- Owner of Bank of India’s comprehensive, organization-wide information security awareness program
- Implementation of Bank of India’s 2-factor authentication system based on mutual authentication leading to zero incidences of identity theft
- Achieved PCI DSS certification, making Bank of India the first South Asian Bank to do so
- Spearheading the bank’s BCP and its bid for BS 25999
Sameer Ratolikar, CISO, Bank of India, is a firm proponent of the idea that information security will always hinge more on people than technology. A former scientist, Ratolikar believes that there can be no substitute to organic intelligence when it comes to successfully leveraging technology beyond the drawing board.
When Ratolikar joined Bank of India, the organization already had an information security policy in place. However, it overlooked key elements and granular controls such as segregation of duties, network layer security, third-party vendor access management and several attack vectors. Ratolikar and his core team of eight took it upon themselves to ensure that the security policies were up-to-date and benchmarked against recommendations by SANS, NIST, and similar standards. After several months, a new security policy was developed, combining internal best practices for security with best practices from the monetary authority of Singapore, RBI and ISF, among others.
Ratolikar’s core focus was on rolling out a culture of information security at the bank, rather than merely securing the infrastructure. Further reinforcing the bank’s focus on information security from a business risk perspective, Ratolikar reports to the chief risk officer (CRO) at the bank, whose mandate is independent of IT. Ratolikar also interacts closely with the CIO.
Bank of India’s security strategy revolves around people, processes and technology, with an objective to align information security with the business. Ratolikar’s team envisaged a campaign to sensitize the bank’s 40,000 employees through multi-pronged channels, promoting infosec best practices and assurance. Imparting training comes naturally to Ratolikar, who taught engineering at Pune University before joining the NIC in 1995 as a scientist.
Ratolikar’s team operates a security portal with regular updates and opinion polls, phishing quizzes, virus alerts, and so on, to keep employees clued in on security. This portal is pushed onto desktops via the bank’s active directory setup, ensuring that all users are aware of information security.
Under Ratolikar’s leadership, Bank of India became the first bank in south Asia to achieve PCI DSS compliance for its card products. Bank of India expects to be certified under BS25999 by Jan 2012 for all its 30 critical applications, a project being spearheaded by Ratolikar. Bank of India is also the first bank in the country to have certified its treasury operations for business continuity. Ratolikar’s team also manages a 24x7 SOC with an SIEM to provide real-time incident management.
Ratolikar’s third contribution to Bank of India’s security posture is the implementation of a two-factor authentication system for Internet banking clientele. What sets this solution apart is that it works on mutual authentication and end-to-end encryption, wherein both the client and the bank mutually authenticate each other prior to exchanging sensitive information. Developed by Uniken, this was the first large-scale deployment of this solution. With this system in place, Ratolikar proudly proclaims that there have been zero incidences of phishing, pharming or any kind of Web 2.0 attack in the last 18 months.
Ratolikar is looking to roll out a DLP solution in the next few months. He also expects Bank of India’s IT GRC project to take off soon.
This was first published in February 2012