SbiCoreBanking

SBI Core Banking An Overview

Description: Presentation on SBI Core Banking

Transcript of SbiCoreBanking

Page 1: SbiCoreBanking

SBI Core Banking: An Overview

Page 2: SbiCoreBanking

Where we were

Early 1990s – More than 7000 branches based on manual procedures derived from Imperial Bank of India and evolved over decades.

Mainframes used for MIS, Reconciliation & Fund Settlement processes

Page 3: SbiCoreBanking

Changes brought in IT

Late 1990s – More than 8000 branches either on decentralized systems or manually operated, Main Frame / Mini Computers used at CO/LHO/ZO for backend operations. Internet Banking Facility for individuals. All ATMs of State Bank Group networked.

Page 4: SbiCoreBanking

TBA - Distributed System Components

Banking Application

OS, Database

Internet-Banking

ATM

Diskless nodes

LAN

Branches

System Administrator

User Control Officer

Page 5: SbiCoreBanking

Changes brought in IT

2001 - KPMG appointed consultant for preparing IT Plan for the Bank. Core Banking proposed, FNS, CS, COMLINK selected

2002 – All branches computerized but on decentralized systems, Core Banking initiative started

Page 6: SbiCoreBanking

Changes brought in IT

• 2008 - more than 6500 branches (95% of business) on Core Banking Solution (CBS), Internet Banking facility for Corporate customers
• More Interfaces developed with eCommerce & other sites through alternate channels like ATM & Online Banking
• All Foreign Offices on Centralized Solution
• BPR initiative to realign business process with changes due to IT

Page 7: SbiCoreBanking

Changes brought in IT

• Large Network as backbone for connectivity across the country
• Multiple Service Providers for providing the links – BSNL, MTNL, Reliance, Tata & Railtel
• Multiple Technologies to support the networking infrastructure – Leased lines, Dial-up, CDMA & VSATs

Page 8: SbiCoreBanking

CBS - Core Banking System Components

Datacenter

Network Administrators

Core-Banking Application

OS, Database

Internet-Banking

ATM

Desktops, Branch Servers

WAN, Internet

Branches

Application Developers

System Administrators

Branch User/Admins

Alternative Channels

Page 9: SbiCoreBanking

RBI Guidelines

• RBI constituted a “working group on information systems security for banking and financial sector” - 2001
• Banks were required to put in place effective security policies & controls.
• Information Systems Security Department to be set up to address security issues on an ongoing basis.

Page 10: SbiCoreBanking

IT Governance at SBI

INFORMATION SYSTEMS SECURITY

GOVERNANCE STRUCTURE

RISK ASSESSMENT

RISK MANAGEMENT

COMMUNICATION

COMPLIANCE

Page 11: SbiCoreBanking

Organization structure of IT

DMD(IT)

GM (IT) & CISO

DMD (I&A)

CGM (IT)

GM (ITSS)

DGM (ITSS)

AGM (ITSS)

GM (I&A)

CIO CGM (I&A)

Application Owners

Page 12: SbiCoreBanking

Organization structure of IT

Application Owners / Business Owners / System administrators / IT Personnel

• Implement technical and procedural controls
• Manage Network, servers & applications securely adhering to policies, standards & procedures
• Report Incidents
• Action Security Logs

Enforcer

Information Security Department

• Assess risks
• Define Policies, and develop Standards and Procedures
• Provide training & awareness
• Deploy & manage security products
• Define security architecture for network, databases & applications: Secure Configuration Docs

Enabler

Inspection & Management Audit Dept.

• Auditing compliance against policies across applications and locations
• Vulnerability testing
• Penetration testing
• Application security testing
• Feedback to ISD on effectiveness of policies

Auditor

Page 13: SbiCoreBanking

Organizational Structure of IS

AGM (ISD)

Information Security Officers

DMD(IT)

GM (IT) & CISO

FUNCTIONS

Consulting Monitoring Compliance

2003 - Information Security consultant appointed for Information Security Initiation

2004 - Information Security Department set up, headed by GM (IT) & CISO and supported by CISA qualified ISOs

ISSSC set up by the Board

Page 14: SbiCoreBanking

Objective of IS

To provide the bank’s business processes with reliable information systems by systematically assessing, communicating and mitigating risks, thereby increasing customers’ trust in the bank and achieving world class standards in information security.

Page 15: SbiCoreBanking

How we manage

Develop and enable implementation of strong systems along 6 pillars of security.

Page 16: SbiCoreBanking

Security Governance

Board / CEO

• Set directions
• Approve top level policies
• Promote security culture
• Delegate responsibility
• Provide resources
• Review security status

Integrated Risk Management Committee

• Align information security with overall risk management
• ISD represented on the Committee

ISS Standards Committee

• Approve detailed standards & procedures
• Annual Review of Standards and Procedures – need to address new security threats, and mitigation; changes to procedures based on feedback

Page 17: SbiCoreBanking

Security Governance

• IT Policy and IS Security Policy approved by the Board
• Standard and Procedures (25 domains) approved by ISSSC
• Half yearly reviews by ISSSC to update IT Policy and IS Security Policy - Standard and Procedures
• Security Guidelines for Critical Applications
• Security Policies for Overseas operations
• IS Roles and Responsibilities across Organisation approved by the Board
• Security Guidelines for Branches and Offices

Page 18: SbiCoreBanking

Security Governance

• Central Anti-Virus, Firewall/IDS monitoring teams set up
• Associate Banks supported in ISMS initiatives
• Policies enforced through periodic security compliance reviews
• Promoting IS Awareness and Security Culture across the Bank

Page 19: SbiCoreBanking

Consulting

• Carrying out Risk Analysis
• Formulation / Modification of IT Policy and IS Security Policy for the Bank.
• Secured Configuration Document for various Operating Systems & Databases.
• Devising effective Mitigation measures.
• Reviewing the Bank’s new IT enabled products & services for IS

Page 20: SbiCoreBanking

Monitoring

• Firewall Rule Base
• Anti-virus
• Firewall & IDS Logs
• Discover gaps in policy, standards & procedures
• Assess User difficulties
• Periodic Vulnerability Assessments and Penetration Tests
• Best Security Practices for Processes

Page 21: SbiCoreBanking

Compliance

• Compliance Review of process followed by different applications, periodicity based on criticality of the application.
• Application Security review of critical applications.
• Review of SDLC followed for Applications.
• Security review of selected branches and offices
• Action Taken Reports from Application Owners

Page 22: SbiCoreBanking

Incident Response

• RCA for security incident reported through service desk or email
• Risk mitigating measures against phishing attacks
• Security measures against ATM based incidents
• Anti-virus, Anti-spam initiatives

Page 23: SbiCoreBanking

Security Awareness

• User awareness through multiple channels like intranet, training etc.
• e-Learning package on information security distributed across Bank
• Specialized IS awareness sessions for controllers
• Dedicated IS Security sessions during training.
• Observing “Computer Security Day” every year across the organization.
• Write ups on Information Security in the in-house magazines
• Exchange of information on threats and vulnerabilities at appropriate forums.

Page 24: SbiCoreBanking

Improving our IS Security

• Benchmarking SBI initiatives against International Best Practices
• E&Y benchmarking initiative in 2006
• RBI requirement under section 35
• External audit of IS initiatives
• BS27001 certification of CDC-DRC, ATM & INB


Page 25: SbiCoreBanking

Challenges ahead

Retaining Bank's lead Position

• Maintaining Business Edge over competitors in the context of sameness in IT infrastructure

Assured Availability

• Financially critical systems increasingly depend on IT
• Delivery channels - no margin for downtime

Infrastructure derisking

• Tie-up with multiple vendors for spreading risks due to infrastructure failures and obsolescence

Page 26: SbiCoreBanking

Challenges ahead

Vendor Management

• Multiple vendor support necessary for working of highly complex technology
• Coordinating various vendors to provide a secure IT infrastructure for business operations
• Alternatives for failure of a specific vendor's services
• Extent of replacing vendors with internal staff

Page 27: SbiCoreBanking

Challenges ahead

Managing IS Security

• Information Security dependency on vendor inputs
• Complex networked environment leading to lack of Know Your - Employee, Systems & Procedures, Vendors
• Maintaining Confidentiality & Privacy of Data while in storage, transmission & processing.
• Providing DRP & BCP in a complex technology infrastructure supported by multiple vendors

Page 28: SbiCoreBanking

Questions?