Information Security Committee
The role of the Information Security Committee is to devise strategies and policies for the protection of all assets of the bank (including information, applications, infrastructure and people). The committee will also provide guidance and direction on the security implications of the business continuity and disaster recovery plans.
- Develop and facilitate implementation of information security policies, standards and procedures to ensure that all identified risks are managed within the bank's risk appetite.
- Create an information security and risk management structure covering the entire bank, with clearly defined roles and responsibilities.
- Create and follow a risk assessment process that is consistent across the bank to identify and evaluate key risks and approve control measures and mitigation strategies.
- Regularly monitor the information security and risk management processes and corrective actions to ensure compliance with regulatory requirements.
- Ensure that the Information Security Team is appropriately skilled and adequately staffed.
- Regularly present reports to the Board and invite feedback on the information security management processes.
Head – Integrated Risk Management (HIRM)
The Head of Integrated Risk Management will be a senior level official of the rank of CGM/GM/DGM. The HIRM is responsible for all Risk Management functions in the Bank, such as Credit Risk, Market Risk and Operational Risk. Information Security will be one of the most critical components of Operational Risk that has to be looked after by the HIRM. He is the senior-most executive in the Information Security function in the bank and provides the required leadership and support for this across the bank, with the full backing and commitment of the Board.
Responsibilities (in the Information Security Governance domain):
- Information Security Governance
- Information Security Policy and Strategy
- Information Security Risk Assessment, Management and Monitoring
- Security Aspects and Implications of Business Continuity Planning in the Bank
- Allocation of adequate resources for Information Security Management
The Chief Information Security Officer (CISO)*
Depending upon the size of the bank and its scale of operations, a sufficiently senior level official of the rank of GM/DGM/AGM needs to be designated as the Chief Information Security Officer (CISO), responsible for articulating and enforcing the policies that a bank uses to protect its information assets, apart from coordinating information security related issues and implementation within the organization as well as with relevant external agencies.
The CISO needs to report directly to the Head of Integrated Risk Management (HIRM) function and should not have a direct reporting relationship with the CIO. The CISO's role spans both strategic and operational dimensions; the CISO is responsible for all the administrative tasks and controls related to Information Security and reports to the owner of this function, the HIRM.
Responsibilities:
- Information Security Policy and Strategy – Inputs and Enhancements
- Establish security guidelines and measures to protect data and systems.
- Information Security Risk, Threat, Vulnerability Assessment, Review, Management, Monitoring and Reporting – on a continuous basis
- Monitoring Key Goal Indicators and Key Performance Indicators of the Information Security Programme
- Establish and disseminate enforceable rules
- Business Continuity and Disaster Recovery Planning – Security Inputs and Enhancements
- Oversee Information Security Awareness training
- Security Operations Centre and Incident Management
- Business Case for Information Security Investments and Expenditure
- Maintaining the Security Posture and Profile of the Bank at expected levels
- Active collaboration and communication with business and operating units.
- Gathering internal and external security intelligence
- Set up a Security organisation structure with well designed roles and responsibilities
- Compliance with regulatory requirements on Information Security.
- Facilitating investigations into IT frauds and mitigation measures
Information Security Risk Manager (ISRM)
The ISRM owns the Risk Management Life Cycle as far as Information Security is concerned. He assists the CISO by discharging the following.
- Information Security Risk Assessment
- Information Security Risk Analysis and Evaluation
- Information Security Risk Mitigation
- Identification and assignment of controls.
- Information Security Risk Management
- Compliance with Information Security Risk Management Guidelines – External and Internal
- Monitoring Information Security Policy Implementation
Information Security Awareness Manager (ISAM)
The ISAM is responsible for enhancing the Information Security Awareness levels and for striving to create a conducive environment and compliance culture across the bank. He is expected to keep himself abreast of the latest developments in the field of Information Security Standards and Best Practices so that proactive steps can be taken for adopting them, wherever possible and applicable in the bank, at the earliest. He is a friend, philosopher and guide to the entire bank, as far as education and awareness-building in Information Security is concerned.
- Information Security Policy – Inputs and Enhancements
- Measurement and Monitoring of Effectiveness of Information Security Policy implementation.
- Education, Awareness and Promotion of Information Security initiatives across the bank.
- Intensive Training of various types and for different levels on Information Security
- Promoting customer education and awareness on Information Security through appropriate channels, tools and interventions.
- Proactive dissemination of Information Security Policy initiatives, mechanisms and best practices – a Resource Base of online tutorials, demos, quizzes and FAQs on the Intranet for easy access within the bank.
Security Operations Centre and Incident Management (SOCIM)
The SOCIM executive is responsible for effective oversight of the Security Operations Centre and Incident Management capabilities for the bank as a whole. The Security Posture and Status of the bank is demonstrated by this functionary.
Responsibilities:
- Owner of the Bank-wide Security Operations Centre (SOC)
- Owner of Incident Management at the bank level.
- Responsible for creating, training and upgrading Incident Response Teams across the bank at various levels.
- Continuous surveillance of the IT Infrastructure of the bank to guard against Information Security breaches and incidents: IT and non-IT.
- Responsible for monitoring and reviewing security logs of applications, operating systems, databases, networks, etc.
- Demonstrating the much-needed robustness and improvement in the information security compliance environment and preparedness to meet eventualities.
- Keeping abreast of the fast-paced changes in technology and business processes to make the SOC live up to the growing demands from within and outside the bank.
- Regular Penetration Testing, Vulnerability Assessment and liaison with the local CERT.
- Responsible for collection, aggregation, correlation, analysis and synthesis of information related to security incidents to learn effective lessons and to incorporate changes in policies and procedures accordingly on a continuous basis.