Project - Holistic & Continual Security Management
The client is a fast-growing private sector retail bank. Ensuring the security of banking transactions and customer privacy has been the norm for the bank since its inception. The bank's top management is committed to inculcating security in all its forms into the DNA of the organization. While many projects had been implemented in the past to raise the level of information security, the bank felt the need to look ahead and prepare itself to manage information security in a comprehensive manner. A new security project was therefore undertaken in February 2007.
The Business Need
Over the last few years, the threat landscape has changed. There have been a number of high-profile attacks on financial organizations, new kinds of threats have emerged, and the number of attacks has increased. A recent study by Gartner shows that 40% of attacks by 2008 will be financially motivated. The future will thus be more challenging for banks. The current model of information security, as practiced by most financial institutions today, is often inadequate for meeting future challenges. Most banks have the required security technologies. What is missing, however, is the ‘control and management layer’ for operational excellence and a result-driven approach.

The bank therefore decided to adopt a new model for information security that can provide higher value to its business.

The New Model
To meet the challenges of the future, the bank, in association with Paladion, worked towards making security a more operations-focused and result-oriented function, so that security activities run daily alongside business processes. The new model is based on three key criteria: holistic, continual and integrated. It is a system that can make security a part of every business activity, align with business goals and provide a high level of assurance to stakeholders. This assurance should be in quantified terms, measured through the protection provided to the business. Part of the concept is to quantify security to the extent that it can be measured through structured SLAs (service level agreements) that are visible through a management dashboard. Among the numerous features of this model are:
  • An Information Security Governance program that starts at the very top, with the bank's Board of Directors. The Managing Director of the bank is a member of the Information Security Steering Committee and is a regular participant in the quarterly security review meetings

  • Risk engine to manage risks across IT infrastructure, Applications, IT processes, banking channels & business processes and regulations

  • 24X7 Security Operations Center (SOC) to monitor and manage intrusion attempts

  • Quantified security metrics that are driven by business requirements

  • An information security dashboard for management reporting of security status across the bank, including all business units and banking channels
Business Benefits
Based on the implementation of this model, the bank has accrued the following key benefits:
  • There is defined ownership and accountability to drive security activities within the bank. The accountability can be measured in quantified terms

  • It enables faster rollout of new business initiatives and technologies, as security issues are mitigated early and in time

  • The bank is able to demonstrate full compliance to customers, auditors, regulators and stakeholders. This is backed with a security dashboard for online reporting

  • Better acceptability of online banking channels. Net-based and payment gateway transactions have surged by over 350% and 100% respectively in the last year

  • Better prepared to meet the challenges of information security today and for evolving future threats

  • The thrust on security is a great comfort for customers, leading to higher customer trust and increased usage of the existing innovative products the bank has launched.
Awards for our security project
  • Asian Banker - Best Banking Securities Systems Project Award 2007

  • Microsoft Security Strategist Award 2007

  • Best IT Implementation Award, PC Quest 2007, for Managed Security Services Program across all Industries/Sectors/NGOs in India

  • IBA Best Security policy & procedure award 2007 within the entire Indian Banking Industry
   
 
“Our security testing engagement (with Plynt) was excellent, the deliverables were on time, on budget and outstanding technically.”

- BCSSI
© 2008 Paladion. All rights reserved.