DSCI KPMG Banking Survey

PROMOTING DATA PROTECTION
Initiative NASSCOM
State of Data Security and Privacy in the Indian Banking Industry

DSCI-KPMG Survey 2010
In association with
Handling Computer Security Incidents
Under the Cyber Security Awareness Program of DIT-NASSCOM
DataSecurityCouncilofIndia(DSCI)isasection25,not-for-profitcompany,setupby NASSCOMasanindependentSelfRegulatoryOrganization(SRO)topromotedataprotection, developsecurityandprivacycodes&standardsandencouragetheIT/BPOindustryto implementthesame.
FormoreinformationaboutDSCIorthisreport,contact: DATASECURITYCOUNCILOFINDIA NiryatBhawan,3rdFloor,RaoTulaRamMarg,NewDelhi-110057,India Phone:+91-11-26155070,Fax:+91-11-26155072 Email:info@dsci.in
PublishedinFebruary2011 Copyright2011DSCI.Allrightsreserved.
Disclaimer ThisdocumentcontainsinformationthatisIntellectualPropertyofDSCI.DSCIexpressly disclaimstothemaximumlimitpermissiblebylaw,allwarranties,expressorimplied, including,butnotlimitingtoimpliedwarrantiesofmerchantability,fitnessforaparticular purposeandnon-infringement.DSCIdisclaimsresponsibilityforanyloss,injury,liabilityor damageofanykindresultingfromandarisingoutofuseofthismaterial/informationorpart thereof.ViewsexpressedhereinareviewsofDSCIand/oritsrespectiveauthorsandshould notbeconstruedaslegaladviceorlegalopinion.Further,thegeneralavailabilityof informationorpartthereofdoesnotintendtoconstitutelegaladviceortocreateaLawyer/ Attorney-Clientrelationship,inanymannerwhatsoever.
Message from CERT-In

Rapidly globalizing world economies invite financial transactions across borders. Increasingly, financial assets exist in the form of digitized information that constantly changes location and may reside anywhere in the world.The security of this digitized information gains prominence due to its susceptibility to compromise in cyberspace. It is natural for banks to rely heavily on IT in this information age and as a consequence, banks are required to ensure the safety of the information, even as individuals the end users -may not be so aware and alert about security. DIT has sponsored the DSCI annual security surveys of the IT/BPO companies in India for the last couple of years. In view of the increasing importance of security in the banking sector, DIT supported DSCIs decision to conduct separate security surveys for the BPO and the banking sector. As before, this survey has been conducted through KPMG, in association with CERT-In.The objective of the DSCI-KPMG security survey was to identify the information security concerns and initiatives in the banking sector.The survey will also help us appreciate the sectors understanding of the privacy protection requirements under the amended InformationTechnology Act. It is a matter of satisfaction for us that several banks came forward to participate in this survey.The findings offer an insight into the banking sector and help establish a ground for improved data security and privacy protection.
Dr. Gulshan Rai DG, CERT-In
Message from DSCI

Information Management is increasingly becoming the very core of banking operations. As more and more financial transactions are conducted without the use of currency, it is only information that is exchanged instead of real money. Electronic banking makes use of the Internet, ATMs, mobiles and a number of other devices, which already have changed the face of banking. Information is clearly one of the more important assets of a bank. It has to be protected to establish and maintain trust between a bank and its customers, even as it complies with, and demonstrates compliance to regulations. Information technology has graduated from being a business enabler to a business driver. Information security is a key function of an organization that enables other business functions to perform their activities effectively. Information security objectives continue to be confidentiality, availability, integrity of information; with accountability and assurance that can be demonstrated. Banks are in the forefront of using cutting edge IT, and information security technology and processes that are similar to those in the IT/BPO sector.This year, DSCI in consultation with Department of InformationTechnology, Government of India, decided to conduct separate security surveys for the BPO, and the banking sector.The survey questionnaire has been specifically designed for the banking industry.The objective was to see how the technologies are helping banks meet customer service expectations, how are they using technologies and processes to meet the challenge of hackers and cyber criminals. Banks need to continuously create security awareness of customers, who are availing of online banking services, and unlike the BPO sector, are not employees, but part of the larger population in the country.The survey covers the following areas of data security and privacy positioning of security and privacy, transaction security, customer centric security initiatives, maturity & characteristics of key security disciplines such as Threat & Vulnerability Management, impact of IT (Amendment) Act, 2008 amongst others. It was gratifying to see that banks from the public sector, private sector and the foreign banks responded enthusiastically to the survey questionnaire.The survey provides some very interesting and in-depth insights. For example, it is interesting to note that with increased digitization of customer information, increased levels of customer awareness on privacy and notification of IT (Amendment) Act, 2008, privacy has emerged as an important focus area for the banks in India though it is yet to be factored in the banking ecosystem through implementation of a comprehensive privacy program. Such findings were possible because of granularity in the design of the questionnaire. We believe that the survey results will be of use to the banking industry in improving their state of data security and privacy protection.
Dr. Kamlesh Bajaj CEO, DSCI
Message from KPMG

Banking and InformationTechnology can hardly be separated.This is one such industry, which not only depends on the technology, but where technology has contributed to its immense development and proliferation. It may not be untrue to conclude that the effectiveness of technology implemented at a bank could determine its profitability and growth potential. Since most of the business operations can simply be accomplished with information exchange, the need to protect integrity of information is of paramount importance.This is why security has to be part of the service delivery and an important hygiene, rather than being a point of differentiation. The unique aspect about information security in banking industry is that the security posture of a bank does not depend solely on the safeguards and practices implemented by the bank, it is equally dependent on the awareness of the users using the banking channel and the quality of end-user terminals. This makes the task for protecting information confidentiality and integrity a greater challenge for the banking industry. The survey reveals that the industry is aware of the challenges it faces and is reasonably prepared to safeguard itself from traditional threats. Since the banking industry of India has grown at a steady pace over the last several years and has also stood tall during the event of global meltdown, experts attribute that one of the key factors for this stability is stronger governance and regulatory control. It is important to note that the Indian banking regulator (RBI) has generally been proactive in advising banks on issues relating to security and has acted as an important institution to drive the importance of this matter at the level of Board of Directors.This has also remained a primary driver for the industry to maintain high standards of information security. The survey indicates that the focus of the data governance processes so far has focused on integrity of data, but there is a need to increase efforts in the direction of data privacy. With IT (Amendment) Act providing stronger penalties for breaches of personal data, banking industry will certainly get impacted and therefore, there is a case of stronger focus on this dimension going forward. With newer delivery channels and increased extension of banking boundaries, there is an equal increase in threats. While banks continue to remain focused on ensuring security of information and protection of personally identifiable information, growth of these new channels will be driven by the increased customer confidence and innovative security practices, which banks undertake to make banking secure, yet convenient. We are pleased to be a part of this one of its kind survey, which attempts to highlight the current state of information security and privacy in banking industry in India. With these insightful survey findings, banks should be able to learn and adopt best practices. We hope that the survey will also help banks benchmark their security and privacy practices with that of the industry players and also help develop roadmaps for enhancing the security posture. We thank all the participants of this survey for their valuable time and insights to make this survey meaningful for the industry.
AkhileshTuteja Executive Director, KPMG in India
Contents
Highlights Introduction Data Security and Privacy Security Governance Security in Service Delivery Internal Processes Regulatory Requirements Way Forward 01 03 06 14 20 30 42 47
Highlights
The survey provides insights into the data security and privacy environment of Indian Banking industry.There is evidence that validates general perceptions about security and privacy practices and then there are some outliers that do not align to the seemingly obvious.
? External threats and the increasing usage of online & mobile channels
along with regulatory requirements are driving banks in India to invest in information security. Banks drive inputs from international standards such as ISO 27001 to establish their security function. However, there is a need to focus on proactive mechanisms such as threat modeling and bringing innovation in the security initiatives.
? Information security is still seen as an IT centric function with reporting of
the CISO to CTO/CIO of the bank.

? Absence of collaboration and synergy between Security and Fraud
Management functions leaves a significant gap in banks effort to curb financial frauds. Customer awareness on information security along with insecure customer end points is one of the most significant challenges faced by the banks.
?
CISOs are still spending significant time on operational activities, making it difficult to focus on strategic initiatives. When executing security related responsibilities, the focus is still on arranging in-house resources except for few specialized areas like Application Security testing.
01
2011 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Privacy has started to gain relevance with increased customer awareness and introduction of IT (Amendment) Act, 2008 (ITAA 2008), but measures advocated for customers privacy protection are yet to be implemented by many banks. The
? adoption of measures that have been strongly advocated for
transaction security such as One-Time-Password (dynamic token), identity grid and risk based authentication are still at nascent stages.
? Security of cards transaction is lagging - even basic measures for ensuring
card security have not been adopted by many of the banks.

? Managing security is more challenging in online banking and phone (IVR)
banking as compared to other service delivery channels.

? Majority of the banks continue to remain largely dependent on incidents
being reported by their customers and/or employees, highlighting the need for a real time, automated and intelligent incident management mechanism. ITAA ? 2008 is becoming a significant driver for investments in technology solutions.
02
Introduction
InformationTechnology (IT) revolution has ushered a paradigm shift in the banking industry.The model of banking has transformed from brick and mortar to allpervading through Anywhere and Anytime Banking.Though the fundamentals of banking might have remained the same, customers perception of value and, therefore, business models are evolving in an ever increasing velocity.Today, if a bank can assure its customer of a viable 24X7 interface, it has the hope of retaining the customer for longer time. IT has evolved and enabled the industry in many domains vis--vis customer service, enhanced product delivery, cross-sell, multi-channel real time transaction processing, minimal transaction costs, and increased operational efficiency, therefore, impacting the overall profitability & productivity in the sector.The fast evolving trends of technology in the sector have blurred the boundaries of information ecosystems to include service providers and customers.To illustrate, in an electronic card payment system, data is directly accessed and processed by customers; service providers as well as other partner institutions. While, this integrated environment has exponentially enhanced the service capability of banks and experience of customers, it has introduced a new gamut of risks. In the currently prevailing global economic conditions, organized threats are being increasingly perpetrated against financial institutions. In line with expectations, survey results indicate that banks are constantly being exposed to sophisticated, organized and financially motivated threats. Increasing targeting of customers through phishing, vishing, smishing attacks is also one of the important elements of threat landscape. Banking industry, recognizing these risks, has taken several initiatives in the area of cyber security and data protection. Governments and Regulators have introduced mandatory guidelines and protocols towards security and privacy of data. Some of the initiatives include:The IT (Amendment) Act 2008, Guidelines for Information Systems Security/Audit-2001, RBIs guidelines on Mobile Banking and pre-paid Value Cards and guidelines on Internet Banking. Data Security Council of India (DSCI) and KPMG in India, under the aegis of CERTIn (DIT), jointly conducted a survey to assess current state of data security and privacy practices being adopted by the Indian Banking industry and to gain insights into how the industry is addressing the concerns.
03
As part of this initiative, 20 banks were surveyed covering the following areas:
? Positioning of security and privacy in the banking organizations - analyzing
CISOs role and the tasks performed by the security organization

? Transaction security, customer centric security and privacy, emerging
threats, card security & payment gateway security

? Maturity and characteristics of key security disciplines such as Threat &
Vulnerability Management, Application Security and Incident Management in the wake of rising cyber crimes
? Strategic options adopted by banks in Business Continuity and Disaster
Recovery Impact of IT (Amendment) Act, 2008 on the Banking industry Technology
? Evolution of Physical Security and its integration with Information
In order to ensure that the survey results represent the industry at large, we interviewed CISOs and their equivalents across the industry. The survey results highlight trends and insights into the state of data security and privacy in the industry many generally known practices are validated, yet certain unexpected insights are revealed. Survey reveals that Data Security and Data Privacy in banks are driven by ITAA 2008 and stringent regulatory requirement by the Central Bank.The survey further indicates that banks in India are lagging in areas like security of cards transaction, as compared to their global counterparts.
04
Data Security and Privacy
06
Finding its place

Survey reveals that Data Security in banks continues to be driven by ExternalThreats and Regulatory Requirements whereas Data Privacy is slowly beginning to gain relevance. Information Security is still seen as an IT centric function with minimal coordination with Fraud Management function. Lack of customer awareness on information security and the threat from insecure customer end points are key challenges faced by the banks.
07
Drivers (Data security) (% respondents)
Critical
Important
Less Important
Drivers for data security

External threats and the increasing usage of online & mobile channels along with dependency on third parties are driving banks in India to invest in information security. There has been a conscious effort from the Central Bank to emphasize the need for information security by means of providing frameworks and guidelines. In addition, the IT (Amendment) Act, 2008 has laid the foundation for strengthening cyber security and data protection in India.This will have implications on the existing regulatory landscape of the banking industry especially with introduction of section 43A that mandates body corporates to implement reasonable security practices for protecting sensitive personal information.
08
Characteristics of security initiatives (% respondents)

100 Continuous vigilance on evolving security issues and vulnerabilities Constant review of the environment is undertaken to assess security posture in the wake of new threats and vulnerabilities Risk assessment is carried out Security strategy plan follows Plan-Do-Check-Act approach Risk metrics adopted is:Qualitative Organizations security takes major strength from ISO 27001 certification and processes Security solutions are provided with an architectural treatment Significant effort dedicated on compliance documentation Top management is aware of the risks and liabilities at granular level Enterprise portal is used to manage security requirements, enforce policies, educate employees and report security incidents Review of all applicable regulations/ circulars till date have been performed at a granular level for compliance Management reporting involves non-compliance to ISO 27001 standards Significant efforts are dedicated to ensure collaboration with external sources and internal functions Security officers main role is to ensure compliance with ISO 27001 Risk metrics adopted is: Quantitive Specific focus is given to innovation in the security initiatives Techniques such as threat modeling, threat tree, and principles such as embedding security in design are proactively adopted 50 45 40 40 40 35 75 70 70 65 65 60 60 60 60 90
Characteristics of security initiatives

The focus of security initiatives seems to be concentrated on keeping continuous vigilance over security issues & vulnerabilities and review of the environment against the new age threats. Almost two third of the respondent banks drive inputs from international standards such as ISO 27001 to establish their security function and have mechanisms for conducting regular risk assessments. However, banks need to provide more focus on proactive mechanisms such as threat modeling and bring innovation in the security initiatives that helps address evolving challenges. In light of the increasing sophistication of new age threats and rising complexity of the banking environment, some of the banks have started to collaborate with external and internal sources for information security.
09
Positioning of security function (% respondents)

60 Central security function Fraud Management handled by separate group Central security function for monitoring remote information processing locations Primary role in fraud management Each Line of Business has a representative Spread across different geographical locations
25 95
CISO reporting (% respondents)
50 40 30 50 20 10 0 25 10 Chief Information Officer (CIO) /Chief Technology Officer (CTO) Chief Risk Officer (CRO) 5 5
47
16
15
10
Chief Chief Executive Director Financial Operating (ED) Officer Officer (CFO) (COO)
Security function
Information security is predominantly a central function in banks.This reflects the ongoing consolidation in the banking infrastructure and adoption of core banking solutions.The involvement of business functions through their representatives for coordination of security in their respective units seems to be lacking. It is interesting to note that the information security has no or minimal role in fraud management.The silo in the security and fraud management role would lead to a significant gap in banks effort to curb financial frauds as security compromises are seen as a tool for committing financial frauds. Information security is still seen as an IT centric function with almost half of the respondents indicating the reporting of the CISO to CTO/CIO of the bank. In contrast to global trend of positioning security as an important corporate function, CISOs of banks in India do not seem to be acquiring their respective position in an organizational hierarchy as only few of them are reporting to their CEOs/COOs/EDs. Although privacy has emerged in the discussion landscape in India, its reflection in organizational response is still not visible.This is revealed by the survey as 80% of the banks do not have a separate privacy function.
Size of security team (% respondents)

15%
Separate privacy function (% respondents)
Size of privacy team (% respondents)

10% 10%
10%
Yes, 20%
No, 80%
75%
80%
Less than 10
10-20
More than 20
2-5 people
Part of security teams
Not Applicable
10
Drivers for data privacy

Data privacy in India is slowly beginning to gain relevance. Customers are becoming aware and increasingly conscious of their rights and the banks obligations towards personal information protection.The IT (Amendment) Act, 2008 outlines the need for stronger data protection measures for customers as well as employee data privacy.The results of the survey indicate that reputational and financial loss arising out of a data breach is also driving importance of data privacy in banks.
Factors driving data privacy (% respondents)

Rising concerns of end customers / consumers Direct and indirect financial loss arising out of a data breach Increased digitization of personal information of customers Bad publicity in the media in case of the data breach ITAA 2008 requirements
60
35
60
35
55
35
10
53
37
10
50
30
20
Protecting privacy of employee data
42
42
16
Global data protection regulations
32 Critical
42 Important
26 Less Important
Characteristics of banks' privacy initiatives (% respondents)

There exists an understanding of different roles and entities that exist for data protection (data subject, data controller, data processor, etc.) Significant level of understanding exists about Privacy Principles and their applicability Organizations processes are reviewed regularly from privacy perspective 58
53
47
Organization has a dedicated policy initiative for privacy
42
Specific technology, solutions and processes are deployed for privacy
32
The scope of audit charter is extended to include privacy.
32
Privacy has just appeared on the organizations agenda Focus on embedding privacy in the design of systems and processes
32
26
Privacy is seriously lacking as compared to security Privacy impact assessment is performed whenever new initiatives are undertaken 16
26
11
Characteristics of banks' privacy initiatives

Banks must align internal policies, procedures and deploy technology safeguards for protecting sensitive personal information. Survey results reveal that understanding of data privacy in the banking sector is beginning to emerge with a little more than half of the respondents being aware of privacy principles and roles and entities for data protection. However, data privacy has not yet fully permeated in the banking sector. Implementation of specific measures such as formulation of privacy policies, privacy impact assessments and embedding of data privacy in the business processes have not gained significant traction.
Major challenges faced by banks (% respondents)

Lack of end customers awareness on threats and vulnerabilities Increasing threats from insecure customers end points New age threats and vulnerabilities Organized and international nature of cyber crimes targeted against the banking industry Managing third party risks Rising complexity of the transactions that expand possibilities of attack Difficult to get a uniform level of assurance from various service delivery channels 47 65 60 89 84 79 78 35 40 16 22 11 0 16 0
5 0 0 0
47
Increased volume and complexity of data heavy transactions Endeavor to enhance customer experience, undermining security posture of the bank Non seriousness of employees for security and privacy related initiatives Meeting multiple regulatory requirements Business exigencies take precedence over security Business demand for flexibility complicating underlying infrastructure Managing competence of the staff to withstand evolving challenges Lack of support from top /senior management Inadequacy of technical skill Inadequate budget allocation for data security & privacy 32 27
50 50 47 45 41 39 58 33 56 36 35
33 33 41
17 17 12 20 12 6 11 40 25 50
47 56
19 14
Critical
Important
Less Important
Major challenges faced by banks

Information Security in banking has assumed significant importance and the top management of banks in India are fully committed to providing support.The survey reveals that banks in India do not feel constrained due to inadequate budgets or technical skills for information security. However, with increasing omnipresence of banking services and endeavor to enhance customer experience undermines the security posture. One of the most significant information security challenges highlighted by the banks in the survey is lack of customer awareness on information security and the threat from insecure customer end points.The boundary-less cyber space exposes the banks to internationally organized crimes and new age threats. Further, with banks increasingly working with third parties and in the process, sharing business information, management of third party risks is also becoming a challenging task.
12
13
Security Governance
14
Where do we focus
Survey reveals that there seems to be lack of understanding on CISOs roles and responsibilities because CISOs are spending their time on all security related activities irrespective of their strategic importance. It also reveals that banks avail the services of external consultants and service providers essentially for certain specialized services.
15
Security tasks
Area
Busines s Manage r 11% 5% 22% 5% 22% 0% 0% 0%
Corpora te Complia nce 0% 0% 11% 5% 6% 0% 0% 11%
CISO
ITSecur ity
ITInfra Team
AuditTe am
Externa l Consult ant 22% 16% 6% 16% 6% 5% 0% 11%
Externa l Service Provide r 11% 0% 0% 5% 6% 5% 0% 0%
Securitygap/baselineassessment Securitystrategyplan Securityrequirementsofbusiness Preparingsecuritypolicies&procedures Implementationofthepolicies&procedures Defining&managingthesecurityarchitecture Compliancereportingtoclients Advisorytotherelationshipvis-visdatasecurityand privacyissues Securitysolutionsevaluationandprocurement Installsecuritysolutions,productsandtools AdministrationofsecuritytechnologiesAntivirus,Patch Mgmt,IPS,Firewall,etc. Securitytesting-VAandPT Applicationsecuritytesting,codereview,etc Conductingandmanaginginternalaudits/asse ssments Securitymonitoring Securityauthorizationofchangerequests Report,investigateandclosesecurityincidents Keeptrackoftheevolvingthreatsandvulnerabili ties Strategiesforprotectingtheorganizationagain stnew threatsandvulnerabilities Keeptrackoftheevolvingregulatoryrequireme nts Participateininitialclientmeetingstounderstan dclients' securityrequirements Administration&testingBCP/DRplans
39% 84% 78% 84% 61% 68% 50% 74%
56% 37% 44% 47% 67% 63% 0% 37%
11% 0% 0% 0% 33% 42% 25% 5%
39% 5% 0% 5% 17% 5% 25% 5%
0% 0% 0%
5% 6% 5%
68% 33% 25%
63% 61% 55%
32% 56% 55%
0% 0% 0%
5% 6% 0%
0% 11% 15%
0% 0% 0% 0% 11% 6% 6% 6%
5% 5% 0% 0% 0% 11% 0% 0%
30% 26% 22% 63% 56% 67% 89% 100%
45% 42% 33% 63% 50% 50% 44% 39%
10% 16% 6% 11% 17% 11% 11% 6%
20% 21% 83% 5% 0% 11% 0% 0%
15% 11% 11% 0% 0% 0% 0% 0%
15% 26% 6% 16% 6% 6% 11% 6%
6% 14%
44% 0%
78% 71%
22% 57%
6% 14%
11% 7%
0% 7%
0% 0%
50%
Security tasks 0%
60%
25%
50%
5%
0%
0%
The age old adage Security is everyones responsibility is beginning to get realized in the banking sector in India. While most of the information security responsibilities lie with the dedicated information security teams of the banks, business users, compliance, and audit teams are important contributors. Division of the work between IT Infrastructure, IT Security and CISO is well aligned to their responsibilities. Except Business Continuity and Disaster Recovery Planning, the involvement of business in security initiatives especially defining security requirements of their business and security strategy plan is surprisingly minimal. The banks do not seem too keen on availing the services of external consultants and service providers except for specialized services such as application security testing, gap assessment, VA/PT and security policy formulation.
16
CISO spends time on (% respondents)

Review & respond on security alerts, incidents, issues 95 5 0
Review security reports
90
10
Issue guidelines to enterprise units
90
Review reports of security scan, assessment and audits
85
15
Plan for remedial measures
85
15
Oversee security policy enforcement & non-compliance issues
85
10
Check for new issues, threats and vulnerabilities
85
10
Prepare reports for higher managements consumption
84
16
Oversee security projects
80
15
Convene a meeting of security forum
10 80 20
10
Interact with IT teams
70
10
Oversee security training of employees
68
27
Review state of security in service delivery channels
65
30
Participate in business strategy meetings
63
32
Review and approve change request
47
42
11
Approve official request of reporting officers
47
41
12
Interact with support functions for enforcing measures
40
55
Significant
Not Significant
Not Responsible
17
CISO spends time on

There seems to be lack of clarity on CISOs roles and responsibilities. Survey response indicates that CISOs are spending their time across strategic and operational activities, which may lead to challenge in time availability of them.This may pose a challenge to CISOs in effectively utilizing their time. Ideally, CISO should be a business leader who engages himself/herself into communicative, collaborative and integrative activities rather than operational tasks.
18 20
19
Security in Service Delivery
20
Educate and communicate

Survey reveals that banks have recognized that customer awareness on security issues is not only a hygiene factor but also a key pillar of information security.The survey also reveals that the banks in India are lagging in security of card transactions.
21
Customer centric security initiatives

As expected, the survey reveals that basic hygiene factors such as enforcement of password policy, password change at first login, account lockout and session timeout have been implemented across all banks for end-customer applications. However, some of these banks do not enforce expiry of password after stipulated time. Technology systems in 37% of surveyed banks require download of external application systems/ mobile code leading to higher probability of unplugged vulnerabilities. Interestingly, banks are beginning to adopt security measures such as captcha implementation for login.
Customer centric security initiatives (% respondents)

Password policy is enforced Password change at first login is mandated Account locking after unsuccessful attempts Session timeout after stipulated time Use strong SSL certificate Strong logout process (e.g. closing browser window to delete the cache) System generated Unique ID for account access Password expiry after stipulated time is implemented Password hashed while sending the HTTP request Password policy is guiding in nature User selected ID for account access Active X control is required to be installed on the customer machine External application like JRE (Java RunTime) required to be installed on customer machine Captcha implementation while login 21 37 37 47 63 58 84 79 79 100 100 100 100 95
22
Customer centric privacy initiatives

Measures advocated for customers privacy protection such as privacy policy on corporate website, link of privacy policy on user data forms, disclosure of information to third parties and privacy policy notice to the customer are not being widely adopted by banks in India.
Customer centric privacy initiatives (% respondents)

The contact details are available for the customers to report any breach Users are given access to their information and provision to correct/update their data Customer acceptance on privacy policy is taken before providing banking services.The privacy policy clearly states the limitation imposed for collection and usage of Privacy policy is displayed on the corporate website the bank The policy clearly spells the restriction in disclosure of the information to third party The links to the policy is available on all important user centric data forms The policy lists the security countermeasures deployed to secure the information 53 63
47
42
37
26
26
Customers are notified of the changes in the policy
11
Solution for security of transactions

LoginID / Passwo rd 89% 88% 78% 88% 82% 76% 65% 76% 82% Virtual Keybo ard 67% 47% 56% 56% 53% 59% 53% 53% 59% Riskbase d Authentication 11% 0% 6% 6% 0% 6% 0% 6% 0% Separate Transacti on Password 28% 6% 39% 31% 47% 65% 47% 59% 24% DynamicT oken (OTP) 11% 6% 22% 13% 18% 29% 18% 12% 6% SMS verificati on 17% 0% 44% 19% 0% 24% 18% 18% 0% SMS Aler t 28% 0% 50% 38% 59% 71% 47% 65% 29%
Tasks
Identi tyGrid 11% 0% 6% 6% 6% 6% 6% 12% 6%
Accountlogging CheckingA/Cstatements Registerpayee Profilechange Moneytransfertoselfaccount Moneytransfertoothersaccount Payingutilitybills Onlinepurchases Service
23
Solution for security of transactions

Against the backdrop of increased focus of external threats to compromise the security of banking transactions, it is interesting to take a note of security measures implemented by banks for some of the key banking transactions. While measures such as SMS alert, separate transaction password, virtual keyboard seem to be more popular, adoption of the strongly advocated measures such as One-Time-Password (dynamic token), identity grid and risk based authentication are still at a nascent stage.
Customers education and awareness (% respondents)

100
Publishing do's and donts for secure transactions
Special instructions for avoiding phishing 74
95
Publishing consumer centric security policy on banks website
Publishing security messages on different communications channels 53
68
Providing demo for secure usage of banking services
Spreading awareness through public forums
53
Real time security messages while executing transactions 37
47
Conducting dedicated customer awareness programs 21
Spreading awareness through public media
Customer education and awareness

Banks have recognized that customer awareness on security issues is not only a hygiene factor but also a key pillar of information security. All of the banks have published information related to Dos and Donts for secure transactions on their websites. It is encouraging to note that a number of banks have begun to use public media and forums for spreading awareness and this may be a direction which other banks shall be following.
24
Card security initiatives (% respondents)

67 CVV2/CID/and PIN never gets stored/printed at merchant side 67 Educate and aware customers, merchants and employees on the importance of card security 60 Use of secure protocol to transmit/receive card information 53 Do not print card numbers on hard copies without a valid business need such as reconciliation. Hard copies are physically secured 53 Regular vulnerability assessment of the infrastructure that stores and transmits card data 47 The stored card authorization information is encrypted 47 Storing the card data in log files in plain text 47 Monitor the card transactions 40
Masking the card number (PAN) in all user communication and transaction notification Encrypting the stored card information: File encryption for encrypting card information stored in files
40
40 Card expiry date is not printed and stored at the merchant side 33
In the process of deploying PCI-DSS standards Encrypting the stored card information: Database encryption for encrypting database fields storing card information
33
The POS at merchants do not create the card records in plain 27
33
PCI-DSS certified
The scope of card security is extended to the designated merchants also
27
Card security initiatives

The survey reveals that the banks in India are lagging in security of cards transaction. Against the backdrop of well known global cases of card breaches, it is surprising to note that the basic measures for ensuring card security have not been adopted by many of the banks.The practices such as storing and printing authorization information like CVV and expiry date, merchants creating plain text card records, non masking of card number (PAN) followed by banks are non-conformant to globally accepted practices for card security.
25
Security of Payment Gateway

The main issue concerned with Payment Gateway is Security i.e. encrypting the crucial and sensitive card details like card numbers of the customer during card transaction. The survey reveals that most of the respondent banks have implemented steps to ensure security of payment gateway application programming interface and communication channel through use of appropriate security protocols. Banks also encrypt card number and other card confidential information during storage and transit. Banks conduct periodic security testing of underlying payment infrastructure.
Security of Payment Gateway (% respondents)
Ensure communication channel security through secure protocol Encryption of card information during transmission and storage
93
93
Security is ensured in the Payment Gateway API
93
No storage of authorization information: CVV2 value/PIN Regular security testing of the underlying infrastructure is performed
87
87
Enforce input validation for user data entries Sensitive data captured in the variables for authorization is not stored by the entities that are involved in the transaction Assuring message integrity during transit
80
73
73
Web services that facilitate execution of the transactions are tested for known security flaws
60
26
Managing security in service delivery channels

The survey reveals that amongst all the service delivery channels used by banks, online banking is still considered the most challenging in terms of managing security. Interestingly, phone (IVR) banking is also considered a difficult to manage service channel from security perspective. Channels such asTV (DTH) and online chat are being scarcely used by the banks. Mobile based channels are primarily being currently used to provide information and consequently its not considered to be difficult to manage. However, with increased mCommerce transactions expected, there may be increased security challenges for mobile based channels.
Managing security in service delivery channels (% respondents)
Online Phone (IVR) Branch Banking ATM SMS Mobile: Mobile WAP based Application
37 32
58 37
32 74 74
21 21 21 16 58
5 5
21 47
37
Online chat Email (Account/ transaction information communication) Mobile: Instant Menu based Mobile: Query based request TV (DTH)
11 5 5 5 5 11
26 68
63 26
42 37 84
53 58
Difficult to Manage
Easy to Manage
Not Implemented
27
28
29
Internal Processes
30
How do we align ourselves

Survey reveals that some banks need to create more robust processes to manage data security and privacy related threats. Majority of the banks still use traditional method of risk based internal or external audits for keeping track of threats & vulnerabilities. Survey also reveals that while most banks have implemented backup data centers, usage of mature practices such as Run Book automation are still at nascent stages of adoption.
31
Data centric approach in security and privacy initiatives (% respondents)
Involvement of process owners and lines of business is ensured in the data security initiatives
80
There exists a process for discovering and identifying the critical data elements within the organization
75
Adequate controls are applied on the data repositories, as per the sensitivity of data
75
For each of the outsourcing partner / third-party relationships or processes, the security organization is aware of how the data is managed in its life cycle
75
Strength of the countermeasures deployed is proportional to the sensitivity of the data
70
A granular level visibility exists over the financial and sensitive data used, stored, transmitted and disposed by various processes and repository is maintained
65
Uniformity of controls is maintained when data is moving in different environments (Organizations and its service providers environment)
55
Data classification techniques have been deployed and followed rigorously
50
Data centric approach in security and privacy initiatives

Majority of respondent banks have put in place a process for discovering and identifying critical data elements within the organization though only 50% of the respondent banks follow data classification techniques rigorously. There is also an added stress on involvement of process owners and lines of business in the data security initiatives. However, only 55% of the respondent banks said that uniformity of controls is maintained when data is moving in different environments. Hence, there is a need for increased emphasis on standardization and strengthening of the organizations processes with respect to data handling.
32
Characteristics of threat and vulnerability management (% respondents)

The security organization keeps vigilant track of new issues, vulnerability and threats The version of each critical asset is up to date, all the available & applicable security patches are applied Organization collaborates with agencies like CERT - In and other knowledge sources Scope of function is extended to mobile computing devices, third party & externally provisioned applications There exists a mechanism that test the relevance of these issues swiftly, without delays An architectural treatment is given to threat and vulnerability management solutions deployed Threat and vulnerability management is integrated with IT infrastructure management processes IT infrastructure is heterogeneous making threat and vulnerability management cumbersome IT infrastructure is homogeneous and standardized that help manage threats and vulnerability swiftly Compelling reasons such as compatibility of business application and cost escalation for version upgrades hinder to make the asset up to date
90
75 70 70 65 60 55 53 40 35
Characteristics of threat and vulnerability management

As external threats continue to be a key driver for the security initiatives of banking industry, banks seem to be fairly mature in their threat and vulnerability management practices. However, heterogeneous IT infrastructure and challenges in integrating threat and vulnerability management processes with IT infrastructure management processes are still seen as a hurdle.
Tracking evolving threats and vulnerabilities (% respondents)

95 85
Risk based internal or external audits Subscribing to CERT -In alerts Through websites of data security vendors Security research reports of product and professional organizations Through peers/competitors Subscribing to vulnerability, exploits databases, etc Subscribing to newsletters Mandating the vendors/third parties to report new threats and vulnerabilities in their products/services Through discussions on security forums on the internet Subscribing to Analysts reports 40 50 70 65 65 60 60 60
33
Tracking evolving threats and vulnerabilities

The banks keep vigilant track of new issues, vulnerability and threats by collaborating with agencies like CERT-In and other knowledge sources such as the website of security vendors, subscribing to vulnerability & exploits database, research reports, newsletters and analyst reports. However, the majority of the banks still use traditional method of risk based internal or external audits for keeping track of threats & vulnerabilities. Also, banks are increasingly adopting methods such as discussions on security forums and information through peers/ competition.
New age threats (% respondents)
Malware based attacks such as Zeus Malware that raids business accounts
82
12
Man in the Browser (MITB) -Trojans in browser that modify user transactions
78
22
Web is a channel for phishing attack
78
22
Botnet command and control targeting
53
40
Cross channel and multilayered fraud that uses multiple channels to perpetrate an attack
53
40
Man in the Middle (MITM) that modifies customer generated transactions
53
35
12
Unsecured APIs in mobile banking
44
31
25
Phishing through SMS
31
44
25
Critical
Significant
Less Significant
New age threats

In the currently prevailing global economic conditions, organized threats are being increasingly perpetrated against financial institutions. In line with expectations, survey results indicate that banks are constantly being exposed to sophisticated, organized and financially motivated threats. Increasing targeting of customers through phishing, vishing, smishing attacks is also one of the important elements of threat landscape. With the emergence of mobile banking, banks are also concerned about their interfaces with mobile applications. As the control requirements for information security spread beyond the boundaries of the banks and newer threats emerge, it will be imperative for bankers to use threat modeling techniques and deploy effective responses.
34
Characteristics of application security program (% respondents)
Application security knowledge and information is effectively managed Application vulnerability management to proactively focus remediation of the vulnerability There exist a mechanism to identify criticality of each application Compliance requirements are mapped to inscope applications Application security is derived out of well defined/ conceived security architecture Application security is an integral part of lifecycle management Application vulnerability management is integrated with security governance Lines of businesses are involved in application security initiatives Dedicated application security function exists in the organization Application security is integrated with incident management mechanism Enterprise guidelines or standards are established for secure coding Explicitly define trusted messages between subsystems Developers community are involved in application security initiatives Security testing of application includes code review Application security capability entails: Static Application SecurityTesting (SAST) tool e.g. Security code review Application security capability entails: Dynamic Application SecurityTesting (DAST) tool e.g. Vulnerability Scanning Enterprise tools to integrate security in application lifecycle have been implemented 10 45 45 40 35 30 25
70 70 65 65 65 65 65 60 55 55
Services availed from external service providers (% respondents)

Black box and grey box testing Architectural planning Security code review Threat modeling and threat tree
55 40
Scope of application security is extended to (% respondents)

Packaged applications like CBS, ERP and CRM Third party applications
65
60
30
15
Externally provisioned applications (e.g. cloud based applications)
25
35
Characteristics of application security program

There seems a shift of security attacks towards application layer requiring a holistic approach towards application security. On being asked about the state of application security measures, more than half of the respondent banks indicated that they had formulated a dedicated application security function. Majority of the banks have set up measures for proactive application vulnerability management. Banks have started to use Static Application SecurityTesting (SAST) and Dynamic Application SecurityTesting (DAST) tools. Due to the requirement of specialized skills for conducting blackbox and greybox testing, banks are increasingly availing these services from external service providers. However, enterprise-wide focus on application security, which has been globally adopted and enabled by enterprise tools to integrate application security in life cycle processes, has not gained significant attention of banks operating in India. Moreover, the involvement of developer community in application security is lagging. An organizations application portfolio is characterized by the externally provisioned applications, third party applications and packaged applications along with in-house applications.The banks seem to be managing the security of their application portfolio adequately except for externally provisioned applications.
Security incident and fraud management (% respondents)

A mechanism exits for internal employees and customers to report incidents and fraud There exist a formal reporting mechanism to report incident and fraud to the management and regulatory authorities The scope of security monitoring is extended to all the critical log sources The incident management mechanism takes inputs from external knowledge sources on vulnerabilities, anomalous patterns and threats Collaborate with CERT-In for incident reporting and response 84 79
74
74
74
The logs are securely managed and archived in accordance with compliance requirements Business rules are defined to identify incidents and frauds Automated solution is implemented for log management, security monitoring The scope of the incident management has been extended to third parties The incident management mechanisms support forensic capabilities Real time monitoring mechanisms exist that can proactively detect anomalies Incident management mechanism is integrated with organization IT processes for remedial actions (e.g. integration through service management tools) There exist a mechanism to define detective and investigative requirements There exists an inventory of all the possible scenarios that can lead to incident and fraud There exist a mechanism that generate an incident based on patterns and business rule exceptions
74 68
68
68
63
58
58
53
47
47
36
Security incident and fraud management

There seems to be a need for developing intelligence in incident management mechanisms as many of the respondent banks do not have in place measures like real time monitoring mechanisms that can proactively detect anomalies, incident generation based on patterns and business rules and integration with organization IT processes for remedial actions. Banks continue to remain largely dependent on incidents being reported by their customers and/or employees.
Business Continuity Management and Disaster Recovery Program (% respondents)

RecoveryTime Objectives (RTO) for each business process are defined Architectural planning exists for DR and BC preparedness Continuity plan is documented and actionable Line of business is involved in BCM planning and operations Recovery Point Objectives (RPO) for each business process are defined A formal crisis communication mechanism exists Adequate resources and efforts are dedicated to the DR and BC preparedness Knowledge and information generated out of DR and BC operations are managed effectively Scope of the DR and BCP is extended to all externalities: network service providers, partners, vendors, and technical support Scenarios such as city outages, terrorist threats are incorporated in the scope DR and BC is managed as an operational practice An inventory of scenarios that could lead to disaster is maintained Frequent resiliency testing is undertaken Dependency map of all business processes with IT assts exists There exists a recovery service catalogue for systematic recovery DR and BCP program incorporates means to collaborate with public services and local bodies DR and BC is managed as a project Service Delivery Objectives (SDO) for each process are defined
33 28 83 78 78 72 72 72 72 67 67 61 61 56 56 50 50 50
Resiliency measures have been adopted for (% respondents)

Data center planning Systems and servers Network Application layers Security infrastructure Endpoints Messaging platform
28 39 72 67 61 61 83
BCM is part of information security (% respondents)
No 37% Yes 63%
37
BCP/DR program
The survey revealed that two-third of the respondent banks surveyed have Business Continuity Management as part of their Information Security Framework. Most of the banks have line of businesses involved in BCM planning and operations.The survey also revealed that respondents have a mature BC/DR planning process in place wherein the scope of BCP/DRP covers strategies for business processes and recovery objectives of each business process.The scope of the BCP/DRP for most organizations extends to all externalities: network service provider, partners, vendors, and technical support.
With respect to BCP/DRP preparedness, which of the following options you plan to implement/already implemented?
47 32
Use backup data center
21
Automated backup management
42
32
26
Use managed backup services
37
16
47
Data dependency mapping tool to get assurance over RPO
26 42
42
32
Automation of IT services failover
21
37
IT services dependency mapping tool
21
32
47
Tool for Business Continuity Planning
16
42
42
Outsourcing of DR operations
11
47
42
Tool for crisis/incident management
11
42
47
Service level management for mobile computing devices 5
11
26
63 47 47
Virtualization for DR
Emergency notification system
42
53
Hosting provider for co-location services
21
74
Build private cloud infrastructure
37
63
Cloud based DR services
37
63
Runbook automation
37
63
Implemented
Plan to Implement
Not Planned
38
BCP/DRP preparedness
The 24X7 operations of banks and concentration of technology and processes have significantly increased the need for business continuity/ disaster recovery capabilities. The Central Bank through guidelines and circulars emphasizes on the need for establishing effective capabilities. While many banks have implemented backup data centers, usage of mature practices such as Run Book automation,Tools for Business Continuity Planning, IT service failover, Emergency Notification system are still at nascent stages of adoption.
Physical security of information processing areas
Process exists for provisioning and de - provisioning access of visitors, vendors, partners, and support services
90
85
There exists a mechanism for identification and authorization of employee
85
Process exists for asset movement
85
Scope of security review is extended to cover physical security controls
Physical security mechanisms like CCTV are deployed and monitored for all information processing/critical areas like branches and ATMs
85
85
Physical security function is owned by the Admin department
75
Physical security is part of information security
Significant level of collaboration exists between physical security, information security and other functions of the organization
75
The scope of the security monitoring and incident management mechanism is extended to integrate the physical security incidents
55
75
Physical security is integrated with IT security through competent solutions
There exists centralized monitoring of physical security across various locations by Physical Security Operations Center (PSOC)
40
35
Physical security function is owned by the IT department
39
Physical security of information processing areas

More than half of the respondent banks have physical security integrated with IT security.The respondents realize that risk of data leakage increases with physical access to the operational facility.Therefore, organizations have established strong physical security controls for perimeter, entry points and interior areas along with mechanisms for identification & authorization of employees. Banks also aim for significant level of collaboration between physical security, information security and other functions. However, the centralized monitoring of physical security seems absent in most of the banks.
40
41
Regulatory Requirements
42
What benchmark do we need to achieve

Survey reveals that in majority of banks, technology investment decisions are getting influenced by ITAA 2008. Survey also reveals that there seems to be strong clarity amongst responding banks regarding applicability of ITAA 2008.
43
Banks' response to ITAA 2008 (% respondents)

Creating awareness amongst top / senior management Strengthening monitoring and incident management mechanism Creating awareness amongst employees Creating awareness amongst board members Identify the personal information flow to the organization Revising organizations security policy Scope of security & privacy to also cover employees' personal data Review vendor contracts Collaborating with competitors / peers Activating legal function Creating awareness amongst contractors / third party employees Contacting external information sources Creating awareness amongst customers Identifying and making an inventory of scenarios Developing a strong forensic investigation capabilities 20 15 50 50 50 50 50 45 40 35 35 30 65 65 60
Banks' response to ITAA 2008

The survey reveals that although more than half of the banks are working towards creating awareness among senior management, employees and board members, very few are creating awareness amongst contractors and third parties. ITAA 2008 has also resulted in banks internalizing the Act by updating their policies, reviewing vendor contracts and implementing measures to strengthen monitoring and incident management. However, the trend suggests that developing strong forensic capabilities that support data breach investigation is not seen as a priority in response to ITAA 2008.
Influence of ITAA 2008 on adoption of new technology solutions (% respondents)

ITAA 2008 has recently acquired a place in the discussion related to the technology investment ITAA 2008 does not have any bearings on technology related investment decisions ITAA 2008 is becoming a significant driver for investment in technology solutions 15 30 65
Influence of ITAA 2008 on adoption of new technology solutions

The survey reveals that banks have realized the importance of ITAA 2008 and 2 out of 3 banks are influenced by requirements of ITAA 2008 while taking technology investment decisions.
44
My organization can be sued under ITAA 2008 (% respondents)

100% 80% 60% 40% 20% 5% 0% Yes For customer related liabilities No Not Sure For employee related liabilities 11% 11% 95% 78%
0%
Awareness on ITAA 2008

There is clarity and awareness amongst responding banks regarding applicability of ITAA 2008 as most banks have responded Yes with respect to their liabilities under ITAA 2008.
Measures to mitigate risks arising from use of third party services

The survey reveals that almost all responding banks use traditional risk mitigation techniques for third party vendors, such as engaging into contracts and non disclosure agreements. However, banks must also adopt and implement proactive mechanisms like third party risk assessment framework, which can assist in continuous monitoring of the risk exposure.
Measures to mitigate risks arising from use of third party services (% respondents)
Using contract as an instrument to make the third party liable for any security breach Signing non disclosure agreement/confidentiality agreement with the third parties Deploying technical and organizational safeguards Making employees aware of the risks arising from use of third party services Conducting vendor risk management exercise Controls deployed as per "Third Party Risk Assessment Framework" development by organization 30 60 80 95
95
80
45
Technology response to ITAA 2008 (deployed / planning to deploy) (% respondents)

84 84 79 79 74 74 63 58 53 53 47 42 42 21 21 16 5 5
Privilege access management Network access control Security Incident and Event Monitoring (SIEM) Encryption of data over WAN Database activity monitoring Fraud management Data masking Legal and compliance management Cross channel transaction monitoring Mobile data protection Email encryption Data Loss Prevention (DLP) Hard disk encryption Computer forensic Threat management for mobile computing devices Compliance notification services Not planning to invest in new technology initiatives Sufficient budget not being available currently
Technology response to ITAA 2008 (deployed / planning to deploy)

ITAA 2008 has resulted in most of the banks strengthening / planning to strengthen their security incident and event monitoring by implementation of solutions to address the same. Some of the other solutions adopted / planning to adopt are to address privileged access management, network access control, WAN data encryption, database activity monitoring and fraud management. However, adoption of solutions to address key areas such as data loss prevention, hard disk encryption, email encryption and mobile security has been low.
46
Way Forward
Banks in India have strategically adopted new technologies to deliver better customer services, cut costs and gain competitive advantage. While the benefits of technology adoption are visible across the public and private sector banks, the technology risks emerging from these technologies have also grabbed attention in the recent years. Although external threats have remained a key driver for banking security, the Central Bank's leadership through guidance and compliance norms, has also contributed to the strengthening of security culture in the banks. Apart from these two factors, the recent amendment to InformationTechnology Act is also emerging as an important regulatory factor that is driving the security as well as privacy initiatives in the banks. Banking industry is responding to the contemporary security challenges through a formal security function that derives inspiration from leading security standards for overseeing security initiatives in the banks. Along with aligning the security initiatives to these leading security standards, banks need to invest their energies on providing architectural treatment to security, continuously assessing their exposure to threats through exercises such as threat modeling, and imbibing the practice of security in design.This will bring a structured approach in their defense strategies and programs for efficiently & effectively mitigating the real threats by ensuring that security is considered right from the design phase of any product or service. Though the security initiatives in banks are primarily driven by a centralized security function, the responsibility of security is fairly distributed among the different functions, realizing the old adage of security is every bodys responsibility.The focus is still on arranging in-house resources except for few specialized services like Application Security testing.There is a significant scope for banks to further outsource these services, leveraging the expertise of external service providers and consultants. The primary motivation behind the new age attacks is to make financial gains and therefore the focus of these attacks is on obtaining sensitive information like login ids ,transaction passwords, credit card information, etc.This necessitates the banks to take a data-centric approach when designing and implementing their security and privacy initiatives and build synergies between their fraud management and information security functions. Also, against the backdrop of increasing card related frauds, banks need to make investments in improving security of card transactions. The banking customers continue to be the soft target of the new age attacks. Lack of customer awareness, insecure customer endpoints and their likely impact on security of banking systems remain as important areas of concern.To address these concerns, efforts by individual banks alone may not prove to be sufficient.The entire banking industry, with guidance from the Central Bank, needs to collaborate for enhancing the security awareness of banking customers. On the other hand, banks need to enhance their maturity in the area of customer centric security. While basic measures for transaction security have been adopted, very few of them have implemented new generation authentication solutions like dynamic token, identity grid and risk based authentication. With increased digitization of customer information, increased levels of customer awareness on privacy and notification of IT (Amendment) Act, 2008, privacy has emerged as an important focus area for the banks in India. However, privacy is yet to be factored in the banking ecosystem. In response to these developments, banks in India need to undertake a comprehensive privacy program that ensures protection of their customers information throughout its lifecycle.
47
Acknowledgments
DSCI CoreTeam Vinayak Godse Vikram Asnani Rahul Jain Director Data Protection Senior Consultant Security Practices Senior Consultant Security Practices
KPMG CoreTeam Navin Agrawal Nitin Khanapurkar Kunal Pande Atul Gupta Vidur Gupta Pallavi Mantrao Tushar Surekha Deepak Agarwal KPMG SurveyTeam Alok Choubey Deepti Karnik Glyn Crasto Lekha Ragupathi Monami Banerjee Nikhil Kulkarni Preetam Hazarika Srirang Srikantha Sundar Ramaswamy Sweta Nalwaya Syamala Raju Peketi
Executive Director Executive Director Director Director Associate Director Manager Consultant Consultant
DSCI ProjectAdvisory Group N. Balakrishnan BJ Srinath Anjali Kaushik AkhileshTuteja Kartik Shahani Satish Das Baljinder Singh Vishal Salvi AshwaniTikoo PVS Murthy Deepak Rout Seema Bangera Chairman, DSCI and Associate Director, IISc Bangalore Senior Director, CERT-In MDI Gurgaon Executive Director, KPMG Country Manager, India and SAARC, RSA CSO, Cognizant Global Head ofTechnology, InfoSec & BCM, EXL Service CISO, HDFC Bank CIO, CSC Global Head Information Risk Management Advisory,TCS CISO, Uninor DGM Information Security, Intelenet Global
48
KPMG Contact Kunal Pande Director, IT Advisory Services KPMG in India T: +91 22 3090 1959 E: kpande@kpmg.com
DSCI Contact Vinayak Godse Director, Data Protection DSCI T: +91 11 2615 5071 E: vinayak.godse@dsci.in
www.kpmg.com/in
www.dsci.in
2011 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International Cooperative (KPMG International), a Swiss entity. Copyright 2011 DSCI. All rights reserved. Printed in India.

DSCI KPMG Banking Survey

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DSCI KPMG Banking Survey

Uploaded by

Copyright:

Available Formats

PROMOTING DATA PROTECTION

State of Data Security and Privacy in the Indian Banking Industry

Under the Cyber Security Awareness Program of DIT-NASSCOM

DataSecurityCouncilofIndia(DSCI)isasection25,not-for-profitcompany,setupby NASSCOMasanindependentSelfRegulatoryOrganization(SRO)topromotedataprotection, developsecurityandprivacycodes&standardsandencouragetheIT/BPOindustryto implementthesame.

FormoreinformationaboutDSCIorthisreport,contact: DATASECURITYCOUNCILOFINDIA NiryatBhawan,3rdFloor,RaoTulaRamMarg,NewDelhi-110057,India Phone:+91-11-26155070,Fax:+91-11-26155072 Email:info@dsci.in

State of Data Security and Privacy in the Indian Banking Industry

Message from CERT-In

Dr. Gulshan Rai DG, CERT-In

State of Data Security and Privacy in the Indian Banking Industry

Message from DSCI

Dr. Kamlesh Bajaj CEO, DSCI

State of Data Security and Privacy in the Indian Banking Industry

Message from KPMG

AkhileshTuteja Executive Director, KPMG in India

? Information security is still seen as an IT centric function with reporting of

the CISO to CTO/CIO of the bank.

? adoption of measures that have been strongly advocated for

card security have not been adopted by many of the banks.

banking as compared to other service delivery channels.

State of Data Security and Privacy in the Indian Banking Industry

State of Data Security and Privacy in the Indian Banking Industry

CISOs role and the tasks performed by the security organization

threats, card security & payment gateway security

Recovery Impact of IT (Amendment) Act, 2008 on the Banking industry Technology

? Evolution of Physical Security and its integration with Information

State of Data Security and Privacy in the Indian Banking Industry

Data Security and Privacy

Finding its place

State of Data Security and Privacy in the Indian Banking Industry

Drivers (Data security) (% respondents)

Drivers for data security

State of Data Security and Privacy in the Indian Banking Industry

Characteristics of security initiatives (% respondents)

Characteristics of security initiatives

State of Data Security and Privacy in the Indian Banking Industry

Positioning of security function (% respondents)

CISO reporting (% respondents)

Size of security team (% respondents)

Separate privacy function (% respondents)

Size of privacy team (% respondents)

Part of security teams

State of Data Security and Privacy in the Indian Banking Industry

Drivers for data privacy

Factors driving data privacy (% respondents)

Protecting privacy of employee data

Global data protection regulations

Characteristics of banks' privacy initiatives (% respondents)

Organization has a dedicated policy initiative for privacy

Specific technology, solutions and processes are deployed for privacy

The scope of audit charter is extended to include privacy.

State of Data Security and Privacy in the Indian Banking Industry

Characteristics of banks' privacy initiatives

Major challenges faced by banks (% respondents)

Major challenges faced by banks

State of Data Security and Privacy in the Indian Banking Industry

State of Data Security and Privacy in the Indian Banking Industry

Busines s Manage r 11% 5% 22% 5% 22% 0% 0% 0%

Corpora te Complia nce 0% 0% 11% 5% 6% 0% 0% 11%

Externa l Consult ant 22% 16% 6% 16% 6% 5% 0% 11%

Externa l Service Provide r 11% 0% 0% 5% 6% 5% 0% 0%

39% 84% 78% 84% 61% 68% 50% 74%

56% 37% 44% 47% 67% 63% 0% 37%

11% 0% 0% 0% 33% 42% 25% 5%