
Growing Risks in Computer Systems and Policy on the Use of Modern Technology

Consultant and Computer Expert

18/09/2010 YASHADA 1
Agenda
• Information Technology in Banks
• Risk Areas
• Information Life Cycle
• Information Technology vs Information Systems
• Approach to Control Risks
• Strategy for Adopting New Technology

Need of IT in Banks
• Enabling better customer service
• Facilitating Customer Relationship Management (CRM)
• Improving asset-liability management for banks
• Enhancing compliance with various regulations (like AML, Basel II)
• Improving operational efficiency
• Effective data management
• … and so on

IT Enabled Channels
• Total Branch Banking
• Core Banking Solutions
• ATM
• Internet Banking
• Mobile Banking
• Tele Banking
• Other Services (like Demat, Bill Payments etc.)

Sample Risks / Concerns / Threats
• Computerised Branch Banking
  ◦ Data manipulation, theft, corruption
  ◦ Component failures
• Core Banking Solutions
  ◦ Data corruption, theft
  ◦ Service failures
  ◦ Man-in-the-middle

Sample Risks / Concerns / Threats
• ATM
  ◦ Cash management
  ◦ Card frauds
• Internet Banking
  ◦ Hacking, Phishing
  ◦ Identity theft
  ◦ Data theft

Sample Risks / Concerns / Threats
• Mobile / Tele Banking
  ◦ Vishing
  ◦ Identity Manipulation
  ◦ Weak application
  ◦ Clear text data transfer

Information Life Cycle
• What is Information?
• “Information” is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.

  (as per ISO 17799)

Information Life Cycle
Stages in the information life cycle (figure): Creation, Storage, Access, Modification, Processing, Transmission, Printing, Destruction

Information Life Cycle
• Information Locations
  ◦ Servers, Desktops, Laptops etc.
  ◦ CDs, Tapes, DVDs, Floppies etc.
  ◦ Paper (Reports, Documents etc.)
  ◦ Trash Cans (Physical, Logical)
  ◦ Internet (Web, E-mail etc.)
  ◦ People (Employees, Contractors etc.)
  ◦ …

Information Technology (IT) vs Information System (IS)
• “IT” is hardware, software, networking and communication

• “IS” is all the components and resources necessary to deliver information and functions to the organization

What is a system?
• A system
  ◦ Is a set of interrelated components
  ◦ With a clearly defined boundary
  ◦ Working together to achieve a common set of objectives
  ◦ By accepting inputs and producing outputs in an organized transformation process

Systems have three basic functions:
• Input involves capturing and assembling elements that enter the system to be processed
• Processing involves transformation processes that convert input into output
• Output involves transferring elements that have been produced by the transformation process to their ultimate destination
What is an Information System?
• An organized combination of
  – Hardware
  – Software
  – Networking and Communication
  – Data resources
  – Policies and procedures
  – People
• That generates, stores, retrieves, transforms and disseminates information
Information systems model

Areas of Concerns
• Risks present in all these areas
  ◦ Input → Process → Output

• Risk pillars
  ◦ People
  ◦ Process
  ◦ Technology

Approach to Control Risks
• A systematic approach is required
• Consistent and reproducible method
• Should be based on industry best practices
• Should be based on globally accepted methods
• Should consider statutory, contractual, legal obligations

Parameters to consider
Information Security Components
• Confidentiality: Ensuring that information is accessible only to those authorised to have access
• Integrity: Safeguarding the accuracy and completeness of information and processing methods
• Availability: Ensuring that authorised users have access to information and associated assets when required
Definition – Information Security
• Information Security:
  ◦ Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved

  (ISO 27001)

What is ISMS?
Information Security Management System (ISMS)
– That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
• NOTE: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

  (ISO 27001)

Implementation Approach

PDCA cycle (figure), with Continual Improvement at the centre:
• Plan: Establish ISMS
• Do: Implement and Operate ISMS
• Check: Monitor and Review ISMS
• Act: Maintain and Improve ISMS

Strategy for adopting new
technology
• As-Is analysis and To-Be definition
• Ensuring concrete ground work
• Uniformity of processes
• Capability assessment
  ◦ People
  ◦ Process
  ◦ Technology
• Risk Analysis and Management

Strategy for adopting new
technology

Source: Forrester Research

Discussion
