Kotak Mahindra Bank Charts Information Security Map

FP Archives February 2, 2017, 22:07:03 IST

The objective was to put a system in place to identify and plug the loopholes that could compromise the information security of the organisation.

The foremost requirement for a close-to-foolproof information security system within enterprises is charting out a Risk Management Programme. One must have a thorough knowledge about the kind of cyber threats that are hovering in the ecosystem; the next step is to make employees aware about those threats.

Another area that sometimes remains missing from the realms of Information Security Management is the risk prevalent in Project Management and Service Delivery. An information security strategy should be comprehensive enough to cover all the aspects of the IT environment. It should go beyond the data centre and cut through business processes.

Network security is another component to be taken care of as part of the Risk Management Framework. Usually, firewalls and Intrusion Prevention Systems are considered the standard armaments for network security; however, as cyber attacks become more organised, the line of defence must also be strengthened further. A 'layered defence approach' is suggested, in which every point of presence is given its own independent security layer, from a unit as small as the desktop right up to the data centre.

The Kotak Experience

Ramesh Lakshminarayan, executive vice president and group head, Information Technology & Infrastructure, Kotak Mahindra Bank, shares the experience of the massive Information Security exercise undertaken at the bank.

“Initially, the challenges before us were manifold. We realised that the information leakage points existed in the form of every individual machine as we lacked a specific set of rules for handling various types of hardware like USBs, floppy disks etc,” says Lakshminarayan.

It was decided to design a framework around IT for tightening the IT environment. The objective was to put a system in place to identify and plug the loopholes that could compromise the information security of the organisation. “We wanted to make every employee realise his/her responsibility towards security of the organisation,” says Lakshminarayan.

The bank started with a review of the Information Security landscape, as it existed, along with a study of the business processes.

Security partners were engaged, and a novel way was devised to engage with the management and the employees and bring home the threat the organisation faced due to the lack of rules.

The partners were asked to collect whatever they could from different areas, including work areas, server rooms, dust bins, trash areas, etc., over twenty days. The exercise concluded with some startling revelations. To everybody’s surprise, it was found that important documents like customer files, strategy documents, etc. were not being handled carefully enough. When the documents reached the point at which they were no longer needed, they were not destroyed or disposed of properly.

After this exercise, an Information Security team of 60-70 officers was constituted to review all business processes across all the units of Kotak, including insurance, brokerage, banking, etc.

The team conducted training sessions, made presentations, showed videos (during lunch and tea breaks), etc. “We also organised Q&A sessions for educating employees to conduct their respective activities with security on top of their minds,” says Lakshminarayan. Some of the educational activities covered day-to-day tasks such as securing a laptop and kick-starting a safe boot-up process.

The entire programme was aimed at understanding the business processes and simultaneously educating employees on Information Security.

After nine months of sustained effort, Kotak Mahindra Bank had identified the risks associated with its various business processes. The processes were classified into three categories, viz. high risk, medium risk and low risk. The related threats were listed out, and solutions were then obtained on a strategic basis.
