Slide 1
A NASSCOM® Initiative
DSCI-KPMG Survey 2010: State of Data Security and Privacy in the Indian Banking Industry
Vinayak Godse, Director, Data Protection, DSCI
19th April, 2011
Slide 2. State of Data Security and Privacy in the Banking Industry
Coverage: PSU, private and foreign banks
Areas of survey: contemporary to industry need | current challenges | practices | technology trends | compliance expectations
Objectives of the survey:
In-depth assessment of the areas under coverage
Insights into the state of security and privacy
Understanding the characteristics and structure of the initiatives
Evaluation of the maturity of practices and approach
Benchmarking against security and privacy trends
Execution: comprehensive questionnaire; industry consultation | Project Advisory Group | interaction with professionals; interviews (personal, email and telephonic)
Slide 3. Security Organization
CISO reporting lines shown: Executive Director (ED); Chief Risk Officer (CRO); Chief Financial Officer (CFO); Chief Information Officer (CIO) / Chief Technology Officer (CTO); Chief Operating Officer (COO). Reporting to top management: 45%.
A CISO's day:
09:30 Review security reports coming from different tools, solutions and operational groups
10:30 Participate in business strategy meetings on the security implications of new initiatives
11:30 Interact with lines of business on their security requirements
12:00 Interact with IT teams on installation, administration and maintenance of security devices
12:30 Interact with support functions such as HR, Finance and Admin on enforcing measures in their respective departments
14:00 Review the state of security in lines of business, their applications and systems
15:00 Oversee ongoing security projects
15:30 Review and approve change requests
16:00 Check for new issues, threats and vulnerabilities
17:00 Review the operational teams
17:30 Issue guidelines to enterprise units on specific or general security measures
CISO role and time spent (chart categories): operational, tactical, strategic
Slide 4. Security Organization: Task Distribution
Columns of the matrix: CISO | Compliance | IT Security | IT Infra | External (the cell assignments are not captured in this transcript)
Security tasks:
Security strategy plan
Preparing security policies and procedures
Implementation of the policies and procedures
Defining and managing the security architecture
Security solutions evaluation and procurement
Installing security solutions, products and tools
Administration of security technologies: application security testing, code review, etc.
Security monitoring
Reporting, investigating and closing security incidents
Keeping track of the evolving regulatory requirements
Slide 5. Maturity of Security and Privacy Practices
Security:
Constant review to assess the security posture in the wake of new threats and vulnerabilities
Significant effort dedicated to collaboration with external sources and internal functions
Focus on innovation in the security initiatives
Security solutions are given an architectural treatment
Techniques such as threat modeling and threat trees, and principles such as embedding "security in design", are proactively adopted
Values shown on the slide: 90%, 65%, 60%, 40%, 35%
Privacy:
An understanding of the different roles and entities (data subject, controller, etc.)
PIA is performed for new initiatives and changes
Understanding of privacy principles and their applicability
Technology, solutions and processes are deployed for privacy
A dedicated policy initiative for privacy
Processes reviewed regularly from a privacy perspective
Scope of the audit charter is extended to include privacy
Embedding privacy in the design
Values shown on the slide: 58%, 53%, 47%, 43%, 32%, 26%, 16%
Slide 6. Customer Awareness
Privacy:
Customer notification of changes in the policy
The policy clearly spells out the restrictions on disclosure of information to third parties
Users are given access to their information and the means to correct/update their data
Links to the policy are available on all important user-centric data forms
Customer acceptance of the privacy policy is taken before providing banking services
Limits are imposed on the collection and usage of PI
Values shown on the slide: 53%, 47%, 37%, 26%, 11%
Security:
Providing a demo of secure usage of banking services
Real-time security messages while executing transactions
Publishing security messages on different communication channels
Spreading awareness through public media
Conducting dedicated customer awareness programs
Values shown on the slide: 53%, 47%, 37%, 26%, 11%
Slide 7. Data and Card Security
Card data:
Masking the card number (PAN) in all user communication and transaction notifications
The scope of card security is extended to the designated merchants as well
The card expiry date is not printed or stored on the merchant side
Card data stored in log files is encrypted
Encryption of stored authorization information
Values shown on the slide: 53%, 47%, 40%, 27%
Data security:
Involvement of process owners and lines of business is ensured in the data security initiatives
For each partner/third-party relationship or process, there is awareness of how the data is managed over its life cycle
Data classification techniques have been deployed and are followed rigorously
Uniformity of controls is maintained when data moves between different environments
Granular visibility exists over financial and sensitive data
Values shown on the slide: 80%, 75%, 65%, 55%, 50%
Slide 8. Transaction Security (chart content not captured in this transcript)
Slide 9. Application Security
Application security program:
Security testing of applications includes code review
A mechanism to identify the criticality of each application
Application Security (AS) is derived from a well-defined security architecture
Lines of business are involved in AS initiatives
AS is integrated with incident management
Compliance requirements are mapped to in-scope applications
A dedicated application security function exists
Techniques such as threat modeling and threat trees are adopted
The developer community is involved in AS initiatives
AS is an integral part of application lifecycle management
Values shown on the slide: 65%, 60%, 55%, 40%, 35%, 15%
Tool adoption:
Enterprise tools to integrate security into the application lifecycle
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
Values shown on the slide: 30%, 25%, 10%
Threat tracking:
Subscribing to analyst reports
Security research reports
Mandating the vendors / third parties
Security forums on the Internet
Subscribing to vulnerability and exploit databases
Values shown on the slide: 65%, 60%, 50%, 40%
Slide 10. Incident, Fraud and Compliance
Incident and fraud management:
Inventory of all the possible scenarios that lead to an incident or fraud
Collaboration with CERT-In
Support for forensic capabilities
Integration with the organization's IT processes for remedial action
Collaboration with external knowledge sources
Scope has been extended to third parties
Real-time monitoring mechanisms exist that can proactively detect anomalies
Mechanisms that generate incidents based on patterns and business-rule exceptions
A mechanism to define detective and investigative requirements
Values shown on the slide: 74%, 68%, 58%, 53%, 47%
Response to the IT (Amendment) Act, 2008:
Developing strong forensic investigation capabilities
Identifying the flow of personal information into the organization
Revising the organization's security policy
Identifying and making an inventory of scenarios
Creating awareness amongst contractors / third-party employees
Values shown on the slide: 50%, 35%, 20%, 15%
Slide 11. Benchmarking (chart content not captured in this transcript)
Slide 12. Benchmarking: Bank XYZ (chart content not captured in this transcript)
Slide 13. Thank You