IT Strategy Committee

This committee looks into various technology related aspects. The functions of the Committee are to formulate IT strategy and related policy documents, ensure that IT strategy is aligned with business strategy.

The committee comprises majorly of independent directors and includes an external information technology expert.

Information Security Committee

This Committee is chaired by the CRO (Chief Risk Officer) and is responsible to assess, accept and sponsor company-wide security investments. It provides a forum to discuss information security risks and acts as a custodian for the enterprise security programme. The committee meets on a quarterly basis with participation from IT, Business Operations, Audit, and the Information Security Group.

Information Security Programme

This programme is based on regulatory requirements (RBI Gopalakrishnan committee report) and industry standards (ISO 27001:2013 and NIST 800-53). Our cybersecurity framework consists of components such as Identify, Protect, Detect, Respond, and Recover which remind us of how important it is to balance proactive safeguards while preparing for worstcase scenarios.

Key objectives of the programme include:

• Documenting, disseminating, operating, and reviewing information security policies, and procedures
• Monitoring cyber security threats and reviewing the risk profile across all critical assets, infrastructure components and business units/departments
• Providing transparency into the information security programme and associated controls to senior management including board
• Responding promptly to information security incidents and policy violations/exceptions in accordance with organisational policy
• Determining whether the actions taken to resolve an incident were effective and whether corrective actions are required, and documenting lessons learnt

Antivirus/Malware Programme

We have implemented a programme to prevent, detect and react to the introduction of malicious code through sources such as computer viruses, worms, and Trojans. We use a combination of commercially available and proprietary tools and monitoring systems to mitigate the risks associated with malware. The antivirus signatures are updated more than once per day to stay current and cover workstations, servers, email gateways, web gateways.

Network Security

The Bank uses a combination of firewalls and proxy servers to separate and control traffic between networks with different security requirements and levels of trust. The Bank has intrusion detection/prevention capabilities in place to detect and react to known attacks in real time. IDS/IPS signatures are updated periodically to update detections for specific threats, intruder profiles, and attack patterns. These tools are configured to generate alerts when predefined thresholds are exceeded.

Vulnerability management

The Bank administrates a vulnerability management process that actively scans for security threats. The vulnerability management team is responsible for tracking and following up on vulnerabilities. Once a vulnerability requiring remediation has been identified, it is logged, prioritised according to severity, and assigned an owner. The vulnerability management team tracks such issues and follows up frequently until they can verify that the issues have been remediated.

Patch management

The Bank has patch management processes and tools to assess and deploy operating system and application specific patches and updates. This process includes steps to evaluate vendor supplied patches to determine servers that require patches and updates, to document procedures for patching and updating servers, and to deploy patches and updates in a timely manner to protect the Bank’s infrastructure.

Penetration testing

To test for potential vulnerabilities, penetration tests are conducted for all critical networks and systems within the Bank’s internal environment and for external applications. Penetration tests are triggered based on several events, including new releases, updates, or enhancements. The types of penetration tests that are conducted include Network/Host Penetration Testing and Application Penetration Testing.