IT Governance Series
Sub-Group on Information Security Governance

Institute for Development and Research in Banking Technology
(Established by Reserve Bank of India)
Hyderabad - 57. www.idrbt.ac.in
IDRBT Sub-Group on Information Security Governance

Mentors
- Shri B. Sambamurthy, Director, IDRBT
- Shri S. Ganesh Kumar, CGM, IDRBT

Members
- Shri S Mukhopadhyay, GM & CISO, State Bank of India
- Shri Sameer Ratolikar, CISO, Bank of India
- Shri P S Rashtrawar, CISO, Bank of Baroda
- Shri K S S Muralikrishna, Senior Manager, Information Security, Andhra Bank
- Shri Sunil Dhaka, CISO, ICICI Bank
- Shri Vishal Salvi, CISO, HDFC Bank
- Shri Niraj Kapasi, IS Auditor and International Vice President, ISACA
- Shri M. V. Sivakumaran, Faculty, IDRBT and Convener

Acknowledgements
The sub-group wishes to acknowledge the contribution made by:
- Shri M. Pradeep Kumar, Chief Manager and CISO, Corporation Bank
- Shri Pravin Sharma, AGM, IT Security, Union Bank of India
- Shri Vivek Gupta, AGM, Information Security, Allahabad Bank
- Shri Alevoor Acharr, IS Auditor and Consultant
- Dr. V. Radha, Faculty, IDRBT

Shri Sanjay Sharma, Adviser, IDBI Bank, scanned the final draft; his valuable contribution is duly acknowledged.

IT Governance Series: Information Security Governance, Version 1.0, November 2011. An IDRBT Publication. All Rights Reserved. For restricted circulation in the Indian Banking Industry.
Foreword

I am very glad that IDRBT is releasing a Handbook on Information Security Governance for the Indian Banking Sector. The subject is topical for the contemporary Indian banking sector as banks have made impressive advances in terms of computerization. This brings with it a different working environment as compared to that of manual banking. On one hand, it has brought new levels of efficiency in the areas of transacting business, record keeping and housekeeping; on the other hand, it has increased the vulnerability of the systems.

As banks are reaching out to customers through various new channels such as internet banking and mobile banking, there is an urgent need for banks to put in place a proper mechanism to protect themselves and their customers. Therefore, there is an imperative need for an appropriate organisational structure. Moreover, from the legal perspective, there is also a need to protect the personal data of customers.

IDRBT has dealt with this subject that is very relevant today as it is related to safeguarding the most significant asset of the banks - financial data. In this context, the Handbook on Information Security Governance has relevance to the Indian Banking Sector. This handbook has suggested a model governance structure for banks and practical guidelines for its implementation. I am sure this will help in sensitizing banks and serve as a practical handbook for implementing Information Security Governance.

I congratulate all the members of the Group who have prepared this handbook.

Mumbai
November 04, 2011

Anand Sinha
Deputy Governor, Reserve Bank of India
Message from IBA

There has been massive use of Information and Communications Technology (ICT) in the banking sector in India. Delivery channels have immensely increased the choices offered to the customer to conduct transactions with ease and convenience. Various wholesale and retail payment and settlement systems have enabled faster means of moving the money to settle funds among banks and customers. Banks have been taking up new initiatives for financial inclusion, customer relationship management, etc., to widen the reach of banking. The dependence on technology is such that the banking business cannot be thought of in isolation without technology.

The dependence on technology has led to various challenges and issues like frequent changes or obsolescence, multiplicity and complexity of systems, different types of controls for different types of technologies/systems, proper alignment with business objectives and legal/regulatory requirements, dependence on vendors due to outsourcing of IT services, vendor related concentration risk, segregation of duties, external threats leading to cyber frauds/crime, higher impact due to intentional or unintentional acts of internal employees, new social engineering techniques employed to acquire confidential credentials, need for governance processes to adequately manage technology and information security, need for appreciation of cyber laws and their impact, and the need to ensure continuity of business processes in the event of major exigencies.

Technology risks not only have a direct impact on a bank as operational risks but can also exacerbate other risks like credit risks and market risks. Given the increasing reliance of customers on electronic delivery channels, any security related issues have the potential to undermine public confidence in the use of e-banking and may lead to reputation risks. Compliance risk is also an outcome in the event of non-adherence to any regulatory or legal requirements arising out of the use of ICT. These issues ultimately have the potential to impact the safety and soundness of a banking system and in extreme cases may lead to systemic crisis.

Corporate Governance constitutes the accountability framework of a bank. Information Technology (IT) Governance is an integral part of it. It involves leadership support, organizational structure and processes to ensure that a bank's IT sustains and extends business strategies and objectives. Effective IT Governance is the responsibility of the Board of Directors and Executive Management.

I thank and congratulate the Members of the Working Group on Information Security Governance for the Indian Banking Sector and the Institute for Development and Research in Banking Technology (IDRBT) for doing an excellent job in preparing and timely release of this report.

K. Ramakrishnan
Chief Executive, Indian Banks' Association
Preface

Information is a key strategic and operating asset for many enterprises and more particularly for the financial services industry. Its reliability, accuracy and availability are critical to achieve business goals. From a customer perspective, privacy and confidentiality need to be protected. Compliance with the IT Act requires demonstration of reasonable security by banks. With ever increasing use of electronic channels by customers, information security is becoming complex. The occurrence of a security breach is not a question of if, but when. We need an appropriate information governance structure to achieve those objectives.

IS Governance is still in its infancy both in understanding and practice. It is in this context that IDRBT has attempted to come out with a reference framework. This edition deals with establishing the organizational structure, roles and responsibilities of both IT and business divisions.

The threat landscape is fast changing. In terms of threats it is a moving target and in terms of response management, it is work in progress most of the time. It is useful to begin by promoting a culture that recognizes the value of information as an enterprise asset. Top management needs to set the tone and security posture by establishing security vision and strategy.

There are several elements of IT infrastructure like servers, applications, network, database, end point security, delivery channels. Each by itself is a specialized function. Security functions, activities and policies need to be aggregated through an appropriate security organizational structure. While strategy and policy formulations are best dealt with in a centralized model, functions and activities are best achieved in a federated model.

Security cannot be seen as an exclusive IT function or from an operational risk perspective alone. Information security transcends the IT division's boundaries, and particularly functions like compliance, access rights/services, data privacy, protection and trust revolve around business. IT-Business alignment would foster a shared security vision and strategy. Information security can converge with physical security as well. While everyone is responsible for security, it is the CISO who continuously assesses and enforces compliance.

IDRBT recognizes that there is no unique security organizational structure. The proposed structure is only a reference point. Banks may adopt and adapt the structure and roles as dictated by the scale and complexity of business.

I thank the members of the group for their contribution in developing this framework.

B. Sambamurthy
Director, IDRBT
Information Security Governance

Introduction

The Financial Sector is getting increasingly interconnected and complex. Acquisition, processing and use of vast amounts of customer data, apart from banks' own business information, has brought to light the vulnerabilities in information systems that can lead to compromise of confidentiality, integrity and availability of information. This brings into focus the need for effective Information Security Governance in banks to protect themselves and their customers adequately and appropriately. The Guidelines from the RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds have also reiterated the urgency for putting in place a robust information security framework in banks. This document is a contribution in that direction.

IDRBT has formed the CISO Forum, which provides a platform for Information Security professionals in banks to share their concerns and arrive at actionable programmes. A sub-group of the CISO Forum has been constituted to outline the contours of Information Security Governance for the Indian Banking Sector. This sub-group has developed this document to provide a framework for Information Security Governance that banks can adopt with necessary modifications to suit their specific needs depending on their size and scale of operations.

Definition

Information security governance is a subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risks appropriately, uses organisational resources responsibly, and monitors the success or failure of the enterprise security programme. - ISACA

Essentials for IS Governance

Effective Information Security Governance in Banks calls for a variety of efforts and initiatives across the entire spectrum of the Organizational Structure. Notable among them are:
- Board level direction and active involvement in Information Security
- Top Management support for prompt resolution of Information Security issues
- Integration between Business and Information Security
- Alignment of Information Security mechanisms with Organizational Goals and Objectives
- Information Security planning and assessment of new technologies before deployment
- Ownership and accountability at all levels (controlling offices as well as field operations) for planning, implementing, monitoring, reporting on and improving Information Security
Critical Success Factors

The Critical Success Factors which would facilitate the attainment of satisfactory levels of Information Security Assurance within the bank are:
- Appropriate placement of Information Security within the Organizational Structure
- Consistent message and conviction from the Board and the Top Management vis-a-vis Information Security policy perspectives
- Adequate and appropriate employee education and awareness on information asset protection
- Continuous and consistent enforcement of information security policies and standards
- Ability and willingness to justify the cost of Information Security initiatives
- Constantly raising the bar with regard to Best Practices and Metrics being adopted in ensuring and improving Information Security

Managerial Focus

This document focuses on the managerial aspects of Information Security and not on the technical side. To be precise, this is an effort to provide an effective Information Security Governance Structure. This document would also facilitate compliance with Information Security Management Systems (ISMS) - ISO/IEC 27001, especially the Control Objectives relating to Internal Organization, as given below:

Internal Organization
Objective: To manage information security within the organization.

Management commitment to information security
Control: Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.

Information security coordination
Control: Information security activities shall be coordinated by representatives from different parts of the organization with relevant roles and job functions. [Overall coordination shall be with the Information Security Group (ISG) headed by the CISO. At the organization level the responsibility is with the CISO.]

Allocation of information security responsibilities
Control: All information security responsibilities shall be clearly defined.
Information Security: Core Principles

- There must be a robust governance framework in place to ensure top management involvement and oversight in Information Security on a regular basis.
- The Bank must have a comprehensive information security policy covering all aspects of security domains.
- Information security must be a dynamic and ongoing process aimed at continuous improvement.
- The principle of Defence in Depth may be adopted to protect critical assets by providing them with layered security.
- Information security must focus on business and provide value and quality to its stakeholders.
- Information security risks and costs are the joint responsibility of Business and IT.
- Information security should be part of everyone's responsibility and hence must be embedded in staff roles and job descriptions.
- The Information security function must have a dedicated, skilled, experienced and adequately staffed team.
- All IT and Business changes, including new initiatives, must be subjected to a thorough and robust risk management process with a clear focus on protecting classified information and critical business applications.
- Information security must be part of the design architecture of any product and service.
- Information security risk management must be based on Business Impact Assessment, evaluate current and future threats, and develop a long term roadmap for effective protection of all information assets.
- The Information Security Programme must encompass the Business Continuity Management and Disaster Recovery Plans of the Bank.
- The Information security team must act in a professional and ethical manner to foster a positive security culture within the Bank.
- The Information Security Committee must have effective oversight to review and monitor the Information Security Programme of the Bank.
- The Information security function must provide timely and accurate metrics on performance with regard to Information Security.
- Information security governance must comply with relevant legal and regulatory requirements.
- Policies and controls must account for business context.
- Information Security is not merely a practice within business; it is an integral part of business and as such a corporate level function.
Strategies for Implementation

- The Information Security Committee at the top management level should be responsible for overall governance of the Information Security Programme of the Bank and will report to the Board.
- A Working Group on Information Security should be set up in the Bank, which shall have representatives from business, operations, audit, IT, vigilance, physical security / admin, etc. This Working Group should meet on a regular basis to discuss implementation issues pertaining to information security.
- The Information Security policies shall be approved by the Board and cover the three important aspects of information, viz. People, Process and Technology.
- Information Security Risk Management shall cover risk identification, assessment, remediation and acceptance of residual risk.
- Education and Awareness efforts shall be continued on a regular basis to keep the rank and file abreast of their roles and responsibilities vis-a-vis the expectations from the Information Security Policy. Information Security should be a regular component in training programmes offered within the Bank. This may be supplemented by online education in the form of snippets, write-ups for paced learning, tests and quizzes.
- Customer Education on Information Security, especially in Electronic Banking and delivery channels, must be accorded due prominence. Regular, multi-pronged efforts must be made to inculcate best practices and common minimum standards among customers to provide security to their electronic transactions. Appropriate tools and channels may be utilized for this purpose.
- Security implications of the Business Continuity and Disaster Recovery Policies must be approved and periodically reviewed by the Board.
- The Information Security function must be adequately staffed, trained, equipped and motivated to maintain the Bank's Security Posture at expected levels.
- Banks' information systems shall be subjected to regular information security testing commensurate with their exposure (criticality and threats) level.
- For effective implementation of information security policies at the grass-roots level, each department or functional division should identify an official who would be responsible for driving the information security agenda for that respective unit.
- The information security programme should have comprehensive and detailed metrics which will be presented to the Information Security Committee.
- The information security programme (design, implementation and execution) should be reviewed and tested by the Bank's IT audit. The IT audit strategy should be aligned with the information security strategy for the areas of implementation and execution.
- The information security enforcement strategy should be comprehensive and should cover the complete lifecycle of Data, Applications, Technology, Infrastructure, People, Products and Services.
- The Information security programme shall be tested on an ongoing basis for compliance with applicable regulations.
- The Information security programme shall be benchmarked against industry level and global best practices.
- Banks should not only have a security strategy but also the ability to execute the strategy and the ability to measure execution.
Organization Chart for IS Governance

Chart nodes, top to bottom as drawn in the original figure: CMD; ED; Board; Information Security Committee; Head - Integrated Risk Management (HIRM); Chief Information Security Officer (CISO); and, under the CISO, Information Security Risk Management (ISRM), Information Security Awareness Management (ISAM) and Security Operations Center and Incident Management (SOCIM).

Position / Designation                                        Rank
HIRM (Head - Integrated Risk Management)                      CGM / GM / DGM
CISO (Chief Information Security Officer)                     GM / DGM / AGM
ISRM (Information Security Risk Management)                   DGM / AGM / CM
ISAM (Information Security Awareness Management)              DGM / AGM / CM
SOCIM (Security Operations Centre and Incident Management)    DGM / AGM / CM

Note: Depending upon the size and scale of the Bank, the roles under the CISO may be clubbed or handled separately. Wherever needed, ISRM and ISAM may be clubbed together.
Information Security Committee

The role of the Information Security Committee is to devise strategies and policies for the protection of all assets of the bank (including information, applications, infrastructure and people). The committee will also provide guidance and direction on the security implications of the business continuity and disaster recovery plans.

Responsibilities:
- Develop and facilitate implementation of information security policies, standards and procedures to ensure that all identified risks are managed within the bank's risk appetite.
- Create an information security and risk management structure covering the entire bank, with clearly defined roles and responsibilities.
- Create and follow a risk assessment process that is consistent across the bank to identify and evaluate key risks and approve control measures and mitigation strategies.
- Regularly monitor the information security and risk management processes and corrective actions to ensure compliance with regulatory requirements.
- Ensure that the Information Security Team is appropriately skilled and adequately staffed.
- Regularly present reports to the Board and invite feedback on the information security management processes.

Frequency of Meetings: Quarterly
Chaired by: Executive Director
Members:
- Head - Integrated Risk Management (Convener)
- Chief Information Officer
- Head - Audit
- Head - Compliance
- Head - Human Resource
- Head - Business Operations
- Head - Administration
- Head - IT Assurance
- Chief Information Security Officer
- Head - Physical Security

Head Integrated Risk Management (HIRM)

The Head of Integrated Risk Management will be a senior level official of the rank of CGM/GM/DGM. The HIRM is responsible for all Risk Management functions in the Bank, like Credit Risk, Market Risk and Operational Risk. Information Security will be one of the most critical components of Operational Risk that has to be looked after by the HIRM. He is the senior-most executive in the Information Security function in the bank and provides the required leadership and support for this across the bank, with the full backing and commitment of the Board.

Responsibilities (in the Information Security domain):
- Information Security Policy and Strategy
- Information Security Risk Assessment, Management and Monitoring
- Security aspects and implications of Business Continuity Planning in the Bank
- Allocation of adequate resources for Information Security Management
The Chief Information Security Officer (CISO)*

Depending upon the size of the bank and its scale of operations, a sufficiently senior level official of the rank of GM/DGM/AGM needs to be designated as the Chief Information Security Officer (CISO), responsible for articulating and enforcing the policies that a bank uses to protect its information assets, apart from coordinating information security related issues and implementation within the organization as well as with relevant external agencies. The CISO needs to report directly to the Head of Integrated Risk Management (HIRM) function and should not have a direct reporting relationship with the CIO. The CISO's role spans both strategic and operational dimensions; the CISO is responsible for all the administrative tasks and controls related to Information Security and reports to the owner of this function, the HIRM.

Responsibilities:
- Information Security Policy and Strategy inputs and enhancements
- Establish security guidelines and measures to protect data and systems
- Information Security Risk, Threat and Vulnerability Assessment, Review, Management, Monitoring and Reporting on a continuous basis
- Monitoring Key Goal Indicators and Key Performance Indicators of the Information Security Programme
- Establish and disseminate enforceable rules
- Business Continuity and Disaster Recovery Planning security inputs and enhancements
- Oversee Information Security Awareness training
- Security Operations Centre and Incident Management
- Business case for Information Security investments and expenditure
- Maintaining the Security Posture and Profile of the Bank at expected levels
- Active collaboration and communication with business and operating units
- Gathering internal and external security intelligence
- Set up the Security organisation structure with well designed roles and responsibilities
- Compliance with regulatory requirements on Information Security
- Facilitating investigations in IT frauds and mitigation measures

* The CISO's role description given here supersedes our earlier version given in IT Governance Series: Organizational Structure for IT in the Indian Banking Sector, Vol 1, May 2010, on page 12.
Information Security Risk Manager (ISRM)

The ISRM owns the Risk Management Life Cycle as far as Information Security is concerned. He assists the CISO by discharging the following.

Responsibilities:
- Information Security Risk Assessment
- Information Security Risk Analysis and Evaluation
- Information Security Risk Mitigation: identification and assignment of controls
- Information Security Risk Management
- Compliance with Information Security Risk Management Guidelines
- External and Internal Monitoring
- Information Security Policy Implementation

Information Security Awareness Manager (ISAM)

The ISAM is responsible for enhancing Information Security Awareness levels and for striving to create a conducive environment and compliance culture across the bank. He is expected to keep himself abreast of the latest developments in the field of Information Security Standards and Best Practices so that proactive steps can be taken for adopting them at the earliest, wherever possible and applicable in the bank. He is a friend, philosopher and guide to the entire bank as far as education and awareness-building in Information Security is concerned.

Responsibilities:
- Information Security Policy inputs and enhancements
- Measurement and monitoring of the effectiveness of Information Security Policy implementation
- Education, awareness and promotion of Information Security initiatives across the bank
- Intensive training of various types and for different levels on Information Security
- Promoting customer education and awareness on Information Security through appropriate channels, tools and interventions
- Proactive dissemination of Information Security Policy initiatives, mechanisms and best practices
- A Resource Base of online tutorials, demos, quizzes and FAQs on the Intranet for easy access within the bank
Security Operations Centre and Incident Management (SOCIM)

The SOCIM executive is responsible for effective oversight of the Security Operations Centre and Incident Management capabilities for the bank as a whole. The Security Posture and Status of the bank is demonstrated by this functionary.

Responsibilities:
- Owner of the bank-wide Security Operations Centre (SOC)
- Owner of Incident Management at the bank level
- Responsible for creating, training and upgrading Incident Response Teams across the bank at various levels
- Continuous surveillance of the IT Infrastructure of the bank to guard against Information Security breaches and incidents, IT and non-IT
- Responsible for monitoring and reviewing security logs of applications, operating systems, databases, networks, etc.
- Demonstrating the much-needed robustness and improvement in the information security compliance environment and preparedness to meet eventualities
- Keeping abreast of the fast paced changes in technology and business process to make the SOC live up to the growing demands from within and outside
- Regular Penetration Testing, Vulnerability Assessment and liaison with the local CERT
- Responsible for collection, aggregation, correlation, analysis and synthesis of information related to security incidents, to learn effective lessons and to incorporate changes in policies and procedures accordingly on a continuous basis

References

1. Organizational Structure for IT in the Indian Banking Sector, IT Governance Series, IDRBT, May 2010.
2. Report and Recommendations of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, RBI, January 2011.
3. IS Governance: Guidance to Boards of Directors, ISACA, www.isaca.org
4. Critical Elements of Information Security Program Success, ISACA, www.isaca.org
Mission of IDRBT

- To envision and foresee technology requirements of the Indian Banking and Financial Sector and Research & Develop the required technologies
- To incubate and develop state-of-the-art banking technology products and services to facilitate better and easy banking
- Understand the emerging global technology trends, their implications, and guide the Indian Banking and Financial Sector accordingly
- To provide Training, Advisory and Consultancy Services on Technology, Technology Infrastructure, and Technology Management matters for the Banking and Financial Sector
- Play a catalytic role in the development of Banking Technology as a recognized discipline of study
- To create a pool of Banking Technology professionals through innovative and quality educational initiatives
- Participate directly and indirectly in the development of standards and best practices

Castle Hills, Road No. 1, Masab Tank, Hyderabad - 500 057. INDIA.
Ph: +91-40-23534981-85, Fax: +91-40-23535157.
http://www.idrbt.ac.in, e-mail: publisher@idrbt.ac.in