
EXPERIENCE IN IMPLEMENTING SECURITY MEASURES AT SBI – A CASE STUDY

Patrick Kishore
General Manager (IT) &
Chief Information Security Officer
State Bank of India
Where we were

• Early 1990s – More than 7000 branches based on manual procedures derived from Imperial Bank of India and evolved over decades.
• Mainframes used for MIS, Reconciliation & Fund Settlement processes

ELITEX-2008 2
Changes brought in IT
• Late 1990s – More than 8000 branches either on decentralized systems or manually operated.
• Mainframe / Mini Computers used at CO/LHO/ZO for backend operations.
• Internet Banking Facility for individuals.
• All ATMs of State Bank Group networked.

TBA - Distributed System Components
[Diagram: Branches running the Banking Application on Diskless OS and Database with LAN nodes; Internet-Banking and ATM channels; roles shown: User Control Officer, System Administrator]

Changes brought in IT
• 2001 – KPMG appointed consultant for preparing IT Plan for the Bank. Core Banking proposed; FNS, CS, COMLINK selected.
• 2002 – All branches computerized but on decentralized systems.
– Core Banking initiative started

Changes brought in IT
• 2008 – more than 6500 branches (95% of business) on Core Banking Solution (CBS).
• Internet Banking facility for Corporate customers
• More Interfaces developed with eCommerce & other sites through alternate channels like ATM & Online Banking
• All Foreign Offices on Centralized Solution
• BPR initiative to realign business processes with changes due to IT
Changes brought in IT

• Large Network as backbone for connectivity across the country
• Multiple Service Providers for providing the links – BSNL, MTNL, Reliance, Tata & Railtel
• Multiple Technologies to support the networking infrastructure – Leased lines, Dial-up, CDMA & VSATs

CBS - Core Banking System Components
[Diagram: Branches (Desktops, Branch Servers) connected over WAN to the Datacenter running the Core-Banking Application on OS and Database, with Application Developers; Alternative Channels (Internet-Banking, ATM) reached over WAN / Internet; roles shown: Branch User/Admins, Network Administrators, System Administrators]

RBI Guidelines

• RBI constituted a “working group on information systems security for banking and financial sector” – 2001
• Banks were required to put in place effective security policies & controls.
• Information Systems Security Department to be set up to address security issues on an ongoing basis.
IT Governance at SBI
[Diagram: elements of IT governance – Governance Structure, Risk Assessment, Risk Management, Information Systems Security, Communication, Compliance]
Organization structure of IT
[Organization chart: DMD(IT) → CGM (IT) / CIO → GM (ITSS) and GM (IT) & CISO → DGM (ITSS) → AGM (ITSS), with Application Owners; DMD (I&A) → CGM (I&A) → GM (I&A)]

Organization structure of IT

Enabler – Information Security Department
• Assess risks
• Define Policies, and develop Standards and Procedures
• Provide training & awareness
• Deploy & manage security products
• Define security architecture for network, databases & applications: Secure Configuration Docs

Enforcer – Application Owners / Business Owners / System administrators / IT Personnel
• Implement technical and procedural controls
• Manage Network, servers & applications securely adhering to policies, standards & procedures
• Report Incidents
• Act on Security Logs

Auditor – Inspection & Management Audit Dept.
• Auditing compliance against policies across applications and locations
• Vulnerability testing
• Penetration testing
• Application security testing
• Feedback to ISD on effectiveness of policies

Organizational Structure of IS
[Organization chart: DMD(IT) → GM (IT) & CISO → AGM (ISD) → Information Security Officers]

FUNCTIONS: Consulting, Monitoring, Compliance

2003 – Information Security consultant appointed for Information Security Initiation
2004 – Information Security Department set up, headed by GM (IT) & CISO and supported by CISA qualified ISOs
ISSSC set up by the Board
Objective of IS

To provide the bank’s business processes with reliable information systems by systematically assessing, communicating and mitigating risks, thereby increasing customers’ trust in the bank and achieving world class standards in information security.

How we manage
Develop and enable implementation of strong systems
along 6 pillars of security.

Security Governance

Board / CEO
• Set directions
• Approve top level policies
• Promote security culture
• Delegate responsibility
• Provide resources
• Review security status

Integrated Risk Management Committee
• Align information security with overall risk management
• ISD represented on the Committee

ISS Standards Committee
• Approve detailed standards & procedures
• Annual Review of Standards and Procedures – need to address new security threats, and mitigation
• Changes to procedures based on feedback

Security Governance
• IT Policy and IS Security Policy approved by
the Board
• Standard and Procedures (25 domains)
approved by ISSSC
• Half yearly reviews by ISSSC to update IT
Policy and IS Security Policy - Standard and
Procedures
• Security Guidelines for Critical Applications
• Security Policies for Overseas operations
• IS Roles and Responsibilities across
Organisation approved by the Board
• Security Guidelines for Branches and Offices
Security Governance
• Central Anti-Virus, Firewall/IDS monitoring
teams setup
• Associate Banks supported in ISMS initiatives
• Policies enforced through periodic security
compliance reviews
• Promoting IS Awareness and Security Culture
across the Bank

Consulting

• Carrying out Risk Analysis
• Formulation / Modification of IT Policy and IS Security Policy for the Bank.
• Secured Configuration Document for various Operating Systems & Databases.
• Devising effective Mitigation measures.
• Reviewing the Bank’s new IT-enabled products & services for IS

Monitoring
• Firewall Rule Base
• Anti-virus
• Firewall & IDS Logs
• Discover gaps in policy, standards & procedures
• Assess User difficulties
• Periodic Vulnerability Assessments and
Penetration Tests
• Best Security Practices for Processes

Compliance

• Compliance Review of process followed by different applications, periodicity based on criticality of the application.
• Application Security review of critical applications.
• Review of SDLC followed for Applications.
• Security review of selected branches and offices
• Action Taken Reports from Application Owners

Incident Response

• RCA for security incidents reported through service desk or email
• Risk mitigating measures against phishing attacks
• Security measures against ATM based incidents
• Anti-virus, Anti-spam initiatives

Security Awareness
• User awareness through multiple channels like
intranet, training etc.
• e-Learning package on information security
distributed across Bank
• Specialized IS awareness sessions for controllers
• Dedicated IS Security sessions during training.
• Observing “Computer Security Day” every year
across the organization.
• Write ups on Information Security in the in-house
magazines
• Exchange of information on threats and
vulnerabilities at appropriate forums.
Improving our IS Security

• Benchmarking SBI initiatives against International Best Practices
• E&Y benchmarking initiative in 2006
• RBI requirement under section 35
• External audit of IS initiatives
• BS27001 certification of CDC-DRC, ATM & INB

Challenges ahead
• Retaining Bank's lead Position
– Maintaining Business Edge over competitors in the
context of sameness in IT infrastructure
• Assured Availability
– Financially critical systems increasingly depend on
IT Delivery channels- no margin for downtime
• Infrastructure derisking
– Tie-up with multiple vendors for spreading risks due
to infrastructure failures and obsolescence

Challenges ahead

• Vendor Management
– Multiple vendor support necessary for working of highly complex technology
– Coordinating various vendors to provide a secure IT infrastructure for business operations
– Alternatives for failure of a specific vendor’s services
– Extent of replacing vendors with internal staff

Challenges ahead
• Managing IS Security
– Information Security dependency on vendor inputs
– Complex networked environment leading to lack of Know Your Employee, Systems & Procedures, Vendors
– Maintaining Confidentiality & Privacy of Data while in storage, transmission & processing.
• Providing DRP & BCP in a complex technology infrastructure supported by multiple vendors

Questions?
