BS7799 SBI
Patrick Kishore
General Manager (IT) &
Chief Information Security Officer
State Bank of India
Where we were
ELITEX-2008 2
Changes brought in IT
• Late 1990s – More than 8000 branches either
on decentralized systems or manually
operated,
• Main Frame / Mini Computers used at
CO/LHO/ZO for backend operations.
• Internet Banking Facility for individuals.
• All ATMs of State Bank Group networked.
TBA - Distributed System Components
[Diagram: branches running the banking application on a branch server (OS and database) serving diskless LAN nodes; Internet-Banking and ATM as separate delivery channels]
Changes brought in IT
• 2001 - KPMG appointed consultant for
preparing IT Plan for the Bank. Core
Banking proposed; FNS, CS, COMLINK
selected
• 2002 – All branches computerized but on
decentralized systems,
– Core Banking initiative started
Changes brought in IT
• 2008- more than 6500 branches (95% of
business) on Core Banking Solution (CBS),
• Internet Banking facility for Corporate
customers
• More Interfaces developed with eCommerce
& other sites through alternate channels like
ATM & Online Banking
• All Foreign Offices on Centralized Solution
• BPR initiative to realign business process
with changes due to IT
Changes brought in IT
CBS - Core Banking System Components
[Diagram: Datacenter hosting the Core-Banking Application; Branches with desktops and branch servers; Application Developers]
IT Governance at SBI
[Diagram, per RBI Guidelines: Structure, Risk Assessment, Risk Management, Information Systems Security, Communication, Compliance]
Organization structure of IT
DGM (ITSS)
Application Owners
AGM (ITSS)
Organization structure of IT
Enabler - Information Security Department
• Assess risks
• Define Policies, and develop Standards and Procedures
• Provide training & awareness
• Deploy & manage security products
• Define security architecture for network, databases & applications: Secure Configuration Docs
Enforcer - Application Owners / Business Owners / System administrators / IT Personnel
• Implement technical and procedural controls
• Manage Network, servers & applications securely adhering to policies, standards & procedures
• Report Incidents
• Act on Security Logs
Auditor - Inspection & Management Audit Dept.
• Auditing compliance against policies across applications and locations
• Vulnerability testing
• Penetration testing
• Application security testing
• Feedback to ISD on effectiveness of policies
Organizational Structure of IS
DMD(IT)
AGM (ISD)
Functions: Consulting, Monitoring, Compliance
How we manage
Develop and enable implementation of strong systems
along 6 pillars of security.
Security Governance
Board/ CEO
• Set directions
• Approve top level policies
• Promote security culture
• Delegate responsibility
• Provide resources
• Review security status
Integrated Risk Management Committee
• Align information security with overall risk management
• ISD represented on the Committee
ISS Standards Committee
• Approve detailed standards & procedures
• Annual Review of Standards and Procedures – need to address new security threats, and mitigation
• Changes to procedures based on feedback
Security Governance
• IT Policy and IS Security Policy approved by
the Board
• Standards and Procedures (25 domains)
approved by ISSSC
• Half yearly reviews by ISSSC to update IT
Policy and IS Security Policy - Standards and
Procedures
• Security Guidelines for Critical Applications
• Security Policies for Overseas operations
• IS Roles and Responsibilities across
Organisation approved by the Board
• Security Guidelines for Branches and Offices
Security Governance
• Central Anti-Virus, Firewall/IDS monitoring
teams setup
• Associate Banks supported in ISMS initiatives
• Policies enforced through periodic security
compliance reviews
• Promoting IS Awareness and Security Culture
across the Bank
Consulting
Monitoring
• Firewall Rule Base
• Anti-virus
• Firewall & IDS Logs
• Discover gaps in policy, standards & procedures
• Assess User difficulties
• Periodic Vulnerability Assessments and
Penetration Tests
• Best Security Practices for Processes
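As an added worked example (not from the presentation and not SBI's own tooling), this is the kind of automated check a Firewall Rule Base review under the Monitoring function can include: it flags allow rules that permit any source to any destination on any port, and rules that are shadowed by an earlier, broader rule and therefore never match. The rule set is constructed here for illustration; the rule format (source CIDR, destination CIDR, destination port, action) is an assumption, not any particular vendor's syntax.

```python
"""Firewall rule-base review: flag over-permissive and shadowed rules.

Assumptions (illustrative, not a vendor format):
  - rules are evaluated first-match, top to bottom
  - src/dst are IPv4 CIDRs or the literal "any"
  - dport is a port, a range "a-b", or "any"
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: str
    dst: str
    dport: str
    action: str  # "allow" or "deny"


def _net(spec: str) -> ipaddress.IPv4Network:
    """Translate "any" to 0.0.0.0/0 so it can be compared like any CIDR."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def _ports(spec: str) -> tuple[int, int]:
    """Return an inclusive (low, high) port range."""
    if spec == "any":
        return (0, 65535)
    if "-" in spec:
        low, high = spec.split("-", 1)
        return (int(low), int(high))
    return (int(spec), int(spec))


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` would already match `outer`."""
    o_lo, o_hi = _ports(outer.dport)
    i_lo, i_hi = _ports(inner.dport)
    return (
        _net(inner.src).subnet_of(_net(outer.src))
        and _net(inner.dst).subnet_of(_net(outer.dst))
        and o_lo <= i_lo
        and i_hi <= o_hi
    )


def find_permissive(rules: list[Rule]) -> list[int]:
    """IDs of allow rules that let any source reach any destination on any port."""
    return [
        r.rule_id
        for r in rules
        if r.action == "allow" and r.src == "any" and r.dst == "any" and r.dport == "any"
    ]


def find_shadowed(rules: list[Rule]) -> list[tuple[int, int]]:
    """(shadowed_id, shadowing_id) pairs: the first earlier rule that fully
    covers a later rule, regardless of action, makes the later rule dead."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                findings.append((rule.rule_id, earlier.rule_id))
                break
    return findings


# Constructed sample rule base (not real SBI rules).
SAMPLE_RULES = [
    Rule(1, "10.0.0.0/8", "10.1.1.10", "443", "allow"),
    Rule(2, "any", "10.1.1.0/24", "443", "allow"),
    Rule(3, "10.2.0.0/16", "10.1.1.10", "443", "allow"),  # dead: rule 1 covers it
    Rule(4, "any", "any", "any", "deny"),
    Rule(5, "any", "any", "any", "allow"),  # over-permissive and dead behind rule 4
]


def review(rules: list[Rule]) -> dict:
    """Bundle both checks so a reviewer gets one report per rule base."""
    return {"permissive": find_permissive(rules), "shadowed": find_shadowed(rules)}


if __name__ == "__main__":
    print(review(SAMPLE_RULES))
```

Running the block on the sample rule base reports rule 5 as over-permissive and rules 3 and 5 as shadowed (by rules 1 and 4 respectively). A shadowed rule is not itself a hole, but it usually means the administrator believes a control exists that the firewall is not actually applying, which is exactly what a periodic rule-base review is meant to surface.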
Compliance
Incident Response
Security Awareness
• User awareness through multiple channels like
intranet, training etc.
• e-Learning package on information security
distributed across Bank
• Specialized IS awareness sessions for controllers
• Dedicated IS Security sessions during training.
• Observing “Computer Security Day” every year
across the organization.
• Write ups on Information Security in the in-house
magazines
• Exchange of information on threats and
vulnerabilities at appropriate forums.
Improving our IS Security
Challenges ahead
• Retaining Bank's lead Position
– Maintaining Business Edge over competitors in the
context of sameness in IT infrastructure
• Assured Availability
– Financially critical systems increasingly depend on
IT Delivery channels- no margin for downtime
• Infrastructure derisking
– Tie-up with multiple vendors for spreading risks due
to infrastructure failures and obsolescence
Challenges ahead
• Vendor Management
– Multiple vendor support necessary for working of
highly complex technology
– Coordinating various vendors to provide a secure IT
infrastructure for business operations
– Alternatives for failure of a specific vendor's services
– Extent of replacing vendors with internal staff
Challenges ahead
• Managing IS Security
– Information Security dependency on vendor inputs
– Complex networked environment leading to lack of
"Know Your" Employee, Systems & Procedures, and
Vendors
– Maintaining Confidentiality & Privacy of Data while in
storage, transmission & processing.
• Providing DRP & BCP in a complex
technology infrastructure supported by
multiple vendors
Questions?