SBI Core Banking: An Overview
Where we were
• Early 1990s – More than 7000 branches based on manual procedures derived from Imperial Bank of India and evolved over decades.
• Mainframes used for MIS, Reconciliation & Fund Settlement processes.

Changes brought in IT
• Late 1990s – More than 8000 branches either on decentralized systems or manually operated; Mainframe / Mini Computers used at CO/LHO/ZO for backend operations.
• Internet Banking facility for individuals.
• All ATMs of State Bank Group networked.
TBA - Distributed System Components
(Diagram: Banking Application; OS, Database; Internet-Banking; ATM; Diskless nodes on branch LANs; Branches; System Administrator; User Control Officer)
Changes brought in IT
• 2001 – KPMG appointed consultant for preparing IT Plan for the Bank. Core Banking proposed; FNS, CS, COMLINK selected.
• 2002 – All branches computerized but on decentralized systems; Core Banking initiative started.
Changes brought in IT
• 2008 – More than 6500 branches (95% of business) on Core Banking Solution (CBS); Internet Banking facility for Corporate customers.
• More interfaces developed with eCommerce & other sites through alternate channels like ATM & Online Banking.
• All Foreign Offices on Centralized Solution.
• BPR initiative to realign business processes with changes due to IT.
Changes brought in IT
• Large Network as backbone for connectivity across the country.
• Multiple Service Providers for providing the links – BSNL, MTNL, Reliance, Tata & Railtel.
• Multiple Technologies to support the networking infrastructure – Leased lines, Dial-up, CDMA & VSATs.
CBS - Core Banking System Components
(Diagram: Datacenter with Core-Banking Application, OS, Database, Internet-Banking and ATM systems, run by Network Administrators, Application Developers and System Administrators; connected over WAN / Internet to Branches with Desktops and Branch Servers, run by Branch Users/Admins; Alternative Channels)
RBI Guidelines
• RBI constituted a “working group on information systems security for banking and financial sector” - 2001.
• Banks were required to put in place effective security policies & controls.
• Information Systems Security Department to be set up to address security issues on an ongoing basis.
IT Governance at SBI
(Diagram: Information Systems Security at the centre, supported by Governance Structure, Risk Assessment, Risk Management, Communication and Compliance)
Organization structure of IT
(Org chart: DMD (IT); GM (IT) & CISO; DMD (I&A); CGM (IT); GM (ITSS); DGM (ITSS); AGM (ITSS); GM (I&A); CIO; CGM (I&A); Application Owners)
Organization structure of IT

Enforcer – Application Owners / Business Owners / System administrators / IT Personnel
• Implement technical and procedural controls
• Manage network, servers & applications securely, adhering to policies, standards & procedures
• Report incidents
• Action security logs

Enabler – Information Security Department
• Assess risks
• Define policies, and develop standards and procedures
• Provide training & awareness
• Deploy & manage security products
• Define security architecture for network, databases & applications: Secure Configuration Docs

Auditor – Inspection & Management Audit Dept.
• Auditing compliance against policies across applications and locations
• Vulnerability testing
• Penetration testing
• Application security testing
• Feedback to ISD on effectiveness of policies
Organizational Structure of IS
(Org chart: DMD (IT); GM (IT) & CISO; AGM (ISD); Information Security Officers)
Functions: Consulting, Monitoring, Compliance
• 2003 - Information Security consultant appointed for Information Security initiation.
• 2004 - Information Security Department set up, headed by GM (IT) & CISO and supported by CISA qualified ISOs; ISSSC set up by the Board.
Objective of IS
To provide the bank’s business processes with reliable information systems by systematically assessing, communicating and mitigating risks, thereby increasing customers’ trust in the bank and achieving world class standards in information security.
How we manage
Develop and enable implementation of strong systems along 6 pillars of security.

Security Governance
• Board / CEO: Set directions; Approve top level policies; Promote security culture; Delegate responsibility; Provide resources; Review security status.
• Integrated Risk Management Committee: Align information security with overall risk management; ISD represented on the Committee.
• ISS Standards Committee: Approve detailed standards & procedures; Annual review of Standards and Procedures – need to address new security threats and mitigation; changes to procedures based on feedback.
Security Governance
• IT Policy and IS Security Policy approved by the Board.
• Standards and Procedures (25 domains) approved by ISSSC.
• Half yearly reviews by ISSSC to update IT Policy and IS Security Policy – Standards and Procedures.
• Security Guidelines for Critical Applications.
• Security Policies for Overseas operations.
• IS Roles and Responsibilities across the Organisation approved by the Board.
• Security Guidelines for Branches and Offices.
Security Governance
• Central Anti-Virus, Firewall/IDS monitoring teams set up.
• Associate Banks supported in ISMS initiatives.
• Policies enforced through periodic security compliance reviews.
• Promoting IS Awareness and Security Culture across the Bank.
Consulting
• Carrying out Risk Analysis.
• Formulation / Modification of IT Policy and IS Security Policy for the Bank.
• Secured Configuration Document for various Operating Systems & Databases.
• Devising effective mitigation measures.
• Reviewing the Bank’s new IT enabled products & services for IS.
Monitoring
• Firewall Rule Base.
• Anti-virus.
• Firewall & IDS Logs.
• Discover gaps in policy, standards & procedures.
• Assess user difficulties.
• Periodic Vulnerability Assessments and Penetration Tests.
• Best Security Practices for Processes.
Compliance
• Compliance review of process followed by different applications; periodicity based on criticality of the application.
• Application Security review of critical applications.
• Review of SDLC followed for applications.
• Security review of selected branches and offices.
• Action Taken Reports from Application Owners.
Incident Response
• RCA for security incidents reported through service desk or email.
• Risk mitigating measures against phishing attacks.
• Security measures against ATM based incidents.
• Anti-virus, Anti-spam initiatives.
Security Awareness
• User awareness through multiple channels like intranet, training etc.
• e-Learning package on information security distributed across the Bank.
• Specialized IS awareness sessions for controllers.
• Dedicated IS Security sessions during training.
• Observing “Computer Security Day” every year across the organization.
• Write-ups on Information Security in the in-house magazines.
• Exchange of information on threats and vulnerabilities at appropriate forums.
Improving our IS Security
• Benchmarking SBI initiatives against International Best Practices.
• E&Y benchmarking initiative in 2006.
• RBI requirement under section 35.
• External audit of IS initiatives.
• BS27001 certification of CDC-DRC, ATM & INB.
Challenges ahead – Retaining Bank's lead position
• Maintaining business edge over competitors in the context of sameness in IT infrastructure.
Assured Availability
• Financially critical systems increasingly depend on IT.
• Delivery channels – no margin for downtime.
Infrastructure derisking
• Tie-up with multiple vendors for spreading risks due to infrastructure failures and obsolescence.
Challenges ahead – Vendor Management
• Multiple vendor support necessary for working of highly complex technology.
• Coordinating various vendors to provide a secure IT infrastructure for business operations.
• Alternatives for failure of a specific vendor's services.
• Extent of replacing vendors with internal staff.
Challenges ahead – Managing IS Security
• Information Security dependency on vendor inputs.
• Complex networked environment leading to lack of “Know Your” – Employee, Systems & Procedures, Vendors.
• Maintaining Confidentiality & Privacy of Data while in storage, transmission & processing.
• Providing DRP & BCP in a complex technology infrastructure supported by multiple vendors.
Questions?