Allahabad Bank is implementing data/ information security through continuous improvement and enrichment of processes. Necessary level of awareness is being created among employees for prudent handling of data/ information during processing, transmission and at rest (storage), while keeping a vigil on activities, which may impact bank’s information security, says Vivek Gupta, Deputy General Manager and Chief Information Security Officer, Allahabad Bank, in conversation with Elets News Network (ENN).
C-Suite Officers are emerging as the new gamechangers across the BFSI sector. How significant is their role in Public Sector Banks?
Chief Officers in various verticals of Public Sector Banks are the most experienced executives who are key decision-makers, and also entrusted with the highest level of responsibilities. They act as C-Suite Officers, irrespective of their cadre or pay scale and discharge their duties with their actual command and expertise in the respective domain.
C-Suite Officers, being directly responsible for their functional area viz. Information Security, Technology, Information Systems, Finance, Compliance, Risk, Security etc., are thus more effective than the traditional in-charges, who were assigned the role based on their allotment of the portfolio/ department/ cadre/ pay scale.
C-Suite Officers are holding direct responsibilities and are interacting directly with RBI, Govt., Board, Committees. The regulator also prescribes the role and responsibilities of C-Suite officers in banks and expects the implementation to be in true spirits, without dilution of the objectives.
They are better able to explain issues, being faced down the line, to discuss practical solutions and decide a proper execution plan. The change in management methodology and practices is now clearly visible in BFSI sector. In case of public sector banks, the same wave of change is being experienced and it may be further strengthened, with empowerment and direct involvement of C-Suite Officers in decision making, providing more autonomy for pro-active actions.
A quick and meaningful recognition and reward system for holding extra key responsibilities by C-Suite Officers would not only make the system more effective but would also set a positive view, thereby more competent people would come forward for such roles.
Thus C-Suite Officers are proving themselves as gamechangers across the BFSI sector, including in Public Sector Banks!
How vital is building an effective Data Loss Prevention Programme for a bank?
Banks are dealing with a huge stock of data covering customers’ Personally Identifiable Information (PII) data, their financial and other transactional data. This data is primarily of proprietary, confidential and sensitive category. Bank’s systems are accessible not only from branches but also through the internet, though selectively. Management Information System (MIS) and Report Servers also contain a huge chunk of past and current data, both private and confidential in nature.
Many services in banks are either outsourced or involve the processing of data through external entities. Even audits are to be outsourced for external and independent assurance. Though Non-Disclosure Agreements (NDAs) are executed in all the cases and due diligence is exercised, there is always a rise in the surface area of data and information sharing, as the data is handled by various users, systems and processes at all the respective entities.
The data is real “crown jewel” for any organisation and it is the “oil” which is used, every now and then, processed and reprocessed, time and again to derive more business and more profits! Data is the basic building block of information, on which we all survive through various means of processes and lookouts.
However, losing this vital data/ information is just a matter of unplugged small gaps in controls and within minutes, a huge chunk of data can be leaked through various ways and means, as systems are connected with network, selectively enabled with USB/ CD/ DVD drives and having internet connection.
Data can be pilfered through e-mails, malware attack, unpatched vulnerabilities in systems, gaps in configuration rules and disposal of old media/ devices/ systems. In addition to the above, highly sensitive data like passwords, logs, configuration files, firewall rules etc. are another set of key information, liable to be protected with utmost care and at all costs.
Therefore, a robust Data Loss Prevention Policy and Solution should be carefully built in banks and any gaps or scope for Data Leakage should be blocked as a mission of Information Security, though ensuring that legitimate users are not at discomfort.
Similarly, all the users should also be very mindful in dealing with data, as data leakage is a huge risk for any organisation, especially for banks who deal with public money. A detailed and conservative approach for data loss prevention, unqualified support of top management in achieving the same through all the stakeholders, strict and periodic focused audits against data loss/ leakage should be conducted.
The data classification policies and rules should be updated, as and when required. Additionally, a solution with enterprise level implementation of DRM (Digital Rights Management) would be a step ahead, but the huge costs need to come down and there should be more industry players to offer practical enterprise level solutions, suitable for BFSI sector.
What measures and mechanisms did Allahabad Bank deploy to secure data and information?
Security is always implemented through all the layers involved. Security is also meant to be upgraded with pace of time, matching with the discovery of newer risks. Allahabad Bank has recently implemented Cyber Security Operation Centre with 12 solutions viz SIEM, DLP, WAF, DAM, PROXY, PIM, VAS, NAC, MDM, Anti APT, EPP and Anti DDoS. The purpose of information security is to provide reasonable assurance of protection to information assets of the organisation, in which data/ information is a prime object.
The bank has disabled USB ports for media access in all the systems, except for authorised systems for the bonafide need of media access. Bank has also implemented Domain Policy for login which also ensures that unauthorised software cannot be used. System IPs bound to the original MAC are whitelisted to access outside the local offices, even for intranet.
The bank is also ISO27001 certified for ISMS practices at DC and DR centres.
What role does Cloud in business play in risk mitigation?
Implementation of centralised controls and recovery methods are used in Risk Mitigation approaches in computing environments. Cloud Computing provides various means of use of vast IT Infrastructure, Process, Administration, Security Controls with required segregation of data, security of data, systems/ processes etc.
Therefore, ensuring standard checklist based controls, high standard of encryptions, deploying best administrators and adopting best industry standards is much easier and affordable. Scalability, cost reduction, pay as per use are other intangible benefits of cloud computing.
How important is social media in ensuring asset management for business?
Usage of social media has very rapidly evolved in recent years and users of banking services are not an exception. Social media provides an escalated level of interaction between bank and the customers.
Social media provides vital insight into customer’s preferences, expectations and creating such channel dedicated to handle customers investment and service related requests, account management for payment solutions would result in effective asset management for business.
With self-servicing model of Apps/ Internet-enabled services, the cost to organisations has also come down drastically. There is no need for opening offices/ branches to run the business. Presence of variety, quality, ease and innovation of internet/ app-based services are key differentiators.
Digital marketing is very dynamic and quick due to social media. Thus, in a hyper-connected world, where customers are already inter-connected with various social media & e-commerce options, they can “make or break” any online business in almost no time, based on sharing of their experience not only among themselves, but also online with Government, Regulator and Competitors already available on social media, as people are the main asset of any business.