Excerpted from the inaugural address by Dr K C Chakrabarty, Deputy
Governor, Reserve Bank of India], at the IBA-DSCI Conference on 'Security Framework in Indian Banks', in Mumbai on April 26, 2010.
Information is at the heart of today's business, and the all-pervasive impact of
information technology in harnessing, collating and processing huge volumes of
information is definitive.
In this scenario, the need for ensuring that information is kept confidential
adhering to accepted norms of privacy and making it available to authorized
users at the appropriate time assumes great significance.
This is particularly valid for the banking sector where day-to-day operations
are centered on information and information processing, which in turn is highly
dependent on technology.
Banking as a business involves the management of risks based on a repository of
trust extended by the customers. If this objective has to be accomplished, it
becomes imperative for all security concerns especially customer sensitive data
to be addressed in an effective way so as to ensure that the trust levels are
well preserved and information assets perform the role that they are supposed
to. In addition, banking is poised to be omnipresent through facilities such as
'Anywhere and Anytime Banking', proliferation of services offered through ATM
networks, IT enabled instant remittances across banks, customer payments, mobile
payments and many more.
The giant project of ICT-supported financial inclusion is all set to change the
face of Indian banking by making banking services fully inclusive.The last decade witnessed a sea change in the way banking services are made
available to customers. With the interlinking of ATMs, the customer has been
further transformed into constituent of the financial sector rather than a bank.
The time is now appropriate to review the adequacy of the measures taken by
banks. As the banks and IT industry came up with layers of protection for their
systems, fraudsters, hackers and a bewildering variety of other such entities
made voracious attempts at breaking the security layers. When the application layer was fortified, the attention was on to break the
network layer. When the network equipment manufacturers hardwired the security
protocol making it extremely difficult to break them, the attack switched over
to the internet servers.
Activities like phishing require customers and bankers to migrate to the higher
levels of security. While these examples relate to Internet-based banking, the
latest dimension relates to security for mobile banking. It is to be recognized that information security has two important dimensions,
namely:Protection of investment in information assets and to the actual information thereon, and, Availability of assets for use whenever and wherever required.It is necessary to address basic concerns relating to safety and security of
information and communication technology (ICT) assets, to data and to information pertaining to the bank as a whole and the customer in particular.Against this background, I thought that it would be
appropriate to define a set of best practices which would enhance the value of IT security.
I prefer to christen them as the 'Ten Commandments of IT security/management in
banks'. I shall dwell briefly on each of these now.
1. Thou shall take adequate care of the human factor in IT implementation
IT security is more often than not a people related aspect than a technical
issue. This is applicable to both insiders and customers of banks as well. There
is a need to be vigilant against an insider who may know more than what is
required and when aided with unfettered access, could wreak havoc on the bank
concerned. Equally important is a customer who exploits technology loop holes for malafide
intentions. It is thus imperative that IT Security parameters provide adequate
focus on the set of people directly related to the systems in addition to the
targeted audience as well. In this connection, communication in a language
understood by these stakeholders assumes critical importance.
2. Thou shall ensure permeation of IT security throughout the organisation
World over, it has been recognized and accepted that IT security is optimal if
the implementation is top driven. The cue for this is that the top management of banks need to provide a
missionary zeal for implementing IT security; their efforts would automatically
ensure that the IT security related procedures are effectively implemented
across all levels in the banks.
3. Thou shall have clear IT security policies and procedures
One of the main characteristics of banking in India relates to the existence of
well documented policies and procedures pertaining to their areas of operation.
The IT security domain, however, cannot boast of a similar level of compliance.
Well laid down processes and procedures not only enhance employee efficiency but
also aid a great deal in ensuring that there is clarity of objective apart from
acting as a veritable guide to the conduct of operations in a safe and secure
manner. It is also imperative that these procedural requirements are fully
disseminated to all sections of the staff for their unflinching compliance at
4. Thou shall take action at the appropriate time
It is almost impossible to achieve complete IT security in any organisation.
Addressing IT security related concerns and breaches thus assume significance.
The watch word here is timeliness; it is only those banks which take quick
corrective action which can survive the onslaught of security breaches.
Such prompt action is possible only if the banks have already put in place well
defined systems and procedures. The need to focus on attempted security
violations also needs to be taken care of since these offer themselves as
excellent early warning signals which, if left unattended or improperly
attended, may result in substantial losses and a small lapse often becomes a
mega event due to lack of right decision at the right time.
5. Thou shall ensure that adequate resource capability is provided for
An effective IT security framework cannot be implemented in isolation. It is
imperative that all resources which facilitate the accomplishment of this
objective are adequately provided for. These include adequate personnel, effective and efficient IT systems, good
vendor management policies, and sound IT / ARE Audit mechanisms. Costs are
certainly associated with these but the benefits accruing on account of reduced
impact of IT security breaches more than compensates for the costs incurred in
6. Thou shall provide for optimal business process re-engineering
Most IT implementations in the Indian Banking scenario are replicas of the
manual work processes which have been only tweaked to perform in an IT-enabled
environment. The result is the existence of redundant processes and loss of
Business process re-engineering leads to cost savings, better work flows,
improved efficiency and better customer service levels as business process
systems are cross-functional, i.e. the system boundary is not within a single
function but actually goes across boundary lines.
7. Thou shall take care of obsolescence issues for IT security as well
Perhaps the only industry in today's world where advancements are very rapid and
every advancement brings in its wake reduced costs for adoption is the ICT
Network based communication has reached rock-bottom levels as far as costs are
concerned while the prices of IT systems have exponentially reduced. The rapid degree of product and feature obsolescence in the IT industry is a
formidable challenge for banks. Such obsolescence needs to be tackled in a
systematic and proactive manner for mutual benefit of the banks and their
Care needs to be, taken in such a way that upgradation to take care of
technology obsolescence is performed in a scientific manner and on a need-to-upgrade basis. This would help banks avoid falling into the
technology-obsolescence trap requiring huge sums of money for to come out.
8. Thou shall provide a framework for incident management
Security related incidents cannot be wished away. The best tool towards an
effective IT security framework would thus be one which acknowledges such
security instances and provides for a framework for appropriate incident
reporting within the organisation and to the regulators.
Such a mechanism would provide insights into the security violations and other
such attempts, but the single largest beneficial factor would be the development
of a set of knowledge workers who hold the key to success of any IT based
initiative by banks in a country which can boast of some of the best IT
companies runs by effective IT czars.
9. Thou shall take care of data quality and integrity
The most vital component of IT security is the data which forms part of the IT
enables business processing system. Data is hard to get or create, easy for
misuse and is tough to be channeled towards beneficial interpretation resulting
in meaningful analysis.
To this end, banks need to work out effective standards aimed at high levels of
data quality and integrity. I am reminded at this juncture of a book called
Database Nation written by Simson Garfinkel which outlines the death of privacy
in the twenty-first century.
The author skillfully elucidates the various facets governing data piracy while
concluding that the owner of one's own private information is not himself! Banks
cannot afford to fall into this category and data refinement is one approach
which would facilitate good data management with adequate levels of protective
10. Thou shall provide for IT security as a way of life
The last commandment is more like a synopsis but is at the heart of all IT
security related initiatives. IT security cannot be viewed in isolation; neither
can it be implemented in fits and starts.
Examples of good IT security implementation reveal that good IT security
features are impregnated as essential requirements in a normal way of life. As
banks, we need to imbibe the security culture in our normal day-to-day
This is a challenging and daunting task since the normal human mind is more
attuned towards an easy, laissez faire approach towards reduced security so as
to enhance convenience.
IT security does add on to inconvenience as it does towards increased costs, but
it is economical in the long run.While there have been conscious efforts on the part of the regulator as well as
regulated entities, I still feel there is considerable scope in working towards
having a uniformly accepted standards and practices for operational risks
especially information security risks across all financial institutions.
It is in this context that I have attempted to set out the standards for IT
security. I am sure that in the world of today where only the fittest have any
chances of survival, our banks will not only survive but also grow in prosperity
and mature as well, using the best of information and communication technology.
I am sure that the conference would be thought stimulating, packed with high
energy contents and be rewarding to you all. Let me conclude now by wishing the
conference all success.
K C Chakrabarty