A NASSCOM ® Initiative DSCI-KPMG Survey 2010 State Of Data Security and Privacy in the Indian Banking Industry Vinayak Godse Director- Data Protection,

DSCI-KPMG Survey 2010: State of Data Security and Privacy in the Indian Banking Industry
Vinayak Godse, Director - Data Protection, DSCI
19th April, 2011

State of Data Security and Privacy in the Banking Industry

Coverage: PSU, private and foreign banks

Areas of survey: contemporary to industry need | current challenges | practices | technology trends | compliance expectations

Objective of survey:
- In-depth assessment of the areas under coverage
- Insights into the state of security and privacy
- Understanding of the characteristics and structure of the initiatives
- Evaluation of the maturity of practices and approach
- Benchmarking against security and privacy trends

Execution: comprehensive questionnaire; industry consultation | Project Advisory Group | interaction with professionals; interviews, personal and telephonic

Security Organization

CISO reporting line (reporting to top management: 45%):
- Executive Director (ED)
- Chief Risk Officer (CRO)
- Chief Financial Officer (CFO)
- Chief Information Officer (CIO) / Chief Technology Officer (CTO)
- Chief Operating Officer (COO)

CISO role and time spent (operational, tactical and strategic work) across a typical day:
09:30 Review security reports coming from different tools, solutions and operational groups
10:30 Participate in business strategy meetings on the security implications of new initiatives
11:30 Interact with lines of business on their security requirements
12:00 Interact with IT teams on installation, administration and maintenance of security devices
12:30 Interact with support functions such as HR, Finance and Admin on enforcing measures in their departments
14:00 Review the state of security in lines of business, their applications and systems
15:00 Oversee ongoing security projects
15:30 Review and approve change requests
16:00 Check for new issues, threats and vulnerabilities
17:00 Review the operational teams
17:30 Issue guidelines to enterprise units on specific or general security measures

Security Organization: Task Distribution

Roles across which tasks are distributed: CISO | Compliance | IT Security | IT Infra | External

Security tasks:
- Security strategy and plan
- Preparing security policies and procedures
- Implementation of the policies and procedures
- Defining and managing the security architecture
- Security solutions evaluation and procurement
- Installing security solutions, products and tools
- Administration of security technologies
- Application security testing, code review, etc.
- Security monitoring
- Reporting, investigating and closing security incidents
- Keeping track of evolving regulatory requirements

Maturity: Security and Privacy Practices

Security (adoption figures shown on the slide, in order: 90%, 65%, 60%, 40%, 35%):
- Constant review to assess the security posture in the wake of new threats and vulnerabilities
- Significant effort dedicated to collaboration with external sources and internal functions
- Focus on innovation in security initiatives
- Security solutions are given an architectural treatment
- Techniques such as threat modeling and threat trees, and principles such as embedding 'security in design', are proactively adopted

Privacy (adoption figures shown on the slide, in order: 58%, 53%, 47%, 43%, 32%, 26%, 16%):
- An understanding of the different roles and entities (data subject, controller, etc.)
- A PIA is performed for new initiatives and changes
- Understanding of privacy principles and their applicability
- Technology, solutions and processes are deployed for privacy
- A dedicated policy initiative for privacy
- Processes are reviewed regularly from a privacy perspective
- The scope of the audit charter is extended to include privacy
- Embedding privacy in the design

Customer Awareness

Privacy (figures shown on the slide, in order: 53%, 47%, 37%, 26%, 11%):
- Customer notification on changes to the policy
- The policy clearly spells out the restriction on disclosure of information to third parties
- Users are given access to their information and a provision to correct or update their data
- Links to the policy are available on all important user-centric data forms
- Customer acceptance of the privacy policy is taken before banking services are provided
- Limitations imposed on the collection and usage of PI

Security (figures shown on the slide, in order: 53%, 47%, 37%, 26%, 11%):
- Providing demos of secure usage of banking services
- Real-time security messages while executing transactions
- Publishing security messages on different communication channels
- Spreading awareness through public media
- Conducting dedicated customer awareness programs

Data and Card Security

Card data (figures shown on the slide, in order: 53%, 47%, 40%, 27%):
- Masking the card number (PAN) in all user communication and transaction notifications
- The scope of card security is extended to the designated merchants as well
- The card expiry date is not printed, nor stored on the merchant side
- Card data stored in log files is kept in encrypted form
- Encryption of stored authorization information

Data security (figures shown on the slide, in order: 80%, 75%, 65%, 55%, 50%):
- Involvement of process owners and lines of business in data security initiatives is ensured
- For each partner/third-party relationship or process, there is awareness of how the data is managed throughout its life cycle
- Data classification techniques have been deployed and are followed rigorously
- Uniformity of controls is maintained when data moves between different environments
- Granular visibility exists over financial and sensitive data

Transaction Security

Application Security

Application security program (figures shown on the slide, in order: 65%, 60%, 55%, 40%, 35%, 15%):
- Security testing of applications includes code review
- A mechanism to identify the criticality of each application
- Application security (AS) is derived from a well-defined security architecture
- Lines of business are involved in AS initiatives
- AS is integrated with incident management
- Compliance requirements are mapped to in-scope applications
- A dedicated application security function exists
- Techniques such as threat modeling and threat trees are adopted
- The developer community is involved in AS initiatives
- AS is an integral part of application lifecycle management

Tool adoption (figures shown on the slide, in order: 30%, 25%, 10%):
- Enterprise tools to integrate security into the application lifecycle
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)

Threat tracking (figures shown on the slide, in order: 65%, 60%, 50%, 40%):
- Subscribing to analyst reports
- Security research reports
- Mandating the vendors / third parties
- Security forums on the Internet
- Subscribing to vulnerability and exploit databases

Incident, Fraud and Compliance

Incident and fraud management (figures shown on the slide, in order: 74%, 68%, 58%, 53%, 47%):
- An inventory of all the possible scenarios that lead to incidents and fraud
- Collaboration with CERT-IN
- Support for forensic capabilities
- Integration with the organization's IT processes for remedial actions
- Collaboration with external knowledge sources
- Scope extended to third parties
- Real-time monitoring mechanisms exist that can proactively detect anomalies
- Mechanisms that generate incidents based on patterns and business-rule exceptions
- A mechanism to define detective and investigative requirements

Response to the IT (Amendment) Act (figures shown on the slide, in order: [value missing]%, 35%, 20%, 15%):
- Developing strong forensic investigation capabilities
- Identifying the flow of personal information into the organization
- Revising the organization's security policy
- Identifying and making an inventory of scenarios
- Creating awareness amongst contractors and third-party employees

Benchmarking

Benchmarking: Bank XYZ

Thank you