“How banks can frame an IT Security Strategy”
Umesh Jain, President & CIO, Yes Bank, India
Challenges
- Management Awareness
- Employee Awareness
- Focus on IT and Systems
- Quantification of Risks
- Costs & Budgets
Management Awareness
- Success stories of other institutions, especially their business benefits
- Easy-to-read independent research papers from ‘select’ credible and respected sources
  - Gartner, McKinsey, Forrester etc.
- IS Council comprising the leadership team
  - Being a member makes them interested & responsible
  - Highlight low-risk, high-cost items as well and trade them off
  - Highlight high-risk, low-cost items and prioritize them
- ISO/BS Certification, Awards
  - Customer and shareholder benefits
Management Awareness (cont.)
- News of other organizations’ failures and their implications for that organization
  - Eye opener, especially when contextualized
- Dossiers on regulatory requirements
  - Benchmark your organization
- Get the IS Council to sign off on Risk Acceptances!
- Independent Internal Audit
Employee Awareness
- Training & Education
  - Periodic quizzes
  - Periodic flyers
  - Make them interesting and interactive with videos etc.
  - Real-life stories
  - Focus on both IT & non-IT
  - Make IS a top-of-memory recall subject
- Rewards & Recognition
  - For compliance & leading from the front
Employee Awareness (cont.)
- Penalties
  - For non-compliance
  - Directly proportional to severity of the issue
- Surprise checks and ethical breach attempts
  - Clean desk audits
  - Password sharing
- Any breach to be recorded and linked to Performance Management
Focus on Technology
- Problem both ways – Inside Out & Outside In
  - Mindsets of both IT & non-IT need to change
  - Awareness programs should focus on non-IT related security even more than IT related security
- Data classification of non-IT assets/documents
  - Information on pin-boards, walls, desks, drawers
  - Tailgating, password sharing
  - Physical security – lock and key!
  - Mobile devices
- Awareness programs should talk about IT only to a limited extent & in layman’s terms
- CISO outside IT management, equal focus on non-IT
Quantification of Risks
- Lack of historical or industry data or formal methods to quantify the IS risk
  - Can vary from 0 to infinite
  - Actualization of one risk can be disastrous and not contained
  - CBA or ROI cannot be obtained, work on TCO
  - Use industry benchmarks, apply a factor based on:
    - Scale
    - Maturity
    - Risk appetite
    - Model
    - Geographic spread
    - Product & service offering
Costs & Budgets
- In-principle agreement on total spend on IS risk
  - As a % of Total Operating Expense
  - Work out a multi-year roadmap to accommodate budgets
  - Force ranking of risks that need to be prioritized
- Outsourcing
  - Security as a Managed Service – brings in industry-wide expertise, economies of scale, IPR tools that are bundled with services
  - Security as a Service
    - Pay-per-use models
    - Keep pace with the dynamically changing threat landscape
Key Success Factors
- Leadership direction and management support
- Close alignment with corporate culture
- User awareness as a security control
- Consistent and standardized risk management processes supported by tools & technology
- Measurable results
Initiatives at YBL
- Information Security Council
  - Representatives from the Yes Bank leadership team
  - Meets once a quarter
  - Think tank & decision-making forum
  - Strategic alignment with business
- Identity and Access Management
  - Unique identification on all systems
  - Auto creation of ID on joining & auto deletion on exit
  - Semi-automated provisioning & de-provisioning
  - Automated quarterly entitlement reviews
  - Almost zero cost, simple, effective and efficient
  - All new applications to use LDAP features
  - File system security using Windows & Exchange
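The identity and access controls listed above (one identity per person, deletion on exit, quarterly entitlement reviews) are the kind of checks an automated review can reconcile against HR data. The following is an added illustration, not code from the deck or from Yes Bank; the roster, account list, system names and the 90-day review window are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from any real bank): an HR roster and the
# accounts found on two systems, as a quarterly entitlement review would see them.
HR_ROSTER = {
    "E1001": {"name": "A. Sharma", "status": "active"},
    "E1002": {"name": "B. Rao", "status": "exited"},    # left the bank, ID should be gone
    "E1003": {"name": "C. Iyer", "status": "active"},
}
ACCOUNTS = [
    # (system, user id, HR employee id or None, date of last manager review)
    ("core-banking", "asharma", "E1001", date(2024, 1, 15)),
    ("core-banking", "brao", "E1002", date(2023, 10, 2)),
    ("email", "asharma", "E1001", date(2024, 2, 1)),
    ("email", "a.sharma", "E1001", date(2024, 2, 1)),     # second identity, same person
    ("email", "svc_legacy", None, date(2023, 6, 30)),     # no HR owner on record
    ("core-banking", "ciyer", "E1003", date(2024, 3, 20)),
]
REVIEW_DATE = date(2024, 4, 1)      # assumed date the review is run
REVIEW_PERIOD_DAYS = 90             # "quarterly" review window, assumed


def entitlement_review(roster, accounts, today):
    """Return sorted (finding, scope, subject) tuples for the controls on the slide."""
    findings = []
    ids_per_person = {}
    for system, uid, emp, last_reviewed in accounts:
        if emp is None or emp not in roster:
            # Account with no HR owner: nobody is accountable for it
            findings.append(("orphan", system, uid))
        elif roster[emp]["status"] != "active":
            # "Auto deletion on exit" did not happen for this account
            findings.append(("exited", system, uid))
        if (today - last_reviewed).days > REVIEW_PERIOD_DAYS:
            # Entitlement not re-certified within the review period
            findings.append(("stale-review", system, uid))
        if emp is not None:
            ids_per_person.setdefault(emp, set()).add(uid)
    # "Unique identification on all systems": one person must map to one user id
    for emp, uids in ids_per_person.items():
        if len(uids) > 1:
            findings.append(("duplicate-identity", emp, "|".join(sorted(uids))))
    return sorted(findings)


def run_review():
    return entitlement_review(HR_ROSTER, ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for finding in run_review():
        print(*finding)
```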
Initiatives at YBL (cont.)
- Comprehensive Coverage
  - Employees, consultants etc.
  - Internal reviews and independent audits
  - Third-party information security assessments
  - IS involved in the project lifecycle with sign-offs at various stages
  - Data classification of non-IT assets
- Robust Processes
  - SIRT, Risk Acceptance, Deviations
  - Reviews & surprise audits
  - Hardening standards & deviations
Initiatives at YBL (cont.)
- Outsourcing
  - Managed Services
  - One-man team of CISO
  - Cost efficient (70% saves, no capex)
  - Effective
    - Best practices
    - Reacting to the dynamically changing threat landscape
    - Tools for management
  - First movers
    - Dual Factor Authentication