New Paradigms in IT Security in Indian Banks - RBI - Reserve Bank of India
New Paradigms in IT Security in Indian Banks
Dr. K.C. Chakrabarty, Deputy Governor, Reserve Bank of India
Delivered on Apr 26, 2010
Shri M. V. Nair, Chairman, IBA and CMD, Union Bank of India, Shri B. Sambamurthy, Director, IDRBT, Shri Shyamal Ghosh, Chairman, DSCI, Dr. K. Ramakrishnan, CEO, IBA, distinguished speakers and panelists, IT and IT Security professionals, distinguished guests, ladies and gentlemen. 2. Information is at the heart of today’s business, and the all-pervasive impact of Information Technology in harnessing, collating and processing huge volumes of information is definitive. In this scenario, the need for ensuring that information is kept confidential adhering to accepted norms of privacy and making it available to authorized users at the appropriate time assumes great significance. This is particularly valid for the banking sector where day-to-day operations are centered on information and information processing, which in turn is highly dependent on Technology. This conference on “ Security Framework in Indian Banks” jointly organized by the Indian Banks’ Association, the Data Security Council of India in collaboration with the Institute for Development and Research in Banking Technology as the Knowledge partner is thus not only appropriate but also of topical relevance to banks. This joint effort on the subject is extremely laudable and I deem it a privilege to be present amidst this distinguished gathering for sharing my thoughts on the theme of today’s conference. 3. Banking as a business involves the management of risks based on a repository of trust extended by the customers. If this objective has to be accomplished, it becomes imperative for all security concerns especially customer sensitive data to be addressed in an effective way so as to ensure that the trust levels are well preserved and information assets perform the role that they are supposed to. While every banker understands the implications of financial risks, the risks arising out of the large scale implementation of technology and IT is not so well defined. Security in banks thus assumes significant proportions, comprising physical security in addition to the factors relating to security of Information and Information Systems, all of which have an impact on the reputational risk faced by banks. 4. Technology has augmented the scope, reach and coverage of banking through significant networking and the availability of a wide variety of new delivery channels to such an extent that the death of distances and death of identity has already been accomplished. In addition, banking is poised to be omnipresent through facilities such as ‘Anywhere and Anytime Banking’, proliferation of services offered through ATM networks, IT enabled instant remittances across banks, customer payments, mobile payments and many more. The giant project of ICT supported Financial Inclusion is all set to change the face of Indian banking by making banking services fully inclusive. 5. Technology implementation has benefited the banks also due to the facilitation of the Reserve Bank – both from the operational and legal perspectives. In addition, the Reserve Bank had provided the broad framework for many innovative technology based systems. The guidelines on Internet Banking, and the Guidelines for Information Systems Security / Audit in 2001 were early initiatives aimed at ensuring safe and secure technology based operations by banks. Keeping pace with time and marshalling international practices, RBI has issued broad guidelines on mobile banking and prepaid (stored) value cards. These, along with the setting up of systemically important payment and settlement systems such as Real Time Gross Settlement System (RTGS) and other retail payment systems like the Electronic Clearing Systems (Credit and Debit Clearing), the National Electronic Funds Transfer (NEFT) System, National Electronic Clearing System (NECS), Regional Electronic Clearing System (RECS), have transformed the way of banking and today’s customers have a wide array of options to choose from. All these have safety and security at the heart of the respective systems. 6. A major area where IT security assumes significance pertains to the transmission of information using IT as a channel for communication. Traditionally, paper based systems have been subject to certain controls to ensure that the basic requirements pertaining to genuineness, authenticity, etc. are met with. These included verification of signatures, ensuring that there are no corrections, or if there are corrections, these are authenticated properly and so on. In the IT-based scenario, these aspects gain greater importance not only because of the speed with which IT based electronic information flows but also on account of the potential havoc that could arise on account of incorrect instructions. 7. The last decade witnessed a sea change in the way banking services are made available to customers. The implementation of Core Banking Systems has proven to be a big boon in providing anywhere access to banking services and the treatment of a customer as that of a bank and not as a constituent of a specific branch. With the interlinking of ATMs, the customer has been further transformed into constituent of the financial sector rather than a bank. Alongside, the banking sector has made significant efforts to identify security gaps in an IT enabled scenario and have addressed them effectively as well. The time is now appropriate to review the adequacy of the measures taken by banks. As the banks and IT industry came up with layers of protection for their systems, fraudsters, hackers and a bewildering variety of other such entities made voracious attempts at breaking the security layers. When the application layer was fortified, the attention was on to break the network layer. When the network equipment manufacturers hardwired the security protocol making it extremely difficult to break them, the attack switched over to the internet servers. Activities like phishing require customers and bankers to migrate to the higher levels of security. While these examples relate to Internet-based banking, the latest dimension relates to security for mobile banking. As the horizon of ICT keeps widening, the security gaps also keep rising, leaving the banks and customers lagging. It becomes essential that bankers, regulators, ICT manufacturers and system providers, software professionals and auditors all work in unison to proactively identify, anticipate and plug the gaps as a regular activity instead of acting after fraudulent attempts fructify. It is to be recognized that Information Security has two important dimensions, namely:–
8. Management of fraud or attempted fraud throws open the challenge of response time in reacting which is very critical to avert further frauds and loss of valuable customer information. With advancement and globalization, cross border banking, cyber crimes from specific geographic zones would take deep roots if the cyber crimes are not responded in quick time. The entire industry would be benefited by swift action and system of reporting under a common umbrella, for which set standards specifying the action to be initiated at such times is clearly indicated. . Though compliance to CERT (i.e Computer Emergency Response Team) requirements would address this issue to some extent, it would be preferable to have a dedicated institutional set-up for the financial sector to report security breaches, quick responding team for major breaches, monitoring compliance and reporting to the regulators. I believe that IDRBT can play a nodal role towards building such a set up. The major challenge would be to foresee the possibility of a fraud taking place and to have systems in place to avert them let alone responding to them after the event. It is necessary to address basic concerns relating to safety and security of Information and Communication Technology (ICT) assets, to data and to information pertaining to the bank as a whole and the customer in particular. 9. Against this background, I thought that it would be appropriate to define a set of best practices which would enhance the value of IT security. I prefer to christen them as the ‘Ten Commandments of IT Security/Management in Banks’. I shall dwell briefly on each of these now.
10. Having set out the commandments; let me share a few thoughts of immediate operational relevance to banks. We have seen that the security standards has been evolving over the years and maturing along with the advancement of hardware and software applications. Financial sector has also been fine tuning and catching up with the global standards. All regulated entities have IT policy driven by their board and this policy has various sub-policies such as Information Security Policy. The latest is the security standards for mobile banking. Banks have also put in place mechanism for IS Audits and these are seriously reviewed by the Audit Committee of the Board of the banks. While there have been conscious efforts on the part of the regulator as well as regulated entities, I still feel there is considerable scope in working towards having a uniformly accepted standards and practices for operational risks especially information security risks across all financial institutions. It is in this context that I have attempted to set out the standards for IT security. These are not intended to add on to the existing complexities facing banks in their normal operational levels; on the other hand, those banks which follow these would be well insulated against future shocks arising out IT security related outages. I am sure that in the world of today where only the fittest have any chances of survival, our banks will not only survive but also grow in prosperity and mature as well, using the best of Information and Communication Technology. The deliberations during the Conference would add value to the audience and I am sure that all of you would be more enlightened and be the better knowledge workers of tomorrow. It is this goal which we would have to achieve and to this end, I wish each and every one of you God speed and success. I am sure that the Conference would be thought stimulating, packed with high energy contents and be rewarding to you all. Let me conclude now by wishing the Conference all success. Thank you. . Inaugural Address by Dr K C Chakrabarty, Deputy Governor, Reserve Bank of India, at the IBA – DSCI Conference on :Security Framework in Indian Banks”, Mumbai, India, April 26, 2010. Assistance provided by Shri G Padmanabhan, Shri S Ganesh Kumar, and Shri A Madhavan is gratefully acknowledged. |