SBI Core Banking

An Overview
Where we were
• Early 1990s – More than 7000 branches based on manual procedures derived from Imperial Bank of India and evolved over decades.
• Mainframes used for MIS, Reconciliation & Fund Settlement processes.

Changes brought in IT
• Late 1990s – More than 8000 branches, either on decentralized systems or manually operated.
• Mainframe / mini computers used at CO/LHO/ZO for backend operations.
• Internet Banking facility for individuals.
• All ATMs of State Bank Group networked.
TBA - Distributed System: Components
[Diagram: branch-level components of the TBA distributed system: Banking Application; OS and Database; LAN with diskless nodes; Internet-Banking and ATM channels; roles: User Control Officer and System Administrator.]
Changes brought in IT
• 2001 - KPMG appointed consultant for preparing IT Plan for the Bank. Core Banking proposed; FNS, CS, COMLINK selected.
• 2002 – All branches computerized, but on decentralized systems. Core Banking initiative started.

Changes brought in IT
• 2008 - More than 6500 branches (95% of business) on Core Banking Solution (CBS).
• Internet Banking facility for Corporate customers.
• More interfaces developed with eCommerce & other sites through alternate channels like ATM & Online Banking.
• All Foreign Offices on Centralized Solution.
• BPR initiative to realign business processes with changes due to IT.

Changes brought in IT
• Large network as backbone for connectivity across the country.
• Multiple service providers for providing the links – BSNL, MTNL, Reliance, Tata & Railtel.
• Multiple technologies to support the networking infrastructure – leased lines, dial-up, CDMA & VSATs.
CBS - Core Banking System: Components
[Diagram: Branches: desktops, branch servers, branch users/admins. Datacenter: Core-Banking Application, application developers, OS, database, system administrators. Connectivity: WAN and Internet, managed by network administrators. Alternative channels: Internet-Banking, ATM.]
RBI Guidelines
• RBI constituted a “working group on information systems security for banking and financial sector” - 2001.
• Banks were required to put in place effective security policies & controls.
• Information Systems Security Department to be set up to address security issues on an ongoing basis.
IT Governance at SBI
[Diagram: governance domains: Governance Structure, Risk Assessment, Risk Management, Information Systems Security, Communication, Compliance.]
Organization structure of IT
[Org chart: DMD (IT) and DMD (I&A); under them CGM (IT) / CIO and CGM (I&A); GM (ITSS), GM (IT) & CISO, GM (I&A); DGM (ITSS) and Application Owners; AGM (ITSS).]
Organization structure of IT

Enabler: Information Security Department
• Assess risks
• Define policies, and develop standards and procedures
• Provide training & awareness
• Deploy & manage security products
• Define security architecture for network, databases & applications: Secure Configuration

Enforcer: Application Owners / Business Owners / System administrators / IT Personnel
• Implement technical and procedural controls
• Manage network, servers & applications securely, adhering to policies, standards & procedures
• Report incidents
• Action Security

Auditor: Inspection & Management Audit Dept.
• Auditing compliance against policies across applications and locations
• Vulnerability testing
• Penetration testing
• Application security testing
• Feedback to ISD on effectiveness of policies
Organizational Structure of IS
[Org chart: DMD (IT); GM (IT) & CISO; AGM (ISD); Information Security Officers.]
FUNCTIONS: Consulting, Monitoring, Compliance

• 2003 - Information Security consultant appointed for Information Security Initiation.
• 2004 - Information Security Department set up, headed by GM (IT) & CISO and supported by CISA qualified ISOs. ISSSC set up by the Board.
Objective of IS
To provide the bank’s business processes with reliable information systems by systematically assessing, communicating and mitigating risks, thereby increasing customers’ trust in the bank and achieving world class standards in information security.
How we manage
Develop and enable implementation of strong systems along 6 pillars of security.

Security Governance
Board / CEO
• Set directions
• Approve top level policies
• Promote security culture
• Delegate responsibility
• Provide resources
• Review security status

Integrated Risk Management Committee
• Align information security with overall risk management
• ISD represented on the Committee

ISS Standards Committee
• Approve detailed standards & procedures
• Annual review of standards and procedures – need to address new security threats, and mitigation; changes to procedures based on feedback
Security Governance
• IT Policy and IS Security Policy approved by the Board
• Standards and Procedures (25 domains) approved by ISSSC
• Half yearly reviews by ISSSC to update IT Policy and IS Security Policy - Standards and Procedures
• Security Guidelines for Critical Applications
• Security Policies for Overseas operations
• IS Roles and Responsibilities across Organisation approved by the Board
• Security Guidelines for Branches and Offices

Security Governance
• Central Anti-Virus, Firewall/IDS monitoring teams set up
• Associate Banks supported in ISMS initiatives
• Policies enforced through periodic security compliance reviews
• Promoting IS Awareness and Security Culture across the Bank
Consulting
• Carrying out Risk Analysis
• Formulation / Modification of IT Policy and IS Security Policy for the Bank
• Secured Configuration Document for various Operating Systems & Databases
• Devising effective mitigation measures
• Reviewing the Bank’s new IT enabled products & services for IS

Monitoring
• Firewall Rule Base
• Anti-virus
• Firewall & IDS Logs
• Discover gaps in policy, standards & procedures
• Assess user difficulties
• Periodic Vulnerability Assessments and Penetration Tests
• Best Security Practices for Processes
Compliance
• Compliance review of process followed by different applications, periodicity based on criticality of the application
• Application Security review of critical applications
• Review of SDLC followed for applications
• Security review of selected branches and offices
• Action Taken Reports from Application Owners

Incident Response
• RCA for security incidents reported through service desk or email
• Risk mitigating measures against phishing attacks
• Security measures against ATM based incidents
• Anti-virus, Anti-spam initiatives

Security Awareness
• User awareness through multiple channels like intranet, training etc.
• e-Learning package on information security distributed across the Bank
• Specialized IS awareness sessions for controllers
• Dedicated IS Security sessions during training
• Observing “Computer Security Day” every year across the organization
• Write-ups on Information Security in the in-house magazines
• Exchange of information on threats and vulnerabilities at appropriate forums
Improving our IS Security
• Benchmarking SBI initiatives against International Best Practices
• E&Y benchmarking initiative in 2006
• RBI requirement under section 35
• External audit of IS initiatives
• BS27001 certification of CDC-DRC, ATM & INB
Challenges ahead
• Retaining Bank's lead position
  - Maintaining business edge over competitors in the context of sameness in IT infrastructure
• Assured availability
  - Financially critical systems increasingly depend on IT delivery channels - no margin for downtime
• Infrastructure derisking
  - Tie-up with multiple vendors for spreading risks due to infrastructure failures and obsolescence

Challenges ahead
• Vendor Management
  - Multiple vendor support necessary for working of highly complex technology
  - Coordinating various vendors to provide a secure IT infrastructure for business operations
  - Alternatives for failure of a specific vendor's services
  - Extent of replacing vendors with internal staff

Challenges ahead
• Managing IS Security
  - Information Security dependency on vendor inputs
  - Complex networked environment leading to lack of “Know Your” Employee, Systems & Procedures, Vendors
  - Maintaining Confidentiality & Privacy of data while in storage, transmission & processing
  - Providing DRP & BCP in a complex technology infrastructure supported by multiple vendors
Questions?