Excerpted from the inaugural address by Dr K C Chakrabarty, Deputy Governor, Reserve Bank of India, at the IBA-DSCI Conference on 'Security Framework in Indian Banks', in Mumbai on April 26.
Information is at the heart of today's business, and the all-pervasive impact of information technology in harnessing, collating and processing huge volumes of information is definitive.
In this scenario, the need for ensuring that information is kept confidential adhering to accepted norms of privacy and making it available to authorized users at the appropriate time assumes great significance.
This is particularly valid for the banking sector where day-to-day operations are centered on information and information processing, which in turn is highly dependent on technology.
Banking as a business involves the management of risks based on a repository of trust extended by the customers. If this objective has to be accomplished, it becomes imperative for all security concerns especially customer sensitive data to be addressed in an effective way so as to ensure that the trust levels are well preserved and information assets perform the role that they are supposed to.
In addition, banking is poised to be omnipresent through facilities such as 'Anywhere and Anytime Banking', proliferation of services offered through ATM networks, IT enabled instant remittances across banks, customer payments, mobile payments and many more.
The giant project of ICT-supported financial inclusion is all set to change the face of Indian banking by making banking services fully inclusive.
The last decade witnessed a sea change in the way banking services are made available to customers. With the interlinking of ATMs, the customer has been further transformed into constituent of the financial sector rather than a bank.
The time is now appropriate to review the adequacy of the measures taken by banks. As the banks and IT industry came up with layers of protection for their systems, fraudsters, hackers and a bewildering variety of other such entities made voracious attempts at breaking the security layers.
When the application layer was fortified, the attention was on to break the network layer. When the network equipment manufacturers hardwired the security protocol making it extremely difficult to break them, the attack switched over to the internet servers.
Activities like phishing require customers and bankers to migrate to the higher levels of security. While these examples relate to Internet-based banking, the latest dimension relates to security for mobile banking.
It is to be recognized that information security has two important dimensions, namely:
It is necessary to address basic concerns relating to safety and security of information and communication technology (ICT) assets, to data and to information pertaining to the bank as a whole and the customer in particular.
Against this background, I thought that it would be appropriate to define a set of best practices which would enhance the value of IT security.
I prefer to christen them as the 'Ten Commandments of IT security/management in banks'. I shall dwell briefly on each of these now.
1. Thou shall take adequate care of the human factor in IT implementation
IT security is more often than not a people related aspect than a technical issue. This is applicable to both insiders and customers of banks as well. There is a need to be vigilant against an insider who may know more than what is required and when aided with unfettered access, could wreak havoc on the bank concerned.
Equally important is a customer who exploits technology loop holes for malafide intentions. It is thus imperative that IT Security parameters provide adequate focus on the set of people directly related to the systems in addition to the targeted audience as well. In this connection, communication in a language understood by these stakeholders assumes critical importance.
2. Thou shall ensure permeation of IT security throughout the organisation
World over, it has been recognized and accepted that IT security is optimal if the implementation is top driven.
The cue for this is that the top management of banks need to provide a missionary zeal for implementing IT security; their efforts would automatically ensure that the IT security related procedures are effectively implemented across all levels in the banks.
3. Thou shall have clear IT security policies and procedures
One of the main characteristics of banking in India relates to the existence of well documented policies and procedures pertaining to their areas of operation. The IT security domain, however, cannot boast of a similar level of compliance.
Well laid down processes and procedures not only enhance employee efficiency but also aid a great deal in ensuring that there is clarity of objective apart from acting as a veritable guide to the conduct of operations in a safe and secure manner. It is also imperative that these procedural requirements are fully disseminated to all sections of the staff for their unflinching compliance at all times.
4. Thou shall take action at the appropriate time
It is almost impossible to achieve complete IT security in any organisation. Addressing IT security related concerns and breaches thus assume significance. The watch word here is timeliness; it is only those banks which take quick corrective action which can survive the onslaught of security breaches.
Such prompt action is possible only if the banks have already put in place well defined systems and procedures. The need to focus on attempted security violations also needs to be taken care of since these offer themselves as excellent early warning signals which, if left unattended or improperly attended, may result in substantial losses and a small lapse often becomes a mega event due to lack of right decision at the right time.
5. Thou shall ensure that adequate resource capability is provided for
An effective IT security framework cannot be implemented in isolation. It is imperative that all resources which facilitate the accomplishment of this objective are adequately provided for.
These include adequate personnel, effective and efficient IT systems, good vendor management policies, and sound IT / ARE Audit mechanisms. Costs are certainly associated with these but the benefits accruing on account of reduced impact of IT security breaches more than compensates for the costs incurred in this regard.
6. Thou shall provide for optimal business process re-engineering
Most IT implementations in the Indian Banking scenario are replicas of the manual work processes which have been only tweaked to perform in an IT-enabled environment. The result is the existence of redundant processes and loss of efficiency.
Business process re-engineering leads to cost savings, better work flows, improved efficiency and better customer service levels as business process systems are cross-functional, i.e. the system boundary is not within a single function but actually goes across boundary lines.
7. Thou shall take care of obsolescence issues for IT security as well
Perhaps the only industry in today's world where advancements are very rapid and every advancement brings in its wake reduced costs for adoption is the ICT industry.
Network based communication has reached rock-bottom levels as far as costs are concerned while the prices of IT systems have exponentially reduced.
The rapid degree of product and feature obsolescence in the IT industry is a formidable challenge for banks. Such obsolescence needs to be tackled in a systematic and proactive manner for mutual benefit of the banks and their customers.
Care needs to be, taken in such a way that upgradation to take care of technology obsolescence is performed in a scientific manner and on a need-to-upgrade basis. This would help banks avoid falling into the technology-obsolescence trap requiring huge sums of money for to come out.
8. Thou shall provide a framework for incident management
Security related incidents cannot be wished away. The best tool towards an effective IT security framework would thus be one which acknowledges such security instances and provides for a framework for appropriate incident reporting within the organisation and to the regulators.
Such a mechanism would provide insights into the security violations and other such attempts, but the single largest beneficial factor would be the development of a set of knowledge workers who hold the key to success of any IT based initiative by banks in a country which can boast of some of the best IT companies runs by effective IT czars.
9. Thou shall take care of data quality and integrity
The most vital component of IT security is the data which forms part of the IT enables business processing system. Data is hard to get or create, easy for misuse and is tough to be channeled towards beneficial interpretation resulting in meaningful analysis.
To this end, banks need to work out effective standards aimed at high levels of data quality and integrity. I am reminded at this juncture of a book called Database Nation written by Simson Garfinkel which outlines the death of privacy in the twenty-first century.
The author skillfully elucidates the various facets governing data piracy while concluding that the owner of one's own private information is not himself! Banks cannot afford to fall into this category and data refinement is one approach which would facilitate good data management with adequate levels of protective covers.
10. Thou shall provide for IT security as a way of life
The last commandment is more like a synopsis but is at the heart of all IT security related initiatives. IT security cannot be viewed in isolation; neither can it be implemented in fits and starts.
Examples of good IT security implementation reveal that good IT security features are impregnated as essential requirements in a normal way of life. As banks, we need to imbibe the security culture in our normal day-to-day activities.
This is a challenging and daunting task since the normal human mind is more attuned towards an easy, laissez faire approach towards reduced security so as to enhance convenience.
IT security does add on to inconvenience as it does towards increased costs, but it is economical in the long run.
While there have been conscious efforts on the part of the regulator as well as regulated entities, I still feel there is considerable scope in working towards having a uniformly accepted standards and practices for operational risks especially information security risks across all financial institutions.
It is in this context that I have attempted to set out the standards for IT security. I am sure that in the world of today where only the fittest have any chances of survival, our banks will not only survive but also grow in prosperity and mature as well, using the best of information and communication technology.
I am sure that the conference would be thought stimulating, packed with high energy contents and be rewarding to you all. Let me conclude now by wishing the conference all success.
Thank you.