Backup & Archival Scenario in Indian Public Sector Domain
Executive Summary

Indian PSU banks have undergone a transformation over the past decade. The discrete data in the banks have been transformed into a centralised repository through the process of Core Banking Solutions. This has been complemented by the integration of multiple delivery channels like NEFT, RTGS, SWIFT, Internet banking, SMS banking, etc. The entire banking environment has shifted to a complete electronic medium, both for customer transactions and internal transactions, including reporting to the management and officials.

The electronic data can be accessed by clients and internal consumers of the bank from within and outside its infrastructure. This has required that regulators and organisations deliberate on protecting the data both in static and dynamic form. The electronic data has been mandated to comply with the privacy and data protection laws levied by the regulatory authority. PSU banks have adopted specific means to comply with the requirements. There is a need to safeguard data from loss in the form of electronic theft, and due to tampering or human error, and also data storing, as well as making the right data available to the regulator. All banks have adopted basic means to mitigate the data theft risk by taking backups regularly. The frequency of such backups is driven and adjudged by system integrators owning the responsibility of running the IT infrastructure, including the services.

Ernst & Young conducted a survey across a set of PSU banks to assess the prevalent backup and archival processes and the efforts of banks to develop and adopt new technology trends to meet the ever-changing regulatory and compliance requirement of data availability and sensitivity. E&Y has interviewed clients at multiple levels within the client organisation, comprising the operational and strategic decision makers.

The interview is categorised under the following sections: Meeting the business requirement, Data retention, Regulatory requirements for data protection, Balance between ‘Investment’ & ‘Value’, and Lifecycle management of data. Each section had specific questions marked with specific weightage to identify the status of compliance, to provide a holistic perspective on the overall maturity in terms of compliance, risk mitigation, and business classification of data.

A glimpse of the response averaged across participating banks is detailed in the later section of the article. Refer to Table 1 for the detailed average percentage perfection level. The Perfection % is a measure on a scale from zero to hundred.

Table 1: Average percentage of perfection by section of questionnaire

Sl. No.  Section of Questionnaire                       Average % of Perfection
1        Retention of Electronic Record                 43.3%
2        Regulatory Requirement for Data Protection     77.1%
3        Balance between ‘Investment’ & ‘Value’         37.5%
4        Life Cycle Management of the Data              50.7%

Survey method and key findings

1. Retention of Electronic Record

The retention policy for documents considered in this environment covers mainly records of accounting and tax, of customers, of the regulator, internal records (employee and employment etc.), and legal and historical records.

E&Y devised 10 questions relating to the section to arrive at the sample. The questions were posed mainly on data classification, accountability, retention and access to historical data, data transition or exchange between locations within and outside the organisation, and accountability for managing the data. There are standard guidelines provided by the Reserve Bank of India (RBI) and the Central Vigilance Commission (CVC) for protection and retention of electronic data. The RBI has indicated a ‘compliance audit’ for all transaction data in its issuance of ‘Information systems audit policy for the banking and financial sector’.

Figure 1 shows the perfection percentage of each sample bank against a sampling of the above points. The average perfection percentage for the banks is 43.3%, clearly identifying the lack of adoption of data retention methods through appropriate categorisation, auditing the risk weightage, and specific accountability of data, etc. IT initiatives of the banks have not included due diligence of risk classification of business and regulatory data, or the risk of losing such data.

Figure 1 shows the average compliance of all banks in the sample. The retention of data in terms of classification of data, risk evaluation for loss of data, a data mobilisation mechanism, and access to historical data shows that the current process of backup achieves 100% compliance on accessibility to historical data. However, the assessment model of data compromise and magnitude of loss has never been used by the participating banks.

The lean state of data classification as per business and regulatory needs also indicates a lack of risk analysis with respect to operations, reputation, legal, and regulatory exposure. Most banks have never undertaken any audit activity to authenticate the existing backup model and data. The risks are not analysed and measured for any loss of data.

[Figure 1: Retention of electronic records; Figure 2: Regulatory requirement of data protection. Both are bar charts of perfection percentage (0-100%) per survey parameter. Parameter labels recoverable from the two charts (some truncated in the source): steps against threat; compliance test for legal and regulatory requirement; data classification as per vulnerability; legacy data storage, access and compliance; availability of responsibility matrix within IT...; overall policy for data retention; assessment model for data compromise by auditor; maintenance of KYC information; regulatory/statutory/business data categorization; data movement methodology; model testing environment for probable...; frequency of historical data access; periodic submission of regulatory data; mitigate data correlation; backup policy and data storage; current setup mechanism: categorization wise...; compliance to KYC information rules (SPDI) 2011; essential data categorization.]

The above figure gives an overview of the status of retention of electronic records in PSU banks. It suggests the banks’ readiness of adoption in the present situation, and provides them with areas of adequate focus to ensure retention of electronic records.

The RBI & CVC guidelines on retention of electronic records: As guided by the RBI, electronic records can be preserved through encryption of log files, retention of log data, maintaining a proper information handling procedure, scheduling information backup, maintenance and reassessment of the retention plan, and review of audit trail information. The CVC has also categorised data based on business value, thereby indicating the retention period through multiple circulars at various stages.

Understanding: The current state of retention of electronic records in the surveyed banks is alarming in terms of regulatory compliance and exposure to business risks due to unavailability of such historical data. Banks need to adapt to sophisticated and smarter means of data retention, adoption of a proper strategy and measures, complemented by adherence to such strategy. A regular review of the same is essential to stay abreast of requirements. Conventional methods of tape-based backup are predominant in all the banks.

Business impact due to non-compliance of retention of electronic records: The failure to comply with retention of electronic records may result in disciplinary action and even prosecution, depending on the nature and severity of the violation or non-compliance, resulting in reputational loss for the organisation.

The average risk percentage for loss of data due to inadequate retention mechanism and non-compliance is 54.7%. Considering the average Assets (Advances) quantum across the surveyed PSU banks, the indicative commercial risk exposure is around Rs 44k crore.

2. Regulatory Requirement for Data Protection

The increasing exposure and risk to banking data calls for data classification in banks. Such classification at a broad level can be termed Business data and Regulatory data. Effective categorisation of data allows setting risk measures for it, based on its usage. The changes in the banking environment need to be weighed against the threats permissible in it. Such analysis of risk by performing a vulnerability assessment becomes critical to help adopt the right security measures and alternatives. The banking organisation needs to adapt to the fact that the cost of protection is significantly lower than the cost of loss. An aspiration to define required proactive measures will certainly minimise the cost of reactive measures.

The averaged-out percentage of all measurable parameters to determine the perfection percentage on the sample taken for ‘Regulatory Requirement for Data Protection’ is 77.1%. The measurement parameters for the banks were adequacy of maintenance of KYC norms defined by the SPDI rules 2011, their compliance of backup policies with the policies, regulations, and guidelines of regulators, frequency of data sharing with the regulator, checking backed-up data for possible gaps, and necessary compliance checking.

The following figure shows that the average regulatory compliance for electronic data is less than 70% for the sampled banks measured in individual parameters of the survey. This clearly identifies the discrete approach in compliance adoption of regulatory statutes, as adjudged by the regulator in the current PSU banking environment. Compliance to KYC information set forth in SPDI 2011, backup policy definition, and access to legacy data is 100%, whereas model testing for probable compromised records is less than 30%, and policy definition for data retention etc. is around 80%. This clearly suggests that, in the current practice of IT within banks, risk assessment of data is not authenticated and hence the policies and procedures adopted are unchecked and of theoretical value. Business risk exposure has never been audited to ascertain the contingency.

[Figure 2: Regulatory requirement of data protection; see the parameter labels listed with Figure 1 above.]

Although all banks confirmed 100% compliance to the regulatory and business requirement of the data, the activities that ensure organisational effort to check or audit such data (conducting a compliance test, model testing for a probable data loss scenario, and compliance to KYC norms for customer data) have not been done. This might expose banks to an unprepared-for situation, thereby resulting in significant commercial and business loss.

Understanding: Business impact of non-compliance to Regulatory Requirement of Data Protection: Non-compliance of regulatory data protection may expose banks to the risk of non-compliance to regulators’ requirement of empirical data, which can have a multi-dimensional impact on the organisation. For example, the possible indicative impact (see Figure 3) of non-fulfilment of KYC requirements may lead to fraud incidents through the following fraud-prone practices:

- Incorrect sanctioning of credit limit
- Unsecured channel for data transmission within and outside the organisation
- Money laundering
- Larceny of distinctiveness
- Multiple funding
- Non evidential / fraudulent documentation
- Overvaluation / non existence of mortgages and collaterals

[Figure 3: Potential percentage of business impacts mapped against fraud prone areas. Bar chart (0-90%) over the areas: incorrect sanctioning of credit limit; larceny of distinctiveness; non evidential / fraudulent documentation; money laundering; multiple funding; overvaluation / non existence of mortgages and collaterals.]

Model testing becomes essential to adopt steps against such indicative fraud-prone practices. This will help banks to justify proactive steps for data protection, thereby countering unforeseen causes of fraud. Predominantly, among PSU banks, the entire IT services and support is outsourced. Involvement of the third party attaches risks of data theft in the offsite movement of tapes for maintaining a secondary copy of data.

The Gartner Report G00153682 has estimated the risk exposure to data loss in the banking sector in the UK at a conservative USD 500 million.

Recommendations: Encryption of sensitive data at rest, or moving data in a compliant manner.

3. Balance between ‘Investment’ & ‘Value’

The clients were sampled on their investment plans, policy governance, and reasoning out yearly investment in backup and archival, including the extent to which they have strategised in their yearly budget for this to protect the business-critical and regulatory data. The margins of gap between the banks are remarkable, wherein one bank has defined measures in place to maintain data based on classification, but another bank has not.

The average Perfection Benchmark percentage across the sampled banks is 37.5% in assessing the ratio between their yearly ‘Investment & Value’ tagged for electronic data retention within the organisations. Such discrete readiness in terms of defining appropriate guidelines and processes is remarkably different between the organisations, as shown in Figure 4.

Figure 4 depicts the average preparedness of banks to adjudge the investment pattern on acquiring backup and archival solutions based on the value of the data. Until such sensitivity is built and appropriate value is tagged to the data, appropriate solutions to comply with the regulatory and business data requirements are not possible.

[Figure 4: Balance between ‘Investment’ and ‘Value’. Bar chart over: investment for protection of data; minimizing duplicity; classification for investment requirement; data / information reproducibility.]

Currently, banks do not have a mechanism to remove data duplicity from their backup environment. This has exposed them to non-optimised investment for data retention and archival, thereby increasing the time for completion of backup, phenomenally increasing restoration time by around 25%, adding complexity of management, additional cost, etc. Crystallisation of data by removing duplication is possible after doing adequate data classification both for business and regulatory data.

Business impact: The banking industry has never done a calculation or assessment for proactive readiness to invest in protection of necessary data against reactive damages incurred by losing such compliance data. The damages incurred for non-compliance to data loss prevention techniques are the following:

- Brand damage and loss of reputation
- Loss of competitive advantage
- Loss of customers
- Loss of market share
- Erosion of shareholder value
- Fines and civil penal charges
- Litigation and legal action
- Regulatory fines
- Significant cost and effort to notify the affected parties and recover from the breach

Recommendation: Define internal policies for data storage and retention, thereby leveraging archival for historical data with infrequent access and backing up of operational data.

4. Life Cycle Management of Data

The quantum of organisation data is growing every day at a phenomenal pace. This is why it has become necessary for organisations to mandate an efficient ‘Data lifecycle management’. In this section we try to understand the current process of data lifecycle practised by banks. The existing compliance of backup and archival policies by banks for the business and regulatory requirement of data includes adoption of a business continuity mechanism, ensuring the right backup processes for data availability, sanitisation effort for data duplication, and the success or failure ratio of backup. The growth of annual data and the banks’ initiative to comply with data protection need budgets for backup and archival.

Figure 5 suggests that banks have neither adopted a mechanism to maintain data uniqueness, nor are they formalising in their annual IT budgets improvements in their backup and archival environment.

[Figure 5: Lifecycle management of data. Bar chart of responses (0-100%) over: budget verification mechanism to comply to...; annual growth of data; success ratio and maintenance of unique data; in-house correction of backed up data; availability of backup environment; protection of moving data; what is the percentage of IT budget being spent on...; administrative criteria for the environment; annual investment for continuance of the existing...; procedure of current backup; business continuity for data; archival policy for offline data / customer data...]

Security initiatives: Indian banks have adopted a programme to establish security functions governed by international standards such as ISO 27001. This initiative includes regular vulnerability assessment and a proactive design threat control mechanism. The following bar diagram denotes % responses against security initiatives.

[Figure 6: Percentage responses against security initiatives taken. Bar chart (0-100%) over: designing of techniques such as threat modeling...; periodic review of regulations and circulars; granular reporting to top management; security solution architecture; both qualitative and quantitative risk metrics; constant review of the environment against new...; enterprise portal for governing security management; significant effort for compliance documentation; IT security organization guided by ISO 27001...; security strategy plan; continuous vigilance on evolving security issues.]

Business impact: Improper lifecycle management of transactional, regulatory, and personal sensitive information by banks may result in a catastrophic business impact in terms of incorrect dealings of information, articulated as follows:

- Failure of high priority transactions
- Erroneous transactions
- Forecasting of predictive payable and fund calculation as part of asset liability management

Conclusion

Practical tips to help optimise backup and archival strategy ensuring zero data loss: First, an appropriate data retrieval mechanism, and periodic checks on data quality and availability, should be in place. Also, proper data classification, a mechanism for complete information lifecycle management, avoiding data duplication in the backup environment, assessing the commercial impact of loss, and a vulnerability check of current methods.

Second, the average RPO and RTO of banks can improve significantly by adopting disk-based backup as against the current practice of using tapes.

Essentials to be done for appropriate safeguarding of data: Regarding data loss prevention, it is always better to protect the data proactively than to recover it after a breach.

1. Identify and classify data, followed by effective review of backup and recovery tools, strategy, and approach every 12 to 18 months.
2. Monitor regulatory guidance & applicable laws annually, including data privacy and protection laws and regulations targeting DC and DR, among others. Also, adopt appropriate information governance based on data classification, thereby archiving historical data and backing up operational data.
3. Adopt business and regulatory data de-duplication, thereby minimising risk, cost, and management of data.
4. Put in place an appropriate access and secured data transmission mechanism (to be evaluated once every 12 to 18 months).
5. Adapt to cost-effective and smarter means of data retention for management efficiency.
6. Minimise movement of tapes by replicating backup data over a WAN.
7. Introduce disk-based backup, against a tape-based environment.
8. Implement data lifecycle management.
9. Disallow unauthorised devices on the network.
10. Deny permission to copy sensitive data to removable media.
11. Improve authorisation and access control measures.
12. Understand usage, flows, and data loss vectors.
13. Periodically update policies and awareness creation.
14. Undertake internal and external audit of compliance.

As part of the understanding from the survey, a broad-level adoption of a proposed framework is defined in the figure below. This will help banks to understand the need for retention and management of current and future data. This framework will help establish a correlation between the ‘Value’ of data and the ‘Risk’ of unavailability of such data, and to adjudge the budget for such classified data.

[Figure: Framework for Business and Regulatory data Retention. Components of the cycle: Policy & Procedure; Data Classification (business & regulatory); Value, Cost and Risk; Retention strategy; Backup & archival; Audit of compliance to regulatory and business requirement. Accompanying notes: data classification to ascertain rightful ‘Value’, ‘Risk’ & ‘Cost’ of protection of such data; regulator compliance for data ‘Retention’ & backup; data life cycle management mechanism; regular audit of strategy, data authenticity and availability, management; setup & review of backup policy, tools, procedure and technology.]

EMC is an undisputed leader in the overall Purpose Built Backup Appliance (PBBA) market with 66.6%* revenue share.

IDC defines PBBA as a standalone disk-based solution that utilizes software, disk arrays, server engine(s), or nodes that are used as a target for backup data, specifically data coming from a backup application, or can be tightly integrated with the backup software to catalog, index, schedule, and perform data movement. Regardless of packaging (as an appliance or gateway), PBBAs can have multiple interfaces or protocols. Also, PBBAs often can provide and receive replication to or from remote sites and a secondary PBBA for the purpose of disaster recovery (DR).

*According to the International Data Corporation (IDC) Worldwide Quarterly Purpose-Built Backup Appliance Tracker for Q3, 2012

Acknowledgement:
- State of Data Security and Privacy in the Indian Banking Industry, SSCI – KPMG Survey 2011
- Data Loss Prevention by Ernst and Young
- Indian banking fraud survey – 2012 by Deloitte
- Information systems security guidelines for the Banking and Financial Sector by Reserve Bank of India (http://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/26988.pdf)
- Gartner Report G00153682

ADVERTORIAL. Based on a report prepared by Ernst & Young. CFOCONNECT, February 2013, pp. 32-35.