PROMOTING DATA PROTECTION
A NASSCOM® Initiative
Handling Computer Security Incidents
In association with
Under the Cyber Security Awareness Program of DIT-NASSCOM
State of Data Security and Privacy in the
Indian Banking Industry
DSCI-KPMG Survey 2010
Data Security Council of India (DSCI) is a section 25, not-for-profit company, set up by NASSCOM as an independent Self Regulatory Organization (SRO) to promote data protection, develop security and privacy codes & standards and encourage the IT/BPO industry to implement the same.
For more information about DSCI or this report, contact:
DATA SECURITY COUNCIL OF INDIA
Niryat Bhawan, 3rd Floor, Rao Tula Ram Marg, New Delhi - 110057, India
Phone: +91-11-26155070, Fax: +91-11-26155072
Email: [email protected]
Published in February 2011
Copyright © 2011 DSCI. All rights reserved.
Disclaimer
This document contains information that is Intellectual Property of DSCI. DSCI expressly disclaims, to the maximum limit permissible by law, all warranties, express or implied, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose and non-infringement. DSCI disclaims responsibility for any loss, injury, liability or damage of any kind resulting from and arising out of use of this material/information or part thereof. Views expressed herein are views of DSCI and/or its respective authors and should not be construed as legal advice or legal opinion. Further, the general availability of information or part thereof does not intend to constitute legal advice or to create a Lawyer/Attorney-Client relationship, in any manner whatsoever.
Message from CERT-In
Rapidly globalizing world economies invite financial transactions across borders. Increasingly, financial assets exist in the form of digitized information that constantly changes location and may reside anywhere in the world. The security of this digitized information gains prominence due to its susceptibility to compromise in cyberspace. It is natural for banks to rely heavily on IT in this information age and, as a consequence, banks are required to ensure the safety of the information, even as individuals, the end users, may not be so aware and alert about security.

DIT has sponsored the DSCI annual security surveys of the IT/BPO companies in India for the last couple of years. In view of the increasing importance of security in the banking sector, DIT supported DSCI's decision to conduct separate security surveys for the BPO and the banking sector. As before, this survey has been conducted through KPMG, in association with CERT-In. The objective of the DSCI-KPMG security survey was to identify the information security concerns and initiatives in the banking sector. The survey will also help us appreciate the sector's understanding of the privacy protection requirements under the amended Information Technology Act.

It is a matter of satisfaction for us that several banks came forward to participate in this survey. The findings offer an insight into the banking sector and help establish a ground for improved data security and privacy protection.

Dr. Gulshan Rai
DG, CERT-In
Message from DSCI
Information Management is increasingly becoming the very core of banking operations. As more and more financial transactions are conducted without the use of currency, it is only information that is exchanged instead of real money. Electronic banking makes use of the Internet, ATMs, mobiles and a number of other devices, which have already changed the face of banking. Information is clearly one of the more important assets of a bank. It has to be protected to establish and maintain trust between a bank and its customers, even as it complies with, and demonstrates compliance to, regulations.

Information technology has graduated from being a business enabler to a business driver. Information security is a key function of an organization that enables other business functions to perform their activities effectively. Information security objectives continue to be confidentiality, availability and integrity of information, with accountability and assurance that can be demonstrated.

Banks are at the forefront of using cutting edge IT, and information security technology and processes similar to those in the IT/BPO sector. This year, DSCI, in consultation with the Department of Information Technology, Government of India, decided to conduct separate security surveys for the BPO and the banking sector. The survey questionnaire has been specifically designed for the banking industry. The objective was to see how technologies are helping banks meet customer service expectations, and how they are using technologies and processes to meet the challenge of hackers and cyber criminals. Banks need to continuously create security awareness among customers, who are availing of online banking services and, unlike in the BPO sector, are not employees but part of the larger population in the country. The survey covers the following areas of data security and privacy: positioning of security and privacy, transaction security, customer centric security initiatives, maturity & characteristics of key security disciplines such as 'Threat & Vulnerability Management', impact of IT (Amendment) Act, 2008, amongst others.

It was gratifying to see that banks from the public sector, private sector and the foreign banks responded enthusiastically to the survey questionnaire. The survey provides some very interesting and in-depth insights. For example, it is interesting to note that with increased digitization of customer information, increased levels of customer awareness on privacy and notification of IT (Amendment) Act, 2008, privacy has emerged as an important focus area for the banks in India, though it is yet to be factored into the banking ecosystem through implementation of a comprehensive privacy program. Such findings were possible because of the granularity in the design of the questionnaire.

We believe that the survey results will be of use to the banking industry in improving their state of data security and privacy protection.

Dr. Kamlesh Bajaj
CEO, DSCI

Message from KPMG
Banking and Information Technology can hardly be separated. This is one such industry which not only depends on technology, but where technology has contributed to its immense development and proliferation. It may not be untrue to conclude that the effectiveness of technology implemented at a bank could determine its profitability and growth potential. Since most business operations can simply be accomplished with information exchange, the need to protect the integrity of information is of paramount importance. This is why security has to be part of the service delivery and an important hygiene, rather than being a point of differentiation.

The unique aspect of information security in the banking industry is that the security posture of a bank does not depend solely on the safeguards and practices implemented by the bank; it is equally dependent on the awareness of the users using the banking channel and the quality of end-user terminals. This makes the task of protecting information confidentiality and integrity a greater challenge for the banking industry.

The survey reveals that the industry is aware of the challenges it faces and is reasonably prepared to safeguard itself from traditional threats. Since the banking industry of India has grown at a steady pace over the last several years and has also stood tall during the global meltdown, experts attribute this stability in part to stronger governance and regulatory control. It is important to note that the Indian banking regulator (RBI) has generally been proactive in advising banks on issues relating to security and has acted as an important institution in driving the importance of this matter at the level of the Board of Directors. This has also remained a primary driver for the industry to maintain high standards of information security.

The survey indicates that data governance processes so far have focused on the integrity of data, but there is a need to increase efforts in the direction of data privacy. With the IT (Amendment) Act providing stronger penalties for breaches of personal data, the banking industry will certainly get impacted and therefore there is a case for stronger focus on this dimension going forward.

With newer delivery channels and increased extension of banking boundaries, there is an equal increase in threats. While banks continue to remain focused on ensuring security of information and protection of personally identifiable information, growth of these new channels will be driven by increased customer confidence and the innovative security practices which banks undertake to make banking secure, yet convenient.

We are pleased to be a part of this one-of-its-kind survey, which attempts to highlight the current state of information security and privacy in the banking industry in India. With these insightful survey findings, banks should be able to learn and adopt best practices. We hope that the survey will also help banks benchmark their security and privacy practices with those of the industry players and also help develop roadmaps for enhancing the security posture.

We thank all the participants of this survey for their valuable time and insights to make this survey meaningful for the industry.

Akhilesh Tuteja
Executive Director, KPMG in India
Contents
Highlights
Introduction
Data Security and Privacy
Security Governance
Security in Service Delivery
Internal Processes
Regulatory Requirements
Way Forward
Highlights
The survey provides insights into the data security and privacy environment of the Indian banking industry. There is evidence that validates general perceptions about security and privacy practices, and then there are some outliers that do not align with the seemingly obvious.
• External threats and the increasing usage of online and mobile channels, along with regulatory requirements, are driving banks in India to invest in information security.
• Banks draw on international standards such as ISO 27001 to establish their security function. However, there is a need to focus on proactive mechanisms such as threat modeling and to bring innovation into security initiatives.
• Information security is still seen as an IT-centric function, with the CISO reporting to the CTO/CIO of the bank.
• Absence of collaboration and synergy between the Security and Fraud Management functions leaves a significant gap in banks' efforts to curb financial fraud.
• Customer awareness of information security, along with insecure customer end points, is one of the most significant challenges faced by the banks.
• CISOs are still spending significant time on operational activities, making it difficult to focus on strategic initiatives.
• When executing security-related responsibilities, the focus is still on in-house resources, except for a few specialized areas such as application security testing.
• Privacy has started to gain relevance with increased customer awareness and the introduction of the IT (Amendment) Act, 2008 (ITAA 2008), but measures advocated for customers' privacy protection are yet to be implemented by many banks.
• The adoption of measures strongly advocated for transaction security, such as One-Time Passwords (dynamic tokens), identity grids and risk-based authentication, is still at a nascent stage.
• Security of card transactions is lagging: even basic measures for ensuring card security have not been adopted by many of the banks.
• Managing security is more challenging in online banking and phone (IVR) banking than in other service delivery channels.
• The majority of banks continue to depend largely on incidents being reported by their customers and/or employees, highlighting the need for a real-time, automated and intelligent incident management mechanism.
• ITAA 2008 is becoming a significant driver for investments in technology solutions.
Introduction
The Information Technology (IT) revolution has ushered in a paradigm shift in the banking industry. The model of banking has transformed from brick and mortar to all-pervading 'Anywhere and Anytime Banking'. Though the fundamentals of banking may have remained the same, customers' perception of 'value' and, therefore, 'business models' are evolving at an ever increasing pace. Today, if a bank can assure its customers of a viable 24x7 interface, it has the hope of retaining them for longer.

IT has evolved and enabled the industry in many domains: customer service, enhanced product delivery, cross-selling, multi-channel real-time transaction processing, minimal transaction costs and increased operational efficiency, thereby impacting overall profitability and productivity in the sector. The fast evolving technology trends in the sector have blurred the boundaries of information ecosystems to include service providers and customers. To illustrate, in an electronic card payment system, data is directly accessed and processed by customers, service providers and other partner institutions. While this integrated environment has greatly enhanced the service capability of banks and the experience of customers, it has introduced a new gamut of risks.

In the currently prevailing global economic conditions, organized threats are increasingly being perpetrated against financial institutions. In line with expectations, survey results indicate that banks are constantly exposed to sophisticated, organized and financially motivated threats. The increasing targeting of customers through phishing, vishing (voice phishing) and smishing (SMS phishing) attacks is also an important element of the threat landscape.

The banking industry, recognizing these risks, has taken several initiatives in the area of cyber security and data protection. Governments and regulators have introduced mandatory guidelines and protocols for the security and privacy of data. Some of these initiatives include the IT (Amendment) Act 2008, the Guidelines for Information Systems Security/Audit-2001, RBI's guidelines on Mobile Banking and Pre-paid Value Cards, and RBI's guidelines on Internet Banking.

Data Security Council of India (DSCI) and KPMG in India, under the aegis of CERT-In (DIT), jointly conducted a survey to assess the current state of data security and privacy practices adopted by the Indian banking industry and to gain insight into how the industry is addressing these concerns.

As part of this initiative, 20 banks were surveyed, covering the following areas:
• Positioning of security and privacy in banking organizations: analyzing the CISO's role and the tasks performed by the security organization
• Transaction security, customer-centric security and privacy, emerging threats, card security and payment gateway security
• Maturity and characteristics of key security disciplines such as 'Threat & Vulnerability Management', 'Application Security' and 'Incident Management', in the wake of rising cyber crime
• Strategic options adopted by banks in Business Continuity and Disaster Recovery
• Impact of the IT (Amendment) Act, 2008 on the banking industry
• Evolution of Physical Security and its integration with Information Technology

In order to ensure that the survey results represent the industry at large, we interviewed CISOs and their equivalents across the industry.

The survey results highlight trends and insights into the state of data security and privacy in the industry: many 'generally known' practices are validated, yet certain unexpected insights are revealed. The survey reveals that 'Data Security' and 'Data Privacy' in banks are driven by ITAA 2008 and stringent regulatory requirements from the Central Bank. The survey further indicates that banks in India are lagging in areas like security of card transactions compared with their global counterparts.
Information Technology (IT) revolution has ushered a paradigm shift in the banking
industry. The model of banking has transformed from brick and mortar to all-
pervading through ‘Anywhere and Anytime Banking’. Though the fundamentals of
banking might have remained the same, customers’ perception of ‘value’ and,
therefore, ‘business models’ are evolving in an ever increasing velocity. Today, if a
bank can assure its customer of a viable 24X7 interface, it has the hope of
retaining the customer for longer time.
IT has evolved and enabled the industry in many domains vis-à-vis customer
service, enhanced product delivery, cross-sell, multi-channel real time transaction
processing, minimal transaction costs, and increased operational efficiency,
therefore, impacting the overall profitability & productivity in the sector. The fast
evolving trends of technology in the sector have blurred the boundaries of
information ecosystems to include service providers and customers. To illustrate,
in an electronic card payment system, data is directly accessed and processed by
customers; service providers as well as other partner institutions. While, this
integrated environment has exponentially enhanced the service capability of
banks and experience of customers, it has introduced a new gamut of risks.
In the currently prevailing global economic conditions, organized threats are being
increasingly perpetrated against financial institutions. In line with expectations,
survey results indicate that banks are constantly being exposed to sophisticated,
organized and financially motivated threats. Increasing targeting of customers
through phishing, vishing, smishing attacks is also one of the important elements
of threat landscape.
Banking industry, recognizing these risks, has taken several initiatives in the area
of cyber security and data protection. Governments and Regulators have
introduced mandatory guidelines and protocols towards security and privacy of
data. Some of the initiatives include: The IT (Amendment) Act 2008, Guidelines
for Information Systems Security/Audit-2001, RBI’s guidelines on Mobile Banking
and pre-paid Value Cards and guidelines on Internet Banking.
Data Security Council of India (DSCI) and KPMG in India, under the aegis of CERT-
In (DIT), jointly conducted a survey to assess current state of data security and
privacy practices being adopted by the Indian Banking industry and to gain
insights into how the industry is addressing the concerns.
03
As part of this initiative, 20 banks were surveyed covering the following areas:
?Positioning of security and privacy in the banking organizations - analyzing
CISO’s role and the tasks performed by the security organization
?Transaction security, customer centric security and privacy, emerging
threats, card security & payment gateway security
?Maturity and characteristics of key security disciplines such as ‘Threat &
Vulnerability Management’, ‘Application Security’ and ‘Incident
Management’ in the wake of rising cyber crimes
?Strategic options adopted by banks in Business Continuity and Disaster
Recovery
?Impact of IT (Amendment) Act, 2008 on the Banking industry
?Evolution of Physical Security and its integration with Information
Technology
In order to ensure that the survey results represent the industry at large, we
interviewed CISOs and their equivalents across the industry.
The survey results highlight trends and insights into the state of data security and
privacy in the industry – many ‘generally known’ practices are validated, yet certain
unexpected insights are revealed. The survey reveals that ‘Data Security’ and ‘Data
Privacy’ in banks are driven by ITAA 2008 and stringent regulatory requirements from
the Central Bank. The survey further indicates that banks in India lag behind their
global counterparts in areas such as the security of card transactions.
Data Security and Privacy
Finding its place
Survey reveals that ‘Data Security’ in banks continues to be driven by External Threats and Regulatory Requirements, whereas ‘Data Privacy’ is slowly beginning to gain relevance. Information Security is still seen as an IT-centric function with minimal coordination with the Fraud Management function. Lack of customer awareness of information security and the threat from insecure customer end points are key challenges faced by the banks.
Drivers for data security
External threats, the increasing usage of online and mobile channels, and dependency
on third parties are driving banks in India to invest in information security.
There has been a conscious effort by the Central Bank to emphasize the need for
information security by providing frameworks and guidelines. In addition, the IT
(Amendment) Act, 2008 has laid the foundation for strengthening cyber security and
data protection in India. This will have implications for the existing regulatory
landscape of the banking industry, especially with the introduction of section 43A,
which mandates that body corporates implement ‘reasonable security practices’ for
protecting ‘sensitive personal information’.
Chart: Drivers (Data security) (% respondents), rated Critical / Important / Less Important. The bar values were not preserved in this copy of the report.
Characteristics of security initiatives
The focus of security initiatives appears to be concentrated on keeping continuous
vigilance over security issues and vulnerabilities and on reviewing the environment
against new-age threats. Almost two-thirds of the respondent banks draw inputs from
international standards such as ISO 27001 to establish their security function and
have mechanisms for conducting regular risk assessments. However, banks need to
focus more on proactive mechanisms such as threat modeling and bring innovation
into their security initiatives to address evolving challenges. In light of the increasing
sophistication of new-age threats and the rising complexity of the banking
environment, some banks have started to collaborate with external and internal
sources for information security.
Security function
Information security is predominantly a central function in banks. This reflects the
ongoing consolidation of banking infrastructure and the adoption of core banking
solutions. The involvement of business functions, through representatives coordinating
security in their respective units, seems to be lacking. It is interesting to note that
information security has no or minimal role in fraud management. This silo between
the security and fraud management roles would leave a significant gap in banks’ efforts
to curb financial fraud, as security compromises are a tool for committing financial fraud.
Information security is still seen as an IT-centric function, with almost half of the
respondents indicating that the CISO reports to the CTO/CIO of the bank. In contrast
to the global trend of positioning security as an important corporate function, CISOs
of banks in India do not seem to have acquired a corresponding position in the
organizational hierarchy, as only a few of them report to their CEOs/COOs/EDs.
Although privacy has emerged in the discussion landscape in India, its reflection in
organizational response is still not visible. The survey reveals this: 80% of the banks
do not have a separate privacy function.
Characteristics of security initiatives (% respondents)

| Characteristic | % |
| --- | --- |
| Continuous vigilance on evolving security issues and vulnerabilities | 100 |
| Constant review of the environment is undertaken to assess security posture in the wake of new threats and vulnerabilities | 90 |
| Risk assessment is carried out | 75 |
| Security strategy plan follows Plan-Do-Check-Act approach | 70 |
| Risk metrics adopted is: Qualitative | 70 |
| Organization’s security takes major strength from ISO 27001 certification and processes | 65 |
| Security solutions are provided with an architectural treatment | 65 |
| Significant effort dedicated on compliance documentation | 60 |
| Top management is aware of the risks and liabilities at granular level | 60 |
| Enterprise portal is used to manage security requirements, enforce policies, educate employees and report security incidents | 60 |
| Review of all applicable regulations/circulars till date has been performed at a granular level for compliance | 60 |
| Management reporting involves non-compliance to ISO 27001 standards | 50 |
| Significant efforts are dedicated to ensure collaboration with external sources and internal functions | 45 |
| Security officers’ main role is to ensure compliance with ISO 27001 | 40 |
| Risk metrics adopted is: Quantitative | 40 |
| Specific focus is given to innovation in the security initiatives | 40 |
| Techniques such as threat modeling, threat tree, and principles such as embedding ‘security in design’ are proactively adopted | 35 |

Positioning of security function (% respondents)

| Positioning | % |
| --- | --- |
| Central security function | 95 |
| Fraud Management handled by separate group | 47 |
| Central security function for monitoring remote information processing locations | 25 |
| Primary role in fraud management | 16 |
| Each Line of Business has a representative | 15 |
| Spread across different geographical locations | 10 |

CISO reporting (% respondents)

| CISO reports to | % |
| --- | --- |
| Chief Information Officer (CIO) / Chief Technology Officer (CTO) | 50 |
| Chief Risk Officer (CRO) | 25 |
| Executive Director (ED) | 10 |
| Chief Financial Officer (CFO) | 5 |
| Chief Operating Officer (COO) | 5 |

Size of security team (% respondents)

| Team size | % |
| --- | --- |
| Less than 10 | 75 |
| 10-20 | 10 |
| More than 20 | 15 |

Size of privacy team (% respondents)

| Team size | % |
| --- | --- |
| Not Applicable | 80 |
| Part of security teams | 10 |
| 2-5 people | 10 |

Separate privacy function (% respondents): Yes 20%, No 80%
Drivers for data privacy
Data privacy in India is slowly beginning to gain relevance. Customers are becoming aware
of, and increasingly conscious of, their rights and the banks’ obligations towards the
protection of personal information. The IT (Amendment) Act, 2008 outlines the need for
stronger data protection measures for customer as well as employee data privacy. The
survey results indicate that the reputational and financial loss arising out of a data breach
is also driving the importance of data privacy in banks.
Characteristics of banks' privacy initiatives
Banks must align internal policies and procedures, and deploy technology safeguards, to
protect sensitive personal information. Survey results reveal that an understanding of data
privacy in the banking sector is beginning to emerge, with a little more than half of the
respondents being aware of privacy principles and of the roles and entities for data
protection. However, data privacy has not yet fully permeated the banking sector. The
implementation of specific measures such as the formulation of privacy policies, privacy
impact assessments and the embedding of data privacy in business processes has not
gained significant traction.
Major challenges faced by banks
Information security in banking has assumed significant importance, and the top
management of banks in India is fully committed to providing support. The survey reveals
that banks in India do not feel constrained by inadequate budgets or technical skills for
information security. However, the increasing omnipresence of banking services and the
endeavor to enhance customer experience undermine the security posture.
One of the most significant information security challenges highlighted by the banks in the
survey is the lack of customer awareness of information security and the threat from
insecure customer end points. The boundary-less cyber space exposes banks to
internationally organized crime and new-age threats. Further, as banks increasingly work
with third parties and share business information in the process, the management of
third-party risks is also becoming a challenging task.
Factors driving data privacy (% respondents)

| Factor | Critical | Important | Less Important |
| --- | --- | --- | --- |
| Rising concerns of end customers / consumers | 60 | 35 | 5 |
| Direct and indirect financial loss arising out of a data breach | 60 | 35 | 5 |
| Increased digitization of personal information of customers | 55 | 35 | 10 |
| Bad publicity in the media in case of a data breach | 53 | 37 | 10 |
| ITAA 2008 requirements | 50 | 30 | 20 |
| Protecting privacy of employee data | 42 | 42 | 16 |
| Global data protection regulations | 32 | 42 | 26 |

Characteristics of banks' privacy initiatives (% respondents)

| Characteristic | % |
| --- | --- |
| There exists an understanding of different roles and entities that exist for data protection (data subject, data controller, data processor, etc.) | 58 |
| Significant level of understanding exists about Privacy Principles and their applicability | 53 |
| Organization’s processes are reviewed regularly from privacy perspective | 47 |
| Organization has a dedicated policy initiative for privacy | 42 |
| Specific technology, solutions and processes are deployed for privacy | 32 |
| The scope of audit charter is extended to include privacy | 32 |
| Privacy has just appeared on the organization’s agenda | 32 |
| Focus on embedding privacy in the design of systems and processes | 26 |
| Privacy is seriously lacking as compared to security | 26 |
| Privacy impact assessment is performed whenever new initiatives are undertaken | 16 |

Major challenges faced by banks (% respondents)

| Challenge | Critical | Important | Less Important |
| --- | --- | --- | --- |
| Lack of end customer’s awareness on threats and vulnerabilities | 89 | 11 | 0 |
| Increasing threats from insecure customers’ end points | 84 | 16 | 0 |
| New age threats and vulnerabilities | 79 | 16 | 5 |
| Organized and international nature of cyber crimes targeted against the banking industry | 78 | 22 | 0 |
| Managing third party risks | 65 | 35 | 0 |
| Rising complexity of the transactions that expand possibilities of attack | 60 | 40 | 0 |
| Difficult to get a uniform level of assurance from various service delivery channels | 47 | 47 | 5 |
| Increased volume and complexity of data heavy transactions | 50 | 33 | 17 |
| Endeavor to enhance customer experience, undermining security posture of the bank | 50 | 33 | 17 |
| Non seriousness of employees for security and privacy related initiatives | 47 | 41 | 12 |
| Meeting multiple regulatory requirements | 45 | 35 | 20 |
| Business exigencies take precedence over security | 41 | 47 | 12 |
| Business demand for flexibility complicating underlying infrastructure | 39 | 56 | 6 |
| Managing competence of the staff to withstand evolving challenges | 32 | 58 | 11 |
| Lack of support from top/senior management | 27 | 33 | 40 |
| Inadequacy of technical skill | 19 | 56 | 25 |
| Inadequate budget allocation for data security & privacy | 14 | 36 | 50 |
Security Governance
Security tasks (% respondents)

| Area | Business Manager | Corporate Compliance | CISO | IT Security | IT Infra Team | Audit Team | External Consultant | External Service Provider |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Security gap/baseline assessment | 11% | 0% | 39% | 56% | 11% | 39% | 22% | 11% |
| Security strategy plan | 5% | 0% | 84% | 37% | 0% | 5% | 16% | 0% |
| Security requirements of business | 22% | 11% | 78% | 44% | 0% | 0% | 6% | 0% |
| Preparing security policies & procedures | 5% | 5% | 84% | 47% | 0% | 5% | 16% | 5% |
| Implementation of the policies & procedures | 22% | 6% | 61% | 67% | 33% | 17% | 6% | 6% |
| Defining & managing the security architecture | 0% | 0% | 68% | 63% | 42% | 5% | 5% | 5% |
| Compliance reporting to clients | 0% | 0% | 50% | 0% | 25% | 25% | 0% | 0% |
| Advisory to the relationship vis-à-vis data security and privacy issues | 0% | 11% | 74% | 37% | 5% | 5% | 11% | 0% |
| Security solutions evaluation and procurement | 0% | 5% | 68% | 63% | 32% | 0% | 5% | 0% |
| Install security solutions, products and tools | 0% | 6% | 33% | 61% | 56% | 0% | 6% | 11% |
| Administration of security technologies - Antivirus, Patch Mgmt, IPS, Firewall, etc. | 0% | 5% | 25% | 55% | 55% | 0% | 0% | 15% |
| Security testing - VA and PT | 0% | 5% | 30% | 45% | 10% | 20% | 15% | 15% |
| Application security testing, code review, etc. | 0% | 5% | 26% | 42% | 16% | 21% | 11% | 26% |
| Conducting and managing internal audits/assessments | 0% | 0% | 22% | 33% | 6% | 83% | 11% | 6% |
| Security monitoring | 0% | 0% | 63% | 63% | 11% | 5% | 0% | 16% |
| Security authorization of change requests | 11% | 0% | 56% | 50% | 17% | 0% | 0% | 6% |
| Report, investigate and close security incidents | 6% | 11% | 67% | 50% | 11% | 11% | 0% | 6% |
| Keep track of the evolving threats and vulnerabilities | 6% | 0% | 89% | 44% | 11% | 0% | 0% | 11% |
| Strategies for protecting the organization against new threats and vulnerabilities | 6% | 0% | 100% | 39% | 6% | 0% | 0% | 6% |
| Keep track of the evolving regulatory requirements | 6% | 44% | 78% | 22% | 6% | 11% | 0% | 0% |
| Participate in initial client meetings to understand clients' security requirements | 14% | 0% | 71% | 57% | 14% | 7% | 7% | 0% |
| Administration & testing BCP/DR plans | 50% | 0% | 60% | 25% | 50% | 5% | 0% | 0% |

Security tasks
The age-old adage “Security is everyone’s responsibility” is beginning to be realized in
the banking sector in India. While most information security responsibilities lie with
the dedicated information security teams of the banks, business users, compliance and
audit teams are important contributors. The division of work between IT Infrastructure,
IT Security and the CISO is well aligned with their responsibilities.
Except for Business Continuity and Disaster Recovery Planning, the involvement of
business in security initiatives, especially in defining the security requirements of their
business and the security strategy plan, is surprisingly minimal.
The banks do not seem too keen on availing the services of external consultants and
service providers, except for specialized services such as application security testing,
gap assessment, VA/PT and security policy formulation.
Where do we focus
Survey reveals that there seems to be a lack of understanding of CISOs’ roles and responsibilities, because CISOs are spending their time on all security-related activities irrespective of their strategic importance. It also reveals that banks avail the services of external consultants and service providers essentially for certain specialized services.
CISO spends time on
There seems to be a lack of clarity on CISOs’ roles and responsibilities. Survey responses
indicate that CISOs are spending their time across both strategic and operational
activities, which may leave them short of time and pose a challenge to using it
effectively. Ideally, the CISO should be a business leader who engages in communicative,
collaborative and integrative activities rather than operational tasks.
CISO spends time on (% respondents)

| Activity | Significant | Not Significant | Not Responsible |
| --- | --- | --- | --- |
| Review & respond on security alerts, incidents, issues | 95 | 5 | 0 |
| Review security reports | 90 | 10 | 0 |
| Issue guidelines to enterprise units | 90 | 5 | 5 |
| Review reports of security scan, assessment and audits | 85 | 15 | 0 |
| Plan for remedial measures | 85 | 15 | 0 |
| Oversee security policy enforcement & non-compliance issues | 85 | 10 | 5 |
| Check for new issues, threats and vulnerabilities | 85 | 10 | 5 |
| Prepare reports for higher management’s consumption | 84 | 16 | 0 |
| Oversee security projects | 80 | 15 | 5 |
| Convene a meeting of security forum | 80 | 10 | 10 |
| Interact with IT teams | 70 | 20 | 10 |
| Oversee security training of employees | 68 | 27 | 5 |
| Review state of security in service delivery channels | 65 | 30 | 5 |
| Participate in business strategy meetings | 63 | 32 | 5 |
| Review and approve change request | 47 | 42 | 11 |
| Approve official request of reporting officers | 47 | 41 | 12 |
| Interact with support functions for enforcing measures | 40 | 55 | 5 |
Security in Service Delivery
Customer centric security initiatives
As expected, the survey reveals that basic hygiene factors such as enforcement of a
password policy, password change at first login, account lockout and session timeout
have been implemented across all banks for end-customer applications. However,
some of these banks do not enforce password expiry after a stipulated time.
Technology systems in 37% of the surveyed banks require the download of external
application systems or mobile code, leading to a higher probability of unpatched
vulnerabilities. Interestingly, banks are beginning to adopt security measures such as
captcha implementation at login.
Customer centric security initiatives (% respondents)
100  Password policy is enforced
100  Password change at first login is mandated
100  Account locking after unsuccessful attempts
100  Session timeout after stipulated time
 95  Use strong SSL certificate
 84  Strong logout process (e.g. closing browser window to delete the cache)
 79  System generated unique ID for account access
 79  Password expiry after stipulated time is implemented
 63  Password hashed while sending the HTTP request
 58  Password policy is guiding in nature
 47  User selected ID for account access
 37  ActiveX control is required to be installed on the customer machine
 37  External application like JRE (Java Runtime) required to be installed on the customer machine
 21  CAPTCHA implementation at login
Educate and communicate
The survey reveals that banks have recognized that customer awareness of security issues is not only a hygiene factor but also a key pillar of information security. The survey also reveals that banks in India are lagging in the security of card transactions.
Solution for security of transactions
Against the backdrop of increasing external threats to the security of banking transactions, it is worth noting the security measures banks have implemented for key transaction types. While measures such as SMS alerts, a separate transaction password and a virtual keyboard are comparatively popular, adoption of the strongly advocated measures, One-Time Password (dynamic token), identity grid and risk-based authentication, is still at a nascent stage.
Customer education and awareness
Banks have recognized that customer awareness of security issues is not only a hygiene factor but also a key pillar of information security. All of the banks publish Do's and Don'ts for secure transactions on their websites. It is encouraging that a number of banks have begun to use public media and forums to spread awareness, a direction other banks are likely to follow.
Customer education and awareness (% respondents)
100  Publishing do's and don'ts for secure transactions
 95  Special instructions for avoiding phishing
 74  Publishing consumer centric security policy on the bank's website
 68  Publishing security messages on different communication channels
 53  Providing a demo for secure usage of banking services
 53  Spreading awareness through public forums
 47  Real time security messages while executing transactions
 37  Conducting dedicated customer awareness programs
 21  Spreading awareness through public media
Customer centric privacy initiatives
Measures advocated for protecting customers' privacy, such as a privacy policy on the corporate website, a link to the privacy policy on user data forms, restrictions on disclosure of information to third parties and notice to customers of changes in the policy, are not being widely adopted by banks in India.
Customer centric privacy initiatives (% respondents)
 63  Contact details are available for customers to report any breach
 53  Users are given access to their information and provision to correct/update their data
 47  Customer acceptance of the privacy policy is taken before providing banking services; the privacy policy clearly states the limitations imposed on collection and usage
 42  Privacy policy is displayed on the corporate website of the bank
 37  The policy clearly spells out the restrictions on disclosure of information to third parties
 26  Links to the policy are available on all important user centric data forms
 26  The policy lists the security countermeasures deployed to secure the information
 11  Customers are notified of changes in the policy
…
Solution for security of transactions (% respondents)
Columns: (a) Login ID/Password, (b) Virtual keyboard, (c) Risk based authentication, (d) Separate transaction password, (e) Dynamic token (OTP), (f) Identity grid, (g) SMS verification, (h) SMS alert

Task                               (a)   (b)   (c)   (d)   (e)   (f)   (g)   (h)
Account login                      89%   67%   11%   28%   11%   11%   17%   28%
Checking A/C statements            88%   47%    0%    6%    6%    0%    0%    0%
Register payee                     78%   56%    6%   39%   22%    6%   44%   50%
Profile change                     88%   56%    6%   31%   13%    6%   19%   38%
Money transfer to self account     82%   53%    0%   47%   18%    6%    0%   59%
Money transfer to other's account  76%   59%    6%   65%   29%    6%   24%   71%
Paying utility bills               65%   53%    0%   47%   18%    6%   18%   47%
Online purchases                   76%   53%    6%   59%   12%   12%   18%   65%
Service                            82%   59%    0%   24%    6%    6%    0%   29%
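The table lists a dynamic token (OTP) among the transaction controls but, being a survey, does not show what verifying one involves on the bank's side. The following Python block is an added example written for this edit, not code from the survey or from any bank. It implements the HOTP algorithm of RFC 4226 (HMAC-SHA1 over an event counter with dynamic truncation) and a server-side verification routine that tolerates a customer having pressed the token button a few times without logging in (a look-ahead window), advances the counter past any accepted code so a captured code cannot be replayed, and locks the token after repeated failures. The `TokenRecord` class, the window size and the lockout threshold are assumptions made for the example; the secret used in the usage block is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct

DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class TokenRecord:
    """Server-side state for one customer's token (an assumed layout, not from the survey)."""

    def __init__(self, secret: bytes, counter: int = 0, max_failures: int = 5):
        self.secret = secret
        self.counter = counter          # next counter value the server will accept
        self.failures = 0
        self.max_failures = max_failures
        self.locked = False


def verify_hotp(record: TokenRecord, submitted: str, look_ahead: int = 10) -> bool:
    """Accept a code generated at any of the next `look_ahead` counter values.

    On success the counter moves past the matched value, so an accepted code
    (or any earlier code an attacker captured) can never be accepted again.
    Repeated failures lock the token; unlocking is left to a separate process.
    """
    if record.locked:
        return False
    if submitted.isdigit() and len(submitted) == DIGITS:
        for offset in range(look_ahead):
            expected = hotp(record.secret, record.counter + offset)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                record.counter += offset + 1
                record.failures = 0
                return True
    record.failures += 1
    if record.failures >= record.max_failures:
        record.locked = True
    return False


if __name__ == "__main__":
    rec = TokenRecord(b"12345678901234567890")          # RFC 4226 test key
    print("first code:", hotp(rec.secret, 0))           # 755224 per RFC 4226 Appendix D
    print("accept 287082:", verify_hotp(rec, "287082"), "counter ->", rec.counter)
    print("replay 287082:", verify_hotp(rec, "287082"))
```

The look-ahead window is what makes an event-based token usable in practice, and it is also the only place an attacker can guess: with a window of ten and six digits a random guess succeeds with probability about 10 in a million per attempt, which is why the failure counter and lockout belong in the same routine rather than in a separate policy layer.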
Security of Payment Gateway
The central concern for a payment gateway is protecting sensitive card data, in particular the card number, throughout the transaction. The survey reveals that most of the respondent banks have taken steps to secure the payment gateway application programming interface and the communication channel through the use of appropriate security protocols. Banks also encrypt the card number and other confidential card information in storage and in transit, and conduct periodic security testing of the underlying payment infrastructure.
Security of Payment Gateway (% respondents)
 93  Ensure communication channel security through a secure protocol
 93  Encryption of card information during transmission and storage
 93  Security is ensured in the payment gateway API
 87  No storage of authorization information: CVV2 value/PIN
 87  Regular security testing of the underlying infrastructure is performed
 80  Enforce input validation for user data entries
 73  Sensitive data captured in the variables for authorization is not stored by the entities that are involved in the transaction
 73  Assuring message integrity during transit
 60  Web services that facilitate execution of the transactions are tested for known security flaws
Card security initiatives
The survey reveals that banks in India are lagging in the security of card transactions. Against the backdrop of well known global card breaches, it is surprising that basic card security measures have not been adopted by many of the banks. Practices reported by banks, such as storing and printing authorization information like the CVV and expiry date, merchants creating plain-text card records, writing card data to log files in clear text (47%) and not masking the card number (PAN) in customer communications, do not conform to globally accepted card security practices such as PCI DSS. Note that PCI DSS prohibits retaining sensitive authentication data such as the CVV2 after authorization even in encrypted form, so the 47% who report encrypting stored authorization data are still storing what should not be stored at all. Only 27% of respondents are PCI DSS certified and a further 33% are in the process of deploying the standard.

Card security initiatives (% respondents)
 67  CVV2/CID and PIN never get stored/printed at the merchant side
 67  Educate and make customers, merchants and employees aware of the importance of card security
 60  Use of a secure protocol to transmit/receive card information
 53  Do not print card numbers on hard copies without a valid business need such as reconciliation; hard copies are physically secured
 53  Regular vulnerability assessment of the infrastructure that stores and transmits card data
 47  The stored card authorization information is encrypted
 47  Storing the card data in log files in plain text
 47  Monitor the card transactions
 40  Masking the card number (PAN) in all user communication and transaction notification
 40  Encrypting the stored card information: file encryption for card information stored in files
 40  Card expiry date is not printed and stored at the merchant side
 33  In the process of deploying PCI DSS standards
 33  Encrypting the stored card information: database encryption for database fields storing card information
 33  The POS at merchants do not create the card records in plain text
 27  PCI DSS certified
 27  The scope of card security is extended to the designated merchants also
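Two of the chart items above, card data written to log files in plain text and masking of the PAN in customer communication, describe controls the survey measured but does not show. The following Python block is an added example written for this edit, not code from the survey or from any bank. It scans application log lines for card numbers, confirms each candidate with the Luhn check so ordinary reference numbers are left alone, masks confirmed PANs to the first six and last four digits (the most PCI DSS allows to be displayed), and removes labelled CVV2/CVC2/CID values outright because authorization data must never be logged in any form. The log lines are constructed for the example using the well known Visa, MasterCard and Discover test numbers; the function names and the field names in the sample lines are assumptions.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Card authorization data (CVV2/CVC2/CID) must never be logged at all, so a
# labelled 3- or 4-digit value following one of these names is removed, not masked.
AUTH_DATA = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)\b(\W{0,4})\d{3,4}")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check that card PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> str:
    """Mask every Luhn-valid PAN in a log line and remove labelled CVV2/CVC2/CID values."""
    def _mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        # A 16-digit transaction reference that fails Luhn is left untouched.
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    line = PAN_CANDIDATE.sub(_mask, line)
    return AUTH_DATA.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)


def scrub_log(lines):
    """Scrub a sequence of log lines; in production this runs in the log formatter."""
    return [scrub_line(line) for line in lines]


def unmasked_pans(lines):
    """Audit helper: list the Luhn-valid PANs still present in clear text."""
    found = []
    for line in lines:
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_ok(digits):
                found.append(digits)
    return found


# Constructed sample lines (not from the survey). The PANs are the publicly
# documented test numbers; the reference on the third line is a non-Luhn decoy.
SAMPLE_LOG = [
    "2011-02-14 10:02:11 INFO auth ok pan=4111111111111111 exp=12/13 amt=1500.00",
    '2011-02-14 10:02:12 DEBUG request body: {"card": "5105 1051 0510 5100", "cvv2": "123"}',
    "2011-02-14 10:02:13 INFO txn ref=1234567890123456 status=settled",
    "2011-02-14 10:02:14 INFO order 6011-1111-1111-1117 approved",
]

if __name__ == "__main__":
    print("clear-text PANs before:", unmasked_pans(SAMPLE_LOG))
    for line in scrub_log(SAMPLE_LOG):
        print(line)
    print("clear-text PANs after:", unmasked_pans(scrub_log(SAMPLE_LOG)))
```

Run `unmasked_pans` over an existing log archive to find what must be remediated before a PCI DSS assessment, and route new log output through `scrub_line` as the last step of the logging framework's formatter so the clear-text PAN never reaches disk. Masking is not encryption: where the full PAN must be retained, that is a storage control on the database or file, and this filter only keeps it out of the logs.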
Managing security in service delivery channels
The survey reveals that among all the service delivery channels used by banks, online banking is still considered the most challenging in terms of managing security. Interestingly, phone (IVR) banking is also considered a difficult channel to manage from a security perspective. Channels such as TV (DTH) and online chat are scarcely used by the banks.
Mobile based channels are currently used primarily to provide information and consequently are not considered difficult to manage. However, with the expected growth in mCommerce transactions, the security challenges for mobile based channels are likely to increase.
Managing security in service delivery channels (% respondents)
Channel                                                Difficult to manage  Easy to manage  Not implemented
Online                                                         37                 58                5
Phone (IVR)                                                    32                 32               37
Branch banking                                                 21                 74                5
ATM                                                            21                 74                5
SMS                                                            21                 58               21
Mobile: WAP based application                                  16                 37               47
Online chat                                                    11                 26               63
Email (account/transaction information communication)           5                 68               26
Mobile: instant menu based                                      5                 42               53
Mobile: query based request                                     5                 37               58
TV (DTH)                                                        5                 11               84
Internal Processes
Data centric approach in security and privacy initiatives
A majority of respondent banks have a process for discovering and identifying critical data elements within the organization, though only 50% of them have deployed data classification techniques and follow them rigorously. Involvement of process owners and lines of business in data security initiatives is also emphasised. However, only 55% of the respondent banks said that uniformity of controls is maintained when data moves between environments, such as between the bank and its service providers. There is therefore a need for greater emphasis on standardizing and strengthening the organization's data handling processes.
Data centric approach in security and privacy initiatives (% respondents)
 80  Involvement of process owners and lines of business is ensured in the data security initiatives
 75  There exists a process for discovering and identifying the critical data elements within the organization
 75  Adequate controls are applied on the data repositories, as per the sensitivity of data
 75  For each outsourcing partner / third-party relationship or process, the security organization is aware of how the data is managed in its life cycle
 70  Strength of the countermeasures deployed is proportional to the sensitivity of the data
 65  Granular visibility exists over the financial and sensitive data used, stored, transmitted and disposed of by various processes, and a repository is maintained
 55  Uniformity of controls is maintained when data is moving between different environments (the organization's and its service providers')
 50  Data classification techniques have been deployed and followed rigorously
How do we align ourselves
The survey reveals that some banks need to create more robust processes to manage data security and privacy related threats. The majority of the banks still use the traditional method of risk based internal or external audits for keeping track of threats and vulnerabilities. The survey also reveals that while most banks have implemented backup data centers, mature practices such as run book automation are still at a nascent stage of adoption.
Tracking evolving threats and vulnerabilities
Banks keep track of new issues, vulnerabilities and threats by collaborating with agencies such as CERT-In and by drawing on other knowledge sources: security vendors' websites, subscriptions to vulnerability and exploit databases, research reports, newsletters and analyst reports. However, the majority of the banks still rely on the traditional method of risk based internal or external audits for keeping track of threats and vulnerabilities. Banks are also increasingly adopting methods such as discussions on security forums and information exchanged with peers and competitors.

Tracking evolving threats and vulnerabilities (% respondents)
 95  Risk based internal or external audits
 85  Subscribing to CERT-In alerts
 70  Through websites of data security vendors
 65  Security research reports of product and professional organizations
 65  Through peers/competitors
 60  Subscribing to vulnerability and exploit databases, etc.
 60  Subscribing to newsletters
 60  Mandating the vendors/third parties to report new threats and vulnerabilities in their products/services
 50  Through discussions on security forums on the internet
 40  Subscribing to analysts' reports

New age threats
In the prevailing global economic conditions, organized threats are increasingly being perpetrated against financial institutions. In line with expectations, survey results indicate that banks are constantly exposed to sophisticated, organized and financially motivated threats. Increasing targeting of customers through phishing, vishing and smishing attacks is another important element of the threat landscape. With the emergence of mobile banking, banks are also concerned about their interfaces with mobile applications. As the control requirements for information security spread beyond the boundaries of the banks and newer threats emerge, it will be imperative for bankers to use threat modeling techniques and deploy effective responses.

New age threats (% respondents)
Critical  Significant  Less significant  Threat
   82         12              6          Malware based attacks such as Zeus malware that raids business accounts
   78         22              0          Man in the Browser (MITB): trojans in the browser that modify user transactions
   78         22              0          The web as a channel for phishing attacks
   53         40              7          Botnet command and control targeting
   53         40              7          Cross channel and multilayered fraud that uses multiple channels to perpetrate an attack
   53         35             12          Man in the Middle (MITM) that modifies customer generated transactions
   44         31             25          Unsecured APIs in mobile banking
   31         44             25          Phishing through SMS

Characteristics of threat and vulnerability management
As external threats continue to be a key driver for the security initiatives of the banking industry, banks seem fairly mature in their threat and vulnerability management practices. However, heterogeneous IT infrastructure and the challenge of integrating threat and vulnerability management with IT infrastructure management processes are still seen as hurdles.

Characteristics of threat and vulnerability management (% respondents)
 90  The security organization keeps vigilant track of new issues, vulnerabilities and threats
 75  The version of each critical asset is up to date; all available and applicable security patches are applied
 70  Organization collaborates with agencies like CERT-In and other knowledge sources
 70  Scope of the function is extended to mobile computing devices, third party and externally provisioned applications
 65  There exists a mechanism that tests the relevance of these issues swiftly, without delays
 60  An architectural treatment is given to the threat and vulnerability management solutions deployed
 55  Threat and vulnerability management is integrated with IT infrastructure management processes
 53  IT infrastructure is heterogeneous, making threat and vulnerability management cumbersome
 40  IT infrastructure is homogeneous and standardized, which helps manage threats and vulnerabilities swiftly
 35  Compelling reasons such as compatibility of business applications and cost escalation for version upgrades hinder keeping assets up to date
Characteristics of application security program
Security attacks seem to be shifting towards the application layer, requiring a holistic approach to application security. Asked about the state of their application security measures, more than half of the respondent banks indicated that they had formulated a dedicated application security function, and a majority have set up measures for proactive application vulnerability management. Banks have started to use Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools. Because black-box and grey-box testing require specialized skills, banks are increasingly procuring these services from external providers. However, the enterprise-wide focus on application security that has been adopted globally, enabled by enterprise tools that integrate application security into life cycle processes, has not gained significant attention among banks operating in India. Moreover, the involvement of the developer community in application security is lagging.
An organization's application portfolio consists of externally provisioned applications, third party applications and packaged applications along with in-house applications. The banks seem to be managing the security of their application portfolio adequately except for externally provisioned applications.
Security incident and fraud management (% respondents)
A mechanism exists for internal employees and customers to report incidents and fraud: 84
There exists a formal reporting mechanism to report incidents and fraud to the management and regulatory authorities: 79
The scope of security monitoring is extended to all the critical log sources: 74
The incident management mechanism takes inputs from external knowledge sources on vulnerabilities, anomalous patterns and threats: 74
Collaborate with CERT-In for incident reporting and response: 74
The logs are securely managed and archived in accordance with compliance requirements: 74
Business rules are defined to identify incidents and frauds: 68
An automated solution is implemented for log management and security monitoring: 68
The scope of incident management has been extended to third parties: 68
The incident management mechanisms support forensic capabilities: 63
Real time monitoring mechanisms exist that can proactively detect anomalies: 58
The incident management mechanism is integrated with organization IT processes for remedial actions (e.g. integration through service management tools): 58
There exists a mechanism to define detective and investigative requirements: 53
There exists an inventory of all the possible scenarios that can lead to incidents and fraud: 47
There exists a mechanism that generates an incident based on patterns and business rule exceptions: 47
Characteristics of application security program (% respondents)
Application security knowledge and information is effectively managed: 70
Application vulnerability management proactively focuses on remediation of vulnerabilities: 70
There exists a mechanism to identify the criticality of each application: 65
Compliance requirements are mapped to in-scope applications: 65
Application security is derived out of a well defined/conceived security architecture: 65
Application security is an integral part of lifecycle management: 65
Application vulnerability management is integrated with security governance: 65
Lines of business are involved in application security initiatives: 60
A dedicated application security function exists in the organization: 55
Application security is integrated with the incident management mechanism: 55
Enterprise guidelines or standards are established for secure coding: 45
Trusted messages between subsystems are explicitly defined: 45
The developer community is involved in application security initiatives: 40
Security testing of applications includes code review: 35
Application security capability entails a Static Application Security Testing (SAST) tool, e.g. security code review: 30
Application security capability entails a Dynamic Application Security Testing (DAST) tool, e.g. vulnerability scanning: 25
Enterprise tools to integrate security in the application lifecycle have been implemented: 10

Services availed from external service providers (% respondents)
Black box and grey box testing: 55
Architectural planning: 40
Security code review: 30
Threat modeling and threat tree: 15

Scope of application security is extended to (% respondents)
Packaged applications like CBS, ERP and CRM: 65
Third party applications: 60
Externally provisioned applications (e.g. cloud based applications): 25
BCP/DR program
The survey revealed that two-thirds of the respondent banks have Business Continuity Management as part of their Information Security Framework. Most of the banks have lines of business involved in BCM planning and operations. The survey also revealed that respondents have a mature BC/DR planning process in place, wherein the scope of BCP/DRP covers strategies for business processes and recovery objectives of each business process. The scope of the BCP/DRP for most organizations extends to all externalities: network service providers, partners, vendors, and technical support.
With respect to BCP/DRP preparedness, which of the following options do you plan to implement / have already implemented? (% respondents)

Option                                                   Implemented   Plan to implement   Not planned
Use backup data center                                   47            32                  21
Automated backup management                              42            32                  26
Use managed backup services                              37            16                  47
Data dependency mapping tool to get assurance over RPO   26            42                  32
Automation of IT services failover                       21            42                  37
IT services dependency mapping tool                      21            32                  47
Tool for Business Continuity Planning                    16            42                  42
Outsourcing of DR operations                             11            47                  42
Tool for crisis/incident management                      11            42                  47
Service level management for mobile computing devices    11            26                  63
Virtualization for DR                                     5            47                  47
Emergency notification system                             5            42                  53
Hosting provider for co-location services                 5            21                  74
Build private cloud infrastructure                        0            37                  63
Cloud based DR services                                   0            37                  63
Runbook automation                                        0            37                  63
Security incident and fraud management
There seems to be a need for developing intelligence in incident management
mechanisms as many of the respondent banks do not have in place measures like ‘real
time monitoring mechanisms that can proactively detect anomalies’, ‘incident
generation based on patterns and business rules’ and ‘integration with organization IT
processes for remedial actions’. Banks continue to remain largely dependent on
incidents being reported by their customers and/or employees.
BCM is part of information security (% respondents)
Yes: 63%
No: 37%

Resiliency measures have been adopted for (% respondents)
Data center planning: 83
Systems and servers: 72
Network: 67
Application layers: 61
Security infrastructure: 61
Endpoints: 39
Messaging platform: 28

Business Continuity Management and Disaster Recovery Program (% respondents)
Recovery Time Objectives (RTO) for each business process are defined: 83
Architectural planning exists for DR and BC preparedness: 78
Continuity plan is documented and actionable: 78
Line of business is involved in BCM planning and operations: 72
Recovery Point Objectives (RPO) for each business process are defined: 72
A formal crisis communication mechanism exists: 72
Adequate resources and efforts are dedicated to DR and BC preparedness: 72
Knowledge and information generated out of DR and BC operations are managed effectively: 67
Scope of the DR and BCP is extended to all externalities (network service providers, partners, vendors, and technical support): 67
Scenarios such as ‘city outages’ and ‘terrorist threats’ are incorporated in the scope: 61
DR and BC is managed as an operational practice: 61
An inventory of scenarios that could lead to disaster is maintained: 56
Frequent resiliency testing is undertaken: 56
Dependency map of all business processes with IT assets exists: 50
There exists a recovery service catalogue for systematic recovery: 50
DR and BCP program incorporates means to collaborate with public services and local bodies: 50
DR and BC is managed as a project: 33
Service Delivery Objectives (SDO) for each process are defined: 28
Physical security of information processing areas
More than half of the respondent banks have physical security integrated with IT security. The respondents realize that the risk of data leakage increases with physical access to the operational facility. Therefore, organizations have established strong physical security controls for the perimeter, entry points and interior areas, along with mechanisms for identification and authorization of employees. Banks also aim for a significant level of collaboration between physical security, information security and other functions. However, centralized monitoring of physical security seems absent in most of the banks.
BCP/DRP preparedness
The 24x7 operations of banks and the concentration of technology and processes have significantly increased the need for business continuity/disaster recovery capabilities. The Central Bank, through guidelines and circulars, emphasizes the need for establishing effective capabilities. While many banks have implemented backup data centers, usage of mature practices such as runbook automation, tools for Business Continuity Planning, IT service failover and emergency notification systems is still at a nascent stage of adoption.
Physical security of information processing areas (% respondents)
Process exists for provisioning and de-provisioning access of visitors, vendors, partners, and support services: 90
There exists a mechanism for identification and authorization of employees: 85
Process exists for asset movement: 85
Scope of security review is extended to cover physical security controls: 85
Physical security mechanisms like CCTV are deployed and monitored for all information processing/critical areas like branches and ATMs: 85
Physical security function is owned by the Admin department: 85
Physical security is part of information security: 75
Significant level of collaboration exists between physical security, information security and other functions of the organization: 75
The scope of the security monitoring and incident management mechanism is extended to integrate physical security incidents: 75
Physical security is integrated with IT security through competent solutions: 55
There exists centralized monitoring of physical security across various locations by a Physical Security Operations Center (PSOC): 40
Physical security function is owned by the IT department: 35
Regulatory Requirements
Banks' response to ITAA 2008
The survey reveals that although more than half of the banks are working towards
creating awareness among senior management, employees and board members, very
few are creating awareness amongst contractors and third parties. ITAA 2008 has also
resulted in banks internalizing the Act by updating their policies, reviewing vendor
contracts and implementing measures to strengthen monitoring and incident
management. However, the trend suggests that developing strong forensic capabilities
that support data breach investigation is not seen as a priority in response to ITAA
2008.
Banks' response to ITAA 2008 (% respondents)
Creating awareness amongst top / senior management: 65
Strengthening monitoring and incident management mechanism: 65
Creating awareness amongst employees: 60
Creating awareness amongst board members: 50
Identifying the personal information flow to the organization: 50
Revising the organization’s security policy: 50
Extending the scope of security & privacy to also cover employees' personal data: 50
Reviewing vendor contracts: 50
Collaborating with competitors / peers: 45
Activating the legal function: 40
Creating awareness amongst contractors / third party employees: 35
Contacting external information sources: 35
Creating awareness amongst customers: 30
Identifying and making an inventory of scenarios: 20
Developing strong forensic investigation capabilities: 15

Influence of ITAA 2008 on adoption of new technology solutions
The survey reveals that banks have realized the importance of ITAA 2008, and 2 out of 3 banks are influenced by the requirements of ITAA 2008 when taking technology investment decisions.

Influence of ITAA 2008 on adoption of new technology solutions (% respondents)
ITAA 2008 has recently acquired a place in the discussion related to technology investment: 65
ITAA 2008 is becoming a significant driver for investment in technology solutions: 15
ITAA 2008 does not have any bearing on technology related investment decisions: 30
What benchmark do we need to achieve?
The survey reveals that in the majority of banks, technology investment decisions are getting influenced by ITAA 2008. The survey also reveals that there seems to be strong clarity amongst responding banks regarding the applicability of ITAA 2008.
Technology response to ITAA 2008 (deployed / planning to deploy)
ITAA 2008 has resulted in most of the banks strengthening, or planning to strengthen, their security incident and event monitoring by implementing solutions to address it. Some of the other solutions adopted or planned address privileged access management, network access control, WAN data encryption, database activity monitoring and fraud management. However, adoption of solutions to address key areas such as data loss prevention, hard disk encryption, email encryption and mobile security has been low.
Technology response to ITAA 2008 (deployed / planning to deploy) (% respondents)
Privileged access management: 84
Network access control: 84
Security Incident and Event Monitoring (SIEM): 79
Encryption of data over WAN: 79
Database activity monitoring: 74
Fraud management: 74
Data masking: 63
Legal and compliance management: 58
Cross channel transaction monitoring: 53
Mobile data protection: 53
Email encryption: 47
Data Loss Prevention (DLP): 42
Hard disk encryption: 42
Computer forensics: 21
Threat management for mobile computing devices: 21
Compliance notification services: 16
Not planning to invest in new technology initiatives: 5
Sufficient budget not being available currently: 5
Awareness on ITAA 2008
There is clarity and awareness amongst responding banks regarding the applicability of ITAA 2008, as most banks have responded ‘Yes’ with respect to their liabilities under ITAA 2008.

Measures to mitigate risks arising from use of third party services
The survey reveals that almost all responding banks use traditional risk mitigation techniques for third party vendors, such as entering into contracts and non disclosure agreements. However, banks must also adopt and implement proactive mechanisms like a third party risk assessment framework, which can assist in continuous monitoring of the risk exposure.
My organization can be sued under ITAA 2008 (% respondents)
For customer related liabilities: Yes 95%, No 5%, Not sure 0%
For employee related liabilities: Yes 78%, No 11%, Not sure 11%

Measures to mitigate risks arising from use of third party services (% respondents)
Using contract as an instrument to make the third party liable for any security breach: 95
Signing non disclosure agreement/confidentiality agreement with the third parties: 95
Deploying technical and organizational safeguards: 80
Making employees aware of the risks arising from use of third party services: 80
Conducting vendor risk management exercise: 60
Controls deployed as per "Third Party Risk Assessment Framework" developed by the organization: 30
Acknowledgments

DSCI Core Team
Vinayak Godse, Director – Data Protection
Vikram Asnani, Senior Consultant – Security Practices
Rahul Jain, Senior Consultant – Security Practices

KPMG Core Team
Navin Agrawal, Executive Director
Nitin Khanapurkar, Executive Director
Kunal Pande, Director
Atul Gupta, Director
Vidur Gupta, Associate Director
Pallavi Mantrao, Manager
Tushar Surekha, Consultant
Deepak Agarwal, Consultant

KPMG Survey Team
Alok Choubey
Deepti Karnik
Glyn Crasto
Lekha Ragupathi
Monami Banerjee
Nikhil Kulkarni
Preetam Hazarika
Srirang Srikantha
Sundar Ramaswamy
Sweta Nalwaya
Syamala Raju Peketi

DSCI Project Advisory Group
N. Balakrishnan, Chairman, DSCI and Associate Director, IISc Bangalore
BJ Srinath, Senior Director, CERT-In
Anjali Kaushik, MDI Gurgaon
Akhilesh Tuteja, Executive Director, KPMG
Kartik Shahani, Country Manager, India and SAARC, RSA
Satish Das, CSO, Cognizant
Baljinder Singh, Global Head of Technology, InfoSec & BCM, EXL Service
Vishal Salvi, CISO, HDFC Bank
Ashwani Tikoo, CIO, CSC
PVS Murthy, Global Head – Information Risk Management Advisory, TCS
Deepak Rout, CISO, Uninor
Seema Bangera, DGM – Information Security, Intelenet Global
Way Forward

Banks in India have strategically adopted new technologies to deliver better customer services, cut costs and gain competitive advantage. While the benefits of technology adoption are visible across public and private sector banks, the technology risks emerging from these technologies have also attracted attention in recent years. Although external threats have remained a key driver for banking security, the Central Bank's leadership, through guidance and compliance norms, has also contributed to strengthening the security culture in banks. Apart from these two factors, the recent amendment to the Information Technology Act is emerging as an important regulatory factor driving both security and privacy initiatives in banks.

The banking industry is responding to contemporary security challenges through a formal security function that draws on leading security standards to oversee security initiatives. Along with aligning their security initiatives to these standards, banks need to invest their energies in giving security an architectural treatment, continuously assessing their exposure to threats through exercises such as threat modeling, and imbibing the practice of ‘security in design.’ This will bring a structured approach to their defense strategies and programs, mitigating the real threats efficiently and effectively by ensuring that security is considered right from the design phase of any product or service.

Though security initiatives in banks are primarily driven by a centralized security function, responsibility for security is fairly distributed among the different functions, realizing the old adage that ‘security is everybody’s responsibility’. The focus is still on arranging in-house resources, except for a few specialized services like application security testing. There is significant scope for banks to further outsource these services, leveraging the expertise of external service providers and consultants.

The primary motivation behind the new age attacks is financial gain, and therefore these attacks focus on obtaining sensitive information such as login IDs, transaction passwords and credit card information. This necessitates that banks take a data-centric approach when designing and implementing their security and privacy initiatives, and build synergies between their fraud management and information security functions. Also, against the backdrop of increasing card related frauds, banks need to invest in improving the security of card transactions.

Banking customers continue to be the ‘soft target’ of the new age attacks. Lack of customer awareness, insecure customer endpoints and their likely impact on the security of banking systems remain important areas of concern. To address these concerns, efforts by individual banks alone may not prove sufficient. The entire banking industry, with guidance from the Central Bank, needs to collaborate to enhance the security awareness of banking customers. At the same time, banks need to enhance their maturity in the area of customer centric security: while basic measures for transaction security have been adopted, very few banks have implemented new generation authentication solutions like dynamic tokens, identity grids and risk based authentication.

With increased digitization of customer information, increased customer awareness of privacy and the notification of the IT (Amendment) Act, 2008, privacy has emerged as an important focus area for banks in India. However, privacy is yet to be factored into the banking ecosystem. In response to these developments, banks in India need to undertake a comprehensive privacy program that ensures protection of their customers’ information throughout its lifecycle.
KPMG Contact
Kunal Pande
Director, IT Advisory Services
KPMG in India
T: +91 22 3090 1959
www.kpmg.com/in

DSCI Contact
Vinayak Godse
Director, Data Protection
DSCI
T: +91 11 2615 5071
www.dsci.in
© 2011 KPMG, an Indian Partnership and a member firm of the KPMG network of
independent member firms affiliated with KPMG International Cooperative (“KPMG
International”), a Swiss entity. All rights reserved.
The KPMG name, logo and “cutting through complexity” are registered trademarks
or trademarks of KPMG International Cooperative (“KPMG International”), a Swiss
entity.
Printed in India. Copyright © 2011 DSCI. All rights reserved.