IT Governance Series
Information Security Governance for the Indian Banking Sector
IDRBT Sub-Group on Information Security Governance
Institute for Development and Research in Banking Technology (Established by Reserve Bank of India)
Hyderabad - 57. www.idrbt.ac.in
Mentors
• Shri B. Sambamurthy, Director, IDRBT
• Shri S. Ganesh Kumar, CGM, IDRBT

Members
• Shri S Mukhopadhyay, GM & CISO, State Bank of India
• Shri Sameer Ratolikar, CISO, Bank of India
• Shri P S Rashtrawar, CISO, Bank of Baroda
• Shri K S S Muralikrishna, Senior Manager, Information Security, Andhra Bank
• Shri Sunil Dhaka, CISO, ICICI Bank
• Shri Vishal Salvi, CISO, HDFC Bank
• Shri Niraj Kapasi, IS Auditor and International Vice President, ISACA
• Shri M. V. Sivakumaran, Faculty, IDRBT and Convener

Acknowledgements
The sub-group wishes to acknowledge the contribution made by:
• Shri M. Pradeep Kumar, Chief Manager and CISO, Corporation Bank
• Shri Pravin Sharma, AGM, IT Security, Union Bank of India
• Shri Vivek Gupta, AGM, Information Security, Allahabad Bank
• Shri Alevoor Acharr, IS Auditor and Consultant
• Dr. V. Radha, Faculty, IDRBT
Shri Sanjay Sharma, Adviser, IDBI Bank, scanned the final draft and his valuable contribution is duly acknowledged.
IT Governance Series : Information Security Governance for the Indian Banking Sector, Version 1.0, November 2011.
An IDRBT Publication. All Rights Reserved. For restricted circulation in the Indian Banking Industry.
Information Security Governance for the Indian Banking Sector

Foreword

I am very glad that IDRBT is releasing a Handbook on Information Security Governance for the Indian Banking Sector.

The subject is topical for the contemporary Indian banking sector as banks have made impressive advances in terms of computerization. This brings with it a different working environment as compared to that of manual banking. On one hand, it has brought new levels of efficiencies in the areas of transacting business, record keeping and housekeeping and on the other hand, it has increased the vulnerability of the systems.

As banks are reaching out to customers through various new channels such as internet banking and mobile banking, there is an urgent need for banks to put in place a proper mechanism to protect themselves and their customers. Therefore, there is an imperative need for an appropriate organisational structure. Moreover, from the legal perspective, there is also a need to protect the personal data of customers.

IDRBT has dealt with this subject that is very relevant today as it is related to safeguarding the most significant asset of the banks - financial data.

In this context, the Handbook on Information Security Governance has relevance to the Indian Banking Sector. This handbook has suggested a model governance structure for banks and practical guidelines for its implementation.

I am sure this will help in sensitizing banks and serve as a practical handbook for implementing Information Security Governance.

I congratulate all the members of the Group who have prepared this handbook.

Anand Sinha
Deputy Governor, Reserve Bank of India
Mumbai
November 04, 2011
Message from IBA

There has been massive use of Information and Communications Technology (ICT) in the banking sector in India. Delivery channels have immensely increased the choices offered to the customer to conduct transactions with ease and convenience. Various wholesale and retail payment and settlement systems have enabled faster means of moving money to settle funds among banks and customers. Banks have been taking up new initiatives for financial inclusion, customer relationship management, etc., to widen the reach of banking.

The dependence on technology is such that the banking business cannot be thought of in isolation without technology. The dependence on technology has led to various challenges and issues like frequent changes or obsolescence, multiplicity and complexity of systems, different types of controls for different types of technologies/systems, proper alignment with business objectives and legal/regulatory requirements, dependence on vendors due to outsourcing of IT services, vendor related concentration risk, segregation of duties, external threats leading to cyber frauds/crime, higher impact due to intentional or unintentional acts of internal employees, new social engineering techniques employed to acquire confidential credentials, the need for governance processes to adequately manage technology and information security, the need for appreciation of cyber laws and their impact, and the need to ensure continuity of business processes in the event of major exigencies.

Technology risks not only have a direct impact on a bank as operational risks but can also exacerbate other risks like credit risks and market risks. Given the increasing reliance of customers on electronic delivery channels, any security related issues have the potential to undermine public confidence in the use of e-banking and may lead to reputation risks. Compliance risk is also an outcome in the event of non-adherence to any regulatory or legal requirements arising out of the use of ICT. These issues ultimately have the potential to impact the safety and soundness of a banking system and in extreme cases may lead to systemic crisis.

Corporate Governance constitutes the accountability framework of a bank. Information Technology (IT) Governance is an integral part of it. It involves leadership support, organizational structure and processes to ensure that a bank's IT sustains and extends business strategies and objectives. Effective IT Governance is the responsibility of the Board of Directors and Executive Management.

I thank and congratulate the Members of the Working Group on Information Security Governance for the Indian Banking Sector and the Institute for Development and Research in Banking Technology (IDRBT) for doing an excellent job in the preparation and timely release of this report.

K. Ramakrishnan
Chief Executive, Indian Banks' Association
Preface

Information is a key strategic and operating asset for many enterprises and more particularly for the financial services industry. Its reliability, accuracy and availability are critical to achieve business goals. From a customer perspective, privacy and confidentiality need to be protected. Compliance with the IT Act requires demonstration of reasonable security by banks. With ever increasing use of electronic channels by customers, information security is becoming complex. The occurrence of a security breach is not a question of if, but when. We need an appropriate information governance structure to achieve those objectives.

IS Governance is still in its infancy both in understanding and practice. It is in this context that IDRBT has attempted to come out with a reference framework. This edition deals with establishing organizational structure, roles and responsibilities of both IT and business divisions.

The threat landscape is fast changing. In terms of threats it is a moving target and in terms of response management, it is work in progress most of the time.

It is useful to begin by promoting a culture that recognizes the value of information as an enterprise asset. Top management needs to set the tone and security posture by establishing security vision and strategy.

There are several elements of IT infrastructure like servers, applications, network, database, end point security, delivery channels. Each by itself is a specialized function. Security functions, activities and policies need to be aggregated through an appropriate security organizational structure. While strategy and policy formulation are best dealt with in a centralized model, functions and activities are best achieved in a federated model.

Security cannot be seen as an exclusive IT function or from an operational risk perspective. Information security transcends the IT division's boundaries and particularly functions like compliance, access rights/services, data privacy, protection and trust revolve around business. IT-Business alignment would foster a shared security vision and strategy. Information security can converge with physical security as well.

While everyone is responsible for security, it is the CISO who continuously assesses and enforces compliance.

IDRBT recognizes that there is no unique security organizational structure. The proposed structure is only a reference point. Banks may adopt and adapt the structure and roles as dictated by the scale and complexity of business.

I thank the members of the group for their contribution in developing this framework.

B. Sambamurthy
Director, IDRBT
Introduction

Information Security Governance

The Financial Sector is getting increasingly interconnected and complex. Acquisition, processing and use of vast amounts of customer data apart from banks' own business information has brought to light the vulnerabilities in information systems that can lead to compromise of confidentiality, integrity and availability of information. This brings into focus the need for effective Information Security Governance in banks to protect themselves and their customers adequately and appropriately.

The Guidelines from the RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds have also reiterated the urgency for putting in place a robust information security framework in banks. This document is a contribution in that direction.

IDRBT has formed the CISO Forum which provides a platform for Information Security professionals in banks to share their concerns and arrive at actionable programmes. A sub-group of the CISO Forum has been constituted to outline the contours of Information Security Governance for the Indian Banking Sector. This sub-group has developed this document to provide a framework for Information Security Governance that banks can adopt with necessary modifications to suit their specific needs depending on their size and scale of operations.

Definition

“Information security governance is a subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risks appropriately, uses organisational resources responsibly, and monitors the success or failure of the enterprise security programme” - ISACA.

Essentials for IS Governance

Effective Information Security Governance in Banks calls for a variety of efforts and initiatives across the entire spectrum of the Organizational Structure. Notable among them are:
• Board level direction and active involvement in Information Security
• Top Management support for prompt resolution of Information Security Issues
• Integration between Business and Information Security
• Alignment of Information Security mechanisms with Organizational Goals and Objectives
• Information Security planning and assessment of new technologies before deployment
• Ownership and accountability, at all levels – controlling offices as well as field operations – for planning, implementing, monitoring, reporting on and improving Information Security
Critical Success Factors

The Critical Success Factors which would facilitate the attainment of satisfactory levels of Information Security Assurance within the bank are:
• Appropriate placement of Information Security within the Organizational Structure
• Consistent message and conviction from the Board and the Top Management vis-a-vis Information Security policy perspectives
• Adequate and appropriate employee education and awareness on information asset protection
• Continuous and consistent enforcement of information security policies and standards
• Ability and willingness to justify the cost of Information Security initiatives
• Constantly raising the bar with regard to Best Practices and Metrics being adopted in ensuring and improving Information Security

Managerial Focus

This document focusses on the managerial aspects of Information Security and not on the technical side. To be precise, this is an effort to provide an effective Information Security Governance Structure for the Indian Banking Sector. This document would also facilitate compliance with Information Security Management Systems (ISMS) - ISO/IEC 27001, especially the Control Objectives relating to Internal Organization, as given below:

Internal Organization

Objective: To manage information security within the organization.

Control: Management commitment to information security
Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.

Control: Information security coordination
Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions. [Overall coordination shall be with the Information Security Group (ISG) headed by the CISO. At the organization level the responsibility is with the CISO.]

Control: Allocation of information security responsibilities
All information security responsibilities shall be clearly defined.
Information Security: Core Principles

• There must be a robust governance framework in place to ensure top management involvement and oversight in Information Security on a regular basis.
• The Bank must have a comprehensive information security policy covering all aspects of security domains.
• Information security must be a dynamic and ongoing process aimed at continuous improvement.
• The principle of Defence in Depth may be adopted to protect critical assets by providing them with layered security.
• Information security must focus on business and provide value and quality to its stakeholders.
• Information security risks and costs are the joint responsibility of Business and IT.
• Information security should be part of everyone's responsibility and hence is to be embedded in staff roles and job descriptions.
• The Information security function must have a dedicated, skilled, experienced and adequately staffed team.
• All IT and Business Changes, including new initiatives, must be subjected to a thorough and robust risk management process with a clear focus on protecting classified information and critical business applications.
• Information security must be part of the design architecture of any product and service.
• Information security risk management must be based on Business Impact Assessment, evaluate current and future threats and develop a long term roadmap for effective protection of all information assets.
• The Information Security Programme must encompass the Business Continuity Management and Disaster Recovery Plans of the Bank.
• The Information security team must act in a professional and ethical manner to foster a positive security culture within the Bank.
• The Information Security Committee must have effective oversight to review and monitor the Information Security Programme of the Bank.
• The Information security function must provide timely and accurate metrics on performance with regard to Information Security.
• Information security governance must comply with relevant legal and regulatory requirements.
• Policies and controls must account for business context.
• Information Security is not merely a practice within business units; it is an integral part of business and as such a corporate level function.
Strategies for Implementation

• The Information Security Committee at the top management level should be responsible for overall governance of the Information Security Programme of the Bank and will report to the Board.
• A Working Group on Information Security should be set up in the Bank, which shall have representatives from business, operations, audit, IT, vigilance, physical security / admin etc. This Working Group should meet on a regular basis to discuss implementation issues pertaining to information security.
• The Information Security policies shall be approved by the Board and cover the three important aspects of information viz. People, Process and Technology.
• Information Security Risk Management shall cover risk identification, assessment, remediation and acceptance of residual risk.
• Education and Awareness efforts shall be continued on a regular basis to keep the rank and file abreast of their roles and responsibilities vis-à-vis the expectations from the Information Security Policy.
• Information Security should be a regular component in training programmes offered within the Bank. This may be supplemented by online education in the form of snippets, write-ups for paced learning, tests and quizzes.
• Customer Education on Information Security, especially in Electronic Banking and delivery channels, must be accorded due prominence. Regular, multi-pronged efforts must be made to inculcate best practices and common minimum standards among customers to provide security to their electronic transactions. Appropriate tools and channels may be utilized for this purpose.
• Security Implications of the Business Continuity and Disaster Recovery Policies must be approved and periodically reviewed by the Board.
• The Information Security function must be adequately staffed, trained, equipped and motivated to maintain the Bank's Security Posture at expected levels.
• Banks' information systems shall be regularly subjected to information security testing commensurate with their exposure (criticality and threats) level.
• For effective implementation of information security policies at the grassroots level, each department or functional division should identify an official who would be responsible for driving the information security agenda for that respective unit.
• The information security programme should have comprehensive and detailed metrics which will be presented to the Information Security Committee.
• The information security programme (design, implementation and execution) should be reviewed and tested by the Bank's IT audit. The IT audit strategy should be aligned with the information security strategy for the areas of implementation and execution.
• The information security enforcement strategy should be comprehensive and should cover the complete lifecycle of Data, Applications, Technology, Infrastructure, People, Products and Services.
• The Information security programme shall be tested on an ongoing basis for compliance with applicable regulations.
• The Information security programme shall be benchmarked against industry level and global best practices.
• Banks should not only have a security strategy but also the ability to execute the strategy and the ability to measure its execution.
Organization Chart for IS Governance

Reporting chain, top to bottom:
Board
  CMD
    ED
      Information Security Committee
        Head - Integrated Risk Management (HIRM)
          Chief Information Security Officer (CISO)
            Information Security Risk Management (ISRM)
            Information Security Awareness Management (ISAM)
            Security Operations Center and Incident Management (SOCIM)

Note: Depending upon the size and scale of the Bank, the roles under the CISO may be clubbed or handled separately. Wherever needed, ISRM and ISAM may be clubbed together.

Position / Designation                                        Rank
HIRM (Head - Integrated Risk Management)                      CGM / GM / DGM
CISO (Chief Information Security Officer)                     GM / DGM / AGM
ISRM (Information Security Risk Management)                   DGM / AGM / CM
ISAM (Information Security Awareness Management)              DGM / AGM / CM
SOCIM (Security Operations Centre and Incident Management)    DGM / AGM / CM
Information Security Committee

The role of the Information Security Committee is to devise strategies and policies for the protection of all assets of the bank (including information, applications, infrastructure and people). The committee will also provide guidance and direction on the Security Implications of the business continuity and disaster recovery plans.

Frequency of Meetings: Quarterly
Chaired by: Executive Director
Members:
• Head – Integrated Risk Management – Convener
• Chief Information Officer
• Head - Audit
• Head - Compliance
• Head - Human Resource
• Head - Business Operations
• Head - Administration
• Head - IT Assurance
• Chief Information Security Officer
• Head - Physical Security

Responsibilities:
• Develop and facilitate implementation of information security policies, standards and procedures to ensure that all identified risks are managed within the bank's risk appetite.
• Create an information security and risk management structure covering the entire bank, with clearly defined roles and responsibilities.
• Create and follow a risk assessment process that is consistent across the bank to identify and evaluate key risks and approve control measures and mitigation strategies.
• Regularly monitor the information security and risk management processes and corrective actions to ensure compliance with regulatory requirements.
• Ensure that the Information Security Team is appropriately skilled and adequately staffed.
• Regularly present reports to the Board and invite feedback on the information security management processes.

Head – Integrated Risk Management (HIRM)

The Head of Integrated Risk Management will be a senior level official of the rank of CGM/GM/DGM. The HIRM is responsible for all Risk Management functions in the Bank, like Credit Risk, Market Risk, and Operational Risk. Information Security will be one of the most critical components of Operational Risk that has to be looked after by the HIRM. He is the senior-most executive in the Information Security function in the bank and provides the required leadership and support for this across the bank, with the full backing and commitment from the Board.

Responsibilities (in the Information Security Governance domain):
• Information Security Governance
• Information Security Policy and Strategy
• Information Security Risk Assessment, Management and Monitoring
• Security Aspects and Implications of Business Continuity Planning in the Bank
• Allocation of adequate resources for Information Security Management
The Chief Information Security Officer (CISO)*

Depending upon the size of the bank and its scale of operations, a sufficiently senior level official of the rank of GM/DGM/AGM needs to be designated as the Chief Information Security Officer (CISO), responsible for articulating and enforcing the policies that a bank uses to protect its information assets, apart from coordinating information security related issues and implementation within the organization as well as with relevant external agencies.

The CISO needs to report directly to the Head of Integrated Risk Management (HIRM) function and should not have a direct reporting relationship with the CIO. The CISO's role spans both strategic and operational dimensions; the CISO is responsible for all the administrative tasks and controls related to Information Security and reports to the Owner of this function, the HIRM.

Responsibilities:
• Information Security Policy and Strategy – Inputs and Enhancements
• Establish security guidelines and measures to protect data and systems
• Information Security Risk, Threat, Vulnerability Assessment, Review, Management, Monitoring and Reporting – on a continuous basis
• Monitoring Key Goal Indicators and Key Performance Indicators of the Information Security Programme
• Establish and disseminate enforceable rules
• Business Continuity and Disaster Recovery Planning – Security Inputs and Enhancements
• Oversee Information Security Awareness training
• Security Operations Centre and Incident Management
• Business Case for Information Security Investments and Expenditure
• Maintaining the Security Posture and Profile of the Bank at expected levels
• Active collaboration and communication with business and operating units
• Gathering internal and external security intelligence
• Set up Security organisation structure with well designed roles and responsibilities
• Compliance with regulatory requirements on Information Security
• Facilitating investigations in IT frauds and mitigation measures

The CISO's role description given here supersedes our earlier version given in the earlier IT Governance Series volume (see footnote *) on page 12.

* IT Governance Series: Organizational Structure for IT in the Indian Banking Sector, Vol 1, May 2010.
Information Security Risk Manager (ISRM)

The ISRM owns the Risk Management Life Cycle as far as Information Security is concerned. He assists the CISO by discharging the following.

Responsibilities:
• Information Security Risk Assessment
• Information Security Risk Analysis and Evaluation
• Information Security Risk Mitigation
• Identification and assignment of controls
• Information Security Risk Management
• Compliance with Information Security Risk Management Guidelines – External and Internal
• Monitoring Information Security Policy Implementation

Information Security Awareness Manager (ISAM)

The ISAM is responsible for enhancing the Information Security Awareness levels and for striving to create a conducive environment and compliance culture across the bank. He is expected to keep himself abreast of the latest developments in the field of Information Security Standards and Best Practices so that proactive steps can be taken for adopting them, wherever possible and applicable in the bank, at the earliest. He is a friend, philosopher and guide to the entire bank, as far as education and awareness-building in Information Security is concerned.

Responsibilities:
• Information Security Policy – Inputs and Enhancements
• Measurement and Monitoring of Effectiveness of Information Security Policy implementation
• Education, Awareness and Promotion of Information Security initiatives across the bank
• Intensive Training of various types and for different levels on Information Security
• Promoting customer education and awareness on Information Security through appropriate channels, tools and interventions
• Proactive dissemination of Information Security Policy initiatives, mechanisms and best practices – a Resource Base of online tutorials, demos, quizzes and FAQs on the Intranet for easy access within the bank
Security Operations Centre and Incident Management (SOCIM)

The SOCIM executive is responsible for effective oversight of the Security Operations Centre and Incident Management capabilities for the bank as a whole. The Security Posture and Status of the bank is demonstrated by this functionary.

Responsibilities:
• Owner of the Bank-wide Security Operations Centre (SOC)
• Owner of Incident Management at the bank level
• Responsible for creating, training and upgrading Incident Response Teams across the bank at various levels
• Continuous surveillance of the IT Infrastructure of the bank to guard against Information Security breaches and incidents: IT and non-IT
• Responsible for monitoring and reviewing security logs of applications, operating systems, databases, networks, etc.
• Demonstrating the much-needed robustness and improvement in the information security compliance environment and preparedness to meet eventualities
• Keeping abreast of the fast paced changes in technology and business process to make the SOC live up to the growing demands from within and outside
• Regular Penetration Testing, Vulnerability Assessment and liaison with local CERT
• Responsible for collection, aggregation, correlation, analysis and synthesis of information related to security incidents to learn effective lessons and to incorporate changes in policies and procedures accordingly on a continuous basis

References
• Organizational Structure for IT in the Indian Banking Sector, IT Governance Series, IDRBT, May 2010.
• Report and Recommendations of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, RBI, January 2011.
• IS Governance: Guidance to Boards of Directors, ISACA, www.isaca.org
• Critical Elements of Information Security Program Success, ISACA, www.isaca.org
Mission of IDRBT
• To envision and foresee technology requirements of the Indian Banking and Financial Sector and Research & Develop the required technologies
• To incubate and develop state-of-the-art banking technology products and services to facilitate better and easy banking
• To understand the emerging global technology trends, their implications, and guide the Indian Banking and Financial Sector accordingly
• To provide Training, Advisory and Consultancy Services on Technology, Technology Infrastructure, and Technology Management matters for Banking and Financial Sector
• To play a catalytic role in development of Banking Technology as a recognized discipline of study
• To create a pool of Banking Technology professionals through innovative and quality educational initiatives
• To participate directly and indirectly in development of standards and best practices

Castle Hills, Road No. 1, Masab Tank, Hyderabad - 500 057. INDIA. Ph: + 91-40-23534981-85, Fax: +91-40-23535157. http://www.idrbt.ac.in, e-mail: [email protected]