Ensuring information security in an organization with over 40,000 individuals can be a formidable challenge for any infosec team. Leading financial institution HDFC Bank overcomes this challenge using a structured enterprise security framework for information security, formulated by the security team under Vishal Salvi (CISO).
Salvi’s team tackles problems head-on with a systematic approach to planning infosec delivery. According to Salvi, the aim was to build a structured enterprise security framework and adhere to it, rather than put in place ad-hoc security measures. The team has gained a high degree of granular insight into the bank’s processes and has instituted a proactive enterprise security framework that constantly improves hygiene at HDFC Bank, irrespective of the threat landscape. The focus is on proactive rather than reactive security: the team constantly probes the framework to weed out vulnerabilities and potential security hazards rather than waiting for incidents.
HDFC Bank’s infosec strategy is based on an enterprise security framework split into four components (dubbed the ‘four pillars’): design, awareness, control implementation and governance.
The first component of HDFC Bank’s enterprise security framework involves creating clarity around policy, standards and operating procedures. This operating design is aligned with industry standards (such as ITIL, COBIT and PCI DSS) and compliant with regulations (such as RBI guidelines and Sarbanes-Oxley). It also draws on global best-of-breed practices (the ISF Standard of Good Practice) and embeds them into the enterprise security framework, says Salvi.
Salvi explains that creating a design is one thing; ensuring that stakeholders understand and accept it is a different ball game. Many a sound enterprise security framework design suffers during execution because of this shortcoming, inevitably leading to non-compliance by primary stakeholders.
A copy-paste exercise will not work, as security design needs to be embedded into the organization’s cultural fabric, he says. Stakeholders need to buy in and acknowledge that they are ready and capable of implementing the enterprise security framework, and that they have adequate resources. Engaging with all stakeholders expected to operate the design is essential to the success of an infosec strategy.
HDFC Bank’s enterprise security framework aims to change user behavior through awareness. A two-fold process starts with educating people on processes and expectations, which ensures that, at the very least, employees cannot claim ignorance, says Salvi. The second aspect deals with motivation: citing examples, building relevance and setting context.
Awareness is imparted via a variety of channels: posters, quizzes, contests, movies, animations, giveaways and classroom training. The ongoing awareness programs run at different periodicities (monthly, quarterly and annual), with frequency and location decided by the target audience. HDFC Bank also has a mandatory online infosec certification course, for which the bank has recorded 100% compliance, with every employee completing the prescribed courses.
At HDFC Bank, a full-time awareness manager keeps the program current with organizational changes such as employee churn, as well as with the regulatory and threat landscapes. Over 30 HR trainers deliver organization-wide awareness training under a train-the-trainer model.
The third pillar of HDFC Bank’s enterprise security framework deals with design enforcement through both technical and procedural controls. Periodic audits play an important role in holding people and processes accountable.
HDFC Bank’s technology stance is defined here. It starts with firewalls, DLP solutions, DRM, IAM and application security, and extends to functions such as the security operations center, e-commerce, online banking, cryptography and business continuity management. It is the information security team’s responsibility to ensure that the technology stack operates smoothly, delivering preventive and detective functions as well as enforcing the design. All modifications are incorporated back into the design.
The fourth and most important pillar of HDFC’s enterprise security framework is the overarching governance mechanism, which governs the other three areas. It is managed by five committees: the first four are responsible for risk management, security governance, business continuity management and customer communication processes, and the fifth interfaces with management, the audit committee and the bank’s board, acting as the overarching component. This ensures that the other layers function in tandem. The five committees work together to resolve implementation challenges and chart security strategy.
Using this enterprise security framework, HDFC Bank has succeeded in enforcing and refining its infosec strategy. This is demonstrable through ISF benchmarking results and through monthly metrics presented in ISO 27004-based dashboards. The strategy is structured to ensure that security is proactive and improvement is constant. For example, the team records the number of security incidents over time and tracks it for a downward trend. Metrics help the team see where they are versus where they want to be, says Salvi. He expects the enterprise security framework, based on a strategic ‘four pillar’ approach to infosec, to bring rich dividends to HDFC Bank in times to come.