Managing information explosion is a challenge for every enterprise and securing it is more of a concern. So, how can companies avoid massive security breaches, especially those who are involved in a host of businesses and have diverse requirements? Kotak Group has recently implemented a comprehensive risk management programme called ‘Aristi,’ to secure each company in the group.
In order to have a successful and apt risk management programme, the Kotak Group studied close to 4000 business processes across the group to identify loopholes and plug them for better risk management. Earlier, according to the company’s assessment, risk management and information security were loosely handled.
The Challenge
Ramesh Lakshminarayanan, Former Exe. VP and Group Head, IT & Infra - Kotak Mahindra Bank, said, “As an organisation, risk management, information security and compliance were focused on more from a technology angle. While this was a good practice, it was not enough to fulfil the holistic needs of the group. The final objective of ‘Aristi’ was to make business drive information security in the organisation.”
For the project, Kotak Group wanted to garner business participation from all, inculcating information security as a part of their functional responsibilities; however, the prevalent security posture was not up to the mark. The CIO’s office wanted to convince the management of the need for a comprehensive risk management programme, which was a compelling task. So, how did they get the buy-in?
A Novel Way of Getting the Buy-In
Mahindra Special Services Group (MSSG) helped do a quick dipstick test of the entire Kotak landscape (interestingly the MSSG was given complete freedom to visit Kotak Group’s building to look for loosely lying important documents, classified information written on pieces of paper, customer files with call centres, etc.). Post this exercise the group gauged the health of the organisation from a business security point of view. The results (filed with the management committee) of the dipstick test revealed that the group had a long way to go in managing information security.
The revelations were startling: data was being copied onto floppies and CDs (basically onto external storage devices), files were freely available in cabinets, information was passed around the organisation with few restrictions and, above all, customer information was found with tele-calling agencies.
Five Point Risk Management Programme – ‘Aristi’
After realising the trouble that the group was in, a five point Risk Management Programme, ‘Aristi’, was instituted.
The first point on the agenda was to get buy-in from the senior management, followed by creating an educational programme and building channels for training. Thirdly, the group wanted to identify the information and security departments and identify loopholes in the processes. After identifying the processes, the fourth track was to put in the right controls to remediate the issues. Lastly, the group wanted to make the programme a part of the daily business operations. This programme was subject to tweaking as the situation demanded.
‘Aristi’– Putting it Into Practice
The implementation process required a human touch. The CIO’s office, along with the senior management, organised a team meet at an offsite location and conducted workshops that detailed how information and security issues should be approached in the organisation.
The workshops were interactive: they presented cases and situational studies to the senior management, who then came up with solutions by putting a value on the asset involved in each incident and understanding the potential loss from it.
After the workshop, the group focused more on knowledge and educating others across various levels in the organisation. They actually set up a demonstration in the office during tea and lunch breaks, which included a video of the MSSG exercise, the risk points and the controls to remediate the risks.
“The Business Information Security Officers (BISOs) and others from the information security team were provided small tools to strengthen the information security,” said Lakshminarayanan. These include encryption tools for email, entitlement tools to ascertain that the right people are authorised to access files, and the like. The importance of authorisation increases given the fact that, in spite of a secure file system configuration, loopholes do exist.
Kotak’s heterogeneity of lines of business (LOBs) was a challenge. Every business has a distinct business process cycle, and thus the treatment has to be in accordance with it as well. There is no one-size-fits-all approach.
For example, the importance of research and M&A documents in an investment banking LOB is far higher than in a retail LOB. “I am not saying it’s not important, but the kind of controls would be different,” said Lakshminarayanan. The respective LOB head has to be briefed accordingly.
“LOB heads were taken into confidence while mapping the business process cycle, risk identification and remediation,” explained Lakshminarayanan.
Sustaining the Programme is The Real Challenge
“We had a thorough debate about this in our last audit committee meeting,” said Lakshminarayanan.
Audit is a key part of ‘Aristi’. The audit team is informed about the top ten risks of all the LOBs, and they scan through these risks during their regular audits.
“Secondly, to back the audit process we have a self-assessment programme in place too,” informed Lakshminarayanan. The LOBs certify themselves on a quarterly basis after following the procedures of the programme, and the results are looped back into the audit process.
With such an extensive project at hand, the Kotak Group is seriously thinking about information security and has taken steps to secure the group from a 360 degree perspective. This is especially important in today’s scenario, where data theft and fraud have become an everyday thing.