in step with the times


Upload: dataquest

Post on 06-Mar-2016


74 | October 31, 2011 visit www.dqindia.com DATAQUEST | A CyberMedia Publication

Tablets

RBI is leaving no stone unturned to ensure that banks evolve from being late users to the best implementors of technology


SHILPA SHANBHAG

(With inputs from Onkar Sharma)

RBI Security Policies

In Step With the Times

Technology has touched lives in more ways than one and the banking sector is one of the recent beneficiaries to vouch for it. Technology has been used across many areas of the banking business in India. Banks have been taking up new projects like data warehousing, customer relationship management, and financial inclusion initiatives to further innovate and strategize for the future and to widen the reach of banking. Keeping in view the changing threat milieu and the latest international standards, it was felt that there was a need to enhance RBI guidelines relating to the governance of IT, information security measures to tackle cyber fraud apart from enhancing independent assurance about the effectiveness of IT controls.

Viewpoint Corner

Prasad CVG, CIO, ING Vysya Bank, says, “The RBI guidelines reflect the regulator’s seriousness in maintaining robust cyber security levels in banks and financial institutions. The document covers most of the concerns in a detailed manner and gives the liberty to banks to implement solutions that fit their working environment. Banks can do a gap analysis to understand and identify which are the solutions they need first. As the guidelines say, banks can implement first the solutions that do not require a lot of investment.”

“Information is the blood of any society and hence this highlights the reason to safeguard it the most. The information security policies are in sync with those being followed across the developed nations. This report is a right step at the right time and in the right direction,” says Dr Gandhi PC Kaza, chairman, expert board (former IGP & director, APFSL), Truth Labs.

“The report can be described as a timely step as most of the institutions are aligned to either verticals or businesses. This report lays down the framework for a uniform model of IT governance which is the need of the hour. It will surely lead to a collaborative effort,” says Muralidharan R, chief operating officer, Dhanlaxmi Bank.

“It can be described as an IT vision document for 2011-17 and is recommendatory in nature,” says B Murali Nair, chief technology officer, Lakshmi Vilas Bank.

Finer Aspects

The report mentions that the use of emerging technologies such as data center hosting, applications as a service, and cloud computing has given rise to unique legal jurisdictions for data and cross-border regulations. It was felt that banks are required to clarify the jurisdiction of their data and applicable regulations at the outset of an outsourcing arrangement. This information should be reviewed periodically and in case of significant changes performed by the service provider, it notes. It also contains provisions in relation to use of data warehousing.

“The newer banks will not face a challenge in relation to the new data warehousing guidelines as they are in line as far as automation is concerned. Meanwhile, it will be a challenge for the older banks that will have to deal with reams of data and leaps of technology to be implemented. The report requires all transactions to be done on HTP mode and discourages manual feeding of data. With 60-70 applications being operated at a time and having to deal with a large quantum of data and staff alike where many may be required to be trained also, it would be a big challenge for the older banks,” says Nair.

The need for new guidelines in relation to data warehousing is to ensure that RBI can gain access to the bank’s systems when it requires. Considering the fact that the BFSI segment has been a late and hesitant adopter of technology owing to the crucial data that it deals with, this is not going to be easy. But it needs to be borne in mind that in the future such an automated system will help in the decision support system as it will enable information-backed decisions to be taken. Currently, banks are taking decisions based on information that is either 2 or 3 years old but access to reams of data will help in taking better informed decisions.


Technology is not the challenge but using existing infrastructure and leveraging on the same to match steps with the guidelines is going to be a challenge, especially in banks where there are less investments allocated for the purpose of technology. The need of the hour is to balance investment with IT in a witty manner. “We would like to leverage on our existing technology to ensure that we are in step with the RBI report,” says Nair.

The report also highlights the need for a CIO in a bank to play a key role in the executive decision-making function. The key role of the CIO would be to act as a bridge between the IT function and the management. It has also set the guidelines for a senior level official of the rank of GM/DGM/AGM to be designated as the chief information security officer (CISO) who would be responsible for articulating and enforcing the policies that a bank uses to protect its information assets apart from coordinating the information security related issues/implementation within the organization as well as relevant external agencies. The guidelines state that the CISO should report directly to the head of the risk management function and should not have a direct reporting relationship with the CIO.

“The provisions regarding creation of a function of CIO and IVO positions can be labeled as a good move as they can play a critical role in risk management,” says Prasad.

On a cautious note, Nair says, “The CIO should be a part of the IT department as he is well equipped for making informed decisions and also explain the needs of the IT department well.”

“It is a very good move to create a full-fledged responsibility as the CIO who will act as a bridge between the technology and business functions. Meanwhile, the CISO will be designated to protect all the crucial assets of the bank. We have kept information security as an independent function but if it becomes a part of the IT department, there will be temptations for IT infrastructure use. For small banks, AGM-IT will be responsible for the same functions as the CISO. We expect that the use of technologies will enable banks to leapfrog into a new era as IT is the backbone,” says Muralidharan.

Dr Gandhi says, “Banks can take advantage of software that enables digital analysis of fraud even when faced with the issue of limited budgets and employees. Banks can also undergo audit procedures by an individual authorized by the Government of India or Department of Information Technology. The CISO of these banks can develop software attuned to their specific interests and then undergo the process of scrutiny. They could also use forensic accounting software or fiber forensic, which we use. Use of such software will ensure that more than half of the scrutiny job is catered to. This report can be termed as the right step in the prevention and control of data security.”
