

TABLE OF CONTENTS

Declaration
List of Tables
List of Figures
Executive Summary

Chapter 1: Introduction
1.1 Background
1.2 Purpose of the Study
1.3 Importance of the Study
1.4 Statement of the Problem
1.5 Research Questions
1.6 Hypotheses
1.7 Research Methodology
1.8 Limitations
1.9 Overview of the Study

Chapter 2: Literature Review
2.1 History of Information Security and Risk Management
2.2 Scope of IS
2.3 How is IS Applicable in Banks
2.4 The IS Scenario in India
2.5 Understanding Information Security (IS)
2.6 Spending Patterns (Technologically and Financially)
2.7 CTO / CIOs' Viewpoint
2.8 Summary

Chapter 3: Methodology
3.1 Introduction
3.2 Research Questions and Research Hypotheses
3.3 Data Collection / Collected
3.4 Location of the Data
3.5 Pilot Test
3.6 Method of Inquiry
3.7 Analysis Performed on the Data
3.8 Summary

Chapter 4: Analysis
4.1 Introduction
4.2 Key Findings
4.3 Detailed Survey Results

Chapter 5: Conclusion
5.1 General Password Guidelines
5.2 Password Protection
5.3 Changing Passwords
5.4 Security Breach Examples
5.5 Bank Procedures
5.6 Downloading Software
5.7 Laptop Security
5.8 Fax Machines
5.9 Internet Security Concerns
5.10 Physical Security
5.11 Monitoring and Inspections

List of Figures

Chapter 1: Introduction
Figure No. 1: IS Risks (Section 1.3)

Chapter 2: Literature Review
Figure No. 2: Security Management Process (Section 2.2)
Figure No. 3: Occupations of Computer Crime Defendants (Section 2.3)
Figure No. 4: Types of Computer Crimes (Section 2.3)
Figure No. 5: Average Computer Crime Losses (Section 2.3)
Figure No. 6: Victims of Computer Crimes (Section 2.3)
Figure No. 7: Computer Crime Cases in Courts (Section 2.3)
Figure No. 8: TCO Analysis (Section 2.3)
Figure No. 9: IT Spending Patterns (Section 2.6)

Chapter 3: Methodology
Figure No. 10: Selection of Data Collection Method (Section 3.3)

Chapter 4: Analysis
Figure No. 11: Respondents Based on the Type of Organisation (Section 4.3)
Figure No. 12: Respondents Based on the Location of the Organisation (Section 4.3)
Figure No. 13: Respondents by Job Description (Section 4.3)
Figure No. 14: IT Spending as a Part of Budget (Section 4.3)
Figure No. 15: Percentage of IS Functions Outsourced (Section 4.3)
Figure No. 16: Risk Mitigation Policies (Section 4.3)
Figure No. 17: Unauthorised Access in the Recent Past (Section 4.3)
Figure No. 18: Security Technologies Used (Section 4.3)
Figure No. 19: Security Audits (Section 4.3)
Figure No. 19: IS Awareness Training (Section 4.3)
Figure No. 20: Critical Issues (Section 4.3)
Figure No. 21: Responses Based on the Age Groups (Section 4.3)
Figure No. 22: Respondents Based on Income Group (Section 4.3)

Chapter 5: Conclusion
Figure No. 23: Suspicious Activity Investigation Report (Section 5.1)
Figure No. 23: ATM / Debit Card Fraud Claim Format (Section 5.1)

List of Tables

Chapter 2: Literature Review
Table No. 1: Types of Attacks (Section 2.3)
Table No. 2: Risk Mitigation Strategy (Section 2.7)

Executive Summary

The Environmental Challenges

Most organisations recognise the critical role that information technology (IT) plays in supporting their business objectives. But today's highly connected IT infrastructures exist in an environment that is increasingly hostile: attacks are mounted with increasing frequency and demand ever shorter reaction times. Often, organisations are unable to react to new security threats before their business is impacted. Managing the security of their infrastructures, and the business value that those infrastructures deliver, has become a primary concern for IT departments. Furthermore, new legislation stemming from privacy concerns, financial obligations and corporate governance is forcing organisations to manage their IT infrastructures more closely and effectively than in the past. Many government agencies, and organisations that do business with those agencies, are mandated by law to maintain a minimum level of security oversight. Failure to manage security proactively may put executives and whole organisations at risk through breaches of fiduciary and legal responsibilities.

A Better Way

The holistic roadmap to security risk management provides a proactive approach that can assist organisations of all sizes in responding to these environmental and legal challenges. A formal security risk management process enables enterprises to operate in the most cost-efficient manner with a known and acceptable level of business risk. It also gives organisations a consistent, clear path to organise and prioritise limited resources in order to manage risk. The benefits of security risk management are realised when cost-effective controls that lower risk to an acceptable level are implemented. The definition of acceptable risk, and the approach to managing risk, varies for every organisation. There is no right or wrong answer; many risk management models are in use today, and each has trade-offs that balance accuracy, resources, time, complexity and subjectivity. Investing in a risk management process, with a solid framework and clearly defined roles and responsibilities, prepares the organisation to articulate priorities, plan to mitigate threats, and address the next threat or vulnerability to the business. Additionally, an effective risk management program will help the organisation make significant progress toward meeting new legislative requirements. During a risk assessment, qualitative steps identify the most important risks quickly; a quantitative process based on carefully defined roles and responsibilities follows. Together, the qualitative and quantitative steps provide the basis on which sound decisions about risk and mitigation can be made, following an intelligent business process.

Critical Success Factors

There are many keys to the successful implementation of a security risk management program throughout an organisation. First, security risk management will fail without executive support and commitment. When security risk management is led from the top, organisations can articulate security in terms of value to the business. Next, a clear definition of roles and responsibilities is fundamental to success. The Information Security Group owns the task of identifying the probability that a risk will occur, taking current and proposed controls into account. The Information Technology group is responsible for implementing the controls that the Security Steering Committee has selected when the probability of an exploit presents an unacceptable risk. Investing in a security risk management program, with a solid, achievable process and defined roles and responsibilities, prepares an organisation to articulate priorities, plan to mitigate threats, and address critical business threats and vulnerabilities.




Chapter 1: Introduction

Background

Information is an asset that, like other important business assets, is essential to an organisation's business and therefore needs to be kept up to date and suitably protected. Since most businesses today, and in the recent past, have been electronically connected in networks, IS and its management play a major role. As a result of this existing and ever-increasing interconnectivity, information is now exposed to a growing number and a wide variety of threats and vulnerabilities. Businesses are vulnerable to various kinds of information risk, inflicting varied damage and resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centres or facilities. To control IS risks, management needs to anticipate and be aware of the potential threats, risks and resultant losses, and accordingly deploy the necessary controls across the environment. IS is the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise the return on investment (ROI), thereby extending business opportunities.

"Security is like oxygen; when you have it, you take it for granted, but when you don't, getting it becomes the immediate and pressing priority." -- Joseph Nye, Harvard University

An IS risk can be defined as any activity or event which threatens the achievement of identified business objectives by compromising the Confidentiality, Integrity or Availability of business information [1].

With the advent of the Internet era, it is essential for organisations to observe, review and analyse their electronic systems so that malicious activity can be anticipated. IS risk management in large corporations such as banks is therefore essential, since they rely on Information Technology (IT) and IT systems for the processing, storage and transmission of company and customer data. Consequently, in the event of an IT system failure, whether through a malicious act, a technical failure or loss of information, manual processing is not a feasible alternative. Further security issues surround IS: the increased mobility of banks has resulted in remote access over wireless networks and the Internet, so access to a bank's information assets is no longer limited to its internal employees working from a fixed, known location or environment. Computers and hardware may be valued in thousands of dollars, but the information they hold as data may be worth far more. There is probably not a business owner who does not check with some regularity that the locks intended to keep intruders off the premises are doing their job, yet owners of small and medium-sized businesses tend to be much less vigilant when it comes to IS management, even though the potential cost of an IS breach can be far greater than that of a burglary. Destructive viruses, worms and hackers do not discriminate by the size of an organisation. Data loss, lost productivity, decreased profits, opportunity costs, privacy concerns and corporate liability are some of the areas where companies are vulnerable. Publicly held companies have an additional accountability for the integrity of their financial reporting data and systems under laws such as the Sarbanes-Oxley Act.


Purpose of the Study

IS is a continual imperative for banks, as vulnerabilities in IS and information availability are continuously being exploited in new ways. Security of new technologies and channels, for example e-commerce, online banking and debit cards, needs particular focus. This becomes even more essential in the light of the increase in fraud-related losses in these areas, alongside the risks of existing technologies and manual transaction processing. Banks have always been, and remain, among the most important targets for hackers, crackers and cyber criminals, as an IS breach may lead to substantial losses. Such losses may undermine the banking industry and thus have an impact on the economy. Actual losses on account of IS issues are difficult to estimate. However, the 639 organisations that responded to the 2005 CSI/FBI Computer Crime and Security Survey (a survey of US organisations) reported total losses of $130 million, with viruses, unauthorised access and theft of proprietary information accounting for 80% of that figure. Given the risks, IS should be a top priority of the whole organisation and not just of its IT department. That is where a formal IS Management Program comes in.

Importance of the Study

It is important to recognise that all organisations accept some level of risk. Risk is, after all, a trade-off between the amount of money you wish to spend on countermeasures and the perceived level of threat and vulnerability, set against the estimated value of your assets. What matters is that each risk is identified and then either (a) mitigated, (b) transferred, (c) insured against, or (d) clearly documented as an accepted risk.

Figure No. 1 IS Risks

Security risk is also heavily influenced by time. For example, if a new virus is released for which no patch is available, then the rate of infection is critical. All organisations are subject to security threats, which expose their vulnerabilities, and the level of threat increases significantly with factors such as the need to do business over the Internet, the profile of the organisation, and the value of its assets. High-profile corporations are under constant threat because of the notoriety associated with breaching them.

Some of the key threats to organisations include:
- Viruses, Trojans and worms
- Phishing
- Pharming
- E-mail spam
- Web site defacements
- Denial of Service (DoS) attacks
- Spoofing
- Identity theft
- War walking, war driving and other wireless network threats
- Theft of information (e.g. credit card details, source code, biotechnology secrets)

Hence, this study may prove important and significant, as it would provide better insights for keeping security personnel up to date and thereby enable them to handle security issues at any given point in time.


Statement of the Problem

Based on the problem definition, the objectives of the research are:
- To identify and examine the current IS landscape prevailing in various banks.
- To identify the information risks and security concerns threatening the banks.
- To determine the loss of revenue caused by information loss due to various reasons such as virus attacks, unauthorised access, theft, pilferage, security breach, or calamity / disaster.
- To determine the cost of IRSMS implementation.


Research Questions
The research will address questions such as:
- What are the information risks and security threats involved in the banks?
- What benefits will be derived by implementing these systems in the existing scenario?
- What should be the ideal characteristics of the IRSMS?
- What functions in security and risk management must be accomplished by an IRSMS to support banks?
- What would be the Total Cost of Ownership (TCO) for the institution?


Hypotheses

- The security policies in the same organisation (bank) may differ based on geographic location.
- Many banks prefer accepting a security risk rather than mitigating, transferring or avoiding it.
- IRSMS policies show wide variations across all types of financial institutions (here the type of bank is considered, i.e. Apex / Public Sector Commercial / Private Commercial / Co-operative / Foreign bank).


Research Methodology
The method of inquiry involved both primary and secondary data collection. A questionnaire was prepared taking into account the need for both qualitative and quantitative analysis. Primary data was collected by inviting responses to the questionnaire from IS officers, IT officers, Certified Information Systems Auditors, Certified Information Security Managers, compliance officers and others with a minimum of 1-3 years of experience in the IS risk management field. Secondary data was gathered from published sources: authoritative journals, past research papers, newspapers, magazines and articles.


Limitations

The findings are based entirely upon research conducted in India and hence may not be applicable to other countries, on account of technological diversity and contextual forces. Research of this kind needs to be repeated periodically to gauge the continued validity of the security risk management program designed in an organisation such as a bank, because technology and its vulnerabilities change constantly. To test the hypothesis that "the security policies in the same organisation (bank) may differ based on geographic location", the research may not have considered several banks of a similar type; it may be limited to the same bank at different locations. The research may not be able to provide exact financial figures for the impact of IS threats and the risks that follow them, because of the reputational risk involved in disclosing them. Respondents might not provide complete or authentic information in answer to the survey questions.


Overview of the Paper

An introduction to the research topic, IS Risk Management, is provided in Chapter 1. The introduction covers the background of the research study, the purpose and importance of the study, the problem statement, the research questions with certain assumptions, and the research methodology. It also sets out the limitations of the study.

In the Literature Review (Chapter 2), the research takes a close look at similar incidents, past and present, among various banks across the country and the globe. The basic intention of this academic report is to spread awareness of IS threats and the risks which follow them, and the researcher has collected several examples along these lines from within the country and across the globe.

Chapter 3 is dedicated to the methodology of the research. It describes the sources of data and information: surveys, questionnaires, personal interviews, authoritative articles on the web, magazines, and so on. This chapter revisits the research questions and hypotheses stated in Chapter 1, and also describes the method of inquiry and the method of analysis applied once the data is collected.

Chapter 4 presents the analysis performed on the data to obtain the desired results, and the key findings which I came across while performing the analysis.

Chapter 5 provides the overall findings and the conclusions drawn from the survey, the analysis and the management perspective. This chapter also sets out what needs to be done in order to prevent IS threats from recurring and the steps taken to prevent them. In fact, these steps need to be incorporated into the initial procedures of personnel management as well as sourcing and change management decisions. The bottom line is that prevention is always better than cure.


Chapter 2: Literature Review

Introduction

This chapter provides further insight into the traditional definition of IS and risk management, along with its historical background, and sheds light on the shift that has occurred in the field of IT. It also defines the scope of information systems and IS. The literature review shows how IS and risk management apply to banks, and why it is essential to take responsibility for subduing the threats that cause financial losses to the business sector and to the national and world economies. To achieve this, it is all the more important to understand what kinds of attacks are possible and how they should be dealt with. Given its limited scope, this academic research cannot cover every threat or its remedies, but a wide range of threats is described below with supporting facts. The literature review also examines computer frauds that have occurred and their repercussions, and points out why computer crimes are difficult to prove in a court of law. The types of computer crime, their impact and their victims are explained. The review then turns to an extended treatment of IS itself and, finally, to IT spending patterns, a focus area for all organisations including banks.


History of IS and Risk Management

IS Management: A Concept

IS Management is the process used to identify and understand risks to the Confidentiality, Integrity and Availability of information and information systems.

Phase Shift of IS
The role of IS has changed during the past few years. The traditional definition, protecting networks and data centres, has shifted in focus towards enabling the business, with security solutions actually moving the business forward to its next step. Security is now a way of life and a must-do for businesses in order to survive. Hence it has become obvious that wherever the information goes, security follows; IS can no longer be an afterthought. An increased need for efficiency and productivity, cost reduction, reaching multiple markets and faster time to market are some of the business benefits driving organisations to make IS a part of the organisational DNA.


Scope of IS
IS Management defines the controls we must implement to ensure we sensibly manage computer-related risk [3]. It is not just technology, but people and processes too (defence in depth), and it is an ongoing, continuous activity: security is not something you do as a one-off event.

Figure No. 2: Security Management Process (Source: Deloitte Touche Tohmatsu)

IS is the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities. A basic IS model should encompass Confidentiality, Integrity and Availability; there are also additions such as Accountability and Auditability [2]. In other words, the objective and focus of IS Management is to protect and manage the information assets.

How is IS Applicable to Banks?

"IS is definitely a journey, not a destination--there are always new challenges to meet."
-- Chief IS officer at a major financial services corporation

Banking institutions have become critical centres of gravity. The collapse of a banking institution can lead to the collapse of the banking sector and cause a huge setback to the economy of the nation, which would also concern the world at large. This makes banks attractive targets for potential adversaries, who may be malicious or non-malicious. Malicious adversaries include hackers (including phreakers, crackers, trashers and pirates), terrorists and cyber terrorists, organised crime and other criminal elements, competitors and disgruntled employees. Careless or poorly trained employees are non-malicious adversaries who, through lack of training, lack of concern or lack of attentiveness, pose a threat to information systems. Adversaries employ attack techniques that can be classified as passive, active, insider, close-in or distribution attacks; some of these are explained below. Passive attacks involve monitoring communications sent over public media and include monitoring plaintext, decrypting weakly encrypted traffic, password sniffing and traffic analysis.

Active attacks include attempts to:

Serial No. | Type of attack
1 | Circumvent or break security features
2 | Introduce malicious code (such as computer viruses, Trojans or worms)
3 | Subvert data or system integrity
4 | Modify data in transit
5 | Replay (insertion of data)
6 | Hijack sessions
7 | Masquerade as an authorised user
8 | Exploit vulnerabilities in software that runs with system privileges
9 | Exploit network trust
10 | Launch denial of service

Table No. 1: Types of Attacks
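The passive and active attacks above are listed by name only. The following Python script is an added illustration, not part of the original report, showing four of them against a toy message channel between a bank terminal and its host: a passive observer reading a message off the wire (monitoring plaintext), an attacker modifying the amount in transit (Table 1, row 4), the same attacker replaying a previously valid message (row 5), and a forged message sent without the key (row 7, masquerading). The receiver counters the active attacks with an HMAC-SHA256 tag over each message and a strictly increasing per-sender sequence number. The shared key, the "atm-0042" sender name and the message format are assumptions constructed for the example.

```python
"""
Added illustration (not from the original report): a toy authenticated
message channel attacked by sniffing, modification, replay and forgery.
The shared key, sender name and wire format are assumptions for the example.
"""
import hashlib
import hmac
import json

# Assumed shared secret between bank host and terminal (constructed for the example).
SHARED_KEY = b"example-shared-key-not-for-production"


def _encode(msg: dict) -> bytes:
    """Canonical JSON so sender and receiver hash exactly the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def build_message(key: bytes, sender: str, seq: int, payload: dict) -> bytes:
    """Serialise payload with a per-sender sequence number and append an HMAC-SHA256 tag."""
    body = _encode({"from": sender, "seq": seq, "payload": payload})
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class Receiver:
    """Verifies the tag, then enforces strictly increasing sequence numbers per sender."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}      # sender -> highest accepted sequence number
        self.accepted = []      # messages that passed both checks

    def receive(self, wire: bytes) -> str:
        try:
            body, tag = wire.rsplit(b"|", 1)
        except ValueError:
            return "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison: a modified body or a forged tag fails here.
        if not hmac.compare_digest(expected, tag):
            return "bad_tag"
        msg = json.loads(body)
        sender, seq = msg["from"], msg["seq"]
        # A replayed message carries an old sequence number and is rejected.
        if seq <= self.last_seq.get(sender, 0):
            return "replay"
        self.last_seq[sender] = seq
        self.accepted.append(msg)
        return "accepted"


def passive_sniff(wire: bytes) -> dict:
    """Passive attack: the eavesdropper reads the payload; a MAC gives no confidentiality."""
    body, _ = wire.rsplit(b"|", 1)
    return json.loads(body)["payload"]


def modify_in_transit(wire: bytes, new_amount: int) -> bytes:
    """Active attack: change the amount but keep the original tag (attacker has no key)."""
    body, tag = wire.rsplit(b"|", 1)
    msg = json.loads(body)
    msg["payload"]["amount"] = new_amount
    return _encode(msg) + b"|" + tag


def run_scenario() -> dict:
    """Runs the attacks against one receiver and returns the verdict for each."""
    rx = Receiver(SHARED_KEY)
    legit = build_message(SHARED_KEY, "atm-0042", 1, {"op": "withdraw", "amount": 100})
    results = {}
    results["sniffed_amount"] = passive_sniff(legit)["amount"]          # plaintext is readable
    results["legit"] = rx.receive(legit)                                 # accepted
    results["modified"] = rx.receive(modify_in_transit(legit, 100000))   # bad_tag
    results["replayed"] = rx.receive(legit)                              # replay
    forged = build_message(b"attacker-guess", "atm-0042", 3, {"op": "withdraw", "amount": 500})
    results["forged"] = rx.receive(forged)                               # bad_tag
    nxt = build_message(SHARED_KEY, "atm-0042", 2, {"op": "withdraw", "amount": 50})
    results["next"] = rx.receive(nxt)                                    # accepted
    results["accepted_total"] = sum(m["payload"]["amount"] for m in rx.accepted)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

Two points the run makes that the table alone does not: the sniffed amount is still readable, because a MAC authenticates but does not hide, so the passive attacks in the text are countered by encryption, not by authentication; and the sequence counter only rejects replays within one sender's stream, so a terminal that restarts with its counter reset would need either a persisted counter or a host-issued challenge nonce to stay protected.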

In close-in attacks an unauthorised individual gains close physical proximity to the networks, systems or facilities for the purpose of modifying, gathering or denying access to information. Such proximity is gained through surreptitious entry, open access, or both. Close-in attacks include modification of data, information gathering, system tampering and physical destruction of the local system. Insider attacks are carried out by a person who is either authorised to be within the physical boundaries of the IS processing system or has direct access to it; they are usually difficult to detect and to defend against. Distribution attacks maliciously modify hardware or software between the time of its production by a developer and its installation, or while it is in transit from one site to another.

The risks of serious IS failures are all around us. Breaches such as teenage hackers and e-mail viruses, which were once a nuisance only for information technology professionals, now pose a significant risk for executives and can threaten intellectual property and brand equity. Each new lapse in security is highlighted by glaring media coverage, which amplifies consumer awareness and concern. The disclosure by MasterCard that the details of 40 million credit and debit card accounts had been exposed is yet another indication of the scale of the problem. Certainly, the growing fear of identity theft is a matter of concern for executives in industries that interact directly with consumers. A recent survey conducted in conjunction with the Merchant Risk Council in the US revealed that over 90 per cent of retailers agreed that consumers make purchasing or transaction decisions based on their trust in the company's ability to secure their data. Also, almost 90 per cent felt that IS is or will become a point of competition in the retail sector. IS is not just an issue for retailers and banks; all companies face new risks, ranging from industrial espionage to sabotage. Compounding these concerns, compliance fears generated by Sarbanes-Oxley and the forthcoming Basel II accord have fostered an environment of risk aversion inside many organisations.

Of course, there are plenty of risks to fear. The process of opening companies to the Internet has exposed a multitude of software vulnerabilities, especially as many older systems were not developed with this security in mind. Building stronger walls around enterprise systems can help to keep out some unwanted visitors, but clever invaders or disloyal insiders who find their way into the fortress discover a treasure trove of information once they have gained access. To make matters worse, many risks lie deeply hidden within the extended enterprise. While most large companies have taken significant action to beef up their own internal security, their smaller partners often harbour risks that expose the entire enterprise. Every day, business partners take unseen risks, and when a partner suffers a security failure the impact is just as devastating. In the case of MasterCard, the loss arose out of a security breach at CardSystems Solutions, a small, private payment processor with only about 100 employees. CardSystems quickly felt the pain of the mistake as both Visa and American Express promptly withdrew their business, pushing CardSystems into a financial crisis. Yet the fact that the problem was not within Visa or MasterCard made little difference to consumers, who rightly saw the problem as the responsibility of the credit card companies.

The escalation of security breaches, and the painful surprise many executives feel when a failure occurs in their business, have brewed a culture of fear within many organisations. Vendors within the security industry have quickly capitalised on this fear, along with the confusion around new compliance measures such as Sarbanes-Oxley. But before tossing money at a cure in the hope that it will eliminate these new risks, managers should first work to incorporate information risk into an overall enterprise risk management strategy. Like any other risk within the company, security risks must be identified and balanced against the benefits and costs of mitigation. Unfortunately, in contrast to many other business risks, the discussion of IS risk has focused solely on negative experiences. Of course, no one likes a bad outcome: a security failure that exposes sensitive customer information, like a hurricane, results in damage and cost. However, in other areas of business, risk is associated with return: higher risks yield higher returns. This is also true for IS risk. It is often assumed that IT risks arise from sloppiness or corner-cutting, such as the failure to follow good software development practice or to test and audit new systems, and in some instances this is true. However, many IT risks arise within the context of a larger business strategy with associated rewards.

For example:
- Working with a small, innovative start-up company whose promising software solution could generate significant returns, but could also harbour the associated risk of the small company's IT environment
- Starting or acquiring operations in low-cost countries where the infrastructure is less secure
- Outsourcing business processes to suppliers with lower-cost structures but unknown or hard-to-monitor security practices
- Exposing internal business data to customers and partners to help with the creation of new services or reduce operating costs.

All of these create security risk, even with the best practices. Becoming aware of the risks is just the first step in building an effective management strategy. In our survey of retailers, over 85 per cent said that the level of IS offered by their suppliers was important to them. Yet we find that companies in each industry are struggling to develop effective ways to measure and manage security risks across their extended enterprise. A simple way to reduce security risk is to limit business innovation: avoid partnering, pull systems offline and lock down the fort. This is a serious mistake. Instead, risk should be balanced with reward. Embedding IT risk into your overall enterprise risk management strategy implies establishing a risk posture that does not seek to eliminate security risk, but rather manages it.

The key is first to understand the vulnerabilities, threats and consequences. Vulnerabilities are areas that can be exploited by malicious individuals or organisations. Examples could include poorly maintained software (such as failing to patch known security holes), poor security practices (such as inadequate password and identity management), or the exposure to the internet of older systems whose security posture is unknown. Given these vulnerabilities, what are the threats? Are there outsiders who are motivated and capable of exploiting the vulnerability? Or are there insiders who may be tempted to steal intellectual property? Finally, if security were breached, what are the consequences? Would they be primarily internally observed, or would they impact external groups such as customers or business partners? Internal failures, like viruses, generate real operational costs for the IT department but rarely put the company into a catastrophic tailspin. On the other hand, external failures, such as a breach of customer information, can be much more painful, warranting far greater attention.
To manage risk in the most effective way possible, companies should include IS in the broader perspective of business risk management, where the board of directors governs the company's overall risk posture. This same perspective must also be applied to business partners. For many companies, measuring supplier risk will require new tools for supplier security qualification. Like the tools used to assess a supplier's product quality, supply chain reliability or long-term financial viability, suppliers should be qualified using a technical assessment of security and an assessment of the supplier's information risk management practices. Risks of working with a new partner can then be balanced against the benefit that the partner delivers. Most importantly, managing information risk is everyone's responsibility, not simply the job of IT executives. Rather than viewing IT executives as security guards, technology-savvy executives, from corporate directors to line managers, should act as consultants to the entire organisation. CIOs with strong business and technical skills are uniquely qualified to help educate the organisation and chart a course to bring IT risk into the overall risk management strategy. Bringing IT into the enterprise risk management strategy will not only protect against catastrophic operational surprises, but will empower managers to seize the exciting opportunities before them.

Computers have been in existence in European and American countries for a long time. Consequently, frauds associated with the computer environment have also been in existence for a long time. The American Institute of Certified Public Accountants (AICPA) was commissioned to conduct a study of EDP-related frauds in the banking and insurance sectors.
The study, "Report on the Study of EDP-Related Fraud in the Banking and Insurance Industries", revealed many shocking findings, the more significant of which are:
- In some cases, fraud occurred during the normal transaction processing cycle;
- Many took advantage of weaknesses in the system of internal controls;
- Most frauds were in the input area; input was either unauthorised or proper input was manipulated;
- File maintenance was a common method; manipulation involved extending due dates on loans or changing names and addresses;
- Losses from reported cases worked up to several million US dollars;
- In all cases, perpetrators were employees.

Dawn P. Parker, Senior Management Systems Consultant and Researcher on computer crime and security, in a report for the National Institute of Justice, US Department of Justice, identified 17 crime techniques, the more significant of which are:
- Eavesdropping or Spying: This involves wire-tapping and monitoring radio frequency emissions.
- Scanning: This involves presenting sequentially changing information to an automated system to identify those items that receive a positive response, such as telephone numbers, user IDs, passwords and credit card numbers.
- Masquerading: In this, the perpetrator assumes the identity of an authorised computer user.
- Piggybacking: This can occur when the user signs off or a session terminates improperly. The terminal is left in an active state, or in a state where it is assumed that the user is still active.
- Data Diddling: This involves changing data before or during their input into the computer.
- Trojan horse: This is a covert placement or alteration of computer instructions or data in a program so that the computer performs unauthorised functions. It is a primary method for inserting abusive acts, as in salami techniques.
- Logic Bomb: This is a set of unauthorised program instructions inserted into a regular program so that an unauthorised or malicious act is perpetrated at a predetermined time.
- Data Leakage: This involves the removal of data from a computer system or facility.

The National Center for Computer Crime Data, a Los Angeles-based research organisation, has been providing information on computer crimes. The statistics relate to:
- Average computer crime losses;
- Victims of computer crimes;
- Occupations of computer crime defendants;
- Types of computer crime;
- Computer crime cases in courts.

Figure No. 3 Occupations of Computer Crime Defendants (bar chart: number of cases by source of crime: employees, ex-employees of victims, computer professionals, unemployed or criminals, law enforcers, miscellaneous)

Figure No. 4 Types of Computer Crimes (categories: theft of money, theft of services, theft of information, alteration of data, damage to hardware, damage to software, harassment, extortion)

It was seen that computer crime losses were very high, with theft of services and money contributing the maximum. Commercial users topped the list of computer crime victims.

Figure No. 5 Average Computer Crime Losses (bar chart of average loss in US dollars by crime type: theft of money, theft of program / data, damage to system / data)

Figure No. 6 Victims of Computer Crimes (bar chart: percentage of cases by victim category)

Technology improvements provide greater sophistication for users. However, they also create significant security and control concerns. It is also of great concern that a computer criminal is less likely to be caught than a bank robber. Parker conducted two studies on general and computer bank frauds and embezzlement respectively in 1976. The two studies revealed that average losses from computer bank frauds and embezzlement were approximately six times higher than those from general bank frauds.

Computer crimes in India

In India, although computers made an entry much later, we are catching up fast in the area of computer frauds, too. However, most of the crimes do not get reported, as organisations are hesitant to file a report because it might affect their credibility.


Figure No. 7 Computer Crime Cases in Courts (pie chart: pleaded guilty 76%, found guilty 8%, found not guilty 16%)

A few of the cases reported in the press are mentioned below.

The Hindu, on March 7, 1996, carried a report, "Quantum jump in the number of bank frauds", according to which Mr. R. Janakiraman, former deputy governor, Reserve Bank of India, while addressing a session on "frauds in banks and other financial institutions: prevention and detection" organised by the Institute of Criminological Research, Education and Services (ICRES), observed that frauds committed by bank employees in collusion with outsiders accounted for the largest number of frauds, rather than those committed single-handedly either by bank employees or by outsiders.

India Today, in its February 28, 1999 issue, carried a report, "High-tech frauds: Thieving with technology".

The Economic Times report "Banks feel techno-crime byte", dated December 19, 1996, mentioned how Sanjay Subharwal and his accomplice cracked the Automatic Teller Machine (ATM) code of his sister-in-law's account after 99 attempts and siphoned off Rs. 1.52 lakh.

The Economic Times, dated January 12, 1997, stated: "The days of Nagarwallas using VVIP names to withdraw millions from a bank are old hat."

India Today, in one of its issues, in a report titled "Hacking: New Frontiers", wrote: "R. Srinivasan's employers, a stock broking firm in Chennai, were very happy with him and his proficiency with their new computers. He brought in new clients and increased the volume of shares traded. But the company was losing heavily on share transactions. A few months later, the managers found out why: Srinivasan's clients were no more than electronic entities, existing only on the pathways of their computers. Losses: Rs. 50 lakh."

Giving another example, the report says: "No one knew when account no. 20456 became active. The Bank of India's computer at Mumbai's Mulund branch only recorded that its owner, Ganesh Rao, had drawn Rs. 76,700 since February. So when Rao was overdrawing on April 3, they took a second look at him. Before them was Sanjay Rajbhar, a computer professional who ran a network controlling accounts. In a bank that still maintains huge, yellowing ledgers, Rajbhar had found a defunct account and resurrected it with a few key-strokes."

"Technology is a strategic resource available at a cost, albeit with an altered risk-benefit matrix." --- Ashok Bhattacharya, General Manager (Technology), State Bank of Mysore

Technology has become the backbone of human civilisation. Technology, its concepts, gadgets and formulations are matters of common use, spanning the drawing rooms of our residences, the board rooms of corporates and the halls of deliberation at the United Nations (UN). Though technology and its applications have remained the subject of debate from time to time, the contribution of technology in the fields of business, health, education, entertainment, information and communication and, of course, banking is growing day by day. For most of us, it is no longer a question of whether to use technology or not; it is more a question of how to exercise our options in using technology. Which, when and what-if are some of the major questions that banks and the financial services industry have to consider in rolling out technology, maintaining it and upgrading it. Indeed, strategic use of IT is a vital part of the business intelligence that banks are relying upon for growth and viability in the face of competition, and this reliance will be sharpened in the days to come in order to handle Customer Relationship Management (CRM) issues effectively.

Public Sector Banks (PSBs), which have large portfolios in terms of business and employment, are in various stages of migrating to new systems. As a matter of fact, this new strategic system may generally be identified with Core Banking aided by ATM networks and other e-processes. Some of the important features of such migration / upgradation are:
- From distributed / stand-alone banking to core banking / anywhere banking.
- Alternative delivery channels like ATMs, Internet Banking, Credit Cards, Smart Cards and Kiosks.
- Cross-selling products like insurance, money market and other financial
- Use of multimedia, online help and assistance.
- Electronic Fund Transfers (EFT).
- Digitisation of data, online encryption and straight-through processing.
- Business Continuity and Risk Mitigation, including KYC (Know Your Customers) and AML (Anti-Money Laundering) implementation.
- Online trading, settlement, treasury, domestic and cross-border transactions.
- Data Warehousing, MIS and Business Intelligence Decision Support System.
- Intra-Bank email systems, which incidentally revolutionised banks' internal communications, introducing online knowledge repository, training / applicable instructions / job cards, etc.

Considering that technology is a risk multiplier both in operations and business, systems must be properly manned and a sophisticated disaster recovery process must be in place.

This quantum jump in technology envelops the whole organisational entity, its activities, interfaces and all stakeholders. For a large organisation like a PSB, which forms the backdrop of the present article, having about 650 retail branches, business transactions exceeding Rs. 30,000 cr. and providing direct employment to about 10,000 persons, automation decisions are size-oriented. The size of operations has a critical bearing on the choice, cost and consequences of IT projects.

The general method adopted by PSBs is to make a preliminary survey of actual functional systems in various other banks, appoint consultants, arrive at the desired specifications of the system to be procured and then go for tendering for suitable software / hardware and related services. All PSBs follow the Central Vigilance Commission's (CVC) guidelines in selecting the final vendor for software, hardware, accessories and maintenance thereof. It may be mentioned here that a precise cost-benefit analysis may not always be feasible, as technological upgradation, new technology, etc. are mostly required to remain in the market and / or to retain market share. Notwithstanding the same, while selecting technology and finalising the roll-out plan, PSBs do take care of the following factors:
- New technology will bring in new risks and, accordingly, the cost, benefit and risks of the new technology need to be considered and optimised for maximum productivity.
- The life of the technology is also becoming shorter and shorter. For this reason, banks / financial institutions also need to be ready with resources and plough back revenue enhancements so that systems can be replaced before they become totally obsolete.
- The agreement to purchase / hire services and the service level agreements must each be legally sound besides technologically feasible, so that buyers can use the system as required by them and vendor failures are avoided.

At this stage, banks / financial institutions may also finalise the process of User Acceptance Testing (UAT) that they would like to follow before commercial roll-out of the system at the branches / offices. This is very important and must be developed with a professional approach, as otherwise banks will suffer avoidable pangs and costs of customisation in high-risk situations. If the system is purchased on a turnkey basis, then the confidence level of such UAT should be very high. It would also be appropriately pragmatic for the bank to prepare an action plan for converting fixed costs to take full advantage of new technology / upgradation. Suitable steps to remove the road blocks which prevent such conversion / replacement should be taken.

Based on the above components, below are the schematic triangles of concerns that bankers / financial institutions would do well to keep in mind while selecting / rolling out expensive and all encompassing technologies.

Figure No. 8: TCO Analysis

No doubt, the implementation of a new system, say, Core Banking Solutions (CBS), now being set up in most banks, will enhance banking services in a visible manner. The customers of a branch now become the customers of the whole bank. Speed and accuracy of transaction processing, money transfers, remittances, and local and national clearing all get enhanced, enabling the bank to handle more transactions with the cost per transaction coming down to a great extent. Thus, CBS coupled with an ATM network, Internet Banking and Real Time Gross Settlement (RTGS) gives the customer the facility of doing business with the bank round the clock without visiting the bank's branch. Internet Banking is very popular with young clientele, as utility payments, travel arrangements, bill payments and even purchase of cinema tickets can be done sitting at home or in the office.

As RTGS has also been enabled in many commercial bank branches, the reach of the Electronic Funds Transfer System (EFTS) now stands highly enhanced. It is clearly visible that technology is a strategic resource available at a cost, albeit with an altered risk-benefit matrix. As a matter of fact, every upgradation of technology may become a risk multiplier if appropriate risk mitigation steps have not been embedded in the system and provided for in the handling procedure itself. One of the risk areas is outsourcing, in which, because of considerations of core competency and cost, outsourcing of all technological inputs, including hiring of hardware, software and "livewire" technical staff, is resorted to. Business Process Outsourcing (BPO) has become a mantra in most private enterprises, which have high adaptability to new technologies. Even there, appropriate levels of agreement are reached and roadblocks set up to prevent control of the business passing from the hands of management to the hands of the BPO.

In commercial banks, outsourcing is mainly done to obtain assistance wherever they lack the core competency to handle highly technological jobs, including troubleshooting of IT systems. Here also, many banks have tried to use in-house people to maintain their systems, but this has mostly resulted in a legacy of problems, creating handicaps for the bank in moving speedily to new technology platforms. Outsourcing of technological services, at least to launch an IT project, is quite common in today's banking industry. Banks have been asked by regulators to finalise a policy on outsourcing so that the risks of outsourcing critical basic applications are managed properly.

Further, the salary structures of PSBs also do not permit employment of highly qualified experts in the area of technology. Recently, SBI and TCS have joined hands to float a separate company, which presumably will not have such salary and perquisite constraints and would, therefore, be able to retain technical experts for a reasonable time. It may also be noted that new technologies invariably give rise to new opportunities, which can be harnessed under the general expression Business Process Re-engineering (BPR). The CBS, operating on a centralized data and information reservoir, has the ability to convert a branch customer into a bank customer and, thereby, makes it possible to turn many hitherto distributed banking activities into centralized activities. Banks are coming up with outlets, Centralised Processing Units (CPUs), where all loan processing, renewal and documentation for all branches are done, leaving branches free for marketing and the business of cross-selling. Banks that have rolled out CBS find a grand by-product opportunity to take such B2C initiatives, which have vastly improved credit appraisal, disbursement, documentation, deposit mobilization, and cheque and customer instruction processing.

As an example, previously all cheques in clearing would come to the branches for verification of signature, balances and payment thereof. Now, service branches have all this information on the screen itself and cheques need not travel to the branches, thus saving time and ensuring quality. A new technology or new system is highly successful when it meets the following criteria:
- Increase in revenue / volume of business
- Reduction of cost of operations
- Reduction in delivery time for most B2C transactions
- Improvement in general customer service and customer loyalty.

Most banks and financial institutions, and even insurance companies, that are using a high level of IT are endeavouring to measure the success of their investment decisions by actual movement of the above factors. The beneficial impact of modern-day technology has ushered in a new era in services available to bank customers. Some such features are:
- Transacting from any branch;
- Specialised collections, remittances and fund transfers;
- 24 / 7 banking through ATMs and Internet banking;
- Automated payments;
- Automated Standing Instructions (ASIs);
- Using banks' Web portals for the latest rates, new products and terms;
- Submission of stock and other statements for loan account customers;
- With the RTGS facility, funds transfer to accounts with other banks has also become possible.

While technology (to be more precise, information and Internet technology) has brought in metamorphic changes in the area of banking and financial services, problems do persist in various areas: some are new, some also suffer from aggregation of risk owing to the change in technology. Having rolled out CBS, the latest in banking technology, in 100% of our branches along with a network of ATMs, Internet Banking, RTGS, etc., we find many problems which, if handled either before installation or immediately on roll-out, would strengthen the bank's delivery, customer satisfaction and bottom line. Some such problem areas are as under:

Biometric Access Control

In spite of decades of history of full computerisation in banks, even under CBS most banks' internal access control is based on individual ID and password. Abuse of this system in a large organisation is well known and difficult to combat; thus the system needs to be replaced by a biometric one. Preferably, the ID of each individual employee of the bank should be replaced by his / her fingerprints. It would then be easier to track and eliminate all possible abuses or mistakes.

UAT

We have mentioned the importance of UAT earlier. It is reiterated that, though PSBs know fully well their inputs and the required outputs, data for comprehensively testing new systems are not generally available. Banks are depending on the vendors' expertise in these matters, and generally mistakes are rectified through trial and error. In this context, auditability of systems assumes considerable importance.

MIS / Data Warehousing

Generally, CBS available in the market may not come with a full-blown MIS or data warehousing capability. These need to be developed, or the existing one has to be integrated.

Input Control / Output Reports

The CBS is a platform mainly for handling Bank to Customer (B2C) transactions. Normally, no problem is envisaged from the transaction to the reporting level in a system which has gone through proper UAT. But large banks always find it quite difficult to ensure full accuracy at the input level. Errors of input, mapping and legacy problems at the granular level create data integrity problems.

Variability of Cost

The success of new technology lies in harnessing its ability to cut down transaction cost, as also in replacing fixed cost by variable cost. But this is not happening at the required place and time, and often new technology represents additional cost without reduction of the fixed cost already existing.

Captive users

Some of the major problems have arisen from the fact that banks that have selected and installed new technology have become captive users of the vendors. This problem may be further accentuated in the absence of proper service level agreements.

Attrition

Many of the bank staff members who have adopted and quickly mastered new technology may be leaving the bank for better offers, creating gaps in day-to-day management.

Service Level Agreements (SLAs)

Many of these problems are not insurmountable, but definitely controllable. With appropriate planning and consultation they can be managed, subject to the existence of appropriate agreements for hiring / purchasing / outsourcing and SLAs. A professional arrangement in this area will ensure continuity of the vendor's stake, which is important.

Systems and Operation, Documentation / Manuals

In the new system, fully developed documentation should be available. Online help generally does not meet the requirements of users. Sometimes these are not available, and vendors themselves suffer from attrition, thus creating a somewhat chaotic situation during the commercial run of the system, which may degenerate unless appropriate control and administration is exercised. Prevention is always better than cure.

B2B / Government Business, etc.

A large part of a bank's business is treasury management and bank-to-bank transactions, including multi-currency transactions. Some of the PSBs are also entrusted to do government business. Most core banking systems do not have proper modules where such transactions and transactional MIS can be processed simultaneously. The additional requirements need to be anticipated and negotiated with the vendors at the opportune time. Suitable middleware can be used in this regard.

"India is a software powerhouse. But its IT security practices are pathetic and consumers should beware." --- Sucheta Dalal, Consulting Editor of MONEYLIFE

Last June, an employee of Hong Kong Bank in Bangalore was arrested following an investigation into the theft of 230,000 pounds sterling from a British customer's account. Earlier this month, Channel 4 of London controversially claimed that credit card data, along with passport and driving license numbers, are being stolen from call centers in India and sold to the highest bidder. A survey on the Global State of the

While things are pretty bad on the global IT security front, things are worse in India. The study says: "One of the most unsettling findings in this year's study is the sad state of security in India, by a wide margin the world's primary locus for IT outsourcing. India lags far behind the rest of the biggest IT powerhouses in the world; these findings should cause considerable concern. Many survey respondents in India admitted to not adhering to the most routine security practices. The rates of extortion, fraud and intellectual property theft that occurred last year are double and even quadruple those of the rest of the world. Nearly one in three Indian organisations suffered some financial loss because of a cyber attack last year, compared with one in five worldwide and one in eight in the United States." The study continues: "The problem is obvious, but right now it's apparently easier to ignore than to address. Harder to ignore is the constant news of large organisations losing laptops packed with unencrypted personal data on millions of customers. Every report of such incidents should motivate companies to tighten security, but every year the survey indicates that's not happening."


The IS Scenario in India

Banking institutions are becoming more and more conscious of IS, taking into consideration the scams that have occurred in the past and continue to occur even today. A flood of new security attacks targeting banking customers over the last twelve months has forced organisations and regulatory bodies to introduce new directives and methodologies, such as the recommended use of two-factor authentication by online banks by the end of 2006. These groups believe that single-factor authentication (the use of a username and password) is now inadequate to protect users against recent internet scams such as phishing, pharming and RAT attacks. By the end of 2006, many Asian online banks will be required to implement the new directives covering two-factor authentication, which relies on something the consumer has, such as a token or smartcard. This would help identify the individual more specifically. Introducing the methodology in a relatively short span of time would be the next big challenge faced by the banks. They would also have to ensure that the chosen method is convenient enough for broad consumer adoption while keeping costs down.

Banks in India need to be complimented on the inculcation of technology in a large way in their day-to-day operations. In a short span of less than two decades, customers of the banks have felt the positive impact of technological solutions implemented by banks. The customer in a bank has a virtual menu of options as far as delivery channels are concerned, and all these are the benefits of technology, with the most visible benefits happening in the area of payments for retail transactions. A variety of cards, Automated Teller Machines (ATMs), Electronic Based Fund Transfers (EFT), Internet Banking and Mobile Banking are all some of the latest technology-based payment solutions, which have gained large acceptance in the Indian banking arena. While addressing a critical topic such as technology, which has today become a basic necessity rather than a luxury in the banking sector, the various components must be examined which comprise the building blocks on which banking will function tomorrow. I would, therefore, enlist some of the major aspects which appear to be the corner stones of the road that we are paving, so that the highway would ensure free, safe and secure conduct of banking services and business. Technology implementation comes with its attendant requirements too. A few major aspects which need to be reckoned with relate to the:
- Need for standardization across hardware, operating systems, system software and application software to facilitate interconnectivity of systems across branches.
- Need for high levels of security in an environment which requires high levels of confidentiality; IS is an important requirement.
- Need for a technology plan which has to be periodically monitored and also upgraded consequent upon changes in the technology itself.
- Need for business process re-engineering with large-scale usage of computers; the objective is not merely to mechanise activities but to realise the holistic benefits of computerization for both the customer and the staff at the branches.
- Sharing of technology experiences and expertise so as to reap the benefits of the technology implementation across a wider community.

With technological solutions rapidly evolving, more new products and services may soon become the order of the day. This technology evolution needs to be thoroughly supported by IS practices and procedures in order to avoid an otherwise chaotic situation. Prominent among the attendant challenges is the paradigm shift in the concept of security. With delivery channels for funds-based services, such as the electronic movement of funds between different accounts of customers, operating through technology, the requirements relating to security also need to undergo metamorphosis at a rapid pace. Various concepts, such as digital signatures, certification, and storage of information in a secure and tamper-proof manner, all assume significance and have to be a futuristic part of the practices and procedures in the day-to-day functioning of the banks of tomorrow. Security requirements have to be provided from a two-pronged perspective: first for the internal requirements of the banks themselves, and second relating to the legal precincts of the laws of the land. It is indeed a matter of satisfaction that the INFINET (Indian Financial Network) is a safe, secure and efficient communications network for the exclusive use of the banking sector, which provides for inter-bank communication.

The key advantage of INFINET is its own security framework in the form of the PUBLIC KEY INFRASTRUCTURE (PKI), which is in conformity with the provisions of the Information Technology Act, 2000. Several large financial institutions are now starting to implement two-factor authentication to re-establish trust with their users, fearing that if nothing is done, profits will be lost, customer confidence will drop, and this will lead to a loss of brand image in the long run. "At YES BANK, our priority is delivering solutions that take into account present and future customer needs," said H. Srikrishnan, CIO and Executive Director, YES BANK. "We identified that current and prospective customers have access to a PC with a reliable bandwidth connection, but a key concern was the ability for us to guarantee a high level of security, giving them the confidence to use Internet banking without the worry of fraud or theft. Thus, our priority was addressing this issue and identifying a solution, which would improve customer confidence and provide a reliable and user-friendly experience." According to recent surveys conducted by various IS organisations, identity theft looms over any other kind of crime worldwide.

Currently the IS implementation in banks suffers from deficiencies such as:

A comprehensive Security Risk Assessment is not being conducted before drafting a security policy for the bank.

The Acceptable Usage Policy (AUP) is not communicated to all staff of the bank.

The scope of Information Systems Audit at branches is restricted to checklist audits.

A defined Vulnerability Assessment Policy has not been set out for the data centres of banks.

ICICI Bank Phishing scam targets customers in India

Phishing is a relatively new phenomenon in India, though the United States, South America and Europe have been reeling under its impact for years now. The new scam mail targets the Indian customer, who is rather soft in terms of awareness of such activities, and follows a contemporary trend in the international online arena. It tells users that a popular bank is updating its online security mechanism, so the user should key in his information on the website that the fake email leads him to! Security analysts at an Internet security company (name undisclosed) warn that a phishing mail in the name of one of India's leading banks, ICICI, has been found to be spammed to targeted user groups for the last couple of weeks, aiming at sensitive financial information. The mail reads that ICICI Bank is upgrading to a new SSL server to insulate customers against online theft and other related criminal activities. Users are told to confirm their personal banking information by following the given mail. It also warns that if the user does not complete the form, the online bank account will be suspended till further notification. Once the user clicks on the link, he is taken to a bogus website that looks identical to the original one, where he is made to part with his account number, password and PIN. Phishing is the cyber form of identity theft using fake spam emails and fake websites of reputed financial organisations. You receive an email that seems to be coming from a reputed bank, credit card firm, auction website or any other financial institution. The message tries one of several tricks to induce you to click on the link provided in the email and gets you to reveal your personal information. This stolen information is used for sophisticated online robbery, identity theft and other Internet-related crimes.

The Anti-Phishing Working Group, an industry consortium formed to fight this mode of crime, says the attacks in recent months were double those reported in the same months last year. With commerce growing rapidly, phishing attempts may grow manifold this year, faking more brands and institutions to loot more victims around the globe.
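The scam described above depends on two things a mail gateway or a user-awareness tool can check mechanically: the visible link text does not match the real destination, and the message pairs a demand for secrets with a threat of suspension. The following is an added example written for this page, not code from the study or from any bank or vendor it mentions. The two messages are constructed, bank-example.test is a placeholder for the bank's genuine domain, and the lure phrases are taken from the description in the text.

```python
"""Heuristic checks for the kind of phishing mail described above.

Added example for this page, not code from the study or from any bank or
vendor it mentions. The two messages, the 'genuine' bank domain and the lure
phrases are all constructed; bank-example.test is a placeholder domain.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain the bank really uses for Internet banking (constructed placeholder).
GENUINE_DOMAIN = "bank-example.test"

# Lures the scam in the text relies on: a demand for secrets plus a threat of
# suspension. Matched case-insensitively against the message body.
LURE_PATTERNS = [
    r"\bconfirm your .*?\b(password|pin)\b",
    r"\baccount will be suspended\b",
]

# Constructed sample in the style of the scam mail quoted on this page.
SCAM_MAIL = """From: "Bank Security Team" <security@bank-example.test>
To: customer@example.test
Subject: Urgent: confirm your banking details
Content-Type: text/html

<html><body>
<p>We are upgrading to a new SSL server to protect you against online theft.</p>
<p>Please confirm your account number, password and PIN at
<a href="http://203.0.113.10/login">https://www.bank-example.test/secure</a>
or your account will be suspended until further notification.</p>
</body></html>
"""

# Constructed benign mail from the same bank, for contrast.
BENIGN_MAIL = """From: "Bank" <statements@bank-example.test>
To: customer@example.test
Subject: Your monthly statement
Content-Type: text/html

<html><body><p>Your statement is ready at
<a href="https://www.bank-example.test/statements">https://www.bank-example.test/statements</a>.</p></body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _under_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyse_mail(raw: str, genuine_domain: str = GENUINE_DOMAIN) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    html = "".join(part.get_payload() for part in msg.walk()
                   if part.get_content_type() == "text/html")
    collector = _AnchorCollector()
    collector.feed(html)

    findings = []
    for href, text in collector.links:
        host = _host_of(href)
        # Real destination outside the bank's domain (a bare IP literal is the
        # classic sign of the bogus look-alike site described in the text).
        if not _under_domain(host, genuine_domain):
            kind = "IP address" if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) else "host"
            findings.append(f"link destination {kind} {host!r} is not under {genuine_domain}")
        # Visible text that looks like a URL but points somewhere else.
        if text.startswith(("http://", "https://", "www.")):
            shown = _host_of(text)
            if shown != host:
                findings.append(f"displayed URL host {shown!r} differs from real destination {host!r}")
    for pattern in LURE_PATTERNS:
        if re.search(pattern, html, re.IGNORECASE | re.DOTALL):
            findings.append(f"lure phrase matched: {pattern}")
    return findings


def is_suspicious(raw: str) -> bool:
    return bool(analyse_mail(raw))


if __name__ == "__main__":
    for name, mail in (("scam", SCAM_MAIL), ("benign", BENIGN_MAIL)):
        print(name, "->", analyse_mail(mail) or "no findings")
```

The sender address is deliberately not used as evidence: the scam mail above carries the bank's own domain in its From header, which is exactly what a spoofed message looks like, so only the link destinations and the wording are scored.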


Understanding Information Security (IS)

In view of the critical implications of Information Security (IS) for banks and financial institutions, it is necessary to emphasise that the management of the bank should have a good understanding of the IS risks.

IS is not only the concern of the Information Technology Department but for the entire organisation. It is said that Security in an organisation is as strong as its weakest link. Hence, each and every user of information, right from the senior management to the clerk in the branch has to be involved in any security initiative taken by the bank. This will mean that they have to be aware of the security threats and should practice the laid down policies and procedures.

IS Policy has to be aligned to the business objectives by a proper IS Risk Assessment. This means that the risks identified and measured during structured IS Risk Assessment should be mitigated with effective security policy and procedures.

IS Policy cannot be the same for all banks despite there being similarities in their business function. This is due to the reason that each bank has its unique risks which might be multidimensional considering their locations, their services, their business goals and their technical infrastructure.

Banks can optimise their resource spending on IS by directing their security spending at the high-impact risks identified during their IS Risk Assessment. Hence, IS should be seen as an investment.

Security Audits at branches need to be conducted by qualified personnel as it needs to encompass an audit through the computer.

IS rests on the CIA principle (confidentiality, integrity and availability). Hence, in every decision, the security requirement of CIA has to be observed.

IS Risk Assessment is not only restricted to Vulnerability Assessment of technical infrastructure but extends to identifying critical assets, their threats and organisational vulnerabilities. It also includes Business Impact Analysis (BIA), measuring risks and suggesting appropriate controls.


Spending patterns (Technologically and Financially)

According to the Gartner report on IT spending of financial services, the worldwide financial sector spends about US$ 129 billion annually on IT services.

[Figure No. 9: IT Spending Patterns. Chart titled "The Worldwide Financial Services Industry Spends about $129 billion Annually on IT Services" (Financial Services IT Services Key Facts), covering FY 02 to FY 07, with bar values 114, 123, 136, 145 and 154 and a CAGR label reading "6 3%". Source: Gartner.]

According to a report from the Indian Institute of Information Technology, the application of Information and Communication Technology to the banking sector has been growing in the recent past. IT spending by the BFSI segment jumped by a healthy 18 percent during 2002-03 to touch Rs. 60 billion (US $1.24 billion). Indian banks on an average spend an estimated Rs. 1.5 billion on software and hardware for core and internet banking services. According to industry estimates, the BFSI segment accounts for around 10 percent of the total IT industry and about 28 percent of the domestic IT market. Spending by the BFSI segment is expected to jump to Rs. 98 billion during the 2004-05 fiscal. The main driver for the increasing use of IT in banking is the need to cater to the growing and changing expectations of the customers, who relentlessly demand continuous improvement in the quality of services offered, reduction in charges and access to new products. In the context of global competition, the banks have to use other factors to facilitate the increasing IT investments. The Central Vigilance Commission lays down certain statutory requirements for banks in this regard, i.e. achieving 100% branch computerization and availability of certification services for ensuring the security of electronic transactions, with an eye on the growing size, complexity and integrity of the financial markets. Technological advancements bring along concerns on the privacy, confidentiality and integrity of information. It is being seen that such concerns have a major impact on the functioning and existence of banks and financial institutions. While many banks in India have taken steps to improve their IS, much still remains to be achieved. It is often perceived by the management of banks that IS is technical and complex. Contrary to this, IS is similar to any other area of managerial decision. Further, IS investment should also have a return on investment. This is to be achieved by an effective IS Risk Assessment.


CTO/ CIOs viewpoint

The best way to approach IS is from the business side ask what the business need is, assess the risk and fashion a risk mitigation strategy that fits.
-- S Krishna Kumar, GM (IT) and CISO, SBI.

The devising of an appropriate and suitable security strategy depends upon several aspects such as the breadth of the organisation's business, volume of transactions per day/month, scale of operation (no. of years in the current business), necessity of data migration, competition in the sector, etc.

Table No.2: Risk Mitigation Strategy

Processes:
Upper management buy-in
Concept of six pillars of safety: governance, structure, risk assessment, risk management, communication and compliance
Policy approval at board level
Risk mitigation processes
Documented standards and procedures
Management overview for controllers
Service Level Agreement (SLA) monitoring

Technology:
Firewall
Anti-virus
IDS (Intrusion Detection Systems)
Management Tools

The security strategy must be in line with the business needs and the complexities, so as to prove holistic in approach, and should include all the components needed for the IS program.

IS has commitment and support at the highest level in the organisation. The state of IS is periodically reviewed by the top management.

All the pillars are equally critical in providing IS assurance, rather than merely focusing on the security products and penetration tests. IS derives its strength from the highest authority, the board, which has approved the bank's IS policies and provided direction and support mechanisms to evolve the required standards and procedures. Risk mitigation is not a one-size-fits-all process, and takes different routes depending on the risk and business imperatives. This needs to be devised after considering business needs vis-a-vis security controls. Being financial organisations, the banks are subject to a number of regulations, both internal and external in nature. These are considered an integral part of the Security Architecture. It is necessary that all the personnel across the business understand the underlying philosophy and basis of the security policy. Merely writing a security policy and sending it to the different departments will never succeed. It is not good enough to have just the performance levels specified in a Service Level Agreement (SLA). The organisation should also be able to measure service levels, use appropriate measurement metrics, build adequate deterrents against under-performance and monitor the performance of all the outsourcing agreements. Business Continuity and Disaster planning bear a lot of importance in the IS Strategy or Program. On this, Mr. Kumar observes that a Disaster Recovery (DR) system has been set up for critical applications in a different city and periodic mock drills are conducted. An important but often neglected aspect of the DR plan is to shuffle a core team of operations personnel between production and DR sites periodically. This ensures the availability of skilled resources at the DR site. "They are current with the latest state of the production application," says Kumar.


The basic IS needs of banks and financial institutions are very similar to those of most large organisations. The problem in the banks is that they are fairly high-value targets. Gaining unauthorised access to a bank's customer records can make identity theft easy on a large scale. Unauthorised access to customer records creates operational, legal and reputational risks for banks. Currently banks are spending approx. 5-6% of their total IT budget on security, and this amount of money may prove to be inadequate to ensure effective ISRM considering the threats existing in the e-world today. Not only should the banks spend more on IS but they should also ensure that their IS risks are mitigated. A structured IS Risk Assessment will enable banks to accomplish this objective. A Return on Investment (ROI) in IS should be demanded by the management. Further, banks should approach IS in a structured manner.
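The structured risk assessment the text keeps returning to (identify critical assets and their threats, measure the risk, direct spending at the high-impact risks, and demand a return on the IS investment) can be made concrete with annualised loss figures. The following is an added example, not a method or data from the study: the asset register, likelihoods, impact values, control costs and insurance premiums are constructed for illustration, and the accept / mitigate / transfer rule is one plausible policy, not the one any bank in the survey uses.

```python
"""Annualised risk assessment with a treatment decision and return on
security investment (ROSI).

Added example for this page; every figure below is constructed for
illustration and is not data from the study.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: float               # expected occurrences per year
    impact: float                   # loss per occurrence, in currency units
    control: str                    # proposed mitigating control
    control_cost: float             # annual cost of operating the control
    reduction: float                # fraction of expected loss the control removes
    insurance_premium: float = 0.0  # annual premium if the risk is transferred

    def ale(self) -> float:
        """Annualised loss expectancy with no control in place."""
        return self.likelihood * self.impact

    def residual_ale(self) -> float:
        """Expected annual loss left after the control is applied."""
        return self.ale() * (1.0 - self.reduction)

    def rosi(self) -> float:
        """Return on security investment: (loss avoided - control cost) / control cost."""
        avoided = self.ale() - self.residual_ale()
        return (avoided - self.control_cost) / self.control_cost


# Constructed register (amounts are illustrative currency units, not survey data).
REGISTER = [
    Risk("customer records database", "unauthorised access and data theft",
         likelihood=0.2, impact=5_000_000,
         control="access control, monitoring and audit logging",
         control_cost=150_000, reduction=0.8),
    Risk("branch workstations", "virus outbreak",
         likelihood=4, impact=50_000,
         control="managed anti-virus with central updates",
         control_cost=60_000, reduction=0.9),
    Risk("laptops", "theft of device holding customer data",
         likelihood=2, impact=40_000,
         control="full-disk encryption rollout",
         control_cost=100_000, reduction=0.7, insurance_premium=30_000),
    Risk("fax machines", "misdirected fax",
         likelihood=1, impact=5_000,
         control="confirmation call before sending",
         control_cost=8_000, reduction=0.5),
]


def choose_treatment(risk: Risk, appetite: float) -> str:
    """Pick accept / mitigate / transfer for one risk.

    'Avoid' (dropping the activity altogether) is a business decision the
    numbers alone cannot make, so it is not produced here.
    """
    if risk.ale() <= appetite:
        return "accept"                  # below the documented risk appetite
    if risk.rosi() > 0:
        return "mitigate"                # the control pays for itself
    if 0 < risk.insurance_premium < risk.ale():
        return "transfer"                # insure rather than over-spend on a control
    return "accept (documented)"         # nothing cost-effective; record the acceptance


def assessment(register=REGISTER, appetite: float = 10_000) -> list:
    """Rank risks by expected annual loss and attach a treatment to each."""
    rows = []
    for r in sorted(register, key=lambda x: x.ale(), reverse=True):
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "ale": r.ale(),
            "residual_ale": r.residual_ale(),
            "rosi": round(r.rosi(), 2),
            "treatment": choose_treatment(r, appetite),
        })
    return rows


def annual_security_spend(rows, register=REGISTER) -> float:
    """Total yearly outlay implied by the chosen treatments."""
    by_asset = {r.asset: r for r in register}
    total = 0.0
    for row in rows:
        r = by_asset[row["asset"]]
        if row["treatment"] == "mitigate":
            total += r.control_cost
        elif row["treatment"] == "transfer":
            total += r.insurance_premium
    return total


if __name__ == "__main__":
    rows = assessment()
    for row in rows:
        print(f"{row['asset']:<28} ALE={row['ale']:>12,.0f}  ROSI={row['rosi']:>6}  -> {row['treatment']}")
    print(f"annual security spend: {annual_security_spend(rows):,.0f}")
```

With the constructed figures the customer database and the branch workstations are mitigated because their controls return several times their cost, laptop theft is transferred because encryption would cost more than the expected loss it avoids while a premium is available, and the fax risk sits under the appetite and is simply accepted; the total outlay is what management would compare against the IT budget.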

3.1 Introduction
This chapter discusses the methodology of this study in detail. The research questions and assumptions (hypotheses) proposed in Chapter 1 are presented here. All phases of the research design, data collection, location of the research performed, method of inquiry and statistical analysis are reviewed. Finally, the whole chapter is summarised. The research can be categorised as a combination of exploratory and descriptive study seeking insights into IS and Risk Management in banks in India.


Research Questions and Research Hypotheses

The research assumptions (hypotheses) framed in the study possess a strong background in the literature review. The combination of the research assumptions (hypotheses) and the literature review proves their importance in the study for answering the research questions. The answers to the research questions would provide good insight for IS professionals and executives regarding the various scenarios and complexities posed prior to designing an IS and Risk Management System.

Research Questions

The research will address the questions mentioned below:

What are the information risks and security threats involved in the Banks?

What benefits will be derived by implementing these systems in the existing scenario?

What should be the ideal characteristics of the Information Risk and Security Management Systems?

What functions in security and risk management must be accomplished by an IRSMS to support Banks?

What would be the Total Cost of Ownership (TCO) for the institution?

Hypotheses

The security policies in the same organization (Bank) may differ based on the geographic location.

Many Banks prefer accepting the security risk rather than mitigating, transferring or avoiding it.

IRSMS policies show wide variations across all types of financial institutions (here the type of bank would be considered, i.e. Apex/ Public Sector Commercial/ Private Sector Commercial/ Co-operative/ Foreign bank, etc.).


Data Collection / Collected

Primary data collection is done on the basis of personal interviews along with responses based on the questionnaire filled by the IS / Management personnel, Information Systems Auditors, Information Systems Inspection Personnel, Network Security Professional, Network Administrators, Information Systems Administrators, etc. The data is also collected from the customers of the banks in order to understand the awareness among them, which might instigate quick development, deployment and improvement in the IS and Management methodologies and techniques in the respective banks. The data collected from the customers is a value addition to the research in order to achieve certain insights regarding the IS threats which might have been overlooked as they might not have been informed or not registered. These customer inputs would also help us analyse the overall success of the banks in terms of IS and Risk Management. The choice of an adequate data collection method should mainly be based on the type of research problem investigated (Kiplinger 1986). Figure 3.1 indicates which choices were made at various decision levels related to the data collection method. At each level, the option selected is shaded.

[Figure No.10: Selection of Data Collection Method. Decision tree from Data Collection through Longitudinal vs. Cross-Sectional research, Experimental vs. Non-Experimental research, and the survey method chosen; the option selected at each level is shaded in the original figure.]

Cross-Sectional Research

Research can either be cross-sectional or longitudinal. In this study, a cross-sectional research design has been applied. Cross-sectional research involves the collection of information from any given sample of population elements. Longitudinal research, on the other hand, provides an in-depth view of the situation and the changes that take place over time. Scholars recognise that representative sampling and response biases are serious problems of longitudinal research. In longitudinal research, the cooperation of panels is required. Respondents' refusal to co-operate, panel mortality, and payment of panel members increase the lack of representative sampling. Furthermore, response bias is increased as a result of the fact that panel members more consciously perform the investigated behaviours and that new panel members tend to increase the investigated behaviour. Finally, longitudinal research implicitly requires long data collection periods. Based on these arguments and the objective of this study, a cross-sectional research design is considered to be adequate in order to provide the required information in a valid and representative way.

Non-Experimental Research

In this study, a non-experimental method as opposed to an experimental research method is used. Non-experimental research is generally defined as systematic, empirical inquiry in which the scientist does not have direct control of independent variables because their manifestations have already occurred or because they are inherently not manipulable. While experimental research generally allows obtaining high levels of internal validity as a result of the possibility to control, randomly assign, and manipulate, its lower external validity and artificiality are considered to be weaker elements. As this study aims at generating generalizable results for a wide range of IS and Risk Management situations, external validity is an important, additional evaluation criterion. Consequently, the use of non-experimental research is suitable for the purpose of this study.

Survey Research

Survey methods are generally classified into mail, internet, telephone, and personal surveys. Non-experimental research designs can consist of observation as well as survey methods of data collection. In this study, a survey research design was chosen, which is defined as interviews with a large number of respondents using a pre-designed questionnaire.

Personal Interviewing

In this study, personal surveys were conducted in order to gather the required data. A personal interview is generally defined as a questionnaire administration method in which the interviewer and respondent have face-to-face contact. According to many experts, the personal interview far overshadows the others as perhaps the most powerful and useful tool of social scientific survey research. Personal interviews outperform mail, internet, and telephone surveys on nearly all criteria, except for interviewer control and bias, cost, and social desirability. Several efforts were made in order to overcome these potential weaknesses. The use of structured questionnaires that included detailed respondent instructions automatically diminished the risk of interviewer bias. Further, interviewers were not aware of the underlying hypotheses of the study and could therefore not consciously influence the responses. Thus the data collection in this study used non-experimental, personal surveys and telephonic interviews on a cross-sectional basis.


Location of the Data

The data was collected with relative difficulty from the Inspection Departments of various banks, IS and Risk Management cells, Information Systems Auditors, Network Administrators, Information Systems Administrators, IS Specialists (Project Managers, Quality Assurance, Development Heads for any IS software or hardware solutions), etc. Apart from this, data was also collected from customers regarding their awareness of IS threats in banks. With a responsible and critical team of intellectuals forming the basis of this research, the remaining part of the questionnaires was filled by a large number of customers (the common man) of the banks. It was based on the domicile status of the customer, i.e. whether he was staying in Mumbai or had moved into the city recently. This research gave further insights regarding the depth of IS awareness in other parts of the country. The data collected was obtained from a fair mix of gender, age groups, educational background and income class.


Pilot Test
Pilot tests are often conducted to improve the content of questionnaires. Respondents helped to evaluate the structure, wording, difficulty or ease of answering questions as well as the time necessary to complete the questionnaire. Feedback regarding the format and structure of the questionnaire was considered and changes were made to the questionnaire. Suggestions were taken to clarify the survey instructions, using less technical words. A preliminary study was conducted to test the questionnaire. With respect to the topic of research the pilot test was done with people from varied backgrounds. The respondents gave their valuable suggestions during the personal meetings or discussions regarding the questionnaires and also regarding the technique of mining more information with tactful personal interviews. These interactions have really helped in shaping up the actual questionnaire. Participants of the pilot study were not included in the main study.

3.6 Method of Inquiry

A self-administered survey was utilised to collect data. The questions were developed in a manner which would help in analysing the various IS threats and the Risk Management methodologies used to mitigate, transfer, avoid or accept the risks. Based on past research, the data was gathered from both primary as well as secondary sources. The questionnaire was a blend of open- and closed-ended questions, which provided a range of possible responses to almost all questions and made it easy for the respondent to select from a range of possible answers. The questionnaires were distributed to a convenience sample of 150 in various banks in India, with varied locations, and to a sample of 100 customers of various banks in India, but limited only to the Mumbai region. Among the 150 respondents, a few had less than 1 year of experience in the IS and Risk Management area, and hence those who had not managed these kinds of responsibilities were removed, for a usable sample size of 133. Among the 133 respondents, 8 did not fill in all the details asked in the questionnaire, and hence were not considered for the study; thus a usable sample of 125 was used for evaluation. Among the 100 customer respondents, a few did not have any inclination towards IS, nor were they interested in new things. They were entirely satisfied with all the traditional means of transacting with the banks.

3.7 Analysis Performed on the Data

Different statistical methods were used for the data analysis using Microsoft Excel and Statistical Package for the Social Sciences (SPSS). Descriptive statistics were generated to evaluate the distribution of variables and appropriate statistical techniques were used to study the data collected.


This methodology chapter has provided a discussion related to the methods and procedures applied in this dissertation. The chapter has discussed the objectives of this dissertation, research questions in order to fulfill the objectives, and methods used to collect and analyse the data required by the research questions. Survey respondents were delineated by appropriate sampling process. To analyse the data collected, a set of data analysis methods were used. The results from all of the analysis methods have been discussed in detail in the following chapter.


4.1 Introduction
The questionnaires from the respondents surveyed have been analysed in two parts. The first part contains the responses of the Security Professionals, Certified Information Systems Auditors / Managers and the personnel who are directly responsible for drafting, evaluating, maintaining and enhancing the IS. A fair percentage of the respondents are actually involved in the day-to-day activities pertaining to IS policy implementation, and the remaining are third-party individuals who have contributed their views on the IS implementation. The second part contains the responses from the customers of the banks from the Mumbai region.

4.2 Key Findings

Some of the key findings from the participants in the survey are summarized below:

Virus attacks continue to be the source of the greatest financial losses.

Unauthorised access, hacking, etc., are the second greatest threat / source of financial losses.

The third greatest source of financial loss is considered to be the one related to laptops (or mobile hardware) and the theft of proprietary information.

The fourth source of financial losses these days is social engineering (e.g. Phishing, Pharming, etc.).

These four categories amount to more than 50% of financial losses.

The losses due to the lack of physical security have decreased considerably in the recent past.

The use of PKI infrastructure and encryption methodologies is increasing and is being adopted widely, according to most of the respondents.

The annual investment done by the BFSI segment should be focused and has to be marginally increased in order to have a much more secure environment for operations. In other words, if the financial losses are minimised, then effectively it will account for an increase in the profit of the banks.

According to respondents, the management in the banks is still not very keen on outsourcing the IS procedures. They prefer to have an in-house IS Officer for handling the procedures, or many a time it is preferred to accept the risk. At the most, an external consultant to advise on the policies is appointed to assist the in-house IS Officer.

The no. of IS Audits has been increasing in the recent past. Co-operative banks are also trying to get themselves certified by Quality, Audit and Compliance institutions such as DNV, BVQI, etc.

4.3 Detailed Survey Results

Respondents Area (Banks) Information on the organisations and the individuals representing those organisations that responded to this survey are summarised below. To encourage respondents to share information about occasions when their defences were overrun and, in particular, to provide data regarding financial damages, the survey was conducted anonymously. A necessary result of this is that direct longitudinal analyses are not possible.

Respondents based on the type of organisation
Apex Body 13%
Nationalised Banks 16%
Co-operative Banks 19%
Private Banks 10%
Foreign Banks operating in India 13%
Third Party Views (CISA, CISM, Network Administrators, etc.) 29%
(Rounded off to the nearest %)


Figure No.11:- Respondents based on the type of organisation

As shown in the figure above, the types of organisations covered by the survey include many areas from both the private and public sectors. The largest no. of responses came from the third-party viewers (CISA, CISM, Network Administrators, external Auditors, etc.). It accounted for almost one third of the entire responses received through the questionnaire. The second largest number of responses was achieved from medium and small co-operative banks, which totaled almost one fifth of the total responses. The third largest no. of responses was from the public sector Nationalised banks, which accounted for almost 16% of the responses. Private Banks were the lowest respondents. It may be because of the cut-throat competition existing in the BFSI sector among all the private banks.

Respondents based on the location of the organisation
Metro Cities 45%
B Class Cities 22%
C Class Cities 13%
Rural Areas 6%
Branches across the country 14% (Also considered foreign banks operating in India)
(Rounded off to the nearest whole %)


Figure No.12:- Respondents based on the location of the organisation

The figure above shows the responses of organisations having their presence in various parts of the country. The largest no. of responses came from the Metro Cities, which was evident and expected. It accounted for almost one half of the entire responses received through the questionnaire. The second largest number of responses was achieved from the B Class Cities, which totaled more than one fifth of the total responses. The third largest no. of responses was from the banks (Indian + Foreign) having their branch offices all over India, which accounted for almost 14% of the responses. Banks in the rural areas were the lowest respondents. The primary reason behind this was the scarce use of technology for day-to-day transactions, which might be due to the heavy investments required or due to less acceptance by the rural customers.

Respondents by Job Description
Internal IS Officers 5%
Certified Information Systems Auditors 29%
Certified Information Systems Managers 12%
Network Administrators 21%
Project Managers (IS Sectors) 7%
Systems Administrators 18%
Others 8%

Figure No.13:- Respondents by Job Description

The figure above shows the responses obtained by the survey based on the job descriptions / designations of the respondents in various organisations having their presence in various parts of the country. The largest no. of responses came from the Certified Information Systems Auditors, which accounted for almost one third of the total responses. The second largest number of responses was achieved from the Network Administrators, which totaled more than one fifth of the total responses. The third largest no. of responses was from the Systems Administrators, who are responsible for maintaining and ensuring the proper functioning of the Information Systems in the banks (Indian + Foreign) having their branch offices all over India, and who accounted for almost 18% of the responses. Internal IS Officers in the banks were the lowest respondents. The primary reason behind this was the confidentiality of the information. Information leakage to the outside world might be a source of reputation loss and would attract malicious threats, which would in turn be a source of financial loss. The other respondents included a few Chief IS Officers (CISOs), Quality Assurance personnel, external auditors, etc.

Percentage of IT Budget Spent on the IS

[Bar chart: share of the IT budget spent on IS, categories 1-2%, 3-4%, 5-6%, 10% and Not Aware, with the percentage of respondents on the horizontal axis from 0 to 50.]

Figure No.14:- IT spending as a part of budget

Budgeting and financial issues are the concerns most of the time when it comes to IS Risk Management, as it is an ongoing process and needs continuous updating. The respondents very hesitantly provided information on the IT expenditure on IS Risk Management as a part of the IT Budget. As illustrated in the figure above, 46% of the respondents indicated that their organisation allocated only 1-2% of the total IT budget for IS Risk Management. Around 10% indicated a figure ranging from 3-4% as the amount spent on IS. A 5-6% budget was indicated by 4% of the respondents. A major portion of the respondent community claimed that their organisation spent a relatively large amount on IS Risk Management. This portion amounted to almost 23%, who claimed to spend around 10% of the IT budget on the IS issue. The remaining (17%) group of respondents was either not aware of the expenditure on IS or preferred not to answer the question. They amounted to almost 1/5th of the total respondents.

Percentage of IS Functions Outsourced

IT outsourcing has become a trend in BFSI as well as some other sectors. Along with generic IT outsourcing, responsibility for Information Management and Security has also moved into the outsourced environment. Of late, it has been noticed that many banks have outsourced these jobs to IT giants in order to cut down on the operating costs and the resources required for handling them. Service Level Agreements (SLAs) are signed between the outsourcing company and the outsourced company for a specific period and based on minimum service criteria. The result of the survey makes it evident.

Share of IS functions outsourced   Respondents
100%                               20%
50-75%                             26%
25-50%                             14%
0%                                 40%

Figure No.15:-Percentage of IS functions outsourced

Among the results, 20% of respondents indicated that the IT and IS functions are completely (100%) outsourced to third party vendors under SLAs. Around 26% mentioned that a partial agreement is in place for IT outsourcing and external auditing of the Information Systems. Another 14% stated that Information Systems Management and Security is taken care of internally and only third party (external) auditors are appointed to verify that operations are genuine. The remaining 40% mentioned that no outsourcing is done and that a team of internal auditors verifies operations.

Policies to mitigate the risks externally

Regardless of the measures an organisation may take to protect its systems using technical security controls such as passwords, biometrics, antivirus software and the like, some risk of financial loss will always remain. As mentioned in the earlier chapters, IS risks can be identified and then either a) mitigated, b) transferred, c) insured, or d) clearly documented as accepted risks. Insuring the physical assets as well as the information assets transfers part of the residual risk to an external party. Hence, by purchasing Cyber Insurance, organisations can reduce the remaining risk. As per the survey conducted, 40% of respondents claimed that their organisations have purchased Cyber Insurance cover, while the remaining 60% lack this cover. Some of the respondents added that there has been a phenomenal increase in Cyber Insurance subscriptions over the past few years.

Cyber Insurance cover   Respondents
Insured                 40%
Not Insured             60%

Figure No.16:-Risk Mitigation Policies

Unauthorised access to the Information Systems in the recent past (last 5 years)

The figure below shows a decline in the overall frequency of successful attacks on computer systems. Furthermore, around one third of the respondents answered that there had been no unauthorised use of their organisation's computer systems. Only a small percentage of respondents indicated that they did not know whether such unauthorised use had occurred, which also indicates that employees are aware of these kinds of attacks. According to various respondents, managements in several organisations have taken up this issue seriously and are providing in-house as well as external training to employees on the importance and necessity of IS and Risk Management. The data reported in the figure below also paints the picture of a slow decline in the frequency of attacks on computer systems.

[Figure: horizontal bar chart of the percentage of respondents reporting unauthorised access, one bar per year from 2001 to 2006, axis 0-40; the bar values recovered from the chart are 23, 26, 24, 27, 34 and 35]

Figure No.17:-Unauthorised access in the recent past

Security Technologies used

Respondents were asked to identify the types of security technology used by their organisations. The responses matched the observations made before the survey. Almost all organisations use anti-virus software to protect their Information Systems, and their much valued information, from viruses, trojans and similar malicious content. The second most used solution was the firewall, at almost 98% of organisations. Firewalls are deployed in a mixed pattern, as software as well as hardware appliances, but the two have not been segregated here, this being an academic study. Anti-spyware showed up as the third most used security technology, with more than four fifths of respondents reporting its use. Intrusion Detection Systems (IDS) were being used by almost 70% of organisations. Emerging technologies such as biometrics had comparatively less acceptance at this point in time, for reasons such as installation, maintenance and the cost of implementation; it will be interesting to see whether the use of biometrics grows at a rapid rate in the years to come. Other technologies and policies, such as reusable account / login passwords, encryption of data (in transit and in storage), RFID, public key infrastructure (PKI), forensic tools, log management software, application-level firewalls, intrusion prevention systems (IPS), specialised wireless security systems, etc., had considerable usage in organisations all around the country. There were limitations in collecting this data, as respondents were either not aware of which technologies were in use or reluctant to express their views about them.

[Figure: bar chart of the security technologies in use, in the order they appear in the chart: Anti-Virus, Firewall, Anti-Spyware, Intrusion Detection System, Encryption, Reusable password, Intrusion Prevention System, Application Level firewall, Smart cards, Forensics tools, Public Key Infrastructure, Specialised wireless security system, Biometrics, Other]

Figure No.18:-Security Technologies used

Security Audits

Traditional security metrics are haphazard at best; at worst they give a false impression of security that leads to inefficient or unsafe implementation of security measures. It is therefore very important to evaluate the effectiveness of the IS work done in organisations. To evaluate this, the respondents were asked: What techniques are used by your organisation to assist in the evaluation of the effectiveness of its IS? The respondents were comfortable answering this question and indicated that many techniques, such as Security Audits (internal or external), Penetration Testing, etc., are used by their organisations. The details are illustrated in the figure below. Approximately 75% of respondents mentioned that their organisations use security audits conducted by their internal staff, making internal security audits the most popular technique for evaluating IS. Security audits done by external organisations were indicated by about 55%. Other techniques, Penetration Testing (45%), Automated Tools (40%), e-mail monitoring software (48%) and web activity monitoring software (50%), are also used, but comparatively less, for evaluating the effectiveness of IS activities; their usage ranges from 40-50% across organisations.

Evaluation technique               Respondents
Security Audits (Internal)         75%
Security Audits (External)         55%
Web Activity Monitoring Software   50%
E-Mail Monitoring Software         48%
Penetration Testing                45%
Automated tools                    40%

Figure No.19:-Security Audits

IS Awareness Training

The participants in the survey were also asked to rate the importance of security awareness training to their organisations in each of several areas. The percentages of respondents indicating that security awareness was very important are shown in the figure below.

The top five rated areas in IS Awareness Training were:
- Understanding the Security Policy (82%)
- Understanding the IS Management Systems (70%)
- Understanding Business Continuity and Disaster Recovery Planning and implementation (68%)
- Understanding the IS related threats (66%)
- Understanding the IS software and appliances (55%)

Apart from these five, there are many other areas where IS Awareness Training is required, so that every user ensures that malicious threats do not reach the most valued Information Systems.

[Figure: bar chart of the percentage of respondents rating each area as very important, axis 0-90: Security Policy 82, Information Security Management Systems 70, BCP / DRP 68, Information Security related threats 66, Information Security software & appliances 55; the lower bars, including Cryptography and Forensics Investigation, lie between 23 and 38]

Figure No.19:- IS Awareness Training

Most Critical Issues in next two years

Finally, the participants were asked to put across their views on the emerging IS threats that would affect the smooth functioning of Information Systems and challenge the CIA (confidentiality, integrity, availability) concept. The respondents came forward to give their views openly, since this was a generic question that did not touch on reputation risk, business risk or financial risk. The percentage of respondents naming each issue, ranked from most to least cited, was:

Issue                                                               Respondents
Data Protection and application software                            100%
Virus, Trojans and Worms                                            100%
Identity theft and leakage of private and confidential information  98%
E-mail attacks (e.g. spam)                                          95%
Social Engineering (e.g. Phishing and Pharming)                     89%
User education, training and awareness                              85%
Physical security                                                   78%
Access Control (e.g. passwords)                                     75%
Mobile (handheld) computing devices                                 67%
Adware and Spyware                                                  66%
Wireless Infrastructure Security                                    64%
Key loggers and Rootkits                                            59%
Intrusion Detection Systems                                         51%
PKI implementation                                                  47%
Patch Management                                                    45%
Employee misuse                                                     34%
Two-factor authentication                                           32%
Denial of Service (DoS)                                             23%

Figure No.20:- Critical Issues

Respondents Area (Customers)

Responses were also invited from 100 customers of the various banks having at least one branch office in the Mumbai region; the 100 customers were also from the Mumbai region. This was done to enhance the study and to understand in depth whether customers are aware of IS or have no relation with it at all. The study took the customers' responses into consideration because IS Risk Management is a new concept as far as Indian banks are concerned, and because IS Risk Management has to be a joint effort: not only the banks and their employees are responsible for maintaining the Information Systems and providing IS, the customers are also an integral part of the entire process. For example, a bank may have taken due care to protect against social engineering threats such as phishing and pharming, but if the customer is not aware of these concepts and reveals his login name and password to a third party, whether unintentionally or through ignorance, his account can still be compromised.

The responses were as expected as far as the Mumbai region was concerned. Most of the customers were at least aware of the concept of IS. The responses were a mixed bag on the basis of age group, income level, education, gender, etc. Of the 100 responses invited, only 50 were usable, since 40 of the respondents did not answer all the required questions and 10 were completely unaware of IS Risk Management. Of the remaining 50 responses, 50% fall in the age group of 16-35 years, 30% in the age group of 35-55 years and 20% in the age group above 55 years. The figure below illustrates this break-up of the responses by age group. This trend was observed because the respondents in the 16-35 years age group are more inquisitive about Information Technology and use ATM centres, Internet banking, phone banking, kiosks, credit cards, debit cards, etc. more frequently than the other age group respondents do. A part of this age group consists of highly educated, well informed business executives or highly salaried employees, who have broad exposure to and an inclination towards using the Internet. Hence, they are aware of and concerned about IS, at least for their own bank or account.




Age group        Respondents
16-35 years      50%
35-55 years      30%
Above 55 years   20%
Total of 50 respondents

Figure No.21:- Responses based on the Age Groups

Of the 50 usable responses, 20% fall in the income level below Rs. 2,00,000 p.a., 45% in the income level of Rs. 2,00,000 to Rs. 5,00,000 p.a., 30% in the income level of Rs. 5,00,000 to Rs. 15,00,000 p.a., and the remaining 5% in the income level above Rs. 15,00,000 p.a.

Income level (p.a.)             Respondents
Below Rs. 2,00,000              20%
Rs. 2,00,000 - Rs. 5,00,000     45%
Rs. 5,00,000 - Rs. 15,00,000    30%
Above Rs. 15,00,000             5%
Total of 50 respondents. All figures in %

Figure No.22:- Respondents based on Income group.

Here, the responses are highest from the income group of Rs. 2,00,000 to Rs. 5,00,000 p.a. These respondents are normally working class or salaried employees. Due to their hectic job schedules they prefer using Internet banking, phone banking, etc., and hence are more used to, and more aware of, IS. The second largest group of respondents were again salaried employees in good positions, or owners of small businesses. They also use Internet banking for transactions such as credit card bill payment, EFT, share trading, etc. Hence, they are also quite concerned about IS.

The educational factor was also taken into consideration when inviting responses to the questionnaires. It was more than obvious that the higher the education level, the more aware the respondent was of concepts such as Information Systems and IS Risk Management, having had exposure to the new technologies emerging worldwide.


Information relating to the Bank and its customers is a highly valuable asset. IS helps in protecting these assets from unauthorised use, disclosure, modification or destruction, whether accidental or intentional. Protecting Bank and customer information is a responsibility of all employees and requires awareness and diligence. The ultimate responsibility for safeguarding Bank and customer information lies with each individual employee. Therefore, all employees who have access to systems that store and/or access such information are required to understand and comply with all specific policies, procedures, standards and guidelines established in support of the IS Program.

Taking into consideration all the analysis in the previous chapter, it is evident that many things have to be taken care of on a continual basis. IS is a continual process which needs to be specifically monitored and enhanced time and again. In order to implement IS Risk Management successfully, many attributes need to be considered in terms of IT / IS Governance. These include implementation of ISO 17799 / BS 7799, CobiT, etc., physical security, logical security, access controls, Business Continuity and Disaster Recovery Planning, etc. Within the scope of this academic research, an attempt has been made to analyse the varied situations that actually occur in various banks at different security levels.

While this topic can be related to various facets, on the basis of this research the following conclusions emerge.

Based on the Survey Findings

The survey has provided results regarding IS awareness based on the type of organisation, location of the organisation and job description. The responses give better insight into the IS landscape currently prevailing in various banks, in relation to the kinds of systems and policies in place to cater to the ever-increasing demands of the IS sector. The survey also tried to obtain in-depth information regarding the threats and malicious content currently existing in the cyber world. As an academic research project, this study had some limitations. The study has revealed that there is an intense need for banks to keep a close watch on the IS threats that concern the bank and its reputation, in an attempt to find better ways to transfer, mitigate, prevent or accept the risk involved. The research has been successful, to an extent, in determining the losses borne by banks due to various causes such as malicious attacks by viruses, trojans and worms, identity theft, unauthorised access, security breaches, or unintentional misuse or mistakes due to lack of technical know-how, expertise or awareness.

As mentioned above, there are some limitations to this report. The report has not been able to include any instances of losses caused by natural disasters / calamities within the Indian context. The exact cost of implementing IS systems could not be calculated. Most security software solutions or appliances are implemented in an assorted manner, and there is no standardisation of the IS systems implemented to date. The entire implementation depends upon several factors such as the spending pattern or IT budget for IS, the location of the organisation, the intellectual resources available to the bank, etc. The views of all the banks, their branches and their customers are too varied to reach a single conclusion. In fact, it can be said that all banks do take the steps that they feel appropriate for preventing, mitigating, transferring or accepting risks.

On the basis of this, it is essential that correctly drafted policies and procedures are in place to face IS issues. The IS policy must essentially include factors relating to physical security, logical security, access control, Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP). All these factors are very essential as far as IS threats are concerned. Physical security, logical security, access control, etc. are the factors generally implemented in order to prevent a risk from materialising, while BCP and DRP are prepared in advance for the risks that have been accepted and are invoked after a threat has made its impact. BCP / DRP is used to restart the mission critical business applications within a very short span of time, allowing the organisation to bear the minimum losses.

Based on the Information Systems Management Practices

Since IS is the most important attribute of Information Systems Risk Management, the policies / procedures should be followed and implemented from the moment employees are hired. Every organisation (banks, in the case of this academic research) needs appropriate Information Systems Management Practices, since these practices reflect the implementation of the policies and procedures developed for the various IS-related management activities. In most organisations the IS department is a service department, and its role is to help the other, customer centric departments operate effectively and efficiently. IS Management provides the lead role in assuring that the organisation's information and the information processing resources under its control are properly protected. This includes leading and facilitating the implementation of an organisation-wide IT security programme, which should include the development of the BCP and DRP related to IS department functions in support of the organisation's critical business processes. A major component in establishing such programmes is the application of risk management principles: assess the risk to IT assets, mitigate these risks to an appropriate level as determined by management, and monitor the residual risks.

Management activities to review the policy / procedure formulations and their effectiveness within the IS department should include practices such as personnel management, sourcing and IT change management.

Personnel Management

Personnel management relates to the organisational policies and procedures for hiring, promotion, retention and termination. The effectiveness of these activities, as they relate to the IS function, impacts the quality of staff and the performance of IS duties.

Hiring

An organisation's hiring practices are important to ensure that the most effective and efficient staff is chosen and that the bank complies with the legal recruitment process. Some of the common controls should include:
- Background checks
- Confidentiality agreements
- Employee bonding, to protect against losses due to theft, mistakes and neglect
- Conflict of interest agreements
- Non-compete agreements

Control risks include:
- Staff may not be suitable for the position they are recruited to fill
- Reference checks may not be carried out
- Temporary staff and third party contracts may introduce uncontrolled risks
- Lack of awareness of confidentiality requirements may lead to the compromise of the overall security environment

The above control risks need to be taken care of (mitigated, accepted or transferred) before drafting the hiring policies / procedures for the bank.

Employee Handbook

The employee handbook should cover:
- Security policies and procedures
- The Bank's expectations
- Employee benefits
- Vacation (holiday) policies
- Overtime rules
- Performance evaluations
- Emergency procedures
- Disciplinary actions for: excessive absence; breach of confidentiality and/or security; non-compliance with policies

In general, there should be a published code of conduct for the bank that specifies all employees' responsibilities towards the bank.

Education and Training

Training should be provided on a regular basis to all employees in the areas where employee expertise is lacking. This should particularly be so for IS professionals, given the rapid rate of change of technology and products. Training not only assures more effective and efficient use of IS resources, but also strengthens employee morale. Training must be provided when new hardware and / or software is being implemented. Training should also include relevant management training, project management and technical training, so as to avoid the mistakes which occur because of lack of knowledge or ignorance. Cross training involves more than one individual being properly trained to perform a specific job or procedure. This practice has the advantage of decreasing dependence on a single employee and can be a part of succession planning. It also provides a backup for personnel in the event of their absence for any reason, thereby providing for continuity of operations. However, in using this approach, it would be prudent to first assess the risks of more than one employee handling the system.

Sourcing

Sourcing practices relate to the way in which the organisation obtains the IS functions required to support the business. Organisations can perform all IS functions in-house (in-sourcing) in a centralised manner, or outsource functions across the globe. The sourcing strategy should consider each IS function and determine which approach allows that function to meet the enterprise's goals. Delivery of IS functions may be:
- In-sourced: fully performed by the organisation's staff
- Outsourced: fully performed by the vendor's staff
- Hybrid: performed by a mix of the organisation's and the vendor's staff; can include joint ventures / supplementary staff

Organisational Change Management

Change management is the managing of IT changes for the organisation, where a defined and documented process exists to identify and apply technology improvements at the infrastructure and application level that are beneficial to the organisation, involving all levels of the organisation that are impacted by these changes.

Apart from all these activities, the banks need to have a properly documented, implemented and followed reporting format for each of the Information Systems. Some of the formats are given below as samples:

Suspicious Activity Investigation Report

Figure No.23:- Suspicious Activity Investigation Report

In the event that an employee discovers a breach of customer information, the following procedure must be completed to report the breach to senior management:
1. The employee who discovers the breach must immediately notify his/her manager.
2. The manager must contact the Bank's IS Officer and provide a full report of the incident.
3. The IS Officer will commence a preliminary investigation, which will include an interview of all individuals with knowledge of the breach. The IS Officer will coordinate the investigation with the Bank's Director of Information Technology and the Director of Security.
4. If the investigation determines that a breach has occurred, the IS Officer will inform the Executive Management Committee. Through consultation with the Director of Security and the Executive Management Committee, the IS Officer will determine whether to inform law enforcement authorities.
5. The IS Officer will provide a detailed incident report to the Board of Directors at the following Board meeting, including a risk assessment related to the breach that covers actual damages as well as potential damages.

Prompt reporting of a breach allows the Bank to:
- Prevent future similar breaches;
- Determine the source of the breach; and
- Involve law enforcement at an early stage, if applicable.

Reporting Suspicious Transactions

The Bank places significant responsibility on employees regarding the identification of potential identity theft transactions. This responsibility is placed on employees, particularly branch and customer service employees, because employees are the Bank's first and most effective line of defence against fraudulent transactions stemming from identity theft. Through use of the Bank's procedures, employees will generally resolve most transactions that initially appear suspicious. However, on occasion it will not be possible to resolve the suspicious nature of a transaction. Under these circumstances employees must refer these suspicious transactions to the Bank's Loss Prevention Officer.

The Bank should develop procedures for reporting suspicious activity. It is important that each employee be familiar with these procedures. Reporting of suspicious transactions is required not only by policy but also by federal regulation. The Bank is subject to punitive actions if the Bank is found negligent in its reporting responsibilities.

Release of ATM or Debit Card Fraud Claim

Figure No.23:- ATM / Debit card Fraud Claim Format

Other sample formats:
- Branch Security Review Checklist (provided in Appendix I)
- Night Inspection Evaluation Form
- Record Retention Policy
- Monitoring Chart for InfoSec
- Contract Provisions for Service Providers
- Risk Assessment Matrix
- Risk Analysis Worksheet
- Bomb Call Warning Form

The nationwide increase in computer and identity theft crimes makes it likely that customer service employees of the Bank will encounter customers who have been victimised. If a customer requests assistance in resolving a case of identity theft, employees should provide the following information:
- Suggest that the customer contact the fraud departments of the credit bureaus and request that they place a fraud alert and a victim's statement in the customer's credit file. The fraud alert puts creditors on notice that the customer has been the victim of fraud, and the victim's statement asks creditors not to open additional accounts without first contacting the customer.
- Suggest that the customer request a free credit report from the credit bureaus.
- Suggest that the customer review the credit reports in detail to determine if any fraudulent accounts have been established. The customer should also determine if any unknown inquiries have been made; unknown inquiries may indicate someone attempting to establish a fraudulent account.
- Suggest that the customer contact all financial institutions and creditors where the customer has accounts, and request that they restrict access to the customer's accounts, change any passwords, or close the account altogether if there is evidence that the account has been the target of identity theft.
- Suggest that the customer file a police report to document the crime.


5.1 General Password Guidelines

Bank employees use passwords to access various resources. These resources include access to personal computers, the network, voicemail, the Internet, etc. User IDs and passwords are used to authenticate employees to the particular resource and to track user activity while using that resource. Temporary passwords are usually assigned to employees when access is initially granted to a resource. It then becomes the employee's responsibility to establish a strong, secure password.

Employees must be aware of the characteristics of strong and weak passwords in order to ensure adequate protection of Bank and customer information. If someone obtains an employee's User ID and password, that individual can impersonate the employee without the system being aware, and any damage created by the intruder will appear to have been created by the employee.

Poor, weak passwords have the following characteristics:
- The password contains fewer than eight characters;
- The password is a word found in a dictionary;
- The password is a common usage word such as: names of family, pets, friends, co-workers, sports teams, movies, shows, licence plate numbers, birth dates, etc.; computer terms and names, commands, sites, companies, hardware, software; birthdays, User ID and other personal information such as addresses and phone numbers;
- Word, number or keyboard patterns like aaabbb, qwerty, 123321;
- Any of the above spelled backwards; or
- All the same characters or digits, or other commonly used or easily guessed formats.

Strong passwords have the following characteristics:
- Contain both upper and lower case letters;
- Have digits and punctuation characters as well as letters;
- Are at least eight characters long;
- Are not a word in any language, slang, dialect, jargon, etc.; and
- Are not based on personal information, names of family, etc.

Employees should refrain from writing down passwords; instead, employees should create passwords that can be easily remembered. One way to accomplish this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be "Everyday I sing one song" and the password could be EDIs1s@@g or some other variation.
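As an added example, not part of the original report, the following Python script encodes the weak and strong characteristics listed above as a checker that a bank could run when an employee sets a new password. The word list, the keyboard rows and the employee's personal details (user ID, family and pet names, birthday, phone number) are constructed stand-ins, and the phrase-based password from the text is used as one of the sample inputs.

```python
"""Password policy checker implementing the weak / strong characteristics above.

Added example, not code from the original report. DICTIONARY, KEYBOARD_ROWS and
PERSONAL_INFO are constructed stand-ins; a real deployment would load a full
word list and the employee's details from the HR record.
"""
import string

MIN_LENGTH = 8

# Constructed stand-in for a real word list (assumption).
DICTIONARY = {"password", "welcome", "banking", "mumbai", "summer", "everyday", "secret"}

# Constructed personal details of one employee, as a bank would hold them (assumption).
PERSONAL_INFO = {
    "user_id": "jsmith",
    "names": ["smith", "rahul", "priya", "bruno"],   # family, friends, pets
    "birthday": "1980-04-12",
    "phone": "9820012345",
}

# Physical keyboard rows; 4-character runs of these (or their reverse) count as patterns.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def personal_tokens(info: dict) -> set:
    """Flatten personal details into lowercase tokens (4+ characters) to search for."""
    tokens = {info["user_id"].lower(), *(n.lower() for n in info["names"])}
    year, month, day = info["birthday"].split("-")
    tokens.update({year + month + day, year, day + month + year,
                   day + month, month + day, info["phone"]})
    return {t for t in tokens if len(t) >= 4}


def is_keyboard_pattern(pw: str) -> bool:
    """True if the password contains a run such as 'qwer', 'asdf', '1234' or their reverse."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - 3):
            run = row[start:start + 4]
            if run in low or run[::-1] in low:
                return True
    return False


def is_repeated_pattern(pw: str) -> bool:
    """True for aaaaaaaa, aaabbb, abababab (at most two distinct characters) or mirrored digits like 123321."""
    if len(set(pw)) <= 2:
        return True
    return pw.isdigit() and pw == pw[::-1]


def weaknesses(pw: str, info: dict = PERSONAL_INFO) -> list:
    """Return each 'weak password' characteristic from the guidelines that pw exhibits."""
    low = pw.lower()
    found = []
    if len(pw) < MIN_LENGTH:
        found.append("fewer than %d characters" % MIN_LENGTH)
    if low in DICTIONARY or low[::-1] in DICTIONARY:
        found.append("dictionary word, forwards or backwards")
    hits = sorted(t for t in personal_tokens(info) if t in low or t[::-1] in low)
    if hits:
        found.append("contains personal information: " + ", ".join(hits))
    if is_keyboard_pattern(pw):
        found.append("keyboard or sequential pattern")
    if is_repeated_pattern(pw):
        found.append("repeated or mirrored characters")
    return found


def is_strong(pw: str, info: dict = PERSONAL_INFO) -> bool:
    """Strong = all four character classes present, minimum length met and no weakness found."""
    has_classes = (
        any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )
    return has_classes and not weaknesses(pw, info)


if __name__ == "__main__":
    # Constructed sample passwords; the last one is the phrase-based example from the text.
    for candidate in ["password", "Bruno1980!", "Qwerty!123", "aaabbb", "EDIs1s@@g"]:
        reasons = weaknesses(candidate) or ["missing character classes"]
        verdict = "strong" if is_strong(candidate) else "weak: " + "; ".join(reasons)
        print("%-12s %s" % (candidate, verdict))
```

The checker deliberately tests personal details and keyboard runs as substrings, so "Bruno1980!" is rejected even though it meets the length and character-class rules, while the phrase-derived EDIs1s@@g passes every test.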


5.2 Password Protection

Refrain from using the same password for Bank accounts as for other non-Bank accounts (e.g. a personal e-mail account). When possible, refrain from using the same password for multiple Bank accounts; for example, use a different password for network and e-mail access. Do not share passwords with anyone, including Bank personnel. All passwords must be treated as highly sensitive information.

List of DON'Ts for the employees:
- Don't reveal your password over the phone to anyone, not even individuals who claim to be calling from the IT Department;
- Don't reveal your password in an e-mail message;
- Don't reveal your password to your manager or any other Bank employee;
- Don't talk about your password in front of others;
- Don't hint at the format of a password (e.g. "my family name");
- Don't reveal your password on questionnaires or security forms;
- Don't share your password with family members;
- Don't reveal your password to co-workers while on vacation;
- Don't leave your password anywhere on or near your workstation (e.g. on post-it notes, under mouse pads, etc.); and
- Don't create passwords for group use or shared passwords; passwords should be unique to each person.

Do not provide your password to anyone who requests or demands it; refer the incident to the Bank's IS Officer. Call the IT Department immediately to change your password if you suspect that your password has been compromised.


5.3 Changing Passwords

Bank policy requires passwords to be changed regularly, but an employee may change a password at any time if there is a possibility that the password has been compromised. Generally, the Bank's various computer systems do not permit employees to reuse a previously used password for a minimum period of time, as defined by the system; for example, a system may prevent employees from reusing the same password within a six-month period. Systems prompt for password changes when a change is required. To save time and effort, passwords should be changed before they expire. If a password has been compromised or forgotten, the user may obtain a new password or have the password reset by contacting the appropriate department (e.g. the IT Department, the Training Department, etc.).
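Added example, not from the original report: the following Python code shows how a system can enforce the reuse rule described above, keeping only salted PBKDF2 hashes of previous passwords (never the passwords themselves) together with the date each was set, refusing a new password that matches any entry set within the last six months, and flagging when the current password is due for a scheduled change. The six-month window, the 90-day change interval and the timeline used in the demonstration are assumptions made for the example.

```python
"""Password history and reuse check for the 'Changing Passwords' policy above.

Added example, not code from the original report. The reuse window, the
scheduled change interval and the sample timeline are assumptions.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

REUSE_WINDOW = timedelta(days=182)      # "six-month period" in the text (assumed length)
MAX_PASSWORD_AGE = timedelta(days=90)   # scheduled change interval (assumption)
PBKDF2_ROUNDS = 100_000
EPOCH = datetime(2007, 1, 1)            # start of the constructed timeline

# One history entry: (time the password was set, salt, PBKDF2-HMAC-SHA256 digest).
HistoryEntry = Tuple[datetime, bytes, bytes]


def at_day(n: int) -> datetime:
    """Point in the constructed timeline, n days after EPOCH."""
    return EPOCH + timedelta(days=n)


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted hash; a fresh random salt is generated unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored salt/digest pair."""
    _, candidate = hash_password(pw, salt)
    return hmac.compare_digest(candidate, digest)


def password_reused(history: List[HistoryEntry], candidate: str,
                    now: datetime) -> Optional[datetime]:
    """Return when the candidate was last set if that was within REUSE_WINDOW, else None."""
    for set_at, salt, digest in reversed(history):   # newest entry first
        if now - set_at > REUSE_WINDOW:
            break                                    # older entries no longer block reuse
        if matches(candidate, salt, digest):
            return set_at
    return None


def change_password(history: List[HistoryEntry], new_pw: str,
                    now: datetime) -> List[HistoryEntry]:
    """Append a new entry, or raise ValueError if the password was used within the window."""
    last_used = password_reused(history, new_pw, now)
    if last_used is not None:
        raise ValueError("password already used on %s; choose a different one"
                         % last_used.date())
    salt, digest = hash_password(new_pw)
    history.append((now, salt, digest))
    return history


def verify_current(history: List[HistoryEntry], pw: str) -> bool:
    """Check a login attempt against the most recent entry only."""
    if not history:
        return False
    _, salt, digest = history[-1]
    return matches(pw, salt, digest)


def needs_change(history: List[HistoryEntry], now: datetime) -> bool:
    """True when the current password is older than MAX_PASSWORD_AGE (or none is set)."""
    return not history or now - history[-1][0] > MAX_PASSWORD_AGE


if __name__ == "__main__":
    # Constructed timeline for one employee.
    history: List[HistoryEntry] = []
    change_password(history, "EDIs1s@@g", at_day(0))
    change_password(history, "Sm1th!Bank", at_day(30))
    try:
        change_password(history, "EDIs1s@@g", at_day(100))   # 100 days old: blocked
    except ValueError as err:
        print("rejected:", err)
    change_password(history, "EDIs1s@@g", at_day(200))       # outside the window: allowed
    print("entries:", len(history),
          "- due for change at day 300:", needs_change(history, at_day(300)))
```

Because the history holds salted hashes, the reuse check has to re-derive the candidate with each stored salt; the loop stops as soon as it reaches an entry older than the window, so the cost stays bounded by the number of changes in the last six months rather than the whole history.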


5.4 Security Breach Examples

The following are some examples of security breaches:
- A person gains access to a computer terminal and is able to obtain the personal information of Bank customers;
- An employee e-mails a file containing personal information to an individual outside the Bank for purposes other than official Bank business;
- An employee takes home and subsequently loses a CD containing customer loan information;
- An employee loses a laptop containing customer loan write-ups and other loan application information;
- A diskette containing personal information is stolen; and
- An employee copies customer personal information to a diskette and uses the information for unauthorised purposes.


5.5 Bank Procedures
The most effective means of complying with the Privacy Law is to prevent the breach of any customer information. Breaches are prevented by exercising due care when working with customer data or computer systems that access such data.

Examples of due care:
- Logging off the network when leaving a computer/workstation for an extended period of time;
- Using password-protected screensavers;
- Refraining from copying customers' personal information onto disks or CDs;
- Keeping disks and CDs that contain personal information in a secure location;
- Never emailing outside the Bank any documents/files that contain confidential information;
- Ensuring your workstation (PC) is positioned in a manner that prevents someone from viewing confidential information;
- Protecting passwords; and
- Being alert to suspicious activity related to the theft/compromise of personal information.

5.6 Downloading Software

Downloading unlicensed software is a violation of copyright laws, and downloading any software from the Internet, including screensavers, without appropriate controls and testing puts the Bank at risk. No software should be downloaded from the Internet without the written approval from the Director of Information Technology. The purchase and installation of any software on Bank computers must be approved by the Director of Information Technology.

5.7 Laptop Security
The following are some basic techniques to protect laptop computers and to secure the information on them:
- Do not disable or alter the anti-virus software that is installed on laptop computers;
- Do not store passwords, User IDs, private encryption keys or personal information on a laptop;
- Store backup diskettes or CDs separately from the laptop;
- Do not leave the laptop unattended, whether in an unlocked, unattended vehicle, in plain view in hotel rooms, or overnight at your workstation in the office;
- Exercise caution with laptops in airports, especially at security screening checkpoints; and
- Immediately report lost or stolen laptops to the Director of Information Technology.

5.8 Fax Machines
Fax machines present a potential IS risk. It is important to ensure that no confidential information is left unattended on a fax machine. Further, fax machines generally print the first page of any communication sent as the delivery confirmation. If a cover page is not used, the confirmation page may include confidential information that may be forgotten or discarded inappropriately. Confidential messages sent by fax must be clearly marked with a confidentiality disclaimer.

5.9 Internet Security Concerns

Viruses and hackers are active on the Internet and try to create and exploit security vulnerabilities. Security services ensuring confidentiality, integrity and authenticity are not automatically provided when using the Internet or Web. In addition, information from Internet sites cannot be relied upon to be authentic or accurate. As such, employees must exercise common sense and due care when using the Internet.


5.10 Physical Security
The Bank should implement physical security procedures to protect the security of its people and assets. Examples of security measures include the use of keypad access to protected areas, visitor badges for non-employees and keys for entry into secure areas. Secured doors must NEVER be left open or unattended. All visitors to the corporate offices must be sent to the receptionist to obtain a visitor badge. Further, all visitors must be escorted within secured areas. Bank employees should remain diligent at all times in order to identify and report suspicious individuals.


5.11 Monitoring and Inspections

To help ensure that Bank employees work in a safe and secure environment, the Bank reserves the right to take certain actions to protect the safety and security of employees, customers, agents, vendors, and the company's property and premises. These actions, in accordance with applicable law, include recording, monitoring, conducting surveillance, inspecting and/or reviewing:

- Company premises and property, or Bank resources, including work areas, lockers, interoffice/business mail, e-mail, computers, telephones, voice mail, internet, intranet, or any other communication system established for business purposes; and
- Employees' personal property located on company premises and employees' personal banking transactions at the Bank.

Employees are expected to cooperate in company inspections, monitoring, and recording.

To summarise and conclude the research, the IS threats are revisited below:
- Data protection and application software
- Identity theft and leakage of private and confidential information
- Viruses, Trojans and worms
- Access control (e.g. passwords)
- User education, training and awareness
- Wireless infrastructure security
- Adware and spyware
- Keyloggers and rootkits
- Social engineering (e.g. phishing and pharming)
- Mobile (handheld) computing devices
- Patch management
- Intrusion detection systems
- E-mail attacks (e.g. spam)
- Employee misuse
- Physical security
- Two-factor authentication
- DoS (Denial of Service)
- PKI implementation, etc.

There are several benefits which can be derived from the implementation of the IS Systems in the existing scenario. They would be as mentioned below:
- The Information Systems would be protected from the malicious threats existing in the cyber world as on date.
- The setup of the IS Systems would prevent or minimise the losses of the valuable information assets of the bank.
- It would prevent reputation losses.
- It would provide a secure environment to perform all essential functions, etc.

The research claims to disprove the hypotheses mentioned in Chapter 1. The security policies in the same organisation (Bank) may differ based on the geographic location.

There was no indication or hint, in the responses invited from the customers or the employees, of any difference in the policies of the same organisation at different locations. The respondents mentioned that there were some differences in the roles / job descriptions of the employees or in the procedures used to implement and follow the policies, but the policies were the same throughout the organisation.

Many Banks prefer accepting the security risk rather than mitigating, transferring or avoiding it.

The research survey as well as the observation have shown that the banks are still ready to accept the risk, instead of transferring, preventing or avoiding it. The analysis in Chapter 4 also shows that, when it comes to transferring the risk, only 40% of the banks (organisations) are insured and the rest are still not insured. The IT spending pattern also indicates that when it comes to preventing or avoiding risk, most of the banks or organisations lack the funds or focus and hence cannot work on the residual risks. This may also occur because of a lack of expertise and awareness regarding IS and the repercussions of its breach. This is normally observed in the rural branches or branches located in small towns. The banks are then left with no option but to accept the risk.

ISMS policies show wide variations across all types of financial institutions (here the type of bank would be considered, i.e. Apex/ Public Sector Commercial/ Private Sector Commercial/ Co-operative/ Foreign bank, etc.).

The ISMS policies do not change at large, even though the type of the bank is different. The policies are more or less the same, but the mode of implementation might be different. Since the RBI does not have any transactions with the general public, the policies might differ here. The only difference between all other banks and the APEX body (Reserve Bank of India) policies would be due to the mode of operation