Cy­ber Se­cu­rity

Cre­at­ing aware­ness is the need of the hour:

Banking Frontiers - - News - - Babu V. is for­mer DGM- IT of Bank of In­dia. He is a diploma holder in cy­ber law and an ISO/IEX ISMS 27001 (2103) cer­ti­fied au­di­tor. He is also a con­sul­tant mem­ber at Fin­noviti Con­sult­ing

The most im­por­tant fac­tor in­volved in cy­ber se­cu­rity is de­fence and of­fence. What­ever may be the se­cu­rity pre­cau­tions an or­ga­ni­za­tion might have taken, these may not be suf­fi­cient to take care of the cy­ber in­ci­dents since cy­ber hack­ers are al­ways one step ahead. If the co­op­er­a­tive banks are not vig­i­lant, it is only a ques­tion of time be­fore they face a cy­ber at­tack on their sys­tems.


Any strong first line of cy­ber se­cu­rity re­quires a sig­nif­i­cant ef­fort on the part of the man­age­ment and the board. The board of di­rec­tors has the full re­spon­si­bil­ity for adopt­ing and im­ple­ment­ing ap­pro­pri­ate cor­po­rate poli­cies as en­vis­aged by the reg­u­la­tory au­thor­i­ties. This should cover the man­age­ment re­spon­si­bil­i­ties and the con­trol prac­tices for all the ar­eas of in­for­ma­tion pro­cess­ing ac­tiv­i­ties to take care of the cy­ber se­cu­rity.

It is no­ticed in banks that most of the time in­struc­tions given by the reg­u­la­tory au­thor­i­ties are rou­tinely passed on to the tech­nol­ogy depart­ment with­out any proper study. It is also ob­served that even though some of the banks have these se­cu­rity poli­cies, the same are not im­ple­mented in true spirit and are kept only for au­dit pur­pose. It is ne­c­es­sary for the man­age­ment to en­sure that the se­cu­rity poli­cies are cus­tom­ized and fine-tuned to suit the in­di­vid­ual needs of the bank and it is im­ple­mentable one.


A bank may in­vest in ne­c­es­sary tools to strengthen com­puter sys­tems but may not be hav­ing trained man­power to take care of the same. Se­cu­rity aware­ness train­ing is re­quired, not only for the staff work­ing in the tech­nol­ogy depart­ment, but to all em­ploy­ees, con­trac­tors or staff de­puted by dif­fer­ent out­sourced ven­dors. They should be trained in the bank’s in­for­ma­tion sys­tems se­cu­rity poli­cies, pro­ce­dures, le­gal obli­ga­tions spe­cific to their area of op­er­a­tion and their re­spon­si­bil­i­ties. This en­sures all the staff mem­bers and the con­trac­tor’s staff who are the first line of de­fense, are aware of the de­tails and as­sist the tech­nol­ogy team in safe­guard­ing the as­sets of the bank.

All per­son­nel in­clud­ing the man­age­ment and the board should also be trained so that they are well aware and can guide the staff mem­bers in times of need. It is to be noted that train­ing is not one­time, but it should be done on a con­tin­u­ous ba­sis at cer­tain in­ter­vals or when­ever any tech­nol­ogy re­lated changes hap­pen.

The man­age­ment should also train the staff mem­bers on in­ci­dence re­port­ing sys­tem and pro­cesses and should make them com­fort­able, so that they are will­ing to re­port even an in­signif­i­cant in­ci­dent no­ticed in the sys­tem. Man­age­ment sup­port is the most im­por­tant, since it is no­ticed that staff mem­bers, even if they no­tice any in­ci­dent, are not will­ing to re­port due to lack of sup­port. In­ter­nal au­di­tors should also be trained so that they are aware of the pro­cesses while do­ing the au­dit­ing and can help the bank to take ne­c­es­sary steps to strengthen the sys­tem.


Even though the au­dit is the most im­por­tant func­tion in a bank to safe­guard its as­sets, it is ob­served that this area is given least im­por­tance in most of the banks. The au­dit is done on a rou­tine man­ner and the re­ports are mainly fo­cused on banking trans­ac­tions and not on the tech­nol­ogy area. The main rea­sons are that the banks do not have au­di­tors, who are trained in au­dit­ing IT area.

The most im­por­tant func­tions of the au­di­tor in a com­put­er­ized en­vi­ron­ment is track­ing all sen­si­tive trans­ac­tions as well as master, pa­ram­e­ter and static data in an ap­pli­ca­tion; ad­e­quate au­dit trails should be gen­er­ated and made avail­able at reg­u­lar in­ter­vals and pro­ce­dures should be im­ple­mented for in­stan­ta­neous re­view of the said au­dit trails by the au­di­tors.

It is ob­served that most of the in­ter­nal au­di­tors are not equipped with knowl­edge to sug­gest the de­fen­sive as well as of­fen­sive mech­a­nisms. Due to this, the banks de­pend on ex­ter­nal au­di­tors who may or may not be hav­ing enough work­ing ex­pe­ri­ence. Of­ten IS poli­cies drafted are not suit­able and need fine-tun­ing to suit the co­op­er­a­tive banks.

Fi­nally, nobody can pre­dict when the cy­ber­at­tack will hap­pen. How­ever, the banks can han­dle such ex­i­gen­cies bet­ter if their staff mem­bers are equipped with ne­c­es­sary knowl­edge to re­port the in­ci­dents im­me­di­ately so that the dam­age is min­i­mized.

Babu V.

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.