MANAGEMENT IN BANKS”
On
By
KAUSTUBH D. GONDHALEKAR
WM/JO5/004
MBA III
(Information Management Specialisation)
This work has not previously been accepted in substance for any degree and is not being
concurrently submitted in candidature for any degree.
Signed___________________________________________ (candidate)
Date ____________________________________________
STATEMENT 1
This dissertation is being submitted in partial fulfillment of the requirements for the
degree of _________________________________________ (i.e. MA, MSc, MBA etc.)
Signed____________________________________________
Date _____________________________________________
STATEMENT 2
This dissertation is the result of my own independent work and investigation, except
where otherwise stated. Other sources are acknowledged by footnotes giving explicit
references. A bibliography is appended.
Signed____________________________________________
Date _____________________________________________
STATEMENT 3
I hereby give consent for my dissertation, if accepted, to be available for photocopying
and for inter-library loan, and for the title and summary to be made available to outside
organizations.
Signed____________________________________________
Date _____________________________________________
TABLE OF CONTENTS
DECLARATION i
LIST OF TABLES ii
EXECUTIVE SUMMARY 1
1 CHAPTER:1 – INTRODUCTION 3 – 11
1.1 Background 3
1.6 Hypotheses 9
1.8 Limitations 10
2.2 Scope of IS 14
3 Chapter : 3 – METHODOLOGY 48 – 54
3.1 Introduction 48
3.8 Summary 55
4 Chapter : 4 – ANALYSIS 56 – 73
4.1 Introduction 56
5 Chapter : 5 – CONCLUSION 75 – 93
6 Chapter : 6 – BIBLIOGRAPHY 94
Appendix I 104
Appendix II 119
Appendix IV 125
A Better Way
The holistic roadmap to security risk management provides a proactive approach
that can assist organisations of all sizes with their response to the requirements presented
by these environmental and legal challenges. A formal security risk management process
enables enterprises to operate in the most cost efficient manner with a known and
acceptable level of business risk. It also gives organisations a consistent, clear path to
organise and prioritise limited resources in order to manage risk. The benefits of using
security risk management would be realised when the cost-effective controls that lower
risk to an acceptable level are implemented.
The definition of acceptable risk, and the approach to manage risk, varies for every
organisation. There is no right or wrong answer; there are many risk management models
in use today. Each model has tradeoffs that balance accuracy, resources, time,
complexity, and subjectivity. Investing in a risk management process—with a solid
framework and clearly defined roles and responsibilities—prepares the organisation to
articulate priorities, plan to mitigate threats, and address the next threat or vulnerability to
the business. Additionally, an effective risk management program will help the
organisation to make significant progress toward meeting new legislative requirements.
During a risk assessment process, qualitative steps identify the most important risks
quickly. A quantitative process based on carefully defined roles and responsibilities
follows next. Together, the qualitative and quantitative steps in the risk assessment
process provide the basis on which you can make solid decisions about risk and
mitigation, following an intelligent business process.
1.1 Background
Information is an asset that, like other important business assets, is essential to an
organisation’s business and therefore needs to be updated regularly and suitably
protected. Since most businesses in the present and recent past have been
electronically connected in networks, IS and its management play a major
role. As a result of this existing and ever-increasing interconnectivity, information
is now exposed to a growing number and a wide variety of threats and
vulnerabilities.
Businesses are vulnerable to various kinds of information risks inflicting
varied damage and resulting in significant losses. This damage can range from
errors harming database integrity to fires destroying entire computer centers or
facilities. To control IS risks, the management needs to anticipate and be aware of
the potential threats, risks and resultant loss and accordingly deploy the necessary
controls across the environment.
IS is the protection of information from a wide range of threats in order to
ensure business continuity, minimise business risk, and maximise the return on
investment (ROI) and thereby extend the business opportunities.
“Security is like oxygen; when you have it, you take it for granted,
But when you don’t, getting it becomes the immediate and pressing priority”
----- Joseph Nye, Harvard University.
An IS Risk can be defined as any activity or event which threatens the
achievement of identified business objectives by compromising
‘Confidentiality’, ‘Integrity’, ‘Availability’ of the business information1.
Banks have always been among the most important targets for hackers,
crackers and cyber criminals, as an IS breach may lead to substantial losses. These
losses may lead to the downfall of the banking industry and thus have an impact on
the economy.
The actual losses on account of IS issues are difficult to estimate. However, the 639
companies that responded to the 2005 CSI/FBI Computer Crime and Security
Survey reported total losses of $130 million, with viruses, unauthorised access
and theft of proprietary information accounting for 80% of it. Given the risks, IS
should be a top priority of any organisation, and not just of its IT department.
That's where a formal IS Management Program comes in.
Case Study: Newspaper clipping – Banks notify customers of data theft.2
The news item appeared in the money and business section of the website
http://home.netscape.com. A summary of the item is presented below:
Summary:
• More than 100,000 customers of Wachovia Corp. and Bank of America Corp.
have been notified that their financial records may have been stolen by bank
employees and sold to collection agencies.
• So far, Bank of America has alerted about 60,000 customers whose names
were discovered by police, while Wachovia has identified 48,000 current and
former account holders whose accounts may have been breached.
• Both banks are providing the affected customers with free credit reporting
services.
• In a separate case with a potential for identity theft, a laptop containing the
names and Social Security numbers of 16,500 current and former MCI Inc.
employees was stolen last month from the car of an MCI financial analyst.
MCI would not comment on whether the data was encrypted.
• The bank record theft was exposed last month when police in Hackensack,
N.J., charged 9 people, including 7 bank workers, in an alleged plot to steal
the financial records of thousands of bank customers.
• What are the information risks and security threats involved in the Banks?
• What benefits will be derived by implementing these systems in the
existing scenario?
• What should be the ideal characteristics of the IRSMS?
• What functions in security and risk management must be accomplished by
an IRSMS to support Banks?
• What would be the Total Cost of Ownership (TCO) for the institution?
1.6 Hypotheses
• The security policies in the same organisation (Bank) may differ based on
the geographic location.
• Many Banks prefer accepting the security risk rather than mitigating,
transferring or avoiding it.
• IRSMS policies show wide variations across all types of financial
institutions (here the type of bank would be considered, i.e. Apex / Public
Sector Commercial / Private Commercial / Co-operative / Foreign bank.)
1.8 Limitations
• The findings are based entirely upon research conducted in India and
hence may not be applicable to other countries of the world on account of
technological diversity and contextual forces.
• This kind of research needs to be repeated periodically to gauge the
soundness of the security risk management program designed in an
organisation such as a bank, because technology and its vulnerabilities
change constantly.
• To test the hypothesis “The security policies in the same organisation
(Bank) may differ based on the geographic location”, the research may
not have considered several banks of similar type. It may be limited to
the same bank at different locations.
• The research may not be able to provide exact financial figures or the
financial impact of IS threats and the risks that follow them, because of
the reputation risk involved. The respondents might provide incomplete,
partial or inauthentic information in answer to the questions posed in the
survey.
1.9 Overview of the Paper
An introduction to the topic of research “IS Risk Management” is provided in
Chapter 1. The introduction focuses on aspects such as:
• Background of the Research Study,
• Purpose and Importance of the Study,
• Problem Statement,
• Research Questions With Certain Assumptions,
• Research Methodology.
It also throws light on the limitations of the study.
In the Literature Review, the research provides a close look and feel of the
similar incidents in the past and in the present amongst various banks across the
country and the globe. The basic intention of this academic report is to spread
awareness regarding IS Threats and the Risk which follows them. The researcher
has tried to collect several examples from within the country or across the globe
which are on similar lines.
Chapter 3 is dedicated to the methodology of the research. It points
to the sources of the data and information collected through surveys,
questionnaires, personal interviews, authentic articles on the web, magazines, etc.
This chapter revisits the research questions, research hypotheses, etc. mentioned
in Chapter 1. It also describes the method of inquiry and the method of
analysis applied once the data is collected.
Chapter 4 illustrates the analysis performed on the data to obtain the
desired results. The analysis also throws more light on the key findings which I
came across while performing the analysis.
Chapter 5 provides the overall findings and the conclusions based on the
survey, the analysis and also the management perspective. This chapter also
describes what needs to be done in order to prevent IS threats from recurring
and the steps taken to prevent them. In fact, these steps need to be incorporated in
the initial procedures of both personnel management and sourcing and change
management decisions. The bottom line is “Prevention is always better than
cure”.
CHAPTER 2
LITERATURE REVIEW
Introduction
The chapter provides further insights into the traditional definition of
IS and Risk Management along with its historical background. It also sheds light
on the makeover, or phase shift, which has occurred in the field of IT. The
chapter also defines the scope of Information Systems and IS.
The literature review shows how IS and Risk Management apply to
banks. Why is it essential to take responsibility and subdue the threats causing
financial losses to the business sector as well as to the national and world
economies? In order to achieve this it becomes even more important to
understand what kinds of attacks are possible and the manner in which they
should be dealt with. Owing to scope and other constraints, this academic
research is unable to cover all the threats or give the remedies for
them. Even so, a wide range of threats is described below, with some
actual facts.
The literature review also attempts to focus on the computer frauds that
have occurred and their repercussions. It also points out the reason why computer
crimes are difficult to prove in a court of law. The types of computer crimes, their
impacts or effects and the victims are explained in the review. The review also
focuses on drawing the readers’ attention towards the understanding of IS at
length. The focus area for all the organisations, including banks, is the IT
spending pattern, which is already considered and explained in the review.
2.1 History of IS and Risk Management
• IS Management – A Concept
• Phase Shift of IS
The role of IS has changed during the past few years. ‘The
Traditional definition of protecting networks and the datacenters has
undergone a shift in focus resulting in the enablement of the businesses
with security solutions actually moving the business forward or even to
the next step. Security is now a way of life and a must-do for businesses in
order to survive. Hence, it has become obvious that, wherever the
information goes, security follows.’
3: Driving an IS Program in the Tertiary Environment; www.auckland.ac.nz/security; access date: November 28, 2005.
5 : Source: http://www.securesynergy.com/library/artcles/125-2003.php;
6: Defining Information Threats, Felix Mohan, CEO - Secure synergy; access date: May 05, 2006.
Active attacks would include attempts to:
[Table: Serial No. / Type of attack]
For example:
• Working with a small innovative start-up company whose promising
software solution could generate significant returns, but could also
harbour the associated risk of the small company’s IT environment
• Starting or acquiring operations in low-cost countries where the
infrastructure is less secure
• Outsourcing business processes to suppliers with lower-cost structures
but unknown or hard-to-monitor security practices
• Exposing internal business data to customers and partners to help with
the creation of new services or reduce operating costs.
All of these create security risk, even with the best practices. Becoming
aware of the risks is just the first step in building an effective management
strategy. In our survey of retailers, over 85 per cent said that the level of IS
offered by their suppliers was important to them. Yet we find that companies in
each industry are struggling to develop effective ways to measure and manage
security risks across their extended enterprise.
A simple way to reduce security risk is to limit business innovation – to
avoid partnering, pull systems offline and lock down the fort. This is a serious
mistake. Instead, risk should be balanced with reward. Embedding IT risk into
your overall enterprise risk management strategy implies establishing a risk
posture that does not seek to eliminate security risk, but rather manages it. The
key is first to understand the vulnerabilities, threats and consequences.
Vulnerabilities are areas that can be exploited by malicious individuals or
organisations.
Examples include poorly maintained software (such as failing to
patch known security holes), poor security practices (such as inadequate password
and identity management), or the exposure to the internet of older systems whose
security state is unknown. Given these vulnerabilities, what are the threats? Are there
outsiders who are motivated and capable of exploiting the vulnerability? Or are
there insiders who may be tempted to steal intellectual property? Finally, if
security were breached, what would the consequences be? Would they be primarily
observed internally, or would they affect external groups, such as customers or
business partners?
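The two-stage process described in the executive summary (qualitative steps first to find the important risks quickly, then a quantitative pass) and the vulnerability / threat / consequence questions in this passage can be carried through in code. The following Python is an added example, not code from the dissertation: the risk register, loss figures and control costs are constructed for illustration, and the annualised loss expectancy (ALE = SLE × ARO) and return on security investment (ROSI) formulas are the standard textbook definitions, not figures or methods the study specifies.

```python
from dataclasses import dataclass

# Qualitative rating scale used in the first (triage) stage.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    """One risk, recorded as the vulnerability / threat / consequence triple the
    text asks about, plus the inputs each assessment stage needs."""
    name: str
    vulnerability: str      # what can be exploited
    threat: str             # who or what is motivated and able to exploit it
    consequence: str        # what happens, and whether it is internal or external
    likelihood: str         # qualitative: low / medium / high
    impact: str             # qualitative: low / medium / high
    sle: float = 0.0        # single loss expectancy: money lost per occurrence
    aro: float = 0.0        # annual rate of occurrence


@dataclass
class Control:
    """A candidate mitigation, its annual cost, and the fraction by which it is
    expected to reduce the occurrence rate of the risk it addresses."""
    name: str
    mitigates: str          # Risk.name
    annual_cost: float
    aro_reduction: float    # 0.0 .. 1.0


def qualitative_score(risk):
    """Stage 1 score: likelihood x impact on the 1..3 scales (range 1..9)."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def triage(risks, threshold=4):
    """Stage 1: rank all risks by qualitative score and keep those at or above
    the threshold; only these go on to the quantitative stage."""
    ranked = sorted(risks, key=qualitative_score, reverse=True)
    return [r for r in ranked if qualitative_score(r) >= threshold]


def ale(risk):
    """Annualised loss expectancy = SLE x ARO."""
    return risk.sle * risk.aro


def rosi(risk, control):
    """Return on security investment for applying `control` to `risk`:
    (ALE before - ALE after - annual cost of the control) / annual cost."""
    ale_after = risk.sle * risk.aro * (1.0 - control.aro_reduction)
    return (ale(risk) - ale_after - control.annual_cost) / control.annual_cost


def decide(risks, controls, acceptable_ale):
    """Stage 2: for each triaged risk, accept it if its ALE is already within the
    acceptable level, mitigate it with the control offering the best positive
    ROSI, or, when no control pays for itself, flag it for accept / transfer /
    avoid. Returns {risk name: (decision, control name or None)}."""
    decisions = {}
    for risk in risks:
        if ale(risk) <= acceptable_ale:
            decisions[risk.name] = ("accept", None)
            continue
        options = [c for c in controls if c.mitigates == risk.name]
        best = max(options, key=lambda c: rosi(risk, c), default=None)
        if best is None or rosi(risk, best) <= 0:
            decisions[risk.name] = ("accept-transfer-or-avoid", None)
        else:
            decisions[risk.name] = ("mitigate", best.name)
    return decisions


# Constructed sample register: illustrative figures, not data from the study.
SAMPLE_RISKS = [
    Risk("unpatched internet banking server", "known hole not patched",
         "external attacker", "customer data exposed (external)", "high", "high",
         sle=500_000, aro=0.5),
    Risk("insider sells customer records", "broad access to records",
         "bank employee", "identity theft of customers (external)", "medium", "high",
         sle=2_000_000, aro=0.1),
    Risk("fire in computer centre", "single site, no DR", "accident",
         "prolonged outage (internal)", "medium", "high", sle=5_000_000, aro=0.01),
    Risk("defaced public website", "unhardened web server", "vandal",
         "embarrassment, clean-up (internal)", "high", "medium", sle=20_000, aro=1.0),
    Risk("stolen unencrypted laptop", "no disk encryption", "opportunistic thief",
         "records exposed (external)", "medium", "medium", sle=200_000, aro=0.2),
    Risk("virus on branch workstations", "stale anti-virus", "commodity malware",
         "clean-up cost (internal)", "high", "low", sle=5_000, aro=4.0),
]

SAMPLE_CONTROLS = [
    Control("patch management programme", "unpatched internet banking server", 60_000, 0.8),
    Control("access monitoring and need-to-know", "insider sells customer records", 150_000, 0.5),
    Control("quarterly access review", "insider sells customer records", 40_000, 0.3),
    Control("second data centre (DR site)", "fire in computer centre", 400_000, 0.95),
    Control("full-disk encryption on laptops", "stolen unencrypted laptop", 10_000, 0.9),
]


def run_assessment(acceptable_ale=25_000):
    """Run both stages over the sample register and return the decisions."""
    return decide(triage(SAMPLE_RISKS), SAMPLE_CONTROLS, acceptable_ale)


if __name__ == "__main__":
    for name, (decision, control) in run_assessment().items():
        print(f"{name}: {decision}" + (f" via {control}" if control else ""))
```

Two outcomes of the sample run are worth noting. The insider risk is mitigated by the cheaper quarterly access review rather than the more effective but more expensive monitoring programme, because the latter costs more than the loss it averts. The fire risk survives triage but no control on offer pays for itself, so the register marks it for a transfer (insurance) or acceptance decision, which is the situation the Chapter 1 hypothesis describes when it says banks often accept a risk rather than mitigate it.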
Internal failures, like viruses, generate real operational costs for the IT
department but rarely put the company into a catastrophic tailspin. On the other
hand, external failures, such as a breach of customer information, can be much
more painful, warranting far greater attention. To manage risk in the most
effective way possible, companies should include IS in the broader perspective of
business risk management, where the board of directors governs the company’s
overall risk posture. This same perspective must also be applied to business
partners. For many companies, measuring supplier risk will require new tools for
supplier security qualification. Like those tools used to assess a supplier’s product
quality, supply chain reliability, or its long-term financial viability, suppliers
should be qualified using a technical assessment of security and an assessment of
the supplier’s information risk management practices. Risks of working with a
new partner can then be balanced against the benefit that the partner delivers.
Most importantly, managing information risk is everyone’s responsibility
– not simply the job of IT executives. Rather than viewing IT executives as
security guards, technology-savvy executives – from corporate directors to line
managers – should act as consultants to the entire organisation. CIOs with strong
business and technical skills are uniquely qualified to help educate the
organisation and chart a course to bring IT risk into the overall risk management
strategy. Bringing IT into the enterprise risk management strategy will not only
protect against catastrophic operational surprises, but will also empower managers to
seize the opportunities before them.
Computers have been in existence in European and American countries for
a long time. Consequently, frauds associated with the computer environment have
also been in existence for a long time. The American Institute of Certified Public
Accountants (AICPA) was commissioned to conduct a study of EDP-related
frauds in the banking and insurance sectors. The study, Report on the Study of
EDP-Related Fraud in the Banking and Insurance Industries, revealed many
shocking findings, the more significant of which are:
• In some cases, fraud occurred during the normal transaction processing
cycle;
• Many took advantage of weaknesses in the system of internal
controls;
• Most frauds were in the input area;
• Input was either unauthorised, or proper input was manipulated;
• File maintenance was a common method;
• Manipulation involved extending due dates on loans and/or changing
names and addresses;
• Losses from reported cases added up to several million US dollars;
• In all cases, the perpetrators were employees.
[Figure: Sources of Crimes – bar chart of No. of Cases by perpetrator category (Employees (Acc. to Comp.), Ex-employees, Unemployed, Students, Professionals, Law Enforcers, Accomplices, Computer Criminals, Victims, Miscellaneous); bar values as labelled on the chart: 26, 26, 19, 10, 6, 6, 6, 1. Additional chart labels present: Damage of Hardware, Theft of money.]
It was seen that computer crime losses were very high, with theft of
services and money contributing the maximum. Commercial users topped the list
of computer crime victims.
[Figure: losses by type of computer crime – bars labelled Theft of money, Theft of program / data and Damage to system / data, with values $93,600, $55,166 and $10,517 in the order the chart lists them.]
[Figure: Victims of Computer Crimes – % of cases by victim category (Banks, Miscellaneous, Individuals, Commercial users, Universities, Government, Telecommunications); bar values as labelled on the chart: 17, 17, 12, 12, 4, 2.]
[Figure: outcome of prosecuted cases – Pleaded Guilty, 76%.]
• India Today, in an article titled “Hacking New Frontiers”, reported:
“R. Srinivasan’s employers, a stock broking firm in Chennai, were very happy
with him and his proficiency in their new computers. He brought in new
clients and increased the volume of shares traded. But the company was losing
heavily on share transactions. A few months later, the managers found out
why: Srinivasan’s “clients” were no more than electronic entities, existing
only on the pathways of their computers. Losses: Rs. 50 lakh.”
Last June an employee with Hong Kong Bank in Bangalore was arrested
following an investigation into a theft of pound sterling 230,000 from a British
customer’s account. Earlier this month, Channel 4 of London controversially
claimed that “credit card data, along with the passport and driving license
numbers, are being stolen from call centers in India and sold to the highest
bidder”.
The Global State of IS 2006 survey, published by
www.CSOonline.com, says: “Most executives with security responsibilities have
made little or no progress in implementing strategic measures that could have
prevented many of the security mishaps reported this year. Only 37% of
respondents said they have an overall security strategy”. Worse, “a large
proportion of security executives admitted they are not in compliance with
regulations that specifically dictate security measures their organisation must
undertake”, even though the consequences were stiff penalties, including prison
sentences, for the executives. The study by CSO, CIO and PricewaterhouseCoopers
(PwC) covered 7,791 respondents in 50 countries.
While things are pretty bad on the global IT security front, they are
worse in India. The study says: “One of the most unsettling findings in this year’s
study is the sad state of security in India, by a wide margin the world’s primary
locus for IT outsourcing. India lags far behind the rest of the biggest IT
powerhouses in the world; these findings should cause considerable concern.
Many survey respondents in India admitted to not adhering to the most routine
security practices. Extortion, fraud and intellectual property theft occurred last
year at double and even quadruple the rates of the rest of the world. Nearly one in
three Indian organisations suffered some financial loss because of a cyber attack
last year, compared with one in five worldwide and one in eight in the United
States.”
According to CSOonline.com, “The problem is obvious, but right now it’s
apparently easier to ignore than to address. Harder to ignore is the constant news
of large organisations losing laptops packed with unencrypted personal data on
millions of customers. Every report of such incidents should motivate
companies to tighten security, but every year the survey indicates that’s not
happening.”
7: Abstract from the Address by Shri. V. Leeladhar, Deputy Governor, Reserve Bank of India at the IT@BFSI- 200 Conclave,
• IS Policy cannot be the same for all banks despite the similarities
in their business functions, because each bank has its own unique
risks, which may be multidimensional when one considers its locations,
its services, its business goals and its technical infrastructure.
[Figure: values by financial year as labelled on the chart – FY 02: 114, FY 03: 123, FY 04: 129, FY 05: 136, FY 06: 145, FY 07: 154; CAGR 6.3%. Source – Gartner]
Processes
• Upper management buy – in
• Concept of six pillars of safety: governance, structure, risk assessment,
risk management, communication and compliance.
• Policy approval at board level
• Risk mitigation processes
• Documented standards and procedures
• Management overview for controllers
• Service Level Agreement (SLA) monitoring
Technology
• Firewall
• Anti-virus
• IDS (Intrusion Detection Systems)
• Management Tools
The security strategy must be in-line with the business needs and the
complexities, so as to prove holistic in approach and should include all the
components needed for the IS program.
“IS has commitment and support at the highest level in the organisation.
The state of IS is periodically reviewed by the top management.”
All the pillars are equally critical in providing IS assurance, rather than
merely focusing on the security products and penetration tests. IS derives its
strength from the highest authority, the board, which has approved the bank’s IS
policies and provided direction and support mechanisms to evolve the required
standards and procedures.
“Risk mitigation is not a one-size-fits-all process, and takes different
routes depending on the risk and business imperatives. This needs to be devised
after considering business needs vis-à-vis security controls. Being a financial
organisation, the banks are subject to a number of regulations, both internal and
external in nature. These are considered an integral part of the Security
Architecture.”
“It is necessary that all the personnel across the business understand the
underlying philosophy and basis of the security policy. Merely writing a security
policy and sending it to the different departments will never succeed.”
“It is not good enough to have just the performance levels specified in a
Service Level Agreement (SLA). The organisation should also be able to measure
service levels, use appropriate measurement metrics, build adequate deterrents
against under-performance and monitor the performance of all the outsourcing
agreements.”
Business Continuity and Disaster planning bear a lot of importance in the
IS Strategy or Program. On this, Mr. Kumar observes “that a Disaster Recovery
(DR) system has been set up for critical applications in a different city and
periodic mock drills are conducted.”
“An important but often neglected aspect of the DR plan is to shuffle a
core team of operations personnel between production and DR sites periodically.
This ensures the availability of skilled resources at the DR site. They are current
with the latest state of the production application”, says Kumar.
2.8 Summary
The basic IS needs of banks and financial institutions are very similar to
those of most large organisations. The problem in the banks is that they are fairly
high value targets. Gaining unauthorised access to a bank’s customer records can
make identity theft easy on a large scale. Unauthorised access to customer records
creates operational, legal and reputational risks for banks.
Currently banks are spending approximately 5-6% of their total IT budget on
security, and this amount may prove inadequate to ensure effective
ISRM considering the threats existing in the e-world today. Not only should
banks spend more on IS, but they should also ensure that their IS risks are mitigated. A
structured IS Risk Assessment will enable banks to accomplish this objective.
Management should demand a Return on Investment (ROI) on IS, and
banks should approach IS in a structured manner.
CHAPTER 3
METHODOLOGY
3.1 Introduction
This chapter discusses the methodology of this study in detail. The
research questions and assumptions (hypotheses) proposed in Chapter 1 are
restated here. All phases of the research design, data collection, location of the
research performed, method of inquiry and statistical analysis are reviewed.
Finally, the chapter is summarised. The research can be categorised as
a combination of exploratory and descriptive study seeking insights into IS
and Risk Management in banks in India.
Research Questions
• What are the information risks and security threats involved in the
Banks?
• What benefits will be derived by implementing these systems in the
existing scenario?
• What should be the ideal characteristics of the Information Risk and
Security Management Systems?
• What functions in security and risk management must be
accomplished by an IRSMS to support Banks?
• What would be the Total Cost of Ownership (TCO) for the institution?
Hypotheses
• The security policies in the same organization (Bank) may differ based
on the geographic location.
• Many Banks prefer accepting the security risk rather than mitigating,
transferring or avoiding it.
• IRSMS policies show wide variations across all types of financial
institutions (here the type of bank would be considered, i.e. Apex/
Public Sector Commercial/ Private Sector Commercial/ Co-operative/
Foreign bank, etc.).
Observation Survey
• Cross-Sectional Research
the situation and the changes that take place over time. Scholars recognise that
response bias is increased as a result of the fact that panel members more
consciously perform the investigated behaviors and that new panel members
implicitly requires long data collection periods. Based on these arguments and
the objective of this study, a cross-sectional research is considered to be
representative way.
• Non-Experimental Research
“systematic, empirical inquiry in which the scientist does not have direct control
• Survey Research
overshadows the others as perhaps the most powerful and useful tool of social
telephone surveys on nearly all criteria, except for interviewer control and bias,
cost, and social desirability. Several efforts were made in order to overcome
bias. Further, interviewers were not aware of the underlying hypotheses of the
basis.
software or hardware solutions), etc., Apart from this the data is also collected
from the customers regarding their awareness about the IS threats in banks. With a
responsible and critical team of intellectuals forming the basis of this research, the
(common man) of the banks. It was based on the domicile status of the customer,
to his staying in Mumbai or having moved into the city recently. This research
gave further insights regarding the depth of IS awareness in other parts of the
country. The data collected was obtained from a fair mix of gender, age groups,
Feedback regarding the format and structure of the questionnaire was considered
and changes were made to the questionnaire. Suggestions were taken to clarify the
to the topic of research the pilot test was done with people from varied
backgrounds. The respondents gave their valuable suggestions during the personal
developed in a manner, which would help in analysing the various IS threats and
the risks. Based on past researches, the data was gathered from both primary as
well as secondary sources. The questionnaire was a blend of open and closed
questions, which made it easy for the respondent to select from a range of
150 in various banks in India, with varied locations, and to a sample of 100
customers of various banks in India, but limited only to the Mumbai region.
Among the 150 respondents, a few had less than 1 year of experience in the
IS and Risk Management area, and hence those who had not managed these kinds
of responsibilities were removed, for a usable sample size of 133. Among the 133
respondents, 8 did not fill in all the details asked in the questionnaire
and hence were not considered for the study; thus a usable sample of 125 was
used for evaluation. Among the 100 customer respondents, a few did not
have any inclination towards IS, nor were they interested in new things.
They were fully satisfied with all the traditional means of transactions with the
banks.
3.7 Analysis Performed on the Data
Different statistical methods were used for the data analysis using
Microsoft Excel and Statistical Package for the Social Sciences (SPSS). Descriptive
3.8 Summary
methods and procedures applied in this dissertation. The chapter has discussed the
and methods used to collect and analyse the data required by the research
questions.
analyse the data collected, a set of data analysis methods were used. The results
from all of the analysis methods have been discussed in detail in the following
chapter.
CHAPTER 4
ANALYSIS
4.1 Introduction
Some of the key findings from the participants in the survey are summarized below:
• Virus attacks continue to be the source of the greatest financial losses.
Unauthorised access, hacking, etc., are the second greatest threat / source of
financial losses. The third greatest source of financial loss is considered to be
the losses related to laptops (or mobile hardware) and the theft of proprietary
information.
• The fourth source of financial losses these days is social engineering (e.g.
Phishing, Pharming, etc.).
• These four categories amount to more than 50% of financial losses.
• The losses due to the lack of physical security have decreased considerably in
the recent past.
• The use of PKI infrastructure and encryption methodologies is increasing and
being promoted widely, according to most of the respondents.
• The annual investment made by the BFSI segment should be focused and has to
be marginally increased in order to have a much more secure environment for
operations. In other words, if the financial losses are minimised, then
effectively it will account for an increase in the profit of the banks.
• According to respondents, the management in the banks is still not very keen
on outsourcing the IS procedures. They prefer to have an in-house IS Officer for
handling the procedures, or many a time it is preferred to accept the risk. At
the most, an external consultant to advise on the policies is appointed to
assist the in-house IS Officer.
• The number of IS Audits is increasing in the recent past. Co-operative banks
are also trying to get themselves certified by Quality, Audit and Compliance
institutions such as DNV, BVQI, etc.
4.3 Detailed Survey Results
[Figure: respondents by type of organisation - Apex Body, Nationalised, Co-op, Private, Foreign, Third Party (counts, 0 to 30)]
[Figure: respondents by location - Metro Cities, B-class, C-class, Rural Areas, Branches across the country (counts, 0 to 45)]
[Figure: respondents by job description (counts, 0 to 30); category labels were garbled in extraction, the legible ones being Staff, CISA, CISM, Systems Administrators, Network Administrators, Project Managers and Others]
[Figure: share of the IT budget allocated to IS Risk Management - categories Not Aware, 10%, 5-6%, 3-4%, 1-2% (% of respondents, 0 to 50)]
Budgeting and financial issues are the concerns most of the time when it
comes to IS Risk Management, as it is an ongoing process and needs
continuous updating. The respondents very hesitantly provided information on
the IT expenditure on IS Risk Management as a part of the IT budget. As
illustrated in the figure above, 46% of the respondents indicated that their
organisation allocated only 1 - 2% of the total IT budget for IS Risk
Management. Around 10% indicated a figure ranging from 3 - 4% as the amount spent
on IS. A 5 – 6% budget was indicated by 4% of the respondents. A major
portion of the respondent community claimed that their organisation spent a
relatively huge amount on IS Risk Management: this portion amounted to
almost 23%, who claimed to spend around 10% of the IT budget on IS
issues. The remaining group (17%) of respondents was either not aware of the
expenditure on IS or preferred not to answer the question; they amounted to
almost 1/5th of the total respondents.
Among the results, 20% of respondents indicated that the IT and IS
functions are completely (100%) outsourced to third party vendors by
entering into SLAs. Around 26% of the respondents mentioned that a
partial agreement is in place for IT outsourcing and external auditing of
the Information Systems. Information Systems Management and
Security are taken care of internally, and only third party auditors (external
auditors) are appointed to verify genuine operations, claimed 14% of the
respondents. The remaining group (40%) of the respondents mentioned that
no outsourcing is done and that they have a team of internal auditors for verifying
genuine operations.
[Figure: insurance status of the respondents' organisations - Insured 40, Not Insured 60 (%)]
[Figure: security technologies in use - Anti-Virus, Firewall, Anti-Spyware, Encryption, Reusable password, Smart cards, Forensics tools, Biometrics, Other (values not legible in the extraction)]
10: FBI 2006 --- http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf, access date: October 12, 2006.
[Figure: security assessment techniques in use]
Penetration Testing: 45
Security Audits (Internal): 75
Automated tools: 40
Security Audits (External): 55
E-Mail Monitoring Software: 48
Web Activity Monitoring Software: 50
• IS Awareness Training
The participants in the survey were also asked to rate the importance of
the security awareness training to their organisations in each of the several areas.
The percentages of the respondents indicating that security awareness was very
important are shown in the figure below.
[Figure: areas in which security awareness training was rated very important, % of respondents]
Investigation: 38
Cryptography: 34
Information Security softwares & appliances: 55
Information Security related threats: 66
BCP / DRP: 68
Information Security Management Systems: 70
Security Policy: 82
[Figure: respondent ratings by IS topic (values as extracted)]
Identity Theft: 98
Access Control: 75
User Awareness: 85
Wireless Security: 64
Social Engineering: 89
Mobile Devices: 67
Patch Management: 45
Intrusion Detection: 51
Email Attacks: 95
Employee Misuse: 34
Physical Security: 78
DoS: 23
PKI Implementation: 47
Responses were also invited from 100 customers of the various banks
having at least one branch office in the Mumbai region. The 100 customers
were also from the Mumbai region. This was done to enhance the study and
to understand in depth whether the customers are aware of IS or whether they
bear no relation to IS at all.
The study took the responses from the customers into
consideration since IS Risk Management is a new concept as far as Indian
banks are concerned. Moreover, IS Risk Management should be a joint effort.
Not only the banks and their employees are responsible for maintaining the
Information Systems and providing IS; the customers are also an integral
part of the entire process.
e.g.: A bank has taken due care to prevent / protect against social
engineering threats such as Phishing and Pharming, but if the customer is not
aware of these concepts and reveals his passwords / login names to a third party,
whether unintentionally, through unawareness, etc., even then his account can be
hacked.
The responses were as per expectation as far as the Mumbai region
was concerned. Most of the customers are at least aware of the concept
named IS. The responses were a mixed bag on the basis of age group,
income level, education, gender, etc.
Out of the 100 responses invited, only a sample of 50 was usable,
since 40 of the total did not answer all the required questions, and 10 of
the total were completely unaware of IS Risk Management. Out of the remaining
50 responses, 50% fall in the age group of 16 – 35 years. 30% of the 50 fall in the
age group of 35 – 55 years. 20% of the 50 fall in the age group of above 55 years.
The figure below illustrates the above break-up of the responses based
on the age group factor. This trend was observed since the respondents in the
16 – 35 years age group are more inquisitive regarding Information
Technology and use ATM centres, Internet Banking, Phone banking,
Kiosks, Credit cards, debit cards, etc. more frequently than the other age group
respondents do. A part of this age group's respondents are highly educated,
well informed business executives or highly salaried employees, who have
broad exposure to and inclination towards usage of the Internet. Hence, they are
aware of and concerned about IS, at least for their bank or account.
[Figure: break-up of the 50 usable customer responses by age group (total of 50 respondents, all figures in %)]
[Figure: break-up of the 50 usable customer responses by income group (total of 50 respondents, all figures in %)]
Here, the responses are high from the respondents in the income
group of Rs. 2,00,000 p.a. – Rs. 5,00,000 p.a. These respondents are normally
from the working class or salaried employees. Due to the hectic schedule of their
jobs, they prefer using Internet banking, Phone Banking, etc., and hence are
more used to and aware of IS. The second highest group of respondents were
again salaried employees in good positions or owners of small businesses. They
also use Internet banking for their transactions, for credit card bill payment,
EFT, share trading, etc. Hence, they are also quite concerned regarding IS.
The educational factor was also taken into consideration during the
invitation of responses to the questionnaires. It was more than obvious that the higher
the education level, the more the respondent was aware of concepts such as
Information Systems, IS Risk Management, etc., as he had exposure to the new
technologies emerging worldwide.
CHAPTER 5
CONCLUSION AND RECOMMENDATIONS
Taking into consideration all the analysis in the previous chapter, it is
evident that many things have to be taken care of on a continual basis. IS is a
continual process which needs to be specifically monitored and enhanced time
and again. In order to implement IS Risk Management successfully there are
many attributes that need to be considered in terms of IT / IS Governance. These
attributes include implementation of ISO 17799 / BS 7799, CobiT, etc., physical
security, logical security, access controls, Business Continuity and Disaster
Recovery Planning, etc.
Within the scope of the academic research, there has been an attempt to analyse
the varied situations that actually occur in various banks at different security
levels.
While these topics can be related to various facets, on the basis of this
research the following conclusions emerge:
The survey has provided results regarding IS awareness based on
the type of the organisation, location of the organisation and job description. The
responses give us better insights regarding the currently existing IS landscape
prevailing in various banks, in relation to the kind of systems or policies in
place to cater to the ever-increasing demands of the IS sector.
The survey has also tried to get in-depth information regarding the
currently existing threats and the malicious content in the cyber world as on date.
As an academic research, there were some limitations in this study. The study has
revealed that there is an intense need for the banks to keep a close watch on the IS
threats that concern the bank and its reputation, in an attempt to find better ways to
transfer, mitigate, prevent or accept the risk involved in the same.
The exact cost factor could not be calculated for the implementation of
IS Systems. Most of the security software solutions or appliances are implemented
in an assorted manner. There is no standardisation for the IS Systems
implemented to date. The entire implementation depends upon several factors
like the spending pattern or the IT budget for IS, location of the organisation, the
intellectual resources available to those banks, etc. The views of all the banks or
the branches or the customers of the bank are too varied to arrive at a definite
conclusion. In fact, it can be said that all banks do take steps that they feel
appropriate for preventing, mitigating, transferring or accepting risks.
On the basis of this, it is essential that there should be correctly drafted
policies and procedures to face the IS issues. The IS policy must essentially
include factors relating to physical security, logical security, access control, Business
Continuity Planning (BCP) and Disaster Recovery Planning (DRP). All these
factors are very essential as far as the IS threats are concerned. Physical
security, logical security, access control, etc. are the factors generally implemented in order
to prevent the risk, while BCP and DRP are implemented after the risk is
accepted or after the threats have made their impact. The BCP / DRP concept is
used to restart the business' mission critical applications within a very short span
of time, allowing the organisation to bear the minimum losses.
• Personnel Management
• Hiring
• Confidential Agreements
• Staff may not be suitable for the position they are recruited to fill
• Temporary staff and third party contracts may introduce uncontrolled risks
The above mentioned control risks need to be taken care of / mitigated /
accepted / transferred before drafting the hiring policies / procedures for the bank.
• Employee Handbook
• Bank’s expectations
• Employee benefits
• Overtime rules
• Performance Evaluations
• Emergency procedures
• Excessive absence
In general, there should be a published code of conduct for the bank that
specifies all employees’ responsibilities towards the bank.
Cross training should involve more than one individual being properly
trained to perform a specific job or procedure. This practice has the
advantage of decreasing dependence on one employee and can be a part of
succession planning. It also provides a backup for personnel in the event of their
absence for any reason and thereby provides for continuity of operations.
However, in using this approach, it would be prudent to first assess the risks
regarding the employees handling the system.
Sourcing
Sourcing practices relate to the way in which the organisation will obtain
the IS functions required to support the business. Organisations can perform all
the IS functions in-house (in sourcing) in a centralised manner, or outsource all
functions across the globe. The sourcing strategy should consider each IS function
and determine which approach allows the IS function to meet the enterprise’s
goals.
5.8 Fax Machines
Fax machines present a potential IS risk. It is important to ensure that no
confidential information is left unattended on a fax machine. Further, fax
machines generally print the first page of any communication sent as the delivery
confirmation. If a cover page is not used then the confirmation page may include
confidential information that may be forgotten or discarded inappropriately.
Confidential messages sent by FAX must be clearly marked with a confidentiality
disclaimer.
5.9 Internet Security Concerns
Viruses and hackers are active on the Internet and try to create and exploit
security vulnerabilities. Security services ensuring confidentiality, integrity and
authenticity are not automatically provided when using the Internet or Web. In
addition, information from Internet sites cannot be relied upon to be authentic or
accurate. As such, employees must exercise common sense and due care when
using the Internet.
There are several benefits which can be derived from the implementation of
the IS Systems in the existing scenario. They would be as mentioned below:
• The Information Systems would be protected from the malicious
threats existing in the cyber world as on date.
• The setup of the IS Systems would prevent or minimise the losses of
the valuable information assets of the bank.
• Would prevent reputation losses.
• Would provide a secure environment to perform all essential functions,
etc.
There was no indication or hint from the responses invited from the
customers or the employees regarding the difference in the policies, in the same
organisation, at different locations. The respondents mentioned that there were
some differences in the roles / job descriptions of the employees or the procedures
used to implement and follow the policies, but the policies were same throughout
the organisation.
• Many Banks prefer accepting the security risk rather than mitigating,
transferring or avoiding it.
The research survey as well as the observation has shown that the banks
are still ready to accept the risk, instead of transferring, preventing or avoiding it.
The analysis in Chapter 4 also shows that, when it comes to transferring the risk
only 40% of the banks (organisations) are insured and the rest are still not insured.
The IT spending pattern also indicates that when it comes to preventing or
avoiding risk, most of the banks or organisations lack the funds or focus and
hence cannot work on the residual risks. This may also occur because of lack of
expertise and awareness regarding IS and the repercussions due to its breach. This
is normally observed in the rural branches or branches located in small towns.
Then, the banks are left with no option but to accept the risk.
• ISMS policies show wide variations across all types of financial institutions
(here the type of bank is considered, i.e. Apex / Public Sector
Commercial / Private Sector Commercial / Co-operative / Foreign bank, etc.)
The ISMS policies do not change at large, even though the type of the
bank is different. The policies are more or less the same, but the mode of
implementation might be different.
Since the RBI does not have any transactions with the common public,
the policies might differ here. The only difference between all other banks and the
APEX body (Reserve Bank of India) policies would be due to the mode of
operation.
CHAPTER 6
BIBLIOGRAPHY
QUESTIONNAIRE
General Information
The answers to the following questions would help in understanding and evaluating
the threats to the information resources in the organizations.
A. Physical Security
Sr. | Criterion | Risk Value | X | Criterion Weight | Total Risk
1 Are physical access controls (like
identity badges, security cards, etc.)
available? Are they fully adequate and
effective?
(a) Yes, fully adequate and
effective.
(b) Yes, reasonably adequate and
effective.
(c) Totally ineffective.
2 Status of environmental controls (air
conditioners, smoke detectors, etc)
(a) Always up to the standards.
(b) Not always up to the
standards.
(c) Not monitored.
3 Are good house keeping procedures
distributed?
(a) Yes, strictly followed and kept
up-to-date.
(b) Yes, mostly followed and
reasonably up-to-date.
(c) No procedure available.
4 Have physical security aspects been
audited?
(a) Yes, less than a year ago.
(b) Yes, more than a year ago.
(c) Never.
5 Are mission critical systems in a
location to which access is restricted
to authorised personnel only?
(a) Yes, adequately.
(b) Yes, reasonably.
(c) No.
6 Are all desktops and notebooks
equipped with anti-theft devices?
(a) Yes, adequately.
(b) Yes, reasonably
(c) No.
7 Are power protection devices installed
to protect the systems from any
power disruptions?
(a) Yes, adequately.
(b) Yes, reasonably.
(c) No.
8 Are hacker attempts on desktops,
laptops and servers reported to
abuse@bank.com?
(a) Yes, always
(b) Yes, in some cases
(c) Never.
9 Are any devices such as Smoke
Detectors, Water detectors, Fire
Suppression systems, temperature
sensors, etc., installed to safeguard
the systems/ servers from such
unforeseen incidents?
(a) Yes, are checked regularly.
(b) Yes, checked whenever
required.
(c) Not installed.
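As an added illustration of how the Total Risk column of Section A can be filled in (Risk Value × Criterion Weight, as the table header indicates), the following Python is not part of the dissertation. The numeric risk value assigned to each answer option (a)/(b)/(c) and the per-criterion weights are assumptions chosen for the example, and the sample answers are constructed, not survey data.

```python
"""Weighted risk scoring for the Physical Security questionnaire (Section A).

Added example, not part of the dissertation.  The questionnaire header gives
Total Risk = Risk Value x Criterion Weight; the numeric scale for answers
(a)/(b)/(c) and the per-criterion weights below are assumptions made here.
"""
from dataclasses import dataclass

# Assumed mapping of answer option to risk value: the best answer scores lowest.
ANSWER_RISK_VALUE = {"a": 1, "b": 2, "c": 3}


@dataclass(frozen=True)
class Criterion:
    number: int
    text: str
    weight: int  # assumed importance weight, 1 (low) to 5 (critical)


# The nine criteria of Section A; the weights are assumptions for illustration.
SECTION_A = [
    Criterion(1, "Physical access controls (badges, cards)", 5),
    Criterion(2, "Environmental controls (AC, smoke detectors)", 3),
    Criterion(3, "Housekeeping procedures distributed", 2),
    Criterion(4, "Physical security audited", 3),
    Criterion(5, "Mission-critical systems in restricted location", 5),
    Criterion(6, "Desktops/notebooks with anti-theft devices", 2),
    Criterion(7, "Power protection devices installed", 3),
    Criterion(8, "Hacker attempts reported to abuse mailbox", 4),
    Criterion(9, "Smoke/water/fire/temperature sensors installed", 4),
]


def score_criterion(criterion, answer):
    """Return (risk_value, total_risk) for one answered criterion."""
    key = answer.strip().lower()
    if key not in ANSWER_RISK_VALUE:
        raise ValueError(
            f"criterion {criterion.number}: answer must be a/b/c, got {answer!r}"
        )
    risk_value = ANSWER_RISK_VALUE[key]
    return risk_value, risk_value * criterion.weight


def score_section(criteria, answers):
    """Score a whole section.

    answers maps criterion number -> 'a' | 'b' | 'c'.  Returns the per-criterion
    rows, the section total, the worst-case total, the total as a percentage of
    worst case, and the rows ranked by contribution (highest first) so the
    reviewer sees which weak controls to address first.
    """
    missing = [c.number for c in criteria if c.number not in answers]
    if missing:
        raise ValueError(f"unanswered criteria: {missing}")
    rows = []
    for c in criteria:
        risk_value, total = score_criterion(c, answers[c.number])
        rows.append({"number": c.number, "text": c.text, "weight": c.weight,
                     "risk_value": risk_value, "total_risk": total})
    section_total = sum(r["total_risk"] for r in rows)
    worst_case = max(ANSWER_RISK_VALUE.values()) * sum(c.weight for c in criteria)
    ranked = sorted(rows, key=lambda r: (-r["total_risk"], r["number"]))
    return {
        "rows": rows,
        "section_total": section_total,
        "max_total": worst_case,
        "score_pct": round(100 * section_total / worst_case, 1),
        "ranked": ranked,
    }


# Constructed sample answers for one branch (not survey data from the study).
SAMPLE_ANSWERS = {1: "b", 2: "a", 3: "c", 4: "b", 5: "a", 6: "c", 7: "b", 8: "c", 9: "a"}

if __name__ == "__main__":
    result = score_section(SECTION_A, SAMPLE_ANSWERS)
    for r in result["ranked"]:
        print(f"{r['number']:>2}. {r['text']:<48} {r['risk_value']} x {r['weight']} = {r['total_risk']:>2}")
    print(f"Section total: {result['section_total']} / {result['max_total']} "
          f"({result['score_pct']}% of worst case)")
```

Ranking the rows by their weighted total, rather than by the raw answer, is what makes the weight column useful: a "(c)" on a low-weight housekeeping item ranks below a "(b)" on the highly weighted access-control item, so remediation effort follows the weighted risk rather than the worst-looking answer.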
B. Personnel Security
GLOSSARY
Authorized User: A University employee, student or other individual affiliated with the
University who has been granted authorization by the Electronic Information Resource
Proprietor, or his or her designee, to access an Electronic Information Resource and who
invokes or accesses an Electronic Information Resource for the purpose of performing his
or her job duties or other functions directly related to his or her affiliation with the
University. The authorization granted is for a specific level of access to the Electronic
Information Resource as designated by the Electronic Information Resource Proprietor,
unless otherwise defined by University policy. An example of an Authorized User
includes someone who handles business transactions and performs data entry into a
business application, or someone who gathers information from an application or data
source for the purposes of analysis and management reporting.
Business Continuity Plan: A plan for the continued operation of critical business
administration in the case of a disaster affecting normal functioning. A Business
Continuity Plan is more all-inclusive than a Disaster Recovery Plan, which normally
relates to information systems only. Overall business continuity planning is not within the
scope of these Guidelines.
Disaster: Any event or occurrence that prevents the normal operation of Electronic
Information Resource(s) for a period of time, such that the resulting disruption and/or
losses exceed the acceptable limits established consistent with these Guidelines. A
disaster may occur as a result of a natural disaster (such as a flood, fire or earthquake),
employee error or other accidents, long-term system failures, and criminal or malicious
action.
Disaster Recovery Plan: A written plan including provisions for implementing and
running Essential Electronic Information Resources at an alternate site or provisions for
equivalent alternate processing (possibly manual) in the event of a disaster.
Annual Loss Expectancy (ALE): The total amount of money that an organization will
lose in one year if nothing is done to mitigate a risk.
Annual Rate of Occurrence (ARO): The number of times that a risk is expected to
occur during one year.
Cost-benefit analysis: An estimate and comparison of the relative value and cost
associated with each proposed control so that the most effective are implemented.
Decision support: Prioritization of risk based on a cost-benefit analysis. The cost for the
security solution to mitigate a risk is weighed against the business benefit of mitigating
the risk.
Impact: The overall business loss expected when a threat exploits a vulnerability against
an asset.
Integrity: The property that data has not been altered or destroyed in an unauthorized
manner.
Reputation: The opinion that people hold about an organization; most organizations'
reputations have real value even though they are intangible and difficult to calculate.
Risk assessment: The process by which risks are identified and the impact of those risks
determined.
Risk management: The process of determining an acceptable level of risk, assessing the
current level of risk, taking steps to reduce risk to the acceptable level, and maintaining
that level of risk.
Single Loss Expectancy (SLE): The total amount of revenue that is lost from a single
occurrence of a risk.
Threat: A potential cause of an unwanted impact to a system or organization.
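The glossary defines ALE, ARO and SLE, cost-benefit analysis and decision support without showing how they combine, and Chapter 5 concludes that banks mostly accept risk rather than mitigate or transfer it, with only 40% insured. The following Python is an added example, not part of the dissertation, that puts the two together: it applies the standard relation ALE = SLE × ARO and compares the expected annual cost of accepting, mitigating and transferring (insuring) a risk. The risk figures, control costs and insurance terms are constructed assumptions, not survey data.

```python
"""Annualised loss expectancy and comparison of risk-treatment options.

Added example, not from the dissertation.  It applies the standard relation
ALE = SLE x ARO to the glossary's terms; the risk figures, control costs and
insurance terms below are constructed assumptions, not survey data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # Single Loss Expectancy: loss per occurrence, in currency units
    aro: float  # Annual Rate of Occurrence: expected occurrences per year

    @property
    def ale(self):
        """Annual Loss Expectancy if nothing is done: SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A mitigating control: its annual cost and the fraction of ARO / SLE it removes."""
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction of occurrences prevented, 0..1
    sle_reduction: float = 0.0  # fraction of per-incident loss avoided, 0..1

    def __post_init__(self):
        for value in (self.aro_reduction, self.sle_reduction):
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: reductions must lie in [0, 1]")


def residual_ale(risk, control):
    """ALE that remains after the control is in place."""
    return Risk(risk.name,
                risk.sle * (1.0 - control.sle_reduction),
                risk.aro * (1.0 - control.aro_reduction)).ale


def mitigation_benefit(risk, control):
    """Net annual benefit of a control: ALE avoided minus the control's cost.
    A negative value means the control costs more than the loss it prevents."""
    return risk.ale - residual_ale(risk, control) - control.annual_cost


def transfer_cost(risk, premium, deductible):
    """Expected annual cost of insuring: the premium plus the deductible
    retained on each expected occurrence (capped at the loss itself)."""
    return premium + min(deductible, risk.sle) * risk.aro


def recommend(risk, controls, premium, deductible):
    """Expected annual cost of accept / mitigate / transfer; returns the cheapest
    option's name and the full table so the trade-off is visible."""
    options = {"accept": risk.ale}
    for control in controls:
        options[f"mitigate:{control.name}"] = residual_ale(risk, control) + control.annual_cost
    options["transfer"] = transfer_cost(risk, premium, deductible)
    best = min(options, key=options.get)
    return best, options


# Constructed scenario: phishing-driven customer account compromise.
PHISHING = Risk("phishing account compromise", sle=200_000, aro=4)
AWARENESS = Control("customer awareness campaign", annual_cost=120_000, aro_reduction=0.5)
MONITORING = Control("transaction monitoring", annual_cost=250_000, sle_reduction=0.6)
TOKENS = Control("hardware two-factor tokens", annual_cost=900_000, aro_reduction=0.9)
CONTROLS = [AWARENESS, MONITORING, TOKENS]
PREMIUM, DEDUCTIBLE = 350_000, 50_000  # constructed cyber-insurance terms

if __name__ == "__main__":
    print(f"ALE if accepted: {PHISHING.ale:,.0f}")
    for control in CONTROLS:
        print(f"{control.name:<32} net benefit {mitigation_benefit(PHISHING, control):>12,.0f}")
    best, table = recommend(PHISHING, CONTROLS, PREMIUM, DEDUCTIBLE)
    for option, cost in sorted(table.items(), key=lambda kv: kv[1]):
        print(f"{option:<42} {cost:>12,.0f}")
    print("cheapest option:", best)
```

Two points the table makes that the definitions alone do not: a control can have a negative net benefit (the constructed token rollout prevents 90% of occurrences but costs more than the ALE it removes, so "mitigate" is not automatically better than "accept"), and transferring the risk still leaves the deductible times the ARO on the bank's own books, which is why the deductible enters the comparison rather than the premium alone. A risk with an ARO below 1 (a rare, high-impact event) is handled the same way; its ALE is simply SLE scaled down by the fractional rate.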
POCKET MATERIAL
BRANCH: Date:
Section 1
Physical Vulnerability
YES NO N/A
Supporting Documentation:
Section 2
Lighting Systems
YES NO
1. Do all lights illuminate all areas surrounding the building including ATMs,
night depositories, walkways and parking lots?
Supporting Documentation:
Section 3
Vaults
YES NO
1. Is the vault equipped with a ventilator to provide air to an employee in
the event of a lock in?
Supporting Documentation:
Section 4
3. Are the alarm terminals in the telephone junction box unmarked and known
only to selected bank officials?
Supporting Documentation:
Section 5
3. Has a burglar alarm response procedure (including all clear) been developed that
conforms with local police response procedures?
4. Are procedures for operating, testing, and maintaining the burglar system in place
and rigorously followed?
General Comment
Section:
Supporting
Documentation:
Section 6
4. Are alarm actuators located at each teller station, inside the vault, and at
all other workstations where currency is handled or customers are
served?
8. Are silent alarm annunciation lights installed in the employee lounge and
back offices to alert employees when a robbery is in progress?
General Comment
Section:
Supporting
Documentation:
Section 7
6. Are recorded videocassettes properly labeled and retained for at least one month
before being erased and re-recorded?
7. Is test video periodically reviewed by the security officer for coverage and clarity?
10. Are the video tapes changed on a regular schedule, i.e. each day, every Monday …..?
(review tape log and copy current page)
11. Is the camera coverage and VCR recording checked on a daily basis, to ensure quality
pictures and that the system is working correctly?
Supporting Documentation:
Section 8
Night Depository
YES NO
1. Is the area surrounding the night depository properly illuminated?
5. Is the depository located so any activity around the unit is visible from a
public area?
Supporting Documentation:
Section 9
2. Are the cash dispenser and depository chute designed to prevent “fishing” and
“trapping”?
3. Is the surveillance camera positioned to record criminal activity at and around the
ATM?
4. Is the ATM located so any activity around the ATM is visible from a public area?
5. Are architectural and landscaping features around the ATM designed to deprive
would be robbers of concealed positions to await customers making deposits or
withdrawals?
6. If a remote ATM, is the service equipped with a silent robbery alarm, telephone, or
other means of communication with law enforcement officials?
7. If a remote ATM, is the service entrance equipped with a viewing port or closed-
circuit television system that allows personnel inside the service room to view
activity outside?
8. Does the ATM provide customers with adequate privacy to prevent bystanders from
observing details of their transactions (e.g., entry of their pin numbers)?
General Comment
Section:
Supporting
Documentation:
Section 10
Teller Stations
YES NO
1. Are teller counters of sufficient height to discourage a bandit from
vaulting them or are they otherwise protected (e.g., by bullet-resistant
windows)?
3. Are access gates to teller areas kept secured during banking hours?
4. Are all tellers equipped and trained to use bait money, dyepacks or
electronic homing devices in the event of a robbery?
5. If teller nameplates or badges are used, are only first names used?
Supporting Documentation:
Section 11
General Comment
Section:
Supporting
Documentation:
Section 12
Opening Procedures
YES NO
1. Is the all clear signal changed at least once every quarter?
2. Are employees instructed to contact the security officer or the police if the all clear
signal is not displayed within the allotted time?
3. Are the employees instructed not to gather at the bank entrance while awaiting
entry?
4. Are all persons except office employees refused entry to the office before opening?
General Comment
Section:
Supporting
Documentation:
Section 13
Closing Procedures
YES NO
1. Are all employees instructed to look for strangers and suspicious customer behavior
at the end of the business day and to actuate surveillance cameras and notify the
security officer or branch managers if their suspicions are aroused?
2. Is the banking office inspected to ensure all valuables have been secured, all
customers have left, all exterior windows and doors are securely locked, and all
alarms, lighting, and security devices intended for use during nonbusiness hours are
operating?
General Comment
Section:
Supporting
Documentation:
Section 14
2. Is a log maintained listing all employees who have received office keys?
3. If a terminated employee fails to return a key, or is otherwise suspect, are the locks
changed on all exterior doors?
5. Is dual control maintained over vault and safe combinations so that no single employee
is capable of accessing the vault or safe alone?
General Comment
Section:
Supporting
Documentation:
Section 15
2. Is bait money, dyepack or electronic homing device kept in an accessible place in each
teller’s top drawer?
3. Is bait money, dyepack or electronic homing device also kept with cash reserves in
the vault or safe?
5. Are bait money forms initialed, dated and filed with the security officer or his
designee?
General Comment
Section:
Supporting
Documentation:
Section 16
Height Markers
YES NO
1. Are height reference markers or visible strips of tape installed at a six foot height
on the door frames at all entrances to the office?
2. Are height reference markers indicating counter height installed at each teller
station?
3. Are all employees trained to use height reference markers to estimate a suspect’s
height?
General Comment
Section:
Supporting
Documentation:
Section 17
2. Is a log book maintained to document all visitors entering restricted areas of the
banking office?
General Comment
Section:
Supporting
Documentation:
Section 18
Rubbish Retention
YES NO
1. Is rubbish from the lobby, teller areas and other locations where transactions are
conducted, collected on a daily basis?
2. After the retention period has expired are all documents (e.g., deposit or withdrawal
slips, voided checks, application forms, etc.) shredded, incinerated or disposed of by
bonded recycling company which guarantees their destruction?
General Comment
Section:
Supporting
Documentation:
Section 19
Evidence Protection
YES NO
1. Are employees trained to follow established procedures for handling and protecting
evidence?
General Comment
Section:
Supporting
Documentation:
Section 20
Fire Security
YES NO
1. Is the office protected by smoke detectors and fire alarms?
General Comment
Section:
Supporting
Documentation:
Section 21
Training
YES NO
1. Do branch personnel know what to do if they receive a bomb threat or extortion /
kidnap call?
General Comment
Section:
Supporting
Documentation:
Branch Security Review Checklist - http://www.bankersonline.com/tools/branchsecurity2.doc access date: November 04, 2006.