Information Security And Risk Management For Banks In India



“INFORMATION SECURITY RISK MANAGEMENT IN BANKS”

Presented to TASMAC & University of Wales on 9th February, 2007
By Kaustubh D. Gondhalekar (WM/JO5/004), MBA III (Information Management Specialisation)
Total number of words: 19,897
DECLARATION

This work has not previously been accepted in substance for any degree and is not being concurrently submitted in candidature for any degree.
Signed ___________________ (candidate) Date ___________________

STATEMENT 1
This dissertation is being submitted in partial fulfillment of the requirements for the degree of ___________________ (i.e. MA, MSc, MBA etc.)
Signed ___________________ Date ___________________

STATEMENT 2
This dissertation is the result of my own independent work and investigation, except where otherwise stated. Other sources are acknowledged by footnotes giving explicit references. A bibliography is appended.
Signed ___________________ Date ___________________

STATEMENT 3
I hereby give consent for my dissertation, if accepted, to be available for photocopying and for inter-library loan, and for the title and summary to be made available to outside organisations.
Signed ___________________ Date ___________________
TABLE OF CONTENTS

DECLARATION
LIST OF TABLES
LIST OF FIGURES
EXECUTIVE SUMMARY

CHAPTER 1 – INTRODUCTION
1.1 Background
1.2 Purpose of the Study
1.3 Importance of the Study
1.4 Statement of the Problem
1.5 Research Questions
1.6 Hypotheses
1.7 Research Methodology
1.8 Limitations
1.9 Overview of the Study

CHAPTER 2 – LITERATURE REVIEW
2.1 History of Information Security and Risk Management
2.2 Scope of IS
2.3 How is IS Applicable in Banks
2.4 The IS Scenario in India
2.5 Understanding Information Security (IS)
2.6 Spending Patterns (Technologically and Financially)
2.7 CTO / CIO’s View Point
2.8 Summary

CHAPTER 3 – METHODOLOGY
3.1 Introduction
3.2 Research Questions and Research Hypotheses
3.3 Data Collection / Collected
3.4 Location of the Data
3.5 Pilot Test
3.6 Method of Inquiry
3.7 Analysis Performed on the Data
3.8 Summary

CHAPTER 4 – ANALYSIS
4.1 Introduction
4.2 Key Findings
4.3 Detailed Survey Results

CHAPTER 5 – CONCLUSION
5.1 General Password Guidelines
5.2 Password Protection
5.3 Changing Passwords
5.4 Security Breach Examples
5.5 Bank Procedures
5.6 Downloading Software
5.7 Laptop Security
5.8 Fax Machines
5.9 Internet Security Concerns
5.10 Physical Security
5.11 Monitoring and Inspections

CHAPTER 6 – BIBLIOGRAPHY
Appendix I
Appendix II
Appendix III
Appendix IV
LIST OF FIGURES

CHAPTER 1 – INTRODUCTION
1.3 Figure No. 1: IS Risks

CHAPTER 2 – LITERATURE REVIEW
2.2 Figure No. 2: Security Management Process
2.3 Figure No. 3: Occupations of Computer Crime Defendants
2.3 Figure No. 4: Types of Computer Crimes
2.3 Figure No. 5: Average Computer Crime Losses
2.3 Figure No. 6: Victims of Computer Crimes
2.3 Figure No. 7: Computer Crime Cases in Courts
2.3 Figure No. 8: TCO Analysis
2.6 Figure No. 9: IT Spending Patterns

CHAPTER 3 – METHODOLOGY
3.3 Figure No. 10: Selection of Data Collection Method

CHAPTER 4 – ANALYSIS
4.3 Figure No. 11: Respondents based on the type of organisation
4.3 Figure No. 12: Respondents based on the location of the organisation
4.3 Figure No. 13: Respondents by job description
4.3 Figure No. 14: IT spending as a part of budget
4.3 Figure No. 15: Percentage of IS functions outsourced
4.3 Figure No. 16: Risk mitigation policies
4.3 Figure No. 17: Unauthorised access in the recent past
4.3 Figure No. 18: Security technologies used
4.3 Figure No. 19: Security audits
4.3 Figure No. 19: IS awareness training
4.3 Figure No. 20: Critical issues
4.3 Figure No. 21: Responses based on the age groups
4.3 Figure No. 22: Respondents based on income group

CHAPTER 5 – CONCLUSION
5.1 Figure No. 23: Suspicious Activity Investigation Report
5.1 Figure No. 23: ATM / Debit Card Fraud Claim Format
LIST OF TABLES

CHAPTER 2 – LITERATURE REVIEW
2.3 Table No. 1: Types of Attacks
2.7 Table No. 2: Risk Mitigation Strategy
EXECUTIVE SUMMARY

The Environmental Challenges

Most organisations recognise the critical role that information technology (IT) plays in supporting their business objectives. But today's highly connected IT infrastructures exist in an environment that is increasingly hostile—attacks are being mounted with increasing frequency and are demanding ever shorter reaction times. Often, organisations are unable to react to new security threats before their business is impacted. Managing the security of their infrastructures—and the business value that those infrastructures deliver—has become a primary concern for IT departments.

Furthermore, new legislation that stems from privacy concerns, financial obligations, and corporate governance is forcing organisations to manage their IT infrastructures more closely and effectively than in the past. Many government agencies, and organisations that do business with those agencies, are mandated by law to maintain a minimum level of security oversight. Failure to proactively manage security may put executives and whole organisations at risk due to breaches in fiduciary and legal responsibilities.

A Better Way

The holistic roadmap to security risk management provides a proactive approach that can assist organisations of all sizes with their response to the requirements presented by these environmental and legal challenges. A formal security risk management process enables enterprises to operate in the most cost-efficient manner with a known and acceptable level of business risk. It also gives organisations a consistent, clear path to organise and prioritise limited resources in order to manage risk. The benefits of security risk management are realised when the cost-effective controls that lower risk to an acceptable level are implemented.

The definition of acceptable risk, and the approach to managing risk, varies for every organisation. There is no right or wrong answer; there are many risk management models in use today. Each model has tradeoffs that balance accuracy, resources, time, complexity, and subjectivity. Investing in a risk management process—with a solid framework and clearly defined roles and responsibilities—prepares the organisation to articulate priorities, plan to mitigate threats, and address the next threat or vulnerability to the business. Additionally, an effective risk management program will help the organisation to make significant progress toward meeting new legislative requirements.

During a risk assessment process, qualitative steps identify the most important risks quickly. A quantitative process based on carefully defined roles and responsibilities follows next. Together, the qualitative and quantitative steps in the risk assessment process provide the basis on which solid decisions about risk and mitigation can be made, following an intelligent business process.

Critical Success Factors

There are many keys to the successful implementation of a security risk management program throughout an organisation. First, security risk management will fail without executive support and commitment. When security risk management is led from the top, organisations can articulate security in terms of value to the business. Next, a clear definition of roles and responsibilities is fundamental to success. The Information Security Group owns identifying the probability that the risk will occur, taking current and proposed controls into account. The Information Technology group is responsible for implementing the controls that the Security Steering Committee has selected when the probability of an exploit presents an unacceptable risk. Investing in a security risk management program—with a solid, achievable process and defined roles and responsibilities—prepares an organisation to articulate priorities, plan to mitigate threats, and address critical business threats and vulnerabilities.
CHAPTER 1: INTRODUCTION

1.1 Background

Information is an asset that, like other important business assets, is essential to an organisation’s business and therefore needs to be updated regularly and suitably protected. Since most businesses in the present and recent past have been electronically connected in networks, IS and its management play a major role. As a result of this existing and ever-increasing interconnectivity, information is now exposed to a growing number and a wide variety of threats and vulnerabilities.

Businesses are vulnerable to various kinds of information risks inflicting varied damage and resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centres or facilities. To control IS risks, management needs to anticipate and be aware of the potential threats, risks and resultant losses, and accordingly deploy the necessary controls across the environment. IS is the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise the return on investment (ROI), thereby extending business opportunities.

“Security is like oxygen; when you have it, you take it for granted, but when you don’t, getting it becomes the immediate and pressing priority.” – Joseph Nye, Harvard University.

An IS Risk can be defined as any activity or event which threatens the achievement of identified business objectives by compromising the ‘Confidentiality’, ‘Integrity’ or ‘Availability’ of the business information.1

1: NASSCOM – KPMG IS GUIDE BOOK – http://www.nasscom.org/download/Nasscom_Cover.pdf Access date: January 07, 2006.
With the advent of the Internet era, it is essential for organisations to observe, review and analyse their electronic systems so that any malicious activity which occurs becomes predictable. Keeping this in mind, ‘IS Risk Management’ in large corporations such as banks is essential, since they rely on Information Technology (IT) and IT systems for the processing, storage and transmission of company and customer data. As a consequence, in the event of an IT system failure, whether through a malicious act or a technical fault causing system failure or information loss, it would not be feasible to fall back on manual processing as an alternative.

There are also a number of security issues surrounding IS: for example, the increased mobility of banks has resulted in remote access from wireless networks and through the Internet. Access to a bank’s information assets is no longer limited to its internal employees working from a fixed, known location or environment. The computers and hardware may be valued in thousands of dollars; however, the information they contain as data could be worth far more.

There is probably not a business owner who does not make sure, with some regularity, that the locks intended to keep intruders off the premises are doing their job. But owners of small and medium-size businesses tend to be much less vigilant when it comes to IS Management, even though the potential impact of an IS breach can be far more staggering than that posed by a burglar. Destructive viruses, worms and hackers do not discriminate by the size of an organisation. Data loss, lost productivity, decreased profits, opportunity costs, privacy concerns and corporate liability are some of the areas where companies are vulnerable. Publicly held companies have an additional accountability for the integrity of their financial reporting data and systems under laws such as the Sarbanes-Oxley Act.
1.2 Purpose of the Study

IS is a continual imperative for banks, as vulnerabilities in IS and information availability are continuously being exploited in new ways. The security of new technologies and channels, for example e-commerce, online banking and debit cards, needs particular focus. This becomes even more essential in the light of the increase in fraud-related losses in these areas, on top of the risks of existing technologies and manual transaction processing. Banks have always been, and remain, one of the most important targets for hackers, crackers and cyber criminals, as an IS breach may lead to substantial losses. These losses may lead to the downfall of the banking industry and thus have an impact on the economy.

The actual losses on account of IS issues are difficult to estimate. However, the 639 companies that responded to the 2005 CSI/FBI Computer Crime and Security Survey reported total losses of $130 million, with viruses, unauthorised access and theft of proprietary information accounting for 80% of it. Given the risks, IS should be a top priority of any organisation, and not just for its IT department. That is where a formal IS Management Program comes in.
Case Study: Newspaper clipping – Banks notify customers of data theft.2

Placed below is a summary of a news item that appeared in the money and business section of the website http://home.netscape.com.

Summary:
• More than 100,000 customers of Wachovia Corp. and Bank of America Corp. have been notified that their financial records may have been stolen by bank employees and sold to collection agencies.
• So far, Bank of America has alerted about 60,000 customers whose names were discovered by police, while Wachovia has identified 48,000 current and former account holders whose accounts may have been breached.
• Both banks are providing the affected customers with free credit reporting services.
• In a separate case with a potential for identity theft, a laptop containing the names and Social Security numbers of 16,500 current and former MCI Inc. employees was stolen last month from the car of an MCI financial analyst. MCI would not comment on whether the data was encrypted.
• The bank record theft was exposed last month when police in Hackensack, N.J., charged 9 people, including 7 bank workers, in an alleged plot to steal the financial records of thousands of bank customers.

Money and Business: http://channels.netscape.com/ns/pf/story.jsp?floc. Access date: July 07, 2006.

1.3 Importance of the Study

All organisations today face a certain level of security risk. In fact, the deployment of technologies such as ‘Intrusion Detection and Monitoring’ acknowledges that a certain level of suspicious or malicious activity is likely to get through. It also acknowledges that there are internal threats (perhaps from disgruntled employees, or simply human error) which have to be countered with skill and imagination.
It is important to recognise that all organisations accept some level of risk. Risk is, after all, a trade-off between the amount of money you are willing to spend on counter-measures and the perceived level of threat and vulnerability, measured against the estimated value of your assets. The important thing is that each risk is identified, and then either a) mitigated, b) transferred, c) insured, or d) clearly documented as a risk acceptance.

[Figure No. 1 – IS Risks]

2: http://channels.netscape.com/ns/pf/story.jsp? Access date: March 20, 2006.
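The executive summary describes a qualitative triage that surfaces the most important risks first, followed by a quantitative step, and the paragraph above frames each identified risk as a trade-off between counter-measure spend and the value at stake, ending in mitigation, transfer/insurance or documented acceptance. The following Python script is an added illustration of that process, not code from the dissertation. It assumes the common annualised loss expectancy model (SLE = asset value × exposure factor; ALE = SLE × annual rate of occurrence), which the page does not state explicitly, and the mapping from "low/medium/high" to a rate of occurrence, the sample register and the risk appetite are all constructed figures.

```python
"""Risk register with a qualitative triage followed by a quantitative
treatment decision. Added illustration, not code from the dissertation.

Model (an assumption; the page gives the trade-off only in words):
    SLE = asset_value * exposure_factor      (single loss expectancy)
    ALE = SLE * ARO                          (annualised loss expectancy)
Treatment options follow the page: mitigate, transfer (insure), or accept
and document. All register entries below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Qualitative likelihood -> assumed annual rate of occurrence (ARO).
# The mapping is an assumption chosen for this example.
LIKELIHOOD_ARO = {"low": 0.1, "medium": 0.5, "high": 2.0}


@dataclass
class Risk:
    name: str
    asset_value: float            # estimated value of the asset at risk
    exposure_factor: float        # fraction of the asset lost per incident (0..1)
    likelihood: str               # qualitative triage: "low", "medium" or "high"
    control_cost: float           # annual cost of the proposed countermeasure
    control_reduction: float      # fraction of the ALE the countermeasure removes (0..1)
    insurance_premium: Optional[float] = None  # annual premium if the risk can be transferred

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * LIKELIHOOD_ARO[self.likelihood]

    def residual_ale(self) -> float:
        """Expected annual loss that remains after the countermeasure."""
        return self.ale() * (1.0 - self.control_reduction)

    def control_net_benefit(self) -> float:
        """Loss avoided per year minus what the countermeasure costs per year."""
        return (self.ale() - self.residual_ale()) - self.control_cost


def triage(risks: List[Risk], top_n: int = 2) -> List[str]:
    """Qualitative step: rank the register by ALE and name the top_n risks."""
    ranked = sorted(risks, key=lambda r: r.ale(), reverse=True)
    return [r.name for r in ranked[:top_n]]


def choose_treatment(risk: Risk, acceptable_ale: float) -> str:
    """Quantitative step: pick a treatment for one risk.

    - within the organisation's acceptable annual loss: accept
    - countermeasure pays for itself: mitigate
    - cheaper to insure than to carry: transfer
    - otherwise: accept, but record it as a documented exception
    """
    if risk.ale() <= acceptable_ale:
        return "accept"
    if risk.control_net_benefit() > 0:
        return "mitigate"
    if risk.insurance_premium is not None and risk.insurance_premium < risk.ale():
        return "transfer"
    return "document-and-accept"


def treatment_plan(risks: List[Risk], acceptable_ale: float) -> Dict[str, str]:
    """Map every risk in the register to its chosen treatment."""
    return {r.name: choose_treatment(r, acceptable_ale) for r in risks}


# Constructed sample register for a hypothetical bank (all figures invented).
SAMPLE_REGISTER = [
    Risk("Malware outbreak on branch workstations", 500_000, 0.2, "high", 40_000, 0.8),
    Risk("Unencrypted customer data on stolen laptop", 2_000_000, 0.1, "medium", 15_000, 0.9),
    Risk("Data centre fire", 10_000_000, 0.5, "low", 600_000, 0.9, insurance_premium=120_000),
    Risk("Fax sent to wrong customer", 20_000, 1.0, "medium", 5_000, 0.5),
    Risk("Defacement of public web site", 60_000, 0.5, "high", 70_000, 0.5),
]
ACCEPTABLE_ALE = 25_000  # constructed risk appetite: annual loss the board will carry


if __name__ == "__main__":
    print("Top risks by ALE:", triage(SAMPLE_REGISTER))
    for name, action in treatment_plan(SAMPLE_REGISTER, ACCEPTABLE_ALE).items():
        print(f"{name}: {action}")
```

In the sample register the data centre fire has the highest ALE but the proposed countermeasure costs more than the loss it avoids, so the script recommends transferring it through insurance, while the web site defacement exceeds the risk appetite yet has neither a cost-effective control nor a transfer option and therefore lands in the documented-acceptance bucket the page describes.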
Security risk is also heavily influenced by time. For example, if a new virus is released for which no patch is available, then the rate of infection is critical. All organisations are subject to security threats, as these expose their vulnerabilities. This exposure increases significantly with factors such as their need to do business over the Internet, the profile of the organisation, and the value of their assets. High-profile corporations are under constant threat because of the possible infamy associated with security breaches.

Some of the key threats to organisations include:
• Viruses, Trojans and worms
• Phishing
• Pharming
• Email SPAM
• Web site defacements
• Denial of Service attacks (DoS)
• Spoofing
• Identity theft
• War walking, war driving, etc. (wireless network threats)
• Theft of information (e.g. credit card details, source code, biotechnology secrets), etc.

Hence, this study may prove important and significant, as it would provide better insights with regard to updating security personnel. This would enable them to handle any kind of security issue at any given point of time.
1.4 Statement of the Problem

Based on the problem definition, the objectives of the research are:
• To identify and examine the current IS landscape prevailing in various banks.
• To identify the information risks and security concerns threatening the banks.
• To determine the loss of revenue caused by information loss due to various reasons such as virus attacks, unauthorised access, theft, pilferage, security breach or calamity / disaster.
• To determine the cost of IRSMS implementation.

1.5 Research Questions

The research will address questions such as:
• What are the information risks and security threats involved in the banks?
• What benefits will be derived by implementing these systems in the existing scenario?
• What should be the ideal characteristics of the IRSMS?
• What functions in security and risk management must be accomplished by an IRSMS to support banks?
• What would be the Total Cost of Ownership (TCO) for the institution?

1.6 Hypotheses

• The security policies in the same organisation (bank) may differ based on the geographic location.
• Many banks prefer accepting the security risk rather than mitigating, transferring or avoiding it.
• IRSMS policies show wide variations across all types of financial institutions (here the type of bank would be considered, i.e. Apex / Public Sector Commercial / Private Commercial / Co-operative / Foreign bank).

1.7 Research Methodology

The method of inquiry involved both primary and secondary data collection. A questionnaire was prepared taking into account the need for qualitative as well as quantitative analysis. Primary data was collected by inviting responses to the questionnaire from IS officers / IT officers, Certified Information Systems Auditors, Certified Information Systems Managers, compliance officers, etc., with a minimum of 1-3 years of experience in the ‘IS Risk Management’ field. Secondary data was gathered from various published sources, authentic journals, past research papers, newspapers, magazines and articles.

1.8 Limitations

• The findings are based entirely upon research conducted in India and hence may not be applicable to other countries of the world, on account of technological diversity and contextual forces.
• This kind of research needs to be done periodically to gauge the validity of the security risk management program designed in an organisation such as a bank, due to constantly changing technology and its vulnerabilities.
• To test the hypothesis “The security policies in the same organisation (bank) may differ based on the geographic location”, the research may not have considered several banks of similar type. It may be limited to the same bank at different locations.
• The research may not be able to provide exact financial figures for the financial impact of IS threats and the risk that follows them, because of the reputation risk involved. The respondents might not provide complete, partial or authentic information regarding the questions posed in the survey.
1.9 Overview of the Paper

An introduction to the research topic “IS Risk Management” is provided in Chapter 1. The introduction focuses on aspects such as:
• Background of the research study,
• Purpose and importance of the study,
• Problem statement,
• Research questions with certain assumptions,
• Research methodology.
It also throws light on the limitations of the research.

In the Literature Review, the research provides a close look at similar incidents in the past and present among various banks across the country and the globe. The basic intention of this academic report is to spread awareness regarding IS threats and the risk which follows them. The researcher has tried to collect several examples from within the country and across the globe which are on similar lines.

Chapter 3 is dedicated to the methodology of the research. It points to the sources of the data and information collected through surveys, questionnaires, personal interviews, authentic articles on the web, magazines, etc. This chapter revisits the research questions and research hypotheses mentioned in Chapter 1. It also highlights the method of inquiry and the method of analysis applied once the data is collected.

Chapter 4 illustrates the analysis performed on the data to obtain the desired results. The analysis also throws more light on the key findings which I came across while performing the analysis.

Chapter 5 provides the overall findings and the conclusions based on the survey, the analysis and the management perspective. This chapter also mentions what needs to be done in order to prevent IS threats from recurring and the steps taken to prevent them. In fact, the steps need to be incorporated into the initial procedures of both personnel management and sourcing and change management decisions. The bottom line is “Prevention is always better than cure”.
CHAPTER 2: LITERATURE REVIEW

Introduction

This chapter provides further insights into the traditional definition of IS and Risk Management along with its historical background. It also sheds light on the makeover, or phase shift, which has occurred in the field of IT. The chapter also defines the scope of Information Systems and IS.

The literature review shows how IS and Risk Management are applicable to banks. Why is it essential to take responsibility and subdue the threats causing financial losses to the business sector as well as to the national and world economies? In order to achieve this it becomes even more important to understand what kinds of attacks are possible and the manner in which they should be dealt with. Due to scope constraints, this academic research is unable to cover all the threats or mention the remedies for them. Even so, a wide range of threats are discussed below with some actual facts.

The literature review also focuses on the computer frauds that have occurred and their repercussions. It points out why computer crimes are difficult to prove in a court of law. The types of computer crimes, their impacts or effects, and their victims are explained in the review. The review also draws the reader’s attention to an understanding of IS at length. The focus area for all organisations, including banks, is the IT spending pattern, which is also considered and explained in the review.
2.1 History of IS and Risk Management

• IS Management – A Concept
IS Management is the process used to identify and understand risks to the Confidentiality, Integrity and Availability of information and information systems.

• Phase Shift of IS
The role of IS has changed during the past few years. ‘The traditional definition of protecting networks and data centres has undergone a shift in focus, resulting in security solutions that enable the business and actually move it forward, or even to the next step. Security is now a way of life and a must-do for businesses in order to survive. Hence, it has become obvious that wherever the information goes, security follows.’ No longer can IS be an afterthought. An increased need for efficiency and productivity, reduced costs, reaching multiple markets and faster time-to-market are a few of the business benefits which are driving organisations to make IS a part of the organisational DNA.
2.2 Scope of IS

“IS Management defines the controls we must implement to ensure we sensibly manage computer-related risk.”3 It covers not just technology, but people and processes too – “defence in depth”. It is an ongoing, continuous activity: you don’t just “do” security as a one-off event.

[Figure No. 2: Security Management process – © Source: Deloitte Touche Tohmatsu]

IS is the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities.

3: Driving an IS Program in the Tertiary Environment; www.auckland.ac.nz/security; access date: November 28, 2005.
4: http://www.keyitsolutions.com/information_security_management.htm; access date: November 28, 2005.
A basic IS model should encompass Confidentiality, Integrity and Availability; however, there are also additions such as Accountability and Auditability.2 In other words, “The objective and focus of IS Management is to protect and manage the information assets”.

2.3 How is IS Applicable to Banks?

“IS is definitely a journey, not a destination – there are always new challenges to meet.” – Chief IS officer at a major financial services corporation

Banking institutions have become ‘critical centres of gravity’. A collapse in a banking institution can lead to collapse in the banking sector and cause a huge setback to the economy of the nation, which would also concern the world at large. This makes them more attractive targets for potential adversaries.

Potential adversaries could be either malicious or non-malicious. Among the malicious adversaries would be hackers (including phreakers, crackers, trashers and pirates), terrorists / cyber terrorists, organised crime, other criminal elements, competitors and disgruntled employees. On the other hand, careless or poorly trained employees would be non-malicious adversaries who, through lack of training, lack of concern or lack of attentiveness, pose a threat to information systems.

Adversaries employ attack techniques that can be classified as passive, active, insider, close-in or distribution attacks. Some of them are explained below.

‘Passive attacks’ involve passive monitoring of communications sent over public media and include monitoring plaintext, decrypting weakly encrypted traffic, password sniffing and traffic analysis.

5: Source: http://www.securesynergy.com/library/artcles/125-2003.php
6: Defining Information Threats, Felix Mohan, CEO – Secure Synergy; access date: May 05, 2006.
Active attacks would include attempts to:

1. Circumvent or break security features
2. Introduce malicious code (such as computer viruses, trojans or worms)
3. Subvert data or system integrity
4. Modify data in transit
5. Replay (insertion of data)
6. Hijack sessions
7. Masquerade as an authorised user
8. Exploit vulnerabilities in software that runs with system privileges
9. Exploit network trust
10. Set in denial of service

Table No. 1: Types of Attacks

In 'close-in attacks' an unauthorised individual gains close physical proximity to networks, systems or facilities for the purpose of modifying, gathering or denying access to information. Such proximity is gained through surreptitious entry, open access, or both. Close-in attacks include modification of data, information gathering, system tampering and physical destruction of the local system.

A person who is either authorised to be within the physical boundaries of the IS processing system or has direct access to it can be responsible for insider attacks. Insider attacks are usually difficult to detect and to defend against.

'Distribution attacks' maliciously modify hardware or software between the time of its production by a developer and its installation, or while it is in transit from one site to another.

The risks of serious IS failures are all around us. Breaches such as teenage hackers and e-mail viruses, which were once a nuisance only for information technology professionals, now pose a significant risk for executives and can threaten intellectual property and brand equity. Each new lapse in security, highlighted by glaring media coverage, amplifies consumer awareness and concern. The disclosure by MasterCard that 40 million of its credit and debit card account details had been exposed is yet another indication of the scale of the problem. Certainly, the growing fear of identity theft is a matter of concern for executives in industries that interact directly with consumers. A recent survey conducted in conjunction with the Merchant Risk Council in the US revealed that over 90 per cent of retailers agreed that consumers make purchasing or transaction decisions based on their trust in the company's ability to secure their data. Also, almost 90 per cent felt that IS is or will become a point of competition in the retail sector.

IS is not just an issue for retailers and banks: all companies face new risks, ranging from industrial espionage to sabotage. Compounding these concerns, compliance fears generated by Sarbanes-Oxley and the forthcoming Basel II accord have fostered an environment of risk aversion inside many organisations. Of course, there are plenty of risks to fear. The process of opening companies to the internet has exposed a multitude of software vulnerabilities, especially as many older systems were not developed with this security in mind. Building stronger walls around enterprise systems can help to keep out some unwanted visitors, but those clever invaders or disloyal insiders who find their way into the fortress discover a treasure trove of information once they have gained access. To make matters worse, many risks lie deeply hidden within the extended enterprise. While most large companies have taken significant actions to beef up their own internal security, their smaller partners often harbour risks that expose the entire enterprise.

Every day, business partners take unseen risks and, when partners experience security failures, the impact is just as devastating. In the case of MasterCard, the loss arose out of a security breach at CardSystems Solutions, a small, private payment processor with only about 100 employees. CardSystems quickly felt the pain of the mistake as both Visa and American Express promptly withdrew their business, pushing CardSystems into a financial crisis. Yet the fact that the problem was not within Visa or MasterCard made little difference to consumers, who rightly saw the problem as the responsibility of the credit card companies.

The escalation of security breaches, and the painful surprise many executives feel when a failure occurs in their business, have brewed a culture of fear within many organisations. Vendors within the security industry have quickly capitalised on this fear, along with the confusion around new compliance measures such as Sarbanes-Oxley. But before tossing money at a cure in the hope that it will eliminate these new risks, managers should first work to incorporate information risk into an overall enterprise risk management strategy. Like any other risk within the company, security risks must be identified and balanced against the benefits and costs of mitigation.

Unfortunately, in contrast to many other business risks, the discussion about IS risk has focused solely on the negative experiences. Of course, no one likes a bad outcome. A hurricane, like a security failure that exposes sensitive customer information, results in damage and cost. However, in other areas of business, risk is associated with return: higher risks yield higher returns. This is also true for IS risk. It is often assumed that IT risks arise from sloppiness or corner-cutting, such as the failure to follow best software development practice or to test and audit new systems. In some instances, this notion is true. However, many IT risks occur within the context of a larger business strategy with associated rewards.
For example:
• Working with a small, innovative start-up company whose promising software solution could generate significant returns, but could also harbour the associated risk of the small company's IT environment
• Starting or acquiring operations in low-cost countries where the infrastructure is less secure
• Outsourcing business processes to suppliers with lower-cost structures but unknown or hard-to-monitor security practices
• Exposing internal business data to customers and partners to help with the creation of new services or to reduce operating costs.

All of these create security risk, even with the best practices. Becoming aware of the risks is just the first step in building an effective management strategy. In our survey of retailers, over 85 per cent said that the level of IS offered by their suppliers was important to them. Yet we find that companies in each industry are struggling to develop effective ways to measure and manage security risks across their extended enterprise.

A simple way to reduce security risk is to limit business innovation: to avoid partnering, pull systems offline and lock down the fort. This is a serious mistake. Instead, risk should be balanced with reward. Embedding IT risk into your overall enterprise risk management strategy implies establishing a risk posture that does not seek to eliminate security risk, but rather manages it. The key is first to understand the vulnerabilities, threats and consequences.

Vulnerabilities are areas that can be exploited by malicious individuals or organisations. Examples could include poorly maintained software (such as failing to patch known security holes), poor security practices (such as inadequate password and identity management), or the exposure to the internet of older systems whose security is unknown. Given these vulnerabilities, what are the threats? Are there outsiders who are motivated and capable of exploiting the vulnerability? Or are there insiders who may be tempted to steal intellectual property? Finally, if security were breached, what are the consequences? Would they be primarily observed internally, or would they impact external groups such as customers or business partners? Internal failures, like viruses, generate real operational costs for the IT department but rarely put the company into a catastrophic tailspin. On the other hand, external failures, such as a breach of customer information, can be much more painful, warranting far greater attention.

To manage risk in the most effective way possible, companies should include IS in the broader perspective of business risk management, where the board of directors governs the company's overall risk posture. This same perspective must also be applied to business partners. For many companies, measuring supplier risk will require new tools for supplier security qualification. Like the tools used to assess a supplier's product quality, supply chain reliability or long-term financial viability, suppliers should be qualified using a technical assessment of security and an assessment of the supplier's information risk management practices. The risks of working with a new partner can then be balanced against the benefit that the partner delivers.

Most importantly, managing information risk is everyone's responsibility, not simply the job of IT executives. Rather than viewing IT executives as security guards, technology-savvy executives, from corporate directors to line managers, should act as consultants to the entire organisation. CIOs with strong business and technical skills are uniquely qualified to help educate the organisation and chart a course to bring IT risk into the overall risk management strategy. Bringing IT into the enterprise risk management strategy will not only protect against catastrophic operational surprises, but will empower managers to seize the exciting opportunities before them.

Computers have been in existence in European and American countries for a long time. Consequently, frauds associated with the computer environment have also been in existence for a long time. The American Institute of Certified Public Accountants (AICPA) was commissioned to conduct a study of EDP-related frauds in the banking and insurance sectors.
The study, Report on the Study of EDP-Related Fraud in the Banking and Insurance Industries, revealed many shocking findings, the more significant of which are:
• In some cases, fraud occurred during the normal transaction processing cycle;
• Many took advantage of weaknesses in the system of internal controls;
• Most frauds were in the input area;
• Input was either unauthorised or proper input was manipulated;
• File maintenance was a common method;
• Manipulation involved extending due dates on loans or changing names and addresses;
• Loss from reported cases worked up to several million US dollars;
• In all cases, perpetrators were employees.

Donn B. Parker, Senior Management Systems Consultant and researcher on computer crime and security, in a report for the National Institute of Justice, US Department of Justice, identified 17 crime techniques, the more significant of which are:
• Eavesdropping or Spying: This involves wire-tapping and monitoring radio frequency emissions.
• Scanning: Scanning presents sequentially changing information to an automated system in order to identify those items that receive a positive response, such as:
  • Telephone numbers
  • User IDs
  • Passwords
  • Credit cards
• Masquerading: In this, the perpetrator assumes the identity of an authorised computer user.
• Piggy-backing: This can occur when the user signs off or a session terminates improperly. The terminal is left in an active state, or in a state where it is assumed that the user is still active.
• Data Diddling: This involves changing data before or during its input into the computer.
• Trojan horse: This is the covert placement or alteration of computer instructions or data in a program so that the computer performs unauthorised functions. It is the primary method for inserting abusive acts, as in salami techniques.
• Logic Bomb: This is an unauthorised set of program instructions inserted into a regular program such that an unauthorised or malicious act is perpetrated at a predetermined time.
• Data Leakage: This involves the removal of data from a computer system or facility.

The National Center for Computer Crime Data, a Los Angeles-based research organisation, has been providing information on computer crimes. The statistics relate to:
• Average computer crime losses;
• Victims of computer crimes;
• Occupations of computer crime defendants;
• Types of computer crime;
• Computer crime cases in courts.
[Figure No. 3: Occupations of Computer Crime Defendants. Bar chart; y-axis "No. of Cases", x-axis "Sources of Crimes". Eight categories of defendant occupation (labels garbled in extraction), with case counts 26, 26, 19, 10, 6, 6, 6 and 1.]

[Figure No. 4: Types of Computer Crimes. Categories: damage to information, theft of software, extortion, harassment, alteration of data, theft of services, damage to hardware, theft of money.]

It was seen that computer crime losses were very high, with theft of services and money contributing the maximum. Commercial users topped the list of computer crime victims.

[Figure No. 5: Average Computer Crime Losses. Bar chart: theft of money $93,600; theft of program / data $55,166; damage to system / data $10,517.]

[Figure No. 6: Victims of Computer Crimes. Bar chart; y-axis "% of cases". Categories: banks, miscellaneous, individuals, commercial users, universities, government, telecommunications; percentages shown: 36, 17, 17, 12, 12, 4 and 2.]

Technology improvements provide greater sophistication for users. However, they also create significant security and control concerns. It is also of great concern that a computer criminal is less likely to be caught than a bank robber. Parker conducted two studies in 1976, on general bank frauds and on computer bank frauds and embezzlement respectively. The two studies revealed that average losses from computer bank frauds and embezzlement were approximately six times higher than those from general bank frauds.

• Computer crimes in India

In India, although computers made an entry much later, we are catching up fast in the area of computer frauds too. However, most of the crimes do not get reported, as organisations are hesitant to file a report that might affect their credibility.
[Figure No. 7: Computer Crime Cases in Courts. Pie chart: pleaded guilty 76%; found guilty 16%; found not guilty 8%.]

A few of the reported cases in the press are mentioned below:
• The Hindu, on March 7, 1996, carried a report, 'Quantum jump in the number of bank frauds', according to which Mr. R. Janakiraman, former deputy governor, Reserve Bank of India, while addressing a session on 'Frauds in banks and other financial institutions: prevention and detection' organised by the Institute of Criminological Research, Education and Services (ICRES), observed that frauds committed by bank employees in collusion with outsiders accounted for the largest number of frauds, rather than those committed single-handedly either by bank employees or by outsiders.
• India Today, in its February 28, 1999 issue, carried a report, 'High-tech frauds: Thieving with technology'.
• The Economic Times report 'Banks feel techno-crime byte', dated December 19, 1996, mentioned how Sanjay Subharwal and his accomplice cracked the Automatic Teller Machine (ATM) code of his sister-in-law's account after 99 attempts and siphoned off Rs. 1.52 lakh.
• The Economic Times dated January 12, 1997 stated: "The days of Nagarwallas using VVIP names to withdraw millions from a bank are old hat."
• India Today, in one of its issues, in a report titled "Hacking New Frontiers", wrote: "R. Srinivasan's employers, a stock broking firm in Chennai, were very happy with him and his proficiency in their new computers. He brought in new clients and increased the volume of shares traded. But the company was losing heavily on share transactions. A few months later, the managers found out why: Srinivasan's 'clients' were no more than electronic entities, existing only on the pathways of their computers. Losses: Rs. 50 lakh." Giving another example, the report says: "No one knew when account no. 20456 became active. The Bank of India's computer at Mumbai's Mulund branch only recorded that its owner Ganesh Rao had drawn Rs. 76,700 since February. So when Rao was overdrawing on April 3, they took a second look at him. Before them was Sanjay Rajbhar, a computer professional who ran a network controlling accounts. In a bank that still maintains huge, yellowing ledgers, Rajbhar had found a defunct account and resurrected it with a few key-strokes."
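Parker's 'scanning' technique listed earlier and the Economic Times case of an ATM code cracked after 99 attempts describe the same pattern seen from the defender's side: a long run of failed authentication attempts, either against one account or across many, before a success. The following Python script is an added example, not part of this dissertation and not any bank's system, showing how such runs can be picked out of an authentication log. The log lines, account numbers, terminal names and thresholds are all constructed for the illustration.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample authentication log (made up for this example, not data from the dissertation).
# Account 1001 sees five failures in two minutes and then a success; terminal ATM-09
# fails against five different accounts in succession, the "scanning" pattern.
SAMPLE_LOG = """\
2006-05-05 10:00:01 ACCT=1001 TERMINAL=ATM-07 RESULT=FAIL
2006-05-05 10:00:20 ACCT=1001 TERMINAL=ATM-07 RESULT=FAIL
2006-05-05 10:00:41 ACCT=1001 TERMINAL=ATM-07 RESULT=FAIL
2006-05-05 10:01:05 ACCT=2002 TERMINAL=ATM-03 RESULT=FAIL
2006-05-05 10:01:10 ACCT=1001 TERMINAL=ATM-07 RESULT=FAIL
2006-05-05 10:01:33 ACCT=1001 TERMINAL=ATM-07 RESULT=FAIL
2006-05-05 10:01:50 ACCT=2002 TERMINAL=ATM-03 RESULT=OK
2006-05-05 10:02:02 ACCT=1001 TERMINAL=ATM-07 RESULT=OK
2006-05-05 11:30:00 ACCT=3001 TERMINAL=ATM-09 RESULT=FAIL
2006-05-05 11:30:15 ACCT=3002 TERMINAL=ATM-09 RESULT=FAIL
2006-05-05 11:30:31 ACCT=3003 TERMINAL=ATM-09 RESULT=FAIL
2006-05-05 11:30:48 ACCT=3004 TERMINAL=ATM-09 RESULT=FAIL
2006-05-05 11:31:02 ACCT=3005 TERMINAL=ATM-09 RESULT=FAIL
"""

Alert = namedtuple("Alert", "kind subject detail ts")


def parse_line(line):
    """Split one constructed log line into (timestamp, account, terminal, success flag)."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    fields = dict(tok.split("=", 1) for tok in line[20:].split())
    return ts, fields["ACCT"], fields["TERMINAL"], fields["RESULT"] == "OK"


def detect_guessing(log_text, fail_threshold=5, enum_threshold=5,
                    window=timedelta(minutes=10)):
    """Return alerts for (a) repeated failures on one account, (b) a success that
    follows such a run, and (c) one terminal failing against many distinct accounts."""
    fails_by_acct = defaultdict(deque)   # account -> timestamps of recent failures
    fails_by_term = defaultdict(deque)   # terminal -> (timestamp, account) of recent failures
    already = set()                      # (kind, subject) pairs reported once
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, acct, term, ok = parse_line(raw)
        acct_q = fails_by_acct[acct]
        while acct_q and ts - acct_q[0] > window:   # expire failures outside the window
            acct_q.popleft()
        if ok:
            # A success after a run of failures is exactly what a lockout should have stopped.
            if len(acct_q) >= fail_threshold:
                alerts.append(Alert("SUCCESS_AFTER_GUESSING", acct, len(acct_q), ts))
            acct_q.clear()  # a genuine login resets the per-account counter
            continue
        acct_q.append(ts)
        if len(acct_q) >= fail_threshold and ("REPEATED_FAILURES", acct) not in already:
            already.add(("REPEATED_FAILURES", acct))
            alerts.append(Alert("REPEATED_FAILURES", acct, term, ts))
        term_q = fails_by_term[term]
        term_q.append((ts, acct))
        while term_q and ts - term_q[0][0] > window:
            term_q.popleft()
        distinct = {a for _, a in term_q}   # how many different accounts this terminal tried
        if len(distinct) >= enum_threshold and ("ACCOUNT_ENUMERATION", term) not in already:
            already.add(("ACCOUNT_ENUMERATION", term))
            alerts.append(Alert("ACCOUNT_ENUMERATION", term, len(distinct), ts))
    return alerts


if __name__ == "__main__":
    for a in detect_guessing(SAMPLE_LOG):
        print(a.ts, a.kind, a.subject, a.detail)
```

The per-account counter resets only on a successful login, so a success arriving after the threshold has already been reached is reported separately from the run of failures that preceded it; that is the event a lockout rule should have prevented. The second detector looks across accounts rather than within one, which is what distinguishes scanning of user IDs from guessing a single password, and it is why a per-account lockout alone does not catch it.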
"Technology is a strategic resource available at a cost, albeit with an altered risk-benefit matrix." --- Ashok Bhattacharya, General Manager - Technology, State Bank of Mysore.

Technology has become the backbone of human civilisation. Technology, its concepts, gadgets and formulations are matters of common use, spanning the drawing rooms of our residences to the board rooms of corporates, to the halls of deliberation at the United Nations (UN). Though technology and its applications have remained the subject of debate from time to time, the contribution of technology in the fields of business, health, education, entertainment, information and communication and, of course, banking is growing day by day. For most of us, it is no longer a question of whether to use technology or not; it is more a question of how to exercise our options in using technology. Which, when and what-if are some of the major questions that banks and the financial services industry have to consider in order to roll out technology, maintain it and upgrade it. Indeed, strategic use of IT is the vital part of the business intelligence that banks are relying upon for growth and viability in facing competition, and this reliance will be sharpened in the days to come in order to handle Customer Relationship Management (CRM) issues effectively.

Public Sector Banks (PSBs), which have large portfolios in terms of business and employment, are in various stages of migrating to new systems. As a matter of fact, this new strategic system may generally be identified with "Core Banking" aided by ATM networks and other e-processes. Some of the important features of such migration / upgradation are:
• From distributed / stand-alone banking to core banking / anywhere banking.
• Alternative delivery channels like ATMs, Internet Banking, Credit Cards, Smart Cards and Kiosks.
• Cross-selling products like insurance, money market and other financial products.
• Use of multimedia, online help and assistance.
• Electronic Fund Transfers (EFT).
• Digitisation of data, online encryption and straight-through processing.
• Business Continuity and Risk Mitigation, including KYC (Know Your Customer) and AML (Anti-Money Laundering) implementation.
• Online trading, settlement, treasury, domestic and cross-border transactions.
• Data Warehousing, MIS and Business Intelligence / Decision Support Systems.
• Intra-bank email systems, which incidentally revolutionised banks' internal communications, introducing online knowledge repositories, training / applicable instructions / job cards, etc.
• Considering that technology is a risk multiplier both in operations and in business, a properly manned and sophisticated disaster recovery process is put in place.

These quantum jumps in technology envelop the whole organisational entity, its activities, interfaces and all stakeholders. For a large organisation like a PSB (on the background of which the present article is based), having about 650 retail branches, business transactions exceeding Rs. 30,000 cr. and providing direct employment to about 10,000 persons, automation decisions are size-oriented. The size of operations has a critical bearing on the choice, cost and consequences of IT projects. The general method adopted by PSBs is to make a preliminary survey of actual functional systems in various other banks, appoint consultants, arrive at the desired specifications of the system to be procured and then go for tendering for suitable software / hardware and related services. All PSBs follow the Central Vigilance Commission's (CVC) guidelines in selecting the final vendor for software, hardware, accessories and maintenance thereof. It may be mentioned here that a precise cost-benefit analysis may not always be feasible, as technological upgradation, new technology, etc. are mostly required in order to remain in the market and / or to retain market share. Notwithstanding the same, while selecting technology and finalising the roll-out plan, PSBs do take care of the following factors:
• New technology will bring in new risks; accordingly, the cost, benefit and risks of the new technology need to be considered and optimised for maximum productivity.
• The life of the technology is also becoming shorter and shorter. For this reason, banks / financial institutions also need to be ready with resources and to plough back revenue enhancements so that systems can be replaced before they become totally obsolete.
• The agreement to purchase / hire, and the service level agreements, must each be legally sound besides technologically feasible, so that buyers can use the system as required by them and vendor failures are avoided.
• At this stage, banks / financial institutions may also finalise the process of User Acceptance Testing (UAT) that they would like to follow before commercial roll-out of the system at the branches / offices. This is very important and must be developed with a professional approach, as otherwise banks will suffer avoidable pangs and costs of customisation in high-risk situations.
• If the system is purchased on a turnkey basis, then the confidence level of such UAT should be very high.
• It would also be pragmatic for the bank to prepare an action plan for converting fixed costs, to take full advantage of new technology / upgradation; suitable steps should be taken to remove the roadblocks which prevent such conversion / replacement.

Based on the above components, below are the schematic triangles of concerns that bankers / financial institutions would do well to keep in mind while selecting / rolling out expensive and all-encompassing technologies.
[Figure No. 8: TCO Analysis]

No doubt, the implementation of a new system, say Core Banking Solutions (CBS), which is now being set up in most banks, will enhance banking services in a visible manner. The customers of a branch now become the customers of the whole bank. Speed and accuracy of transaction processing, money transfers, remittances, and local and national clearing are all enhanced, enabling the bank to handle more transactions while the cost per transaction comes down to a great extent. Thus, CBS, coupled with the ATM network, Internet Banking and Real Time Gross Settlement (RTGS), gives the customer the facility of doing business with the bank round the clock without visiting the bank's branch. Internet Banking is very popular with the young clientele, as utility payments, travel arrangements, bill payments and even the purchase of cinema tickets can be done sitting at home or in the office.
As RTGS has also been enabled in many commercial bank branches, the reach of the Electronic Funds Transfer System (EFTS) now stands highly enhanced. It is clearly visible that technology is a strategic resource available at a cost, albeit with an altered risk-benefit matrix. As a matter of fact, every upgradation of technology may become a risk multiplier if appropriate risk mitigation steps have not been embedded in the system and provided for in the handling procedure itself.

One of the risk areas is "outsourcing", in which, out of considerations of core competency and cost, outsourcing of all technological inputs, including the hiring of hardware, software and livewire, is resorted to. Business Process Outsourcing (BPO) has become a mantra in most private enterprises, which have high adaptability to new technologies. Even there, appropriate levels of agreement are reached and roadblocks set up to prevent control of the business passing from the hands of management to the hands of the BPO. In commercial banks, outsourcing is mainly done to obtain assistance wherever they lack the core competency to handle highly technological jobs, including troubleshooting of IT systems. Here also, many banks have tried to use in-house people to maintain their systems, but this has mostly resulted in a legacy of problems, creating handicaps for the bank in moving speedily to new technology platforms. Outsourcing of technological services, at least to launch an IT project, is quite common in today's banking industry. Banks have been asked by regulators to finalise a policy on outsourcing so that the risks of outsourcing critical basic applications are managed properly. Further, the salary structures of PSBs also do not permit the employment of highly qualified experts in the area of technology.
Recently, SBI and TCS have joined hands to float a separate company, which presumably will not have such salary and perquisite constraints and would, therefore, be able to retain technical experts for a reasonable time. It may also be noted that new technologies invariably give rise to new opportunities, which can be harnessed under the general expression of Business Process Re-engineering (BPR). The CBS, which operates on a centralised data and information reservoir, has the ability to convert a branch customer into a bank customer and, thereby, make it possible to turn many hitherto distributed banking activities into centralised activity. Banks are coming up with outlets, Centralised Processing Units (CPUs), where all loan processing, renewal and documentation for all branches are done, leaving branches free for marketing and cross-selling business. Banks that have rolled out CBS find a grand by-product opportunity to take such B2C initiatives, which have vastly improved credit appraisal, disbursement, documentation, deposit mobilisation, and cheque and customer instruction processing. As an example, previously all cheques in clearing would come to the branches for verification of signature, balances and payment thereof. But now service branches have all this information on the screen itself, and cheques need not travel to the branches, thus saving time and ensuring quality.

This new technology or new system is highly successful when it meets the following criteria:
• Increase in revenue / volume of business
• Reduction of cost of operations
• Reduction in delivery time for most B2C transactions
• Improvement in general customer service and loyalty of customers.

Most banks and financial institutions, and even insurance companies, that are using a high level of IT are endeavouring to measure the success of their investment decisions by the actual movement of the above factors. The beneficial impact of modern-day technology has ushered in a new era in the services available to bank customers.
Some such features are: transacting from any branch; specialised collections, remittances and fund transfers; 24 / 7 banking through ATMs and Internet banking; automated payments; Automated Standing Instructions (ASIs); using the bank's Web portals for the latest rates, new products and terms; submission of stock and other statements by loan account customers; and, with the RTGS facility, funds transfer to accounts with other banks has also become possible.
While technology (to be more precise, information and Internet technology) has brought in metamorphic changes in the area of banking and financial services, problems do persist in various areas: some are new, some also suffer from an aggregation of risk owing to the change in technology. Having rolled out CBS, the latest in banking technology, in 100% of our branches along with a network of ATMs, Internet Banking, RTGS, etc., we find many problems which, if handled either before installation or immediately on roll-out, would strengthen the bank's delivery, customer satisfaction and bottom line. Some such problem areas are as under:

• Biometric Access Control: In spite of decades of full computerisation in banks, even under CBS, most banks' internal access control is based on individual ID and password. Abuse of this system in a large organisation is well known and difficult to combat; thus, the system needs to be replaced by a biometric one: preferably, the ID of an individual employee of the bank should be replaced by his / her fingerprints. It would then be easier to track and eliminate all possible abuses or mistakes.
• UAT: We have mentioned the importance of UAT earlier. It is reiterated that though PSBs know fully well their inputs and the required outputs, data for comprehensively testing new systems are not generally available. Banks depend on the vendor's expertise in these matters, and generally mistakes are rectified through trial and error. In this context, the auditability of systems assumes considerable importance.
• MIS / Data Warehousing: Generally, the CBS available in the market may not come with full-blown MIS or data warehousing capability. These need to be developed, or the existing one has to be integrated.
• Input Control / Output Reports: The CBS is a platform mainly for handling Bank to Customer (B2C) transactions. Normally, no problem is envisaged from the transaction to the reporting level in a system that has gone through a proper UAT. But large banks always find it quite difficult to ensure full accuracy at the input levels. Errors of input, mapping and legacy problems at the granular level create data integrity problems.
• Variability of Cost: The success of new technology lies in harnessing its ability to cut down transaction cost, as also in replacing fixed cost by variable cost. But this is not happening at the required place and time, and often new technology represents additional cost without any reduction of the fixed cost already existing.
• Captive users: Some of the major problems have arisen from the fact that banks that have selected and installed new technology have become captive users of the vendors. This problem may be further accentuated in the absence of proper service level agreements.
• Attrition: Many of the bank staff members who have adopted and quickly mastered new technology may leave the bank for better offers, creating gaps in day-to-day management.
• Service Level Agreements (SLAs): However, many of these problems are not insurmountable, but definitely controllable. With appropriate planning and consultation they can be managed, subject to the existence of appropriate agreements on hiring / purchasing / outsourcing and SLAs. A professional arrangement in this area will ensure continuity of the vendor's stake, which is important.
• Systems and Operation Documentation / Manuals: In the new system, fully developed documentation should be available. Online help generally does not meet the requirements of users. Sometimes these are not available, and vendors themselves suffer from attrition, thus creating a somewhat chaotic situation during the commercial run of the system, which may degenerate unless appropriate control and administration is exercised. Prevention is always better than cure.
• B2B / Government Business, etc.: A large part of a bank's business is treasury management and bank-to-bank transactions, including multi-currency transactions. Some of the PSBs are also entrusted with government business. Most of these core banking systems do not have proper modules where such transactions and transactional MIS can be processed simultaneously. The additional requirements need to be anticipated and negotiated with the vendors at the opportune time. Suitable middleware can be used in this regard.

"India is a software powerhouse. But its IT security practices are pathetic and consumers should beware." --- Sucheta Dalal, Consulting Editor of MONEYLIFE

Last June, an employee of Hong Kong Bank in Bangalore was arrested following an investigation into the theft of pound sterling 230,000 from a British customer's account. Earlier this month, Channel 4 of London controversially claimed that "credit card data, along with passport and driving license numbers, are being stolen from call centers in India and sold to the highest bidder".

A survey on the Global State of IS 2006, by www.CSOonline.com, says: "Most executives with security responsibilities have made little or no progress in implementing strategic measures that could have prevented many of the security mishaps reported this year. Only 37% of respondents said they have an overall security strategy". Worse, "a large proportion of security executives admitted they are not in compliance with regulations that specifically dictate security measures their organisation must undertake", even though the consequences were stiff penalties, including prison sentences, for the executives. The study, by CSO, CIO and PricewaterhouseCoopers (PwC), covered 7,791 respondents in 50 countries.
While things are pretty bad on the global IT security front, things are worse in India. The study says: "One of the most unsettling findings in this year's study is the sad state of security in India, by a wide margin the world's primary locus for IT outsourcing. India lags far behind the rest of the biggest IT powerhouses in the world; these findings should cause considerable concern. Many survey respondents in India admitted to not adhering to the most routine security practices. Extortion, fraud and intellectual property theft that occurred last year are double and even quadruple those of the rest of the world. Nearly one in three Indian organisations suffered some financial loss because of a cyber attack last year, compared with one in five worldwide and one in eight in the United States."

According to CSOonline.com, "The problem is obvious, but right now it's apparently easier to ignore than to address. Harder to ignore is the constant news of large organisations losing laptops packed with unencrypted personal data on millions of customers. Every such report should motivate companies to tighten security, but every year the survey indicates that's not happening."

2.4 The IS Scenario in India

Banking institutions are getting more and more conscious about IS, taking into consideration the scams that have occurred in the past and continue to do so even today. A flood of new security attacks targeting banking customers over the last twelve months has forced organisations and regulatory bodies to introduce new directives and methodologies, such as the recommended use of two-factor authentication by online banks by the end of 2006. These groups believe that single-factor authentication (the use of a username and password) is now inadequate to protect users against recent internet scams such as phishing, pharming and RAT attacks.
By the end of 2006, many Asian online banks will be required to implement the new directives covering two-factor authentication, which relies on something the consumer has, such as a token or smartcard, in addition to something the consumer knows. This helps identify the individual more specifically. Introducing the methodology in a relatively short span of time will be the next big challenge faced by the banks, which will also have to ensure that the chosen method is convenient enough for broad consumer adoption while keeping costs down.

Banks in India need to be complimented on inculcating technology in a large way in their day-to-day operations. In a short span of less than two decades, customers of the banks have felt the positive impact of the technological solutions implemented by banks. The customer of a bank has a virtual menu of options as far as delivery channels are concerned, and all of these are the benefits of technology, with the most visible benefits happening in the area of payments for retail transactions. A variety of cards, Automated Teller Machines (ATMs), Electronic Fund Transfers (EFT), Internet Banking and Mobile Banking are some of the latest technology-based payment solutions, which have gained wide acceptance in the Indian banking arena. While addressing a critical topic such as technology, which has today become a basic necessity rather than a luxury in the banking sector, the various components which comprise the building blocks on which banking will function in the morrow must be examined. I would, therefore, enlist some of the major aspects which appear to be the corner stones in the road that we are paving, so that the highway ensures free, safe and secure conduct of banking services and business. Technology implementation comes with its attendant requirements too. A few major aspects which need to be reckoned with relate to the:

• Need for standardization – across hardware, operating systems, system software and application software, to facilitate inter-connectivity of systems across branches.
• Need for high levels of security – in an environment which requires high levels of confidentiality, IS is an important requirement.
• Need for a technology plan which has to be periodically monitored and also upgraded consequent upon changes in the technology itself.
• Need for business process re-engineering with large-scale usage of computers – the objective is not merely to mechanise activities but to realise the holistic benefits of computerization for both the customer and the staff at the branches.
• Sharing of technology experiences and expertise so as to reap the benefits of technology implementation across a wider community.

With technological solutions rapidly evolving, more new products and services may soon become the order of the day. This technology evolution needs to be thoroughly supported by IS practices and procedures in order to avoid an otherwise chaotic situation. Prominent among the attendant challenges is the paradigm shift in the concept of security. With delivery channels for funds-based services, such as the electronic movement of funds between different accounts of customers, now relying on technology, the requirements relating to security also need to undergo a metamorphosis at a rapid pace. Various concepts, such as digital signatures, certification, and the storage of information in a secure and tamper-proof manner, all assume significance and have to be a futuristic part of the practices and procedures in the day-to-day functioning of the banks of tomorrow. Security requirements have to be provided from a two-pronged perspective: first, for the internal requirements of the banks themselves, and second, relating to the legal precincts of the laws of the land. It is indeed a matter of satisfaction that the 'INFINET' (Indian Financial Network) is a safe, secure and efficient communications network for the exclusive use of the banking sector, which provides for inter-bank communication.

7: Abstract from the Address by Shri V. Leeladhar, Deputy Governor, Reserve Bank of India, at the IT@BFSI- 200 Conclave, Bangalore, on June 9, 2005.
The key advantage of 'INFINET' is its own security framework in the form of a Public Key Infrastructure (PKI), which conforms to the provisions of the Information Technology Act, 2000. Several large financial institutions are now starting to implement two-factor authentication to re-establish trust with their users, fearing that if nothing is done, profits will be lost, customer confidence will drop, and brand image will suffer in the long run.

"At YES BANK, our priority is delivering solutions that take into account present and future customer needs," said H. Srikrishnan, CIO and Executive Director, YES BANK. "We identified that current and prospective customers have access to a PC with a reliable bandwidth connection, but a key concern was the ability for us to guarantee a high level of security, giving them the confidence to use Internet banking without the worry of fraud or theft. Thus, our priority was addressing this issue and identifying a solution, which would improve customer confidence and provide a reliable and user-friendly experience."

According to recent surveys conducted by various IS organisations, identity theft now looms larger than any other kind of crime worldwide. Currently the IS implementation in banks suffers from deficiencies such as:

• A comprehensive Security Risk Assessment is not conducted before drafting a security policy for the bank.
• The Acceptable Usage Policy (AUP) is not communicated to all staff of the bank.
• The scope of the Information Systems Audit at branches is restricted to checklist audits.
• No defined Vulnerability Assessment Policy has been set out for the data centres of banks.

8: http://www.securitypark.co.uk/article.asp?articleid=25068andCategoryID=1; access date: August 26, 2006
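The "something the consumer has" factor discussed above is typically a hardware token that displays a one-time code. The following is an added example, not code from this dissertation or from any bank: it implements the HMAC-based one-time password algorithm of RFC 4226 (HOTP) together with the bank-side verification a second factor needs, including replay rejection and a small resynchronisation window. The shared secret is the RFC's own published test key; the `TokenVerifier` class, the look-ahead window of 5 and the `login` wrapper are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Added example (not from the dissertation). The secret is the RFC 4226 test
# key, so the codes it produces can be checked against the RFC's test vectors.
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Bank-side state for one customer's token (an assumed design, not a product).

    The next expected counter is remembered so that a captured code cannot be
    replayed; a small look-ahead window tolerates a token that was pressed a
    few times without a login, which is why codes are verified in a loop.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead
        self.digits = digits
        self.counter = 0  # next counter value the bank will accept

    def verify(self, submitted: str) -> bool:
        if len(submitted) != self.digits or not submitted.isascii():
            return False
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            # constant-time comparison so timing does not leak which digits matched
            if hmac.compare_digest(hotp(self.secret, c, self.digits), submitted):
                self.counter = c + 1  # resynchronise and burn this code
                return True
        return False


def login(verifier: TokenVerifier, password_ok: bool, otp: str) -> bool:
    """Two-factor decision: the knowledge factor and the possession factor must both pass."""
    if not password_ok:
        return False  # do not consume a token code for a failed password
    return verifier.verify(otp)


if __name__ == "__main__":
    v = TokenVerifier(RFC4226_TEST_SECRET)
    first = hotp(RFC4226_TEST_SECRET, 0)
    print("first code:", first, "accepted:", login(v, True, first))
    print("replay of the same code accepted:", login(v, True, first))
```

The window is the design decision worth noting: a window that is too wide lets an attacker who has seen one code guess more easily, while a window of zero locks out every customer whose token has drifted, so banks keep it small and require a second consecutive code to resynchronise beyond it.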
ICICI Bank Phishing scam targets customers in India

Phishing is a relatively new phenomenon in India, though the United States, South America and Europe have been reeling under its impact for years now. The new scam mail targets the Indian customer, who is relatively unaware of such activities, and follows a contemporary trend in the international online arena: it tells users that a popular bank is updating its online security mechanism, so the user should key in his information on the website that the fake email leads them to. Security analysts at (name undisclosed), an Internet security company, warn that a phishing mail in the name of one of India's leading banks, ICICI, has been spammed to targeted user groups for the last couple of weeks, aiming at sensitive financial information. The mail says that ICICI Bank is upgrading to a new SSL server to insulate customers against online theft and other related criminal activities. Users are told to confirm their personal banking information by following the given mail. It also warns that if the user does not complete the form, the online bank account will be suspended until further notification. Once the user clicks on the link, he is taken to a bogus website that looks identical to the original one, where he is made to part with his account number, password and PIN.

Phishing is the cyber form of 'Identity Theft', using fake spam emails and fake websites of reputed financial organisations. You receive an email that seems to come from a reputed bank, credit card firm, auction website or any other financial institution. The message tries one of several tricks to induce you to click on the link provided in the email and get you to reveal your personal information. This stolen information is used for sophisticated online robbery, identity theft and other Internet-related crimes.

The Anti-Phishing Working Group, an industry consortium formed to fight this mode of crime, says the attacks in recent months were double those reported in the same months last year. With commerce growing rapidly, phishing attempts may grow manifold this year, faking more brands and institutions to loot more victims around the globe.
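The lure described above leaves several machine-checkable traces: a Reply-To that does not belong to the bank, a link whose visible text shows the bank's address while its real target is elsewhere, and a threat of suspension. As an added example (not from the dissertation, and not a product of any bank or vendor), the following defender-side filter parses a constructed copy of such a mail and reports each indicator. Both sample mails are constructed for this example; every address and host uses the reserved `.test` domain and stands in for no real bank site.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the scam described in the text: a "new SSL
# server" story, a visible URL that differs from the real link target, and a
# suspension threat. All hosts are placeholders under the reserved .test TLD.
PHISH_MAIL = """\
From: Example Bank Security <security@examplebank.test>
Reply-To: verify@examplebank-ssl-update.test
Subject: Important: confirm your online banking details
Content-Type: text/html

<html><body>
<p>We are upgrading to a new SSL server to insulate customers against online theft.</p>
<p>Please confirm your details at
<a href="http://examplebank-ssl-update.test/login">https://www.examplebank.test/secure</a>
or your online bank account will be suspended.</p>
</body></html>
"""

# Constructed benign mail from the same (placeholder) bank, for contrast.
CLEAN_MAIL = """\
From: Example Bank Statements <statements@examplebank.test>
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body><p>Your statement can be viewed under
<a href="https://www.examplebank.test/statements">Statements</a> after you log in as usual.</p></body></html>
"""

PRESSURE_PHRASES = ("will be suspended", "confirm your", "verify your", "update your")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two DNS labels; a production filter would consult the public suffix list."""
    labels = host.lower().strip().split(".")
    return ".".join(labels[-2:])


def address_domain(header_value):
    """'Name <user@host>' or 'user@host' -> host."""
    return header_value.rsplit("@", 1)[-1].strip(" >")


def phishing_indicators(raw_mail, trusted_domain):
    """Return human-readable findings for one mail; an empty list means nothing fired."""
    msg = message_from_string(raw_mail)
    findings = []
    sender = address_domain(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    if reply_to and registered_domain(address_domain(reply_to)) != registered_domain(sender):
        findings.append(f"reply-to domain {address_domain(reply_to)} differs from sender {sender}")
    body = msg.get_payload()
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        target = urlparse(href).hostname or ""
        if registered_domain(target) != registered_domain(trusted_domain):
            findings.append(f"link target {target} is outside {trusted_domain}")
        if text.startswith(("http://", "https://")):  # link text that itself looks like a URL
            shown = urlparse(text).hostname or ""
            if registered_domain(shown) != registered_domain(target):
                findings.append(f"visible URL {shown} hides real target {target}")
    lowered = body.lower()
    findings.extend(f"pressure phrase: '{p}'" for p in PRESSURE_PHRASES if p in lowered)
    return findings


if __name__ == "__main__":
    for name, mail in (("phish", PHISH_MAIL), ("clean", CLEAN_MAIL)):
        print(name, phishing_indicators(mail, "examplebank.test"))
```

None of these indicators is proof on its own (banks do send reminders, and marketing mail often uses tracking hosts), which is why a gateway scores them together rather than blocking on any one; the link-text mismatch is the strongest signal here because a legitimate sender has no reason to display one address and point at another.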
2.5 Understanding Information Security (IS)

In view of the critical implications of Information Security (IS) for banks and financial institutions, it is necessary to emphasise that the management of the bank should have a good understanding of IS risks.

• IS is not only the concern of the Information Technology Department but of the entire organisation. It is said that "Security in an organisation is as strong as its weakest link". Hence, each and every user of information, from senior management to the clerk in the branch, has to be involved in any security initiative taken by the bank. This means that they have to be aware of the security threats and should practise the laid-down policies and procedures.
• The IS Policy has to be aligned to the business objectives through a proper IS Risk Assessment. This means that the risks identified and measured during a structured IS Risk Assessment should be mitigated with effective security policies and procedures.
• The IS Policy cannot be the same for all banks despite similarities in their business functions, because each bank has its own unique risks, which may be multidimensional considering its locations, services, business goals and technical infrastructure.
• Banks can optimise their resource spending on IS by strategising their security spending to mitigate the high-impact risks identified during their IS Risk Assessment. Hence, IS should be seen as an investment.
• Security audits at branches need to be conducted by qualified personnel, as they need to encompass an audit through the computer.
• IS rests on the CIA principle (confidentiality, integrity and availability). Hence, in every decision, the CIA security requirements have to be observed.
• IS Risk Assessment is not restricted to Vulnerability Assessment of the technical infrastructure but extends to identifying critical assets, their threats and organisational vulnerabilities. It also includes Business Impact Analysis (BIA), measuring risks and suggesting appropriate controls.

2.6 Spending Patterns (Technologically and Financially)

According to the Gartner report on IT spending by financial services, the worldwide financial sector spends about US$ 129 billion annually on IT services.

Figure No. 9: IT Spending Patterns (Source: Gartner). The worldwide financial services industry spends about $129 billion annually on IT services. Worldwide financial services IT services spending ($ billion), by fiscal year as shown in the chart: FY 02: 114; FY 03: 123; FY 04: 129; FY 05: 136; FY 06: 145; FY 07: 154 (CAGR 6.3%).
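The bullets in section 2.5 describe a risk assessment as assets, threats, vulnerabilities, a business impact analysis, measured risks and suggested controls, and say that security spending should be steered towards the high-impact risks it identifies. The following is an added example, not from the dissertation or any bank, of how those pieces fit together in a small risk register: each risk is rated as likelihood x impact, weighted by how much the asset needs the CIA property the threat violates, and controls are then chosen within a fixed budget by their rating reduction per unit of cost. Every asset, score, cost and control effect is a constructed illustration, as are the `Asset`, `Risk` and `Control` types.

```python
from dataclasses import dataclass

# Added example (not from the dissertation). All register entries, scores and
# costs below are constructed for illustration; they describe no real bank.


@dataclass
class Asset:
    name: str
    cia: dict  # required protection level per property, {"C": 1..3, "I": 1..3, "A": 1..3}


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe), from the business impact analysis
    prop: str        # the CIA property the threat violates


@dataclass
class Control:
    name: str
    cost: int             # constructed budget units
    likelihood_cut: dict  # risk index -> likelihood points the control removes


def rating(risk, likelihood):
    """Risk rating = likelihood x impact, weighted by the asset's need for that property."""
    return likelihood * risk.impact * risk.asset.cia[risk.prop]


def total_rating(risks, likelihoods):
    return sum(rating(r, l) for r, l in zip(risks, likelihoods))


def apply(control, likelihoods):
    """Residual likelihoods after a control; likelihood never drops below 1."""
    new = list(likelihoods)
    for idx, cut in control.likelihood_cut.items():
        new[idx] = max(1, new[idx] - cut)
    return new


def plan_controls(risks, controls, budget):
    """Greedy selection: buy the affordable control with the largest rating
    reduction per unit cost, re-scoring after each purchase because controls
    overlap. Returns (chosen control names, residual likelihoods, spend)."""
    likelihoods = [r.likelihood for r in risks]
    remaining = list(controls)
    chosen, spend = [], 0
    while True:
        before = total_rating(risks, likelihoods)
        best, best_value = None, 0.0
        for c in remaining:
            if c.cost > budget - spend:
                continue
            value = (before - total_rating(risks, apply(c, likelihoods))) / c.cost
            if value > best_value:
                best, best_value = c, value
        if best is None:
            return chosen, likelihoods, spend
        likelihoods = apply(best, likelihoods)
        chosen.append(best.name)
        spend += best.cost
        remaining.remove(best)


def above_tolerance(risks, likelihoods, tolerance):
    """Risks whose residual rating still exceeds management's stated tolerance."""
    return [(r.threat, rating(r, l)) for r, l in zip(risks, likelihoods) if rating(r, l) > tolerance]


# Constructed register
CORE_DB = Asset("core banking database", {"C": 3, "I": 3, "A": 3})
PORTAL = Asset("internet banking portal", {"C": 3, "I": 3, "A": 2})
BRANCH_PC = Asset("branch workstations", {"C": 2, "I": 2, "A": 1})

RISKS = [
    Risk(CORE_DB, "insider data theft", "no database access logging", 3, 5, "C"),
    Risk(PORTAL, "phishing of customer credentials", "single-factor login", 5, 4, "C"),
    Risk(PORTAL, "web application exploit", "no periodic vulnerability assessment", 3, 5, "I"),
    Risk(BRANCH_PC, "malware via removable media", "AUP not communicated to staff", 4, 2, "I"),
]

CONTROLS = [
    Control("Two-factor authentication", 40, {1: 3}),
    Control("Vulnerability assessment programme", 25, {2: 2, 3: 1}),
    Control("Database activity monitoring", 30, {0: 2}),
    Control("Staff awareness and AUP rollout", 10, {3: 2, 1: 1}),
]

if __name__ == "__main__":
    chosen, residual, spend = plan_controls(RISKS, CONTROLS, budget=80)
    print("chosen:", chosen, "spend:", spend)
    print("residual rating:", total_rating(RISKS, residual), "of", total_rating(RISKS, [r.likelihood for r in RISKS]))
    print("still above tolerance:", above_tolerance(RISKS, residual, tolerance=30))
```

With the constructed figures the greedy plan buys the three cheaper controls and cannot afford two-factor authentication, so the single highest-rated risk (phishing) is the one left above tolerance. That is the point of reporting residual risk alongside the plan: cost-efficiency alone does not guarantee that the top risk is treated, and management has to either raise the budget or accept that residual explicitly.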
According to a report from the Indian Institute of Information Technology, the application of Information and Communication Technology to the banking sector has been growing in the recent past. IT spending by the BFSI segment jumped by a healthy 18 percent during 2002-03 to touch Rs. 60 billion (US$ 1.24 billion). Indian banks spend an estimated Rs. 1.5 billion, on average, on software and hardware for core and internet banking services. According to industry estimates, the BFSI segment accounts for around 10 percent of the total IT industry and about 28 percent of the domestic IT market. Spending by the BFSI segment is expected to jump to Rs. 98 billion during the 2004-05 fiscal year.

The main driver for the increasing use of IT in banking is the need to cater to the growing and changing expectations of customers, who relentlessly demand continuous improvement in the quality of services offered, reduction in charges and access to new products. In the context of global competition, the banks have to use other factors to facilitate the increasing IT investments. The Central Vigilance Commission lays down certain statutory requirements for banks in this regard, i.e. to achieve 100% branch computerization and the availability of certification services for ensuring the security of electronic transactions, with an eye on the growing size, complexity and integrity of the financial markets.

Technological advancements bring along concerns about the privacy, confidentiality and integrity of information. Such concerns are seen to have a major impact on the functioning and existence of banks and financial institutions. While many banks in India have taken steps to improve their IS, much still remains to be achieved. It is often perceived by the management of banks that IS is technical and complex. On the contrary, IS is similar to any other area of managerial decision-making. Further, IS investment should also have a return on investment. This is to be achieved by an effective IS Risk Assessment.

9: Implementing IS in Banks: http://www.sisa.co.in/images/PDF/WhitePaper_ImplementingISinBanks.pdf
2.7 CTO / CIO's viewpoint

"The best way to approach IS is from the business side – ask what the business need is, assess the risk and fashion a risk mitigation strategy that fits." -- S Krishna Kumar, GM (IT) and CISO, SBI.

The devising of an appropriate and suitable security strategy depends upon several aspects, such as the breadth of the organisation's business, volume of transactions per day/month, scale of operation (no. of years in the current business), necessity of data migration, competition in the sector, etc.

Table No. 2: Risk Mitigation Strategy

Processes
• Upper management buy-in
• Concept of six pillars of safety: governance, structure, risk assessment, risk management, communication and compliance
• Policy approval at board level
• Risk mitigation processes
• Documented standards and procedures
• Management overview for controllers
• Service Level Agreement (SLA) monitoring

Technology
• Firewall
• Anti-virus
• IDS (Intrusion Detection Systems)
• Management tools

The security strategy must be in line with the business needs and complexities, so as to be holistic in approach, and should include all the components needed for the IS programme.
"IS has commitment and support at the highest level in the organisation. The state of IS is periodically reviewed by the top management." All the pillars are equally critical in providing IS assurance, rather than merely focusing on security products and penetration tests. IS derives its strength from the highest authority, the board, which has approved the bank's IS policies and provided direction and support mechanisms to evolve the required standards and procedures.

"Risk mitigation is not a one-size-fits-all process, and takes different routes depending on the risk and business imperatives. This needs to be devised after considering business needs vis-à-vis security controls." Being financial organisations, the banks are subject to a number of regulations, both internal and external in nature. These are considered an integral part of the security architecture.

"It is necessary that all the personnel across the business understand the underlying philosophy and basis of the security policy. Merely writing a security policy and sending it to the different departments will never succeed."

"It is not good enough to have just the performance levels specified in a Service Level Agreement (SLA). The organisation should also be able to measure service levels, use appropriate measurement metrics, build adequate deterrents against under-performance and monitor the performance of all the outsourcing agreements."

Business continuity and disaster recovery planning are of great importance in the IS strategy or programme. On this, Mr. Kumar observes "that a Disaster Recovery (DR) system has been set up for critical applications in a different city and periodic mock drills are conducted."

"An important but often neglected aspect of the DR plan is to shuffle a core team of operations personnel between production and DR sites periodically. This ensures the availability of skilled resources at the DR site. They are current with the latest state of the production application", says Kumar.
2.8 Summary

The basic IS needs of banks and financial institutions are very similar to those of most large organisations. The problem for banks is that they are fairly high-value targets. Gaining unauthorised access to a bank's customer records can make identity theft easy on a large scale. Unauthorised access to customer records creates operational, legal and reputational risks for banks. Currently banks are spending approximately 5-6% of their total IT budget on security, and this amount may prove inadequate to ensure effective ISRM, considering the threats existing in the e-world today. Not only should the banks spend more on IS, but they should also ensure that their IS risks are mitigated. A structured IS Risk Assessment will enable banks to accomplish this objective. A Return on Investment (ROI) in IS should be demanded by the management. Further, banks should approach IS in a structured manner.