is financial risk, which again cannot be quantified,” he says. In short, the management should be made a party to decisions.
Education First
Having a security framework involves a lot more than just a booklet of do’s and don’ts. The first thing to do is to educate the management. “For the management, there is just one server in the data centre, and it is secure. The task is to make them understand that what I am talking about is not hypothetical,” says Sharma. They have to realise that security is an ongoing process.
However, education must be comprehensible to the audience. “There is no point in me going and telling the management that we need an IDS ... they wouldn’t know what it is,” he says. The education would thus include explaining the process, the technology and all other related issues.
The IDBI Bank strategy

Processes
- Security policy intrinsic to HR policy
- User education and awareness through e-mail, newsletters and quizzes on the intranet
- Strict e-mail and Internet policy. Anyone who is allowed Internet access has to comply with additional regulations
- Encourage internal security certification
- Audits conducted by an external agency

Technology
- Multiple firewalls from different vendors
- Anti-virus
- IDS
- Ethical hackers as a line of defence against external threats
Guarding the Fort
Accordingly, all the necessary steps have been taken to ensure a secure working environment and glitch-free business processes. Some of the systems in place are tools to read or filter logs and generate alerts, IDS, and multiple firewalls from different vendors. For external threats, they have external consultants who are ethical hackers and monitor the site 24x7.
Security is a culture and hence an embedded process in the bank’s product development. It is important to understand the issues from all perspectives. For instance, Sharma has cleared the Certified Information Systems Auditor (CISA) exams and topped his batch with 87 percent. “It is easy to criticise the auditor. You need to understand the challenges that the person has to face. Since doing this certification involves going through all security frameworks, terms, importance of audits, why it is important to do so, etc., it gives you the knowledge to see things and understand them in a better way,” explains Sharma.
What is unique?
According to Sanjay Sharma, IDBI Bank’s security system is unique because they are always trying to innovate. He believes that security should never be static and hence a CIO must keep on reinventing things. This would also apply to equipment and infrastructure. “We do realise that security is not a static thing. Security is an embedded process in our product development, operational processes and an integral part of the organisation,” remarks Sharma. The other unique aspect is the internal certification process that officials are encouraged to participate in. Sharma himself is CISA-certified. He says that it allows him to understand the other side of the story. Security is a culture rather than a word at IDBI. But Sharma feels that nothing is perfect and there can never be 100 percent safety.
A clear road map
Having a policy is one thing and implementing it is another. IDBI Bank realised that the policy would need to meet two essential criteria. One, it had to be dynamic in nature, which means that every time there is a change it has to be incorporated and regular audits conducted. Second, the security policy has to be pervasive.
The ISSC group certifies people for security checks, and then their work is to incorporate the processes related to the security policy into the HR policy and make employees aware of the issues and threats. “I think any policy-related issue should have a top-down approach if it is to be successful,” opines Sharma.
He believes that when it comes to enforcement, it is the approach that matters. According to him, users at lower levels need strict enforcement compared to those higher up.
Apart from the usual e-mail, newsletter and intranet campaigns, enforcement also includes employees signing and accepting the company’s policy. This is included in the bank’s HR policy. Other than this, they have periodic checks to monitor employees’ Internet usage. Sharma feels that compliance can happen only with constant monitoring.
shivani@expresscomputeronline.com