State of Data Security and Privacy in the Indian Banking Industry
DSCI-KPMG Survey 2010
Vinayak Godse, Director - Data Protection, DSCI
19th April, 2011
State of Data Security and Privacy in the Banking Industry

Coverage: PSU, Private and Foreign Banks

Areas of Survey: Contemporary to Industry need | Current Challenges | Practices | Technology Trends | Compliance Expectations

Objective of Survey:
• In-depth assessment of the area under coverage
• Insights into the state of security and privacy
• Understand characteristics and structure of the initiatives
• Evaluation of maturity of practices and approach
• Benchmarking with security and privacy trends

Execution:
• Comprehensive questionnaire
• Industry consultation | Project Advisory Group | Interaction with Professionals
• Interview - Personal, Email and Telephonic
Security Organization

• 9:30 Review security reports coming from different tools, solutions and operational groups
• 10:30 Participate in business strategy meetings for security implications of new initiatives
• 11:30 Interact with lines of business on their security requirements
• 12:00 Interact with IT teams for installation, administration and maintenance of security devices
• 12:30 Interact with support functions like HR, Finance and Admin for enforcing measures in their respective departments
• 14:00 Review state of security in lines of business, their applications and systems
• 15:00 Oversee ongoing security projects
• 15:30 Review and approve change requests
• 16:00 Check for new issues, threats and vulnerabilities
• 17:00 Take review of operational teams
• 17:30 Issue guidelines to enterprise units on specific or general security measures

CISO Role & Time Spent: Strategic | Operational | Tactical

CISO reporting line: Chief Information Officer (CIO) / Chief Technology Officer (CTO), Chief Risk Officer (CRO), Executive Director (ED), Chief Operating Officer (COO), Chief Financial Officer (CFO)
Reporting to Top Management - 45%
Security Organization Task Distribution
Maturity - Security and Privacy Practices

Security:
• Constant review to assess security posture in the wake of new threats and vulnerabilities
• Security solutions are provided with an architectural treatment
• Significant efforts are dedicated to ensure collaboration with external sources and internal functions
• Focus given to innovation in the security initiatives
• Techniques such as threat modeling and threat trees, and principles such as embedding 'security in design', are proactively adopted

Privacy:
• An understanding of different roles and entities (data subject, controller, etc.)
• Understanding of privacy principles and their applicability
• Processes reviewed regularly from a privacy perspective
• A dedicated policy initiative for privacy
• Technology, solutions and processes are deployed for privacy
• Scope of audit charter is extended to include privacy
• Embedding privacy in the design
• PIA (privacy impact assessment) is performed for new initiatives and changes
Customer Awareness

Security:
• Publishing security messages on different communication channels
• Providing demos for secure usage of banking services
• Real-time security messages while executing transactions
• Conducting dedicated customer awareness programs
• Spreading awareness through public media

Privacy:
• Users are given access to their information and a provision to correct/update their data
• Customer acceptance of the privacy policy is taken before providing banking services
• Limitation imposed on collection and usage of PI (personal information)
• The policy clearly spells out the restriction on disclosure of the information to third parties
• Links to the policy are available on all important user-centric data forms
• Customer notification for changes in the policy
Data & Card Security

Card Data:
• Storing card data in log files only in encrypted form
• Encryption of stored authorization information
• Masking the card number (PAN) in all user communication and transaction notifications
• Card expiry date is not printed or stored at the merchant side
• The scope of card security is extended to the designated merchants also

Data Security:
• Involvement of process owners and lines of business is ensured in the data security initiatives
• For each partner/third-party relationship or process, awareness exists of how the data is managed across its life cycle
• Granular-level visibility exists over financial and sensitive data
• Uniformity of controls is maintained when data moves between different environments
• Data classification techniques have been deployed and are followed rigorously
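Two of the card-data practices above, masking the PAN in customer notifications and keeping card data out of cleartext logs, come down to the same control: a sanitizer applied to every string before it reaches a log file, an SMS or an e-mail body. The following Python snippet is an added illustration and is not part of the survey or the deck; the sample log line is constructed, and the PAN in it is a well-known test number. It finds 13-19 digit runs (with optional space or dash grouping), keeps only those that pass the Luhn checksum so that timestamps and reference numbers are left alone, and masks all but the last four digits while preserving the grouping.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally grouped with spaces or dashes,
# not adjacent to other digits (so a longer numeric id is not split up).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the all-digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits with '*', keeping separators."""
    digit_count = sum(ch.isdigit() for ch in pan)
    to_mask = digit_count - keep_last
    out, masked = [], 0
    for ch in pan:
        if ch.isdigit() and masked < to_mask:
            out.append("*")
            masked += 1
        else:
            out.append(ch)
    return "".join(out)


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid PAN in free text (log line, SMS, e-mail body)."""
    def _sub(match: re.Match) -> str:
        candidate = match.group(0)
        digits = re.sub(r"[ -]", "", candidate)
        if luhn_valid(digits):
            return mask_pan(candidate)
        return candidate        # fails Luhn: a timestamp or reference id, leave as is
    return PAN_PATTERN.sub(_sub, text)


# Constructed sample log line; 4111 1111 1111 1111 is a published test card number.
SAMPLE_LOG = ("2011-04-19 09:30:12 INFO txn ref=TXN0001 "
              "card=4111 1111 1111 1111 amount=1500.00 cust_phone=9876543210")


if __name__ == "__main__":
    print(redact_pans(SAMPLE_LOG))
    # card=**** **** **** 1111, everything else unchanged
```

Because the sanitizer sits in front of the log handler and the notification sender rather than in each calling site, the masking rule (last four digits only) is enforced uniformly, which is the "uniformity of controls" point from the Data Security column; the Luhn filter is what keeps it from mangling order numbers and timestamps.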
Application Security

Application Security Program:
• A mechanism to identify the criticality of each application
• Compliance requirements mapped to in-scope applications
• Application Security (AS) is derived from a well-defined security architecture
• AS is an integral part of application lifecycle management
• Lines of business are involved in AS initiatives
• A dedicated application security function exists
• AS is integrated with incident management
• Developer community involved in AS initiatives
• Mandating the vendors / third parties
• Security testing of applications includes code review
• Techniques such as threat modeling and threat trees are adopted

Tool Adoption:
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Enterprise tools to integrate security into the application lifecycle

Threat Tracking:
• Security research reports
• Subscribing to vulnerability and exploit databases
• Security forums on the Internet
• Subscribing to analyst reports
Incident, Fraud and Compliance

Incident & Fraud Management:
• Collaboration with external knowledge sources
• Collaborate with CERT-IN
• Scope has been extended to third parties
• Real-time monitoring mechanisms exist that can proactively detect anomalies
• Integrated with organization IT processes for remedial actions
• Mechanism to define detective and investigative requirements
• Inventory of all the possible scenarios that lead to incidents and fraud
• Mechanism that generates incidents based on patterns and business rule exceptions

Response to IT (Amendment) Act, 2008:
• Identify the personal information flow to the organization
• Support forensic capabilities
• Revising the organization's security policy
• Creating awareness amongst contractors/third-party employees
• Identifying and making an inventory of scenarios
• Developing strong forensic investigation capabilities
Benchmarking: Bank XYZ