DSCI-KPMG Survey 2010


Page 1: DSCI-KPMG Survey 2010

A NASSCOM® Initiative

DSCI-KPMG Survey 2010

State Of Data Security and Privacy in the Indian Banking Industry

Vinayak Godse, Director - Data Protection, DSCI

19th April, 2011

Page 2: DSCI-KPMG Survey 2010

State of Data Security and Privacy in the Banking Industry

Coverage: PSU, Private and Foreign Banks

Areas of Survey:

Contemporary to Industry need | Current Challenges | Practices | Technology Trends | Compliance Expectations

Objective of Survey:

In-depth assessment of the area under coverage

Insights into the state of security and privacy

Understand characteristics and structure of the initiatives

Evaluation of maturity of practices and approach

Benchmarking with security and privacy trends

Execution: Comprehensive questionnaire | Industry consultation | Project Advisory Group | Interaction with Professionals

Interview- Personal, Email and Telephonic

Page 3: DSCI-KPMG Survey 2010

[Chart: Position of the security function. Reporting line of the CISO, by share of banks (axis 0 to 100%), across Executive Director (ED), Chief Risk Officer (CRO), Chief Financial Officer (CFO), Chief Information Officer (CIO) / Chief Technology Officer (CTO) and Chief Operating Officer (COO); plotted values as extracted: 50, 25, 10, 5, 5.]

Reporting to Top Management - 45%

9:30 Review security reports coming from different tools, solutions & operational groups

10:30 Participate in business strategy meetings for security implications of new initiatives

11:30 Interact with lines-of-business on their security requirements

12:00 Interact with IT teams for installation, administration & maintenance of security devices

12:30 Interact with support functions like HR, Finance and Admin for enforcing measures in their respective departments

14:00 Review state of security in lines-of-business, their applications and systems

15:00 Oversee ongoing security projects

15:30 Review & approve change requests

16:00 Check for new issues, threats and vulnerabilities

17:00 Review operational teams

17:30 Issue guidelines to enterprise units on specific or general security measures

CISO Role & Time Spent (Operational | Tactical | Strategic)

Security Organization

Page 4: DSCI-KPMG Survey 2010

[Matrix: which function owns each security task; the cell markings were not preserved in the extracted text.]

Security Tasks | CISO | Compliance | IT Security | IT Infra | External

Security strategy plan

Preparing security policies & procedures

Implementation of the policies & procedures

Defining & managing the security architecture

Security solutions evaluation and procurement

Install security solutions, products and tools

Administration of security technologies

Application security testing, code review, etc.

Security monitoring

Report, investigate and close security incidents

Keep track of the evolving regulatory requirements

Security Organization - Task Distribution

Page 5: DSCI-KPMG Survey 2010

Maturity – Security and Privacy Practices

Security practices (in slide order) | % of banks
Constant review to assess security posture in the wake of new threats & vulnerabilities | 90%
Significant efforts are dedicated to ensure collaboration with external sources & internal functions | 65%
Focus given to innovation in the security initiatives | 60%
Security solutions are provided with an architectural treatment | 40%
Techniques such as threat modeling, threat tree, and principles such as embedding ‘security in design’ are proactively adopted | 35%

Privacy practices (in slide order) | % of banks
An understanding of different roles, entities (data subject, controller, etc.) | 58%
PIA is performed for new initiatives & change | 53%
Understanding about privacy principles and their applicability | 47%
Technology, solutions and processes are deployed for privacy | 43%
A dedicated policy initiative for privacy | 32%
Processes reviewed regularly from privacy perspective | 32%
Scope of audit charter is extended to include privacy | 26%
Embedding privacy in the design | 16%

Page 6: DSCI-KPMG Survey 2010

Customer centric privacy (in slide order) | % of banks
Customer notification for change in the policy | 53%
The policy clearly spells out the restriction on disclosure of the information to third parties | 47%
Users are given access to their information & provision to correct/update their data | 37%
The links to the policy are available on all important user-centric data forms | 26%
Customer acceptance of the privacy policy is taken before providing banking services; limitation imposed on collection and usage of the PI | 11%

Customer security awareness (in slide order) | % of banks
Providing demo for secure usage of banking services | 53%
Real time security messages while executing transactions | 47%
Publishing security messages on different communication channels | 37%
Spreading awareness through public media | 26%
Conducting dedicated customer awareness programs | 11%

Customer Awareness

Page 7: DSCI-KPMG Survey 2010

Card data security (in slide order) | % of banks
Masking the card number (PAN) in all user communication & transaction notification | 53%
The scope of card security is extended to the designated merchants also | 47%
Card expiry date is not printed and not stored at the merchant side | 40%
Storing the card data in log files in encrypted form | 40%
Encryption of stored authorization information | 27%

Data security (in slide order) | % of banks
Involvement of process owners and lines of business is ensured in the data security initiatives | 80%
For each of the partner/third-party relationships or processes, awareness exists of how the data is managed across its life cycle | 75%
Data classification techniques have been deployed and followed rigorously | 65%
Uniformity of controls is maintained when data is moving between different environments | 55%
Granular visibility exists over the financial and sensitive data | 50%

Data & Card Security

Page 8: DSCI-KPMG Survey 2010

Transaction Security

Share of banks applying each control, by transaction type:

Transaction | Login ID/Password | Virtual Keyboard | Risk based Authentication | Separate Transaction Password | OTP | Identity Grid | SMS verification | SMS Alert
Account Logging | 89% | 67% | 11% | 28% | 11% | 11% | 17% | 28%
Checking A/C Statements | 88% | 47% | 0% | 6% | 6% | 0% | 0% | 0%
Register Payee | 78% | 56% | 6% | 39% | 22% | 6% | 44% | 50%
Profile change | 88% | 56% | 6% | 31% | 13% | 6% | 19% | 38%
Money transfer to self | 82% | 53% | 0% | 47% | 18% | 6% | 0% | 59%
Money transfer to other | 76% | 59% | 6% | 65% | 29% | 6% | 24% | 71%
Paying utility bills | 65% | 53% | 0% | 47% | 18% | 6% | 18% | 47%
Online purchases | 76% | 53% | 6% | 59% | 12% | 12% | 18% | 65%
Service Requests | 82% | 59% | 0% | 24% | 6% | 6% | 0% | 29%

Page 9: DSCI-KPMG Survey 2010

Application Security Program (in slide order) | % of banks
Security testing of applications includes code review | 65%
A mechanism to identify the criticality of each application | 65%
Application Security (AS) is derived from a well defined security architecture | 65%
Lines of business are involved in AS initiatives | 65%
AS is integrated with incident management | 60%
Compliance requirements mapped to in-scope applications | 55%
Dedicated application security function exists | 55%
Techniques such as threat modeling & threat tree are adopted | 40%
Developer community involved in AS initiatives | 35%
AS is an integral part of application lifecycle management | 15%

Tool Adoption (in slide order) | % of banks
Enterprise tools to integrate security in the application lifecycle | 30%
Static Application Security Testing (SAST) | 25%
Dynamic Application Security Testing (DAST) | 10%

Threat Tracking (in slide order) | % of banks
Subscribing to analyst reports | 65%
Security research reports | 60%
Mandating the vendors / third parties | 60%
Security forums on the Internet | 50%
Subscribing to vulnerability and exploit databases | 40%

Application Security

Page 10: DSCI-KPMG Survey 2010

Incident & Fraud Management (in slide order) | % of banks
Inventory of all the possible scenarios that lead to incidents and fraud | 74%
Collaborate with CERT-IN | 74%
Support forensic capabilities | 68%
Integrated with organizational IT processes for remedial actions | 68%
Collaboration with external knowledge sources | 58%
Scope has been extended to third parties | 58%
Real time monitoring mechanisms exist that can proactively detect anomalies | 53%
Mechanisms that generate incidents based on patterns and business rule exceptions | 47%
Mechanism to define detective and investigative requirements | 47%

Response to IT (Amendment) Act, 2008 (in slide order) | % of banks
Developing strong forensic investigation capabilities | 50%
Identify the personal information flow to the organization | 50%
Revising the organization’s security policy | 35%
Identifying and making an inventory of scenarios | 20%
Creating awareness amongst contractors/third-party employees | 15%

Incident, Fraud and Compliance

Page 11: DSCI-KPMG Survey 2010

[Chart: Security Maturity benchmarking. Bars showing the share of surveyed banks at Low, Medium and High maturity (axis 0% to 100%) for each area: Position of Security Function, Customer Centric Privacy, Customer Education & Awareness, Card Security Initiatives, Security of Payment Gateway, Response to ITAA 2008, Customer Centric Security, Data Centric Approach, Threat Tracking, Threat & Vulnerability Mgmt, Application Security Program, Incident & Fraud Management, BCP/DRP Preparedness, Resiliency Measures, Physical Security. Legend: Low Maturity | Medium Maturity | High Maturity. The individual bar values cannot be assigned to areas from the extracted text.]

Bench Marking

Page 12: DSCI-KPMG Survey 2010

[Chart: Bench Marking - Bank XYZ. Three scales from 0% to 100% position an individual bank against the Low Maturity, Medium Maturity and High Maturity bands of the survey benchmark.]

Bench Marking - Bank XYZ

Page 13: DSCI-KPMG Survey 2010

THANK YOU