Crafting the security roadmap for Indiabulls Group
Businesses today are in the firing line as they face cyber security, their biggest challenge. Rohit Kachroo, CISO, Indiabulls Group, speaks about how he is gearing up to meet the security needs of Indiabulls and is putting in place information management solutions for data protection and regulatory compliance.
Recent headlines about security breaches around the world have underlined the importance of cyber controls. Cyber attacks are a silent threat to organisations, causing heavy financial damage besides killing investor confidence and denting brand image. Rohit Kachroo, CISO, Indiabulls Group, highlights the focused efforts to meet the security needs of the company.
As it is said, “Data is the new Oil”; how is Indiabulls matching up to the needs of data protection?
Today organisations are backboned by data irrespective of their business domain; hence, it is critical for enterprises to make the utmost effort to safeguard their sensitive business and customer information, not only for sustaining their business, but also for predicting future growth while considering changing customer behaviour.
Data protection has now become a mandatory element within the information security fabric for the financial sector. The obligation of data protection increases manyfold for us, as we process various kinds of sensitive business and personally identifiable information. Aiming to achieve a secure business environment and fulfil the statutory and regulatory information security requirements, we have implemented a Security Operations Center and are running a vulnerability management program. We have also implemented the ISO 27001:2013 controls along with ITGC controls to comply with the regulatory requirements.
What is your security strategy overview?
Various global information security surveys have found that the biggest threat comes from employees, whether through malicious intent, a casual approach or a lack of awareness. Although we have implemented the best available security solutions, we are still focusing on educating users to lessen the chances of their becoming the victim of an intrusion attempt that targets one of the weakest links in the security chain.
- Awareness: In this endeavour, the InfoSec team has already started an initiative named “SANKALP”, which means commitment. Under the umbrella of SANKALP, a dedicated team is functioning with the responsibility to increase security awareness across all business locations in various ways. The team has launched a cyber security awareness campaign by the name of “e-Surksha”, aiming to create awareness around cyber hygiene across the organisation. Moreover, every employee has to undergo the mandatory InfoSec training through the online TMS module.
Additionally, as part of this initiative, we publish regular newsletters and mailers on important topics. Users are encouraged to report security incidents through various channels and are rewarded accordingly.
- Privacy: The cyber security threats are more potent than ever before, with employees cited as the primary risk. This trend, coupled with the expansion of data privacy laws around the world, has led to the growing realisation that robust information management solutions are must-have tools for data protection and regulatory compliance.
Only a robust Enterprise Information Management strategy and layered, thoughtful security practices can protect our organisation and its data. Data privacy has become an important element within the information security fabric when it comes to fulfilling the need to comply with various regulatory and compliance requirements.
Being in the financial sector, we are fulfilling all the regulatory and compliance norms of data protection and aiming to embed it at the grassroots level, meeting regulatory and compliance goals as the core element of our data protection strategy.
- Compliance fulfilment: To strengthen the security control measures that support our business objectives, we have implemented a rights management system to gain more control over access to our organisational information.
What kind of bulletproof approach are you adopting to ensure data protection across the organisation and drive the digital strategies?
No single security solution is robust enough to rely upon fully. To cope with increasingly sophisticated security threats, solutions must also mature enough to counter upcoming security challenges. Comparing the scenario before and after implementing these solutions, we have observed a remarkable improvement in lowering security incidents as well as in preventing potential cyber attacks.
How do you identify and classify the relevant data and churn it out securely?
In order to execute an effective information security strategy, data classification is an essential consideration. It allows organisations to identify the business value of unstructured data at the time of creation, separate valuable information that may be targeted from less valuable information, and make informed decisions about resource allocation to secure data from unauthorised access.
Successful data classification determines the security measures applied to a specific set of data, and has helped us meet the regulatory requirements for retrieving specific information within a defined timeframe.
Ideally, in order to identify and classify relevant data, we take a risk-based approach, followed by data classification and data categorisation. The risk-based approach refers to identifying and understanding the organisation's regulatory and contractual privacy and confidentiality requirements, and then defining data classification objectives by involving key stakeholders, including compliance, legal and business leaders.
Under data classification we have classified our information into four categories, which are categorically defined within the policy document; this is formalised and communicated to each stakeholder at a relevant periodicity.
Data categorisation depends on the sensitivity of the business: the data is organised around business processes and driven by process owners. The nature of the customer or vendor data being collected, processed and transacted is the determining factor for data categorisation.
Data location and the flow of data in and out of our organisation are key considerations. For example, whether data is stored internally or externally, the cloud-based services and the devices being used are the determining factors.
The protection strategy is planned considering the location of data storage, the movement of data and its classification. The most important aspect is understanding the potential monetary loss associated with the compromise of datasets, the expectations for safeguarding it and the classification level the business is willing to set. For secure churning of data, we have adopted various security mechanisms, both physical controls and logical controls.
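As an added illustration (not Indiabulls' policy or code), the helper below turns the factors named above, regulatory or contractual requirement, business-process ownership, storage location and potential monetary loss, into a classification level with matching physical and logical controls and a retrieval timeframe. The four level names, the thresholds and the sample datasets are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed level names: the interview says four categories but does not name them.
LEVELS = ("Public", "Internal", "Confidential", "Restricted")

@dataclass
class DataSet:
    name: str
    process_owner: str        # business process that owns the data
    contains_pii: bool        # personally identifiable information present?
    regulated: bool           # covered by a statutory, regulatory or contractual rule?
    storage: str              # "internal", "external", "cloud" or "device"
    loss_if_compromised: int  # estimated monetary loss in INR (constructed figure)

def classify(ds: DataSet) -> str:
    """Risk-based classification: the strongest trigger wins (thresholds assumed)."""
    rank = 0
    if ds.loss_if_compromised >= 100_000:
        rank = 1
    if ds.contains_pii or ds.regulated:
        rank = max(rank, 2)
    if ds.loss_if_compromised >= 10_000_000:  # one crore INR
        rank = 3
    # Sensitive data held outside the organisation's own premises is escalated.
    if rank >= 2 and ds.storage != "internal":
        rank = 3
    return LEVELS[rank]

def required_controls(ds: DataSet) -> dict:
    """Map the level to physical and logical controls plus a retrieval timeframe."""
    level = classify(ds)
    rank = LEVELS.index(level)
    controls = {
        "level": level,
        "physical": ["restricted area, locked media"] if rank >= 2 else [],
        "logical": [],
        "retrieval_sla_hours": {0: None, 1: 72, 2: 24, 3: 4}[rank],  # assumed SLAs
    }
    if rank >= 1:
        controls["logical"].append("access limited to the process owner's team via rights management")
    if rank >= 2:
        controls["logical"] += ["encryption at rest", "access logging forwarded to the SOC"]
    if rank == 3:
        controls["logical"].append("encryption in transit and DLP on egress")
    return controls

if __name__ == "__main__":
    # Constructed sample datasets
    loan_book = DataSet("loan applications", "retail lending", True, True, "internal", 50_000_000)
    marketing = DataSet("campaign brochures", "marketing", False, False, "cloud", 10_000)
    for ds in (loan_book, marketing):
        print(ds.name, "->", required_controls(ds))
```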
(The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of his organisation.)