RBI Guidelines: Tips for Compliance
New Security Standards Represent 'Important and Significant Change'
"It's not just focusing on information security, but also the other elements which are requirements for information security to be implemented," says Salvi, CISO of HDFC Bank. Those elements include IT governance, infosec audits, customer communication, fraud management and legal aspects.
These new guidelines are going to help underline the CISO's role across the entire ecosystem of the banking industry, Salvi says. "Large banks have already been seeing the CISO role playing a leadership role in the organization, to broaden the spectrum, looking at it from an enterprise point-of-view," he says in an interview with BankInfoSecurity.com's Tom Field [transcript below].
And there is no better time than now for these guidelines and the benefits they provide. Phishing attacks, Trojans and website defacement are some of the challenges infosec professionals are currently facing in the banking sector. Data leakage, malware and application attacks are also cause for concern. In mitigating these risks and complying with the new guidelines, banks should perform a gap analysis, identifying areas they need to focus on and developing a roadmap for how they'll remediate the issues.
In an exclusive interview about the new RBI guidelines, Salvi discusses:
- The RBI's key focus areas and compliance deadline for implementing these guidelines;
- How the RBI rules will change the way banks handle information security;
- Advice to CISOs on implementing these guidelines effectively.
Salvi is the Chief Information Security Officer & Senior Vice President at HDFC Bank, a $52 billion private banking institution. Prior to joining HDFC Bank, he worked at Standard Chartered Bank for 11 years and held a variety of roles in IT service delivery, governance and risk management, and information security. He has 19 years of industry experience and previously worked at companies including Crompton Greaves, Development Credit Bank and Global Trust Bank. He holds a Bachelor of Engineering in Computers, a Master of Business Administration in Finance from NMIMS, and the Certified Information Security Manager (CISM) credential.
TOM FIELD: To start with, would you tell us a little bit about yourself, your institution and your experience please?
VISHAL SALVI: I'm the chief information security officer for HDFC Bank for the last five years and I've been working in information security and IT service delivery for the last 20 years in the Indian industry. HDFC Bank is the second largest private-sector bank in India. We have around 2100-plus branches and over 6,000 ATMs. We operate out of 1,100 cities in the country. In terms of balance sheets, the overall balance sheet of HDFC Bank is $62 billion U.S. dollars.
India's Biggest Infosec Risks
FIELD: Very good, well you have good experience in banking and in information security as well. You've good perspective to be able to answer this. What do you find to be the biggest information security threats to Indian banking institutions today?
SALVI: In terms of the threats, they are no different from what we're facing globally. But I would say that the rate and the intensity of these attacks are far lower in the Indian context as compared to what we are seeing in the west. Having said that, we have seen threats such as phishing, Trojan attacks, some of the websites had site defacement and other things. These have been around for some time. Apart from those, we also have threats because of data leakage, threats because of malware, application attacks and third-party risks. I would say that we're no different from what we're facing as opposed to threats globally. We haven't seen specific trends from the banking industry per se, but I would say that online banking and data leakage are the ones which I would probably highlight.
RBI's New Guidelines
FIELD: Now as you know the RBI recently released some detailed guidelines in information security for the banking industry. What do you see as the significance of these guidelines for your sector?
SALVI: I think there are a lot of breaking changes that have been brought about by these guidelines which were issued in April 2011, and some of those issues which I would like to highlight here, specifically focusing on these guidelines, are covering all requirements of information security, and what I mean by that is it's actually not just focusing on information security but also the other elements which are requirements for information security to be implemented within organizations such as IT governance, information security audits, customer communication, fraud management and also touching up on the legal aspects. A lot of emphasis has also been provided on process and on governance, apart from covering the technical controls.
As a result, it's actually expected to improve the overall maturity of how information security is practiced and understood within the banking industry. I would say that it's a very important and significant change that has been introduced by the regulators for the banking industry.
FIELD: You touched on this to some extent, but what would you say are the key focus areas of the guidance and what is the compliance deadline for implementing these guidelines?
SALVI: As I mentioned, the key focus areas are on chapters six, seven and nine that you are talking about, ranging from IT governance to legal aspects. There are obviously expectations in terms of getting the organization changes and the process changes completed in a shorter time. And the timeline for those are the end of October 2011. As far as the expectation for implementation of all the requirements of the guidelines are concerned, the expectation is to have it completed by the end of February 2012.
Challenges in Meeting Deadlines
FIELD: Well in a lot of ways that is a very tight deadline. What do you see as being the biggest challenges in meeting these standards for your institution and for others as well?
SALVI: All the banks are looking at and performing their own gap analysis, and my guess is that most or all the banks will actually have variation in terms of the level of compliance. The larger banks will actually find themselves more compliant as compared to the smaller ones. There are specific expectations, higher expectations such as building up enterprise-level data storage or the implementation of digital rights management or creating a much more robust end-to-end identity and access management solution, so on and so forth. There are such changes which require a longer time than the one you are provided for implementation. My sense is that organizations would need larger timeframes than those. For some of these controls to be implemented, depending on their level of compliance to them as we stand, the challenges will range from organizations and there are these few points where it would be challenging for them to actually get them implemented within one year.
FIELD: Now how do you see these guidelines impacting the role of yourself, a CISO at a bank?
SALVI: Large banks have already been seeing the CISO role playing a leadership role in the organization, to broaden the spectrum, looking at it from an enterprise point-of-view trying to change the bank, and engaging business support functions and various other groups. What these guidelines are going to do is actually underline that control across the whole ecosystem of the banking industry. And my sense is that it will actually give more clarity to all the banks in terms of what the CISO's role is all about, why it needs to be placed at a leadership level and why it needs to have the focus and integrated approach towards driving the information security strategy into the organization. That's the change I guess will be brought about by the implementation of these guidelines.
FIELD: At the very beginning of this conversation, you spoke about the threat landscape for Indian institutions. How ultimately do you see these guidelines impacting that threat landscape?
SALVI: If you look at the normal work of an information security team, you will find that most of the time we are working towards improving the hygiene, the infrastructure and the maturity of the organization because you will not always be under attack and you are not always doing the reactive stuff in terms of managing and mitigating incidents. In the ballpark, 90 percent of your time is to do that proactive stuff and ten percent of the time you're dealing with the actual incidents. Given that, these guidelines are obviously going to be focusing on helping us to improve the proactive bit and have more focus on the proactive bit to improve the hygiene of the banking infrastructure, looking at and improving at many folds to ensure that we are able to be with the current, as well as the future, tech landscape. I think it's just preparing ourselves to deal with it better and improving the hygiene by giving a very consistent approach towards the whole banking industry, other than trying to allow only a few banks to actually improve based on those threats.
Advice to CISOs
FIELD: Final question for you. If you could boil it down, what advice would you offer to other CISOs in your industry in implementing these guidelines and meeting the tight deadlines you face?
SALVI: I think the first step towards that is to perform a very granular gap analysis. Once you've identified the gaps, you start identifying the areas that you need to focus on and make a roadmap in terms of how you want to remediate. It's a great opportunity provided by the regulator to improve the security of the banking ecosystem, and the threats are real as we know. So this will help us to actually plug those gaps. But having said that, one size doesn't fit all. You need to apply a risk assessment approach, looking at which risks are more applicable for your environment and your infrastructure, and close the circle of risk management from the identification assessment to acceptance and implementation. As long as you've done that and as long as you have allowed the focus to be there on the identified gaps, it will be helpful for all of the organizations to actually adopt the approach. My sense is that from now through most of this financial year for the Indian banking industry, the only focus they have for information security leaders will be to actually ensure that you comply with these guidelines.