It is necessary to have a well-prepared plan:
Database security is the broad range of information security controls that protect the data and the related database applications, systems, servers and associated network links against compromises of their confidentiality, integrity and availability. Internal controls are essential to protect the information or data from unauthorised access, disclosure, disruption, modification, inspection, recording or destruction. Threats and database security go together.
There are many threats, such as software attacks, theft of intellectual property, identity theft and theft of equipment which contains data. Banks prepare information security policies to ensure protection of their information assets against the risks of loss, misuse, disclosure and damage, and to give the necessary guidelines to follow. Information security policies are a regulatory requirement and have to be approved by the board of directors. It is equally important to see whether the policies prepared are implemented in true spirit and not just on paper to satisfy the regulatory authorities. It is often noticed that even though banks do have such policies, they do not percolate to the micro level, and the staff are not aware of the requirements or of what should be done in case of an eventuality.
Further, it is necessary to update the IS policies regularly so that they stay in tune with the latest technology and products introduced at the bank.
The most important aspect in any risk scenario is awareness of the pitfalls and of how to overcome them. Here there is no substitute for regular training of staff members on the various aspects of the risks and on the policies of the bank. The bank may take help from external experts in this exercise if internal resources are not available. An assessment may be made after the training programme to find out whether staff members have understood the intricacies and whether any fine-tuning of the training schedule is necessary. Training should be an ongoing exercise, repeated whenever new developments take place or new technologies are introduced, and it should cover not just the operational staff but middle and top-level executives too. Most failures of a new technology-driven product happen because of a lack of training of the operational staff.
Violation of database security may occur through unauthorised access, unintended activity or misuse of data, or inappropriate changes to programs and configurations. There can also be leakage or disclosure of personal and proprietary data, or deletion of or damage to data and programs. It is therefore necessary that database security is centred at the data centre and that the necessary safeguards are put in place by framing suitable policies and guidelines. The policies, including access control policies and backup procedures, should be documented for both in-sourced and outsourced activities. To start with, the necessary policies should be prepared for physical security, environmental controls, backup procedures, network controls and so on. An Information Security Management System (ISMS) is the set of policies concerned with information security management and related technology issues.
The three Ds of information security are (i) Secure by Design (eliminate vulnerabilities), (ii) Secure by Default (avoid automatic permissions and the like) and (iii) Secure in Deployment. The controls may include preventive controls, detective controls and corrective controls.
Once a crisis situation develops, one should not go witch-hunting; instead it is better to find out how serious the impact is, which operational areas are affected and how fast the correction can be made. Untoward incidents cannot be avoided in any technology scenario. The risk to the assets can be calculated by a Business Impact Analysis (BIA), which is generally the magnitude of the potential loss; once this is identified, the necessary action should be taken to set right the issue and to minimise the risk.
The fundamental task in BIA is understanding which processes are vital for ongoing operations and what impact a disruption of these processes would have on business and customer service. BIA is the process of figuring out which processes are critical, which ones affect customer service, and what the impact of a disruption to those processes would be. Various criteria are used for this purpose, including customer service, internal operations, legal or regulatory obligations and financial impact. From an IT perspective, the goal is to understand the critical business functions and link them to the various IT systems. As part of this assessment, understanding the interdependencies of the various critical processes with respect to both disaster recovery and business continuity, especially from an IT perspective, is most crucial.
The most important thing is to take immediate action to prevent the incident from affecting other operational areas and to prevent a repetition. Banks should have in place a detailed Business Continuity Plan (BCP), approved by the board. There is a misconception that a backup policy or disaster recovery policy is enough to take care of these things. Those policies cover the technology areas only, not all the banking operations. A BCP is an exhaustive plan covering all the operational areas, including technology, to ensure smooth customer service in case of any disaster. It is not enough just to have a plan or policies; they must be understood by the staff members so that they can follow the guidelines in emergencies.
Finally, too much dependency on anything leads to lethargy and subsequent risk. This is true of everything, including staff and technology solution providers. Some banks depend on their technology solution providers for all activities without any supervisory control over them. There lies the risk. All said and done, the bank is ultimately responsible for whatever happens and should take safeguards to protect its assets and to provide continued customer service.