Defense-in-Depth’ is key to combat APTs: Vimal Mani, CISO, Bank of Sharjah
“To protect the bank from emerging cyber security threats and APTs (advanced persistent threats), we have established multi-layer security controls in a ‘Defense-in-Depth’ approach which includes people, process and technology elements,” says Vimal Mani, Chief Information Security Officer, Bank of Sharjah. In conversation with Ankush Kumar.
As the Chief Information Security Officer (CISO) of the Bank, Mani is responsible for the end-to-end information security program along with the coordination of information security efforts within the banking operations spread across Middle East region. He is also responsible for coordinating the process to build a bank wide information security strategy, procedures, standards, leading the periodic information security risk assessment efforts, incident investigation and resolution, and the bank’s information security awareness & training programs.
Bank of Sharjah is primarily a corporate bank catering to UAE based businesses, SMEs, the government and government related entities. It has its operations spread across four of the emirates (Abu Dhabi, Al Ain, Dubai, Sharjah) in United Arab Emirates and Lebanon. The Bank offers general banking services, project finance, trade facilities, syndicate loans and short to mid term loans.
How important is the role of Information Security in your organization? How are you ensuring that the critical data of the customers and the bank remains safe?
Banking as a business involves the management of spectrum of information security risks in ongoing basis to avoid any subsequent financial and reputational loss. Security in banks thus assumes significant proportions, comprising physical security in addition to the factors relating to security of information and information systems, all of which have an impact on the operational & reputational risks faced by banks like ours. We have a well defined Information Assurance Program based on robust management and technical controls that helps us in ensuring that the critical data of our customers and the bank owned information systems remain safe. I am proud to share the news that we are one among the 13 banks selected for the first phase of implementation of Federal Information Assurance Guidelines established by NESA (National Electronic Security) for banking sector in United Arab Emirates (UAE).
The adoption of advance technologies have also increased the exposure to various kinds of security risks. What measure are you taking while adopting such technologies in your bank ?
We have well defined IT GRC (Governance, Risk and Compliance) strategy & operational plans in place. These IT GRC strategy & plans are made based on thorough market & technology analysis that helps us in identifying new technology & process innovations from areas such as social networks, cloud, big data analytics and BYOD. The information security & technology risks related to these technology & process innovations are assessed thoroughly in advance through well defined risk assessments. Based on the risks identified, appropriate risk mitigation controls are established in place to support the smooth implementation of these innovations in the bank.
According to you, what are the major issues that are bothering CISO’s in recent times? How are you handling these issues in your organization?
As a CISO there are few major issues that has bothered me in recent times; increasing amount of cyber attacks and Advanced Persistent Threats (APTs), availability of right threat intelligence in right time, data leakage, lack of information security awareness among staffs and management, and management buy in for new security initiatives.
To protect the bank from emerging cyber security threats and APTs, we have established multi-layer security controls in a ‘Defense In Depth’ approach which will include people, process and technology elements. This will include information security policies & procedures, hardening & patch management practice, end point protection suite, IDS/IPS, next generation & web application firewalls, periodic vulnerability analysis & penetration testing, information security risk assessments and ongoing information security training & awareness programs etc. Also, we have established agreements with UAE CERT and global cyber security consulting firms such as Fire Eye, Symantec, Kaspersky, McAfee for availing incident response services from them in an on demand basis. This helps us in addressing those attacks that can escape from the multi-layer security controls that we have established.
We have subscribed for periodic threat advisory with most of our vendors such as Microsoft Corporation, Cisco, Adobe and others. In addition we receive variety of threat intelligence feeds from industry in daily, weekly and monthly basis. Such intelligence feeds help us in planning for protective controls against emerging cyber security threats well in advance. In addition we also get threat alerts from Central Bank of UAE in ongoing basis.
We have a Data Loss Prevention (DLP) module configured as part of the McAfee end point protection suite in place. Also we have disabled all flash and CD drives which helps us in ensuring that critical data from the bank doesn’t get leaked to outside world. Personal laptops and PDAs cannot be connected to the bank’s internal network which is well protected through appropriate segregation of networks. We have Mail Marshal solution which works as an email gateway server that does the appropriate filtering of outgoing and incoming mails. Based on content type and size emails are getting regulated by this Mail Marshal solution which plays vital role in data loss prevention inside the bank.
Do you have any kind of training and awareness programs for the bank’s employees as well as for the customers, so as to regularly update them about the latest security threats?
We have established a well defined Information Security Training & Awareness Program which has identified specific trainings for different targeted audience groups of the bank. Detailed training content for these identified areas got developed which are rolled into our internal online elearning platform. In addition we publish daily information security tips to our staffs using desktop screen savers and in TVs kept in main lobbies across the floors of the bank. We also communicate information security tips to our customers through the monthly account statements sent to them from the bank. Also as and when we receive any threat alert from Central Bank Of UAE and from industry we keep communicating the same to the internal and external stakeholders of the bank in an appropriate manner governed by a communication matrix in place.
We also have an information security committee in place which looks into the strategic projects driven by the information security function of the bank. This committee is occupied by representatives form corporate functions such as internal audit, risk management, compliance and business units of the bank. In periodic basis this committee meets and discusses on the various information security initiatives in progress and identifies the support required. As a CISO of the bank, I am also the secretary for this information security committee. We get the management buy in through this information security committee which works with both management and information security team as an interface.
How are you managing the process of sharing business critical data in your organisation? What kind of incident response capability you have deployed?
We have a well defined data classification scheme in place. Various data elements used in bank are classified using this scheme. Based on the classification and sensitivity level identified, each document will be labeled and provided with appropriate level of protection which enables a safe sharing of these documents with outside world. Also the DLP solution in place ensures that no data element gets leaked from the bank. We have strong IT performance monitoring and incident response capabilities (SIEM & Contextual Secruity Analytics) established in place which are well supported by state of art technology stack. Also we have periodic risk assessments conducted for the various IT systems used in the bank by its staffs and affiliates. These arrangements help us in identifying IT performance issues, risks in a proactive manner and mitigating them in a timely manner.