130 likes | 288 Views
“How banks can frame an IT Security Strategy” Umesh Jain President & CIO Yes Bank, India. Challenges. Management Awareness Employee Awareness Focus on IT and Systems Quantification of Risks Costs & Budgets. Management Awareness.
E N D
“How banks can frame an IT Security Strategy”Umesh JainPresident & CIOYes Bank, India
Challenges • Management Awareness • Employee Awareness • Focus on IT and Systems • Quantification of Risks • Costs & Budgets
Management Awareness • Success stories of other institutions esp. viz. business benefits • Easy to read independent research papers from ‘select’ credible and respected sources • Gartner, Mckinsey, Forrester etc • IS Council comprising Leadership team • Being member makes them interested & responsible • Highlight low risk high cost items as well and trade them off • Highlight high risk and low cost items and prioritize them • ISO/BS Certification, Awards • Customer and shareholder benefits
Management Awareness • News on other organizations’ failures and its implications on that organization • Eye Opener esp. when contextualized • Dossiers on regulatory requirements • Benchmark your organization • Get IS Council to sign off on Risk Acceptances! • Independent Internal Audit
Employee Awareness • Training & Education • Make them interesting and interactive with videos etc • Real life stories • Focus on both IT & non-IT • Periodic Quizzes • Periodic flyers • Make IS a top of the memory recall subject • Rewards & Recognition • For compliance & leading from the front
Employee Awareness • Penalties • For non-compliance • Directly proportional to severity of issue • Surprise checks and ethical breach attempts • Clean desk audits • Password sharing • Any breach to be recorded, linked to Performance Management
Focus on Technology • Problem both ways – Inside Out & Outside IN • Mindsets of both IT & non-IT need to change • Awareness programs should focus on non-IT related security even more than IT related security • Data Classification of non-IT assets/documents • Information on pin-boards, walls, desks, drawers • Tail Gating, Password Sharing • Physical security – Lock and Key! • Mobile devices • Awareness programs should talk about IT only to limited extent & in layman’s terms • CISO outside IT management, equal focus on non-IT
Quantification of Risks • Lack of historical or industry data or formal methods to quantify the IS Risk • Can vary from 0 to infinite • Actualization of one risk can be disastrous and not contained • CBA or ROI cannot be obtained, work on TCO • Use industry benchmarks, apply factor based on • Scale • Maturity • Risk appetite • Model • Geographic spread • Product & service offering
Costs & Budgets • In principle agreement on total spend on IS risk • As a % of Total Operating Expense • Work out a multi year roadmap to accommodate budgets • Force ranking of risks that need to be prioritized • Outsourcing • Security as a Managed Service – brings in industry wide expertise, economies of scale, IPR tools that are bundled with services • Security as a service • Pay per use models • Keep pace with dynamically changing threat landscape
Key Success Factors • Leadership Direction and Management support • Close alignment with corporate culture • User awareness as security control • Consistent and standardized risk mgmt processes supported by tools & technology • Measurable results
Initiatives at YBL • Information Security Council • Representatives from Yes Bank leadership team • Meets once a quarter • Think tank & decision making forum • Strategic alignment with business • Identity and Access management • Unique identification on all systems • Auto creation of ID on joining & auto deletion on exit • Semi-automated provisioning & de-provisioning • Automated Quarterly Entitlement reviews • Almost Zero Cost, simple, effective and efficient • All new applications to use LDAP features • File System security using Windows & Exchange
Initiatives at YBL • Comprehensive Coverage • Employees, Consultants etc • Internal Reviews and Independent Audits • Third Party Information Security Assessments • IS involved in project lifecycle with signoffs at various stages • Data classification of non-IT Assets • Robust Processes • SIRT, Risk Acceptance, Deviations • Reviews & surprise Audits • Hardening Standards & Deviations
Initiatives at YBL • Outsourcing • Managed Services • One man team of CISO • Cost efficient (70% saves, no capex) • Effective • Best practices • Reacting to dynamically changing threat landscape • Tools for management • First movers • Dual Factor Authentication