BS7799 Sbi

Download as ppt, pdf, or txt
Download as ppt, pdf, or txt
You are on page 1of 28
At a glance
Powered by AI
Over time, SBI transitioned from mainly manual processes to becoming fully computerized and implementing a core banking system across most of its branches. It also expanded internet banking and established centralized systems.

In the early 1990s, SBI had over 7000 branches operating mainly on manual procedures. In the late 1990s, it computerized all branches but they used decentralized systems. From 2001 onwards, SBI implemented a core banking system across most branches and expanded internet banking for customers.

The core components of SBI's banking system include the core banking application, operating system, database, internet banking, ATMs, branch servers, wide area network (WAN) and alternative channels. It connects various branches and departments through this network infrastructure.

EXPERIENCE IN IMPLEMENTING

SECURITY MEASURES AT SBI –


A CASE STUDY

Patrick Kishore
General Manager (IT) &
Chief Information Security Officer
State Bank of India
Where we were

• Early 1990s – More than 7000 branches


based on manual procedures derived from
Imperial Bank of India and evolved over
decades.
• Mainframes used for MIS, Reconciliation &
Fund Settlement processes

ELITEX-2008 2
Changes brought in IT
• Late 1990s – More than 8000 branches either
on decentralized systems or manually
operated,
• Main Frame / Mini Computers used at
CO/LHO/ZO for backend operations.
• Internet Banking Facility for individuals.
• All ATMs of State Bank Group networked.

ELITEX-2008 3
TBA - Distributed System Components
Branches

Banking
Application
Diskless OS, Database
LAN
LAN
nodes
Internet-Banking

ATM

User Control Officer System Administrator

ELITEX-2008 4
Changes brought in IT
• 2001 - KMPG appointed consultant for
preparing IT Plan for the Bank. Core
Banking proposed, FNS, CS, COMLINK
selected
• 2002 – All branches computerized but on
decentralized systems,
– Core Banking initiative started

ELITEX-2008 5
Changes brought in IT
• 2008- more than 6500 branches (95% of
business) on Core Banking Solution (CBS),
• Internet Banking facility for Corporate
customers
• More Interfaces developed with eCommerce
& other sites through alternate channels like
ATM & Online Banking
• All Foreign Offices on Centralized Solution
• BPR initiative to realign business process
with changes due to IT
ELITEX-2008 6
Changes brought in IT

• Large Network as backbone for connectivity


across the country
• Multiple Service Providers for providing the
links – BSNL, MTNL, Reliance, Tata & Railtel
• Multiple Technologies to support the
networking infrastructure – Leased lines,
Dial-up, CDMA & VSATs

ELITEX-2008 7
CBS - Core Banking System
Components Datacenter
Branches
Application Developers

Desktops,
Branch Core-Banking
Servers Application

WAN, OS, Database


WAN,
Internet
Internet
Alternative Internet-Banking
Channels
ATM

Branch User/Admins Network Administrators System Administrators

ELITEX-2008 8
RBI Guidelines

• RBI constituted a “working group on


information systems security for banking and
financial sector” - 2001

• Banks were required to put in place effective


security policies & controls.

•Information Systems Security Department to


be set up to address security issues on an
ongoing basis.
ELITEX-2008 9
GOVERNANCE

STRUCTURE

RISK ASSESMENT

ELITEX-2008
RISK MANAGEMENT
INFORMATION SYSTEMS SECURITY
IT Governance at SBI

COMMUNICATION

COMPLIANCE
10
Organization structure of IT

DMD(IT) DMD (I&A)

CGM (IT) CIO CGM (I&A)

GM (ITSS) GM (IT) & CISO GM (I&A)

DGM (ITSS)
Application Owners

AGM (ITSS)

ELITEX-2008 11
Organization structure of IT
Enabler Enforcer Auditor
Information Security Application Owners / Inspection &
Department Business Owners/ Management
• Assess risks System administrators Audit Dept.
/ IT Personnel • Auditing
• Define Policies, and
• Implement technical compliance against
develop Standards
and Procedures and procedural policies across
controls applications and
• Provide training &
locations
awareness • Manage Network,
servers & applications • Vulnerability testing
• Deploy & manage
security products securely adhering to • Penetration testing
• Define security policies, standards & • Application security
architecture for procedures testing
network, databases • Report Incidents • Feedback to ISD on
& applications: effectiveness of
Secure • Act on Security Logs policies
Configuration Docs

ELITEX-2008 12
Organizational Structure of IS
DMD(IT)

GM (IT) & CISO

AGM (ISD)

Information Security Officers

FUNCTIONS
Consulting Monitoring Compliance

2003 - Information Security consultant appointed for Information


Security Initiation
2004 - Information Security Department setup headed by
GM (IT) & CISO and supported by CISA qualified ISOs
ISSSC setup by the Board
ELITEX-2008 13
Objective of IS

To provide bank’s business processes with


reliable information systems by
systematically assessing, communicating
and mitigating risks, thereby increasing
customers’ trust on the bank and achieving
world class standards in information
security.

ELITEX-2008 14
How we manage
Develop and enable implementation of strong systems
along 6 pillars of security.

ELITEX-2008 15
Security Governance
Board/ CEO Integrated Risk Management Committee
Set directions Align information security with overall risk
Approve top level policies management
Promote security culture ISD represented on the Committee
Delegate responsibility
Provide resources
Review security status
ISS Standards Committee
Approve detailed standards & procedures
Annual Review of Standards and
Procedures – need to address new security
threats, and mitigation;
Changes to procedures based on feed
back

ELITEX-2008 16
Security Governance
• IT Policy and IS Security Policy approved by
the Board
• Standard and Procedures (25 domains)
approved by ISSSC
• Half yearly reviews by ISSSC to update IT
Policy and IS Security Policy - Standard and
Procedures
• Security Guidelines for Critical Applications
• Security Policies for Overseas operations
• IS Roles and Responsibilities across
Organisation approved by the Board
• Security Guidelines for Branches and Offices
ELITEX-2008 17
Security Governance
• Central Anti-Virus, Firewall/IDS monitoring
teams setup
• Associate Banks supported in ISMS initiatives
• Policies enforced through periodic security
compliance reviews
• Promoting IS Awareness and Security Culture
across the Bank

ELITEX-2008 18
Consulting

• Carrying out Risk Analysis


• Formulation / Modification of IT Policy and IS
Security Policy for the Bank.
• Secured Configuration Document for various
Operating Systems & Databases.
• Devising effective Mitigation measures.
• Reviewing Banks’ new IT enabled product &
services for IS

ELITEX-2008 19
Monitoring
.
• Firewall Rule Base
• Anti-virus
• Firewall & IDS Logs
• Discover gaps in policy, standards & procedures
• Assess User difficulties
• Periodic Vulnerability Assessments and
Penetration Tests
• Best Security Practices for Processes

ELITEX-2008 20
Compliance

• Compliance Review of process followed by


different applications, periodicity based on
criticality of the application.
• Application Security review of critical
applications.
• Review of SDLC followed for Applications.
• Security review of selected branches and offices
• Action Taken Reports from Application Owners

ELITEX-2008 21
Incident Response

• RCA for security incident reported through


service desk or email
• Risk mitigating measures against phishing
attacks
• Security measures against ATM based
incidents
• Anti-virus, Anti-spam initiatives

ELITEX-2008 22
Security Awareness
• User awareness through multiple channels like
intranet, training etc.
• e-Learning package on information security
distributed across Bank
• Specialized IS awareness sessions for controllers
• Dedicated IS Security sessions during training.
• Observing “Computer Security Day” every year
across the organization.
• Write ups on Information Security in the in-house
magazines
• Exchange of information on threats and
vulnerabilities at appropriate forums.
ELITEX-2008 23
Improving our IS Security

• Benchmarking SBI initiatives against


International Best Practices
• E&Y benchmarking initiative in 2006
• RBI requirement under section 35
• External audit of IS initiatives
• BS27001 certification of CDC-DRC, ATM & INB

ELITEX-2008 24
Challenges ahead
• Retaining Bank's lead Position
– Maintaining Business Edge over competitors in the
context of sameness in IT infrastructure
• Assured Availability
– Financially critical systems increasingly depend on
IT Delivery channels- no margin for downtime
• Infrastructure derisking
– Tie-up with multiple vendors for spreading risks due
to infrastructure failures and obsolescence

ELITEX-2008 25
Challenges ahead

• Vendor Management
– Multiple vendor support necessary for working of
highly complex technology
– Coordinating various vendors to provide a secure IT
infrastructure for business operations
– Alternatives for failure of a specific vendor services
– Extant of Replacing vendors with internal staff

ELITEX-2008 26
Challenges ahead
• Managing IS Security
– Information Security dependency on vendor inputs
– Complex networked environment leading to lack of
Know Your - Employee , Systems & Procedures ,
Vendors
– Maintaining Confidentiality & Privacy of Data while in
storage, transmission & processing.
• Providing DRP & BCP in a complex
technology infrastructure supported by
multiple vendors

ELITEX-2008 27
Questions ?

ELITEX-2008 28

You might also like