How banks can frame an IT Security Strategy
Umesh Jain, President & CIO, Yes Bank, India

Challenges

  • Management Awareness

  • Employee Awareness

  • Focus on IT and Systems

  • Quantification of Risks

  • Costs & Budgets

Management Awareness

  • Success stories of other institutions, especially their business benefits

  • Easy-to-read independent research papers from select, credible and respected sources

    • Gartner, McKinsey, Forrester, etc.

  • IS Council comprising the leadership team

    • Being a member makes them interested and responsible

    • Highlight low-risk, high-cost items as well, and trade them off

    • Highlight high-risk, low-cost items and prioritize them

  • ISO/BS Certification, Awards

    • Customer and shareholder benefits

Management Awareness

  • News of other organizations’ failures and the implications for those organizations

    • An eye-opener, especially when contextualized

  • Dossiers on regulatory requirements

    • Benchmark your organization

  • Get IS Council to sign off on Risk Acceptances!

  • Independent Internal Audit

Employee Awareness

  • Training & Education

    • Make them interesting and interactive, with videos, etc.

    • Real life stories

    • Focus on both IT & non-IT

  • Periodic Quizzes

  • Periodic flyers

    • Make IS a top-of-mind subject

  • Rewards & Recognition

    • For compliance & leading from the front

Employee Awareness

  • Penalties

    • For non-compliance

    • Directly proportional to the severity of the issue

  • Surprise checks and ethical breach attempts

    • Clean desk audits

    • Password sharing

    • Any breach to be recorded and linked to performance management

Focus on Technology

  • The problem runs both ways: inside out and outside in

    • Mindsets of both IT and non-IT staff need to change

  • Awareness programs should focus on non-IT related security even more than IT related security

    • Data Classification of non-IT assets/documents

      • Information on pin-boards, walls, desks, drawers

    • Tailgating, password sharing

    • Physical security – Lock and Key!

    • Mobile devices

  • Awareness programs should talk about IT only to a limited extent, and in layman’s terms

  • CISO positioned outside IT management, with equal focus on non-IT

Quantification of Risks

  • Lack of historical or industry data or formal methods to quantify the IS Risk

    • Potential impact can vary from zero to unbounded

    • The realization of a single risk can be disastrous and may not be contained

    • Cost-benefit analysis (CBA) or ROI cannot be obtained; work on total cost of ownership (TCO) instead

    • Use industry benchmarks and apply a factor based on:

      • Scale

      • Maturity

      • Risk appetite

      • Model

      • Geographic spread

      • Product & service offering

Costs & Budgets

  • In-principle agreement on total spend on IS risk

    • As a % of Total Operating Expense

  • Work out a multi-year roadmap to accommodate budgets

  • Force-rank the risks that need to be prioritized

  • Outsourcing

    • Security as a Managed Service: brings in industry-wide expertise, economies of scale, and IPR tools bundled with the service

    • Security as a service

      • Pay per use models

    • Keep pace with the dynamically changing threat landscape

Key Success Factors

  • Leadership Direction and Management support

  • Close alignment with corporate culture

  • User awareness as security control

  • Consistent and standardized risk management processes supported by tools and technology

  • Measurable results

Initiatives at YBL

  • Information Security Council

    • Representatives from Yes Bank leadership team

    • Meets once a quarter

    • Think tank and decision-making forum

    • Strategic alignment with business

  • Identity and Access management

    • Unique identification on all systems

    • Automatic creation of IDs on joining and automatic deletion on exit

    • Semi-automated provisioning & de-provisioning

    • Automated quarterly entitlement reviews

    • Almost zero cost; simple, effective and efficient

    • All new applications to use LDAP features

    • File system security using Windows and Exchange
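The joiner/leaver automation and quarterly entitlement review described above, as an added Python example that is not Yes Bank's own code: it reconciles a constructed HR roster against a constructed directory export, flagging accounts to create or disable and entitlements that are stale or outside a role baseline. The department baseline, the 90-day review window and the sample data are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not real bank data): HR roster and a directory export.
HR_ROSTER = {
    # employee_id: (status, department)
    "E1001": ("active", "Treasury"),
    "E1002": ("active", "Operations"),
    "E1003": ("exited", "Operations"),  # leaver: account must be disabled
    "E1004": ("active", "Branch"),      # joiner: no directory account yet
}

DIRECTORY = {
    # login (one unique ID per person): (employee_id, enabled, groups, last_attested)
    "e1001": ("E1001", True, {"treasury-dealers", "domain-admins"}, date(2024, 1, 5)),
    "e1002": ("E1002", True, {"ops-makers"}, date(2024, 6, 20)),
    "e1003": ("E1003", True, {"ops-checkers"}, date(2024, 6, 20)),
    "svc-backup": (None, True, {"domain-admins"}, date(2023, 9, 1)),  # orphan, no HR owner
}

# Assumed role baseline: groups each department is expected to hold.
BASELINE = {
    "Treasury": {"treasury-dealers"},
    "Operations": {"ops-makers", "ops-checkers"},
    "Branch": set(),
}

REVIEW_WINDOW = timedelta(days=90)  # quarterly entitlement review cadence


def reconcile(hr, directory, today):
    """Return joiner/leaver/orphan actions and entitlements needing re-attestation."""
    known = {emp for emp, *_ in directory.values() if emp}
    actions = {"create": [], "disable": [], "review": []}
    # Joiners: active in HR but without a directory account.
    for emp, (status, _) in hr.items():
        if status == "active" and emp not in known:
            actions["create"].append(emp)
    for login, (emp, enabled, groups, attested) in directory.items():
        if not enabled:
            continue
        owner = hr.get(emp)
        if owner is None or owner[0] != "active":
            actions["disable"].append(login)  # leaver or orphaned account
            continue
        dept = owner[1]
        for group in sorted(groups):
            reasons = []
            if today - attested > REVIEW_WINDOW:
                reasons.append("stale")          # not attested this quarter
            if group not in BASELINE.get(dept, set()):
                reasons.append("outside-baseline")  # privilege the role should not hold
            if reasons:
                actions["review"].append((login, group, "+".join(reasons)))
    return actions


def run_example():
    """Run the reconciliation on the constructed data as of a fixed review date."""
    return reconcile(HR_ROSTER, DIRECTORY, date(2024, 7, 1))
```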

Initiatives at YBL

  • Comprehensive Coverage

    • Employees, consultants, etc.

    • Internal Reviews and Independent Audits

    • Third Party Information Security Assessments

    • IS involved in the project lifecycle, with sign-offs at various stages

    • Data classification of non-IT Assets

  • Robust Processes

    • SIRT (Security Incident Response Team), risk acceptances, deviations

    • Reviews and surprise audits

    • Hardening Standards & Deviations

Initiatives at YBL

  • Outsourcing

    • Managed Services

    • One-man CISO team

    • Cost efficient (70% savings, no capex)

    • Effective

      • Best practices

      • Reacting to the dynamically changing threat landscape

      • Tools for management

  • First movers

    • Dual-factor authentication