
Information Security

Sundar Murthi
DGM, CAB
Session Plan
Information security as a governance requirement
IS setup
Putting an IS Policy in place
IS Audit
Challenges

4/25/2013
Information Security
Protecting information and information assets
- from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
- It covers the media on which information is recorded, including hard disks, floppy disks, CDs and tapes, as well as paper documents.

Information Security Principles
Core properties (the CIA triad):
• Confidentiality
• Integrity
• Availability
Supporting principles:
• Identification
• Authentication
• Authorization
• Accountability
• Assurance

Information Security – Does it make business sense?
• Cost of loss/breach of information is very high
• Data privacy is required by law and by contracts
• More and more customers are asking for information security
• Requirements of Basel II & III (Operational Risk)

What’s being protected?
(Diagram of protected information assets, not reproduced here.)
Source: IDRBT – Information Security Framework 2012


Objectives of IS Governance
• Protecting critical data of bank and customers
• Management and Mitigation of IT related risk
• Optimizing Information Security Investments
• Management of IS Governance through
proper metrics

Organizing for effective ISMS
Board of Directors
  └ CMD
    └ Information Security Committee
        - CEO
        - CIO
        - CFO
        - Legal, HR, Audit
        - Head of Risk Management
        - Business Heads
        - CISO (Member Secretary)
      └ CISO

Defining Stakeholders
• Information Owner
• Information Custodian
• Application Owner
• User-manager
• Security Administrator
• End User

ISO 27001
ISO/IEC 27001:2005 Auditable Standard
Clauses: Mandatory Processes
- The ISMS
- Management Responsibility
- Internal ISMS Audits
- Management Review
- ISMS Improvement
Annex A: Control Objectives
- 11 Domains
- 39 Control Objectives
- 133 Controls
ISMS Implementation: 6 Steps in Planning
Step 1: Define the policy.
  Output: Information Security policy
Step 2: Define the scope of the ISMS.
  Output: ISMS scope
Step 3: Prepare and undertake the risk assessment (RA).
  Inputs: information assets; the organisation’s approach to risk management and risk acceptance criteria; threats, vulnerabilities and impacts
  Output: risk assessment results and conclusions
Step 4: Manage the risk.
  Input: degree of assurance required
  Outputs: risks to be accepted; risks to be managed
Step 5: Select control objectives and controls.
  Inputs: ISO 27001 Annex A control objectives and controls; additional controls
  Outputs: risk treatment plan; selected controls and control objectives
Step 6: Statement of Applicability.
  Output: Statement of Applicability


Main Security Categories
Core properties at the centre: Confidentiality, Integrity, Availability
Control domains (ISO 27001 Annex A) around them:
- Security policy
- Organization of information security
- Asset management
- HR security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems development and maintenance
- Information security incident management
- Business continuity management
- Compliance
Identifying Sub-Policies
1. Physical Access Control
2. (Logical) Access Control
3. Password
4. Internet Access
5. Corporate e-mail
6. Anti-virus
7. Network Security
8. Software
9. Firewall
10. Incident Reporting
11. System Administration
12. Database Administration
13. Data backup
14. Outsourcing
15. Audit

IS Audit
Scope of IS Audit includes
• Determining the effectiveness of planning and oversight of IT activities
• Evaluating the adequacy of operating processes and internal controls
• Determining the adequacy of compliance efforts
• Identifying shortcomings in systems

IS Audit
• To be a part of the internal audit system
• To be reviewed by the Audit Committee of the Board
• Needs qualified/experienced auditors, either internal or external

Information Security Challenges
• Technology has moved faster than controls
• Lack of an institutional and social culture of security
• New trends
  – Mobile banking
  – Cloud computing
  – Virtualization
  – Multiple channels of banking
