1 / 13

“How banks can frame an IT Security Strategy” Umesh Jain President & CIO Yes Bank, India

“How banks can frame an IT Security Strategy” Umesh Jain President & CIO Yes Bank, India. Challenges. Management Awareness Employee Awareness Focus on IT and Systems Quantification of Risks Costs & Budgets. Management Awareness.

ivo
Download Presentation

“How banks can frame an IT Security Strategy” Umesh Jain President & CIO Yes Bank, India

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. “How banks can frame an IT Security Strategy”Umesh JainPresident & CIOYes Bank, India

  2. Challenges • Management Awareness • Employee Awareness • Focus on IT and Systems • Quantification of Risks • Costs & Budgets

  3. Management Awareness • Success stories of other institutions esp. viz. business benefits • Easy to read independent research papers from ‘select’ credible and respected sources • Gartner, Mckinsey, Forrester etc • IS Council comprising Leadership team • Being member makes them interested & responsible • Highlight low risk high cost items as well and trade them off • Highlight high risk and low cost items and prioritize them • ISO/BS Certification, Awards • Customer and shareholder benefits

  4. Management Awareness • News on other organizations’ failures and its implications on that organization • Eye Opener esp. when contextualized • Dossiers on regulatory requirements • Benchmark your organization • Get IS Council to sign off on Risk Acceptances! • Independent Internal Audit

  5. Employee Awareness • Training & Education • Make them interesting and interactive with videos etc • Real life stories • Focus on both IT & non-IT • Periodic Quizzes • Periodic flyers • Make IS a top of the memory recall subject • Rewards & Recognition • For compliance & leading from the front

  6. Employee Awareness • Penalties • For non-compliance • Directly proportional to severity of issue • Surprise checks and ethical breach attempts • Clean desk audits • Password sharing • Any breach to be recorded, linked to Performance Management

  7. Focus on Technology • Problem both ways – Inside Out & Outside IN • Mindsets of both IT & non-IT need to change • Awareness programs should focus on non-IT related security even more than IT related security • Data Classification of non-IT assets/documents • Information on pin-boards, walls, desks, drawers • Tail Gating, Password Sharing • Physical security – Lock and Key! • Mobile devices • Awareness programs should talk about IT only to limited extent & in layman’s terms • CISO outside IT management, equal focus on non-IT

  8. Quantification of Risks • Lack of historical or industry data or formal methods to quantify the IS Risk • Can vary from 0 to infinite • Actualization of one risk can be disastrous and not contained • CBA or ROI cannot be obtained, work on TCO • Use industry benchmarks, apply factor based on • Scale • Maturity • Risk appetite • Model • Geographic spread • Product & service offering

  9. Costs & Budgets • In principle agreement on total spend on IS risk • As a % of Total Operating Expense • Work out a multi year roadmap to accommodate budgets • Force ranking of risks that need to be prioritized • Outsourcing • Security as a Managed Service – brings in industry wide expertise, economies of scale, IPR tools that are bundled with services • Security as a service • Pay per use models • Keep pace with dynamically changing threat landscape

  10. Key Success Factors • Leadership Direction and Management support • Close alignment with corporate culture • User awareness as security control • Consistent and standardized risk mgmt processes supported by tools & technology • Measurable results

  11. Initiatives at YBL • Information Security Council • Representatives from Yes Bank leadership team • Meets once a quarter • Think tank & decision making forum • Strategic alignment with business • Identity and Access management • Unique identification on all systems • Auto creation of ID on joining & auto deletion on exit • Semi-automated provisioning & de-provisioning • Automated Quarterly Entitlement reviews • Almost Zero Cost, simple, effective and efficient • All new applications to use LDAP features • File System security using Windows & Exchange

  12. Initiatives at YBL • Comprehensive Coverage • Employees, Consultants etc • Internal Reviews and Independent Audits • Third Party Information Security Assessments • IS involved in project lifecycle with signoffs at various stages • Data classification of non-IT Assets • Robust Processes • SIRT, Risk Acceptance, Deviations • Reviews & surprise Audits • Hardening Standards & Deviations

  13. Initiatives at YBL • Outsourcing • Managed Services • One man team of CISO • Cost efficient (70% saves, no capex) • Effective • Best practices • Reacting to dynamically changing threat landscape • Tools for management • First movers • Dual Factor Authentication

More Related