© 2009 IDBI Intech, Inc. All rights reserved. IDBI Intech Confidential 1 Information (Data) Security & Risk Mitigation

Upload: wesley-oconnor

Post on 26-Dec-2015


TRANSCRIPT

Page 1: Information (Data) Security & Risk Mitigation

Page 2: IT Act 2000 Amendment (Sec 43A)

• Body corporates such as banks that handle sensitive personal data must implement and maintain reasonable security practices and procedures.

• If negligence in doing so causes wrongful loss or gain, damages are payable by way of compensation to the person affected, with no upper limit on the amount.

Page 3: Information Security - Myths

• Passwords are enough to secure our business

• Data backups are enough; why plan for BCP?

• Information Security is the responsibility of IT...

• Our existing security controls are adequate to prevent any information loss

Page 4: Information Security - Reality

• Critical data is accessible to others because I left my PC/terminal unattended

• A worm infecting my machine can bring down the entire network

• My account is used to commit fraud because my password is weak or shared

Page 5: Why Information Security?

• To protect Confidentiality, Integrity and Availability of information

• People are the weakest link in Information Security, so every user needs:

• To know their security responsibilities

• To know the Information Security risks associated with their job responsibilities

• To adhere to the organisational security policies

Page 6: Information Security Risks

• Online Frauds

• Hacking Attacks

• Phishing / Vishing Attacks

• Spam

• Data Theft

• Insecure Business Applications

• Malware / Spyware

• Virus / Worm / Trojan Attacks

• Denial of Service (DoS) Attacks

• Lack of User Awareness

Page 7: Risk Mitigation Measures

Infrastructure Set-up

• DR Site

• DR Drills

• Updated BCP

Critical Applications

• High Availability Clusters / Multiple Servers

• Application Security Testing

• Parameter Fine Tuning

• Hardened Operating Systems

• Strong Physical Security / Surveillance Cameras / Biometric Access

Page 8: Risk Mitigation Measures

Delivery Channels

• Secured indirect access to the Core Banking System (CBS)

• Independent Systems

• Encrypted Data Exchange across systems

• Multiple (multi-factor) Authentication

Outsourced Services

• Drafting and Monitoring of SLAs

• Non-Disclosure Clauses

• Review and Monitoring of Reports and Outputs

• Third-Party Employee Background Checks

Page 9: Risk Mitigation Measures

Users

• Access on a need-to-know basis

• Periodic Review of Access Rights

• Strong Authentication

• Awareness Training

Networks

• Intrusion Detection / Prevention Systems

• Internal and External Firewalls

• Periodic Penetration Testing

• 24x7 Cyber Policing / Attack Monitoring

• Virus / Worm / Malware / Spyware Protection

• Regular Security Updates for IPS/IDS and Anti-Virus

Page 10: Information Security Practices

• Information Security Management System

• Information Security Policy & Procedures

• Continuous Risk Assessment

• Information Security Incident Management

• Business Continuity / Disaster Recovery Plans

• Information Systems Audit

• Network Security Audit

• Application Security Testing

• Vulnerability Assessment / Penetration Testing

• Security Operations Centre (SOC) / Cyber Policing Control Room

• Awareness Trainings

Page 11: Thank You