RBI Security Policies
In Step With the Times
RBI is leaving no stone unturned to ensure that banks evolve from being late users to the best implementors of technology
SHILPA SHANBHAG, shilpas@cybermedia.co.in (With inputs from Onkar Sharma)
DATAQUEST | A CyberMedia Publication | October 31, 2011 | www.dqindia.com
Technology has touched lives in more ways than one and the banking sector is one of the recent beneficiaries to vouch for it. Technology has been used across many areas of the banking business in India. Banks have been taking up new projects like data warehousing, customer relationship management, and financial inclusion initiatives to further innovate and strategize for the future and to widen the reach of banking. Keeping in view the changing threat milieu and the latest international standards, it was felt that there was a need to enhance RBI guidelines relating to the governance of IT, information security measures to tackle cyber fraud apart from enhancing independent assurance about the effectiveness of IT controls.
Viewpoint Corner
Prasad CVG, CIO, ING Vysya Bank, says, “The RBI guidelines reflect the regulator’s seriousness in maintaining robust cyber security levels in banks and financial institutions. The document covers most of the concerns in a detailed manner and gives the liberty to banks to implement solutions that fit their working environment. Banks can do a gap analysis to understand and identify which are the solutions they need first. As the guidelines say, banks can implement first the solutions that do not require a lot of investment.”
“Information is the blood of any society and hence this highlights the reason to safeguard it the most. The information security policies are in sync with those being followed across the developed nations. This report is a right step at the right time and in the right direction,” says Dr Gandhi PC Kaza, chairman, expert board (former IGP & director, APFSL), Truth Labs.
“The report can be described as a timely step as most of the institutions are aligned to either verticals or businesses. This report lays down the framework for a uniform model of IT governance which is the need of the hour. It will surely lead to a collaborative effort,” says Muralidharan R, chief operating officer, Dhanlaxmi Bank.
“It can be described as an IT vision document for 2011-17 and is recommendatory in nature,” says B Murali Nair, chief technology officer, Lakshmi Vilas Bank.
Finer Aspects
The report mentions that the use of emerging technologies such as data center hosting, applications as a service, and cloud computing has given rise to unique legal jurisdictions for data and cross-border regulations. It was felt that banks are required to clarify the jurisdiction of their data and applicable regulations at the outset of an outsourcing arrangement. This information should be reviewed periodically and in case of significant changes performed by the service provider, it notes.
It also contains provisions in relation to use of data warehousing. “The newer banks will not face a challenge in relation to the new data warehousing guidelines as they are in line as far as automation is concerned. Meanwhile, it will be a challenge for the older banks that will have to deal with reams of data and leaps of technology to be implemented. The report requires all transactions to be done on HTP mode and discourages manual feeding of data. With 60-70 applications being operated at a time and having to deal with a large quantum of data and staff alike where many may be required to be trained also, it would be a big challenge for the older banks,” says Nair.
The new guidelines on data warehousing are needed to ensure that RBI can gain access to the bank’s systems when it requires. Considering that the BFSI segment has been a late and hesitant adopter of technology owing to the crucial data that it deals with, this is not going to be easy. But it needs to be borne in mind that in the future such an automated system will help decision support, as it will enable information-backed decisions. Currently, banks are taking decisions based on information that is either 2 or 3 years old, but access to reams of data will help in taking better informed decisions.
Technology is not the challenge; using existing infrastructure and leveraging it to match steps with the guidelines is going to be the challenge, especially in banks where less investment is allocated for technology. The need of the hour is to balance investment with IT in a witty manner. “We would like to leverage on our existing technology to ensure that we are in step with the RBI report,” says Nair.
The report also highlights the need for a CIO in a bank to play a key role in the executive decision-making function. The key role of the CIO would be to act as a bridge between the IT function and the management. It has also set the guidelines for a senior level official of the rank of GM/DGM/AGM to be designated as the chief information security officer (CISO), who would be responsible for articulating and enforcing the policies that a bank uses to protect its information assets, apart from coordinating information security related issues and implementation within the organization as well as with relevant external agencies. Under the guidelines, the CISO should report directly to the head of the risk management function and should not have a direct reporting relationship with the CIO.
“The provisions regarding creation of a function of CIO and IVO positions can be labeled as a good move as they can play a critical role in risk management,” says Prasad.
On a cautious note, Nair says, “The CIO should be a part of the IT department as he is well equipped for making informed decisions and also for explaining the needs of the IT department well.”
“It is a very good move to create a full-fledged responsibility as the CIO who will act as a bridge between the technology and business functions. Meanwhile, the CISO will be designated to protect all the crucial assets of the bank. We have kept information security as an independent function but if it becomes a part of the IT department, there will be temptations for IT infrastructure use. For small banks, AGM-IT will be responsible for the same functions as the CISO. We expect that the use of technologies will enable banks to leapfrog into a new era as IT is the backbone,” says Muralidharan.
Dr Gandhi says, “Banks can take advantage of software that enables digital analysis of fraud even when faced with the issue of limited budgets and employees. Banks can also undergo audit procedures by an individual authorized by the Government of India or Department of Information Technology. The CISO of these banks can develop software attuned to their specific interests and then undergo the process of scrutiny. They could also use forensic accounting software or fiber forensic, which we use. Use of such software will ensure that more than half of the scrutiny job is catered to. This report can be termed as the right step in the prevention and control of data security.”