Managed security service for risk management: The Kotak Mahindra story
By Dhwani Pandya, Principal Correspondent
10 Dec 2009 | SearchSecurity.in
Banks face two problems: constantly evolving security threats, and the fact that information security is not their core expertise. That leaves them with the option of outsourcing their security management functions. Indian banks, however, are very apprehensive about outsourcing security. In this context, Kotak Mahindra Bank has been a forerunner of sorts. One of the leading Indian private sector banks, Kotak Mahindra Bank took a bold step when it decided to completely outsource its information security requirements in 2007.

Before 2007, Kotak Mahindra Bank managed its information security requirements through multiple security service providers and its internal team. This arrangement left it without overall visibility, and as threats grew more complex the bank found it hard to build and retain in-house security expertise.

To prepare for more comprehensive information security management, Kotak Mahindra Bank decided to outsource its security operations to Paladion, a managed security service provider.

"Outsourcing security to the experts made sense from an expertise as well as cost perspective. While this ensures quick turnaround times and faster resolution, ownership and accountability are still with the bank," explains Sanjay Belsare, the vice president of IT for Kotak Mahindra Bank.
Security technologies under the MSS model

1. Multi-layer firewall architecture for the data center.
2. Intrusion detection systems.
3. Gateway-level protection (email and Web) against malicious code using reputation filtering.
4. Email archival and patrolling systems.
5. Desktop management suite for remotely enforcing security compliance on desktops and servers.
6. IP VPN for the bank's wide area network.
7. Secured third-party connectivity.
8. Secured wireless connectivity.
9. Protection of documents published on the intranet.
10. Laptop encryption to protect against data compromise if a laptop is lost or stolen.
According to Belsare, two factors led to the selection of Paladion as the managed security service provider. Paladion already provided certain security management services to Kotak Mahindra Bank, so the bank knew the service provider's capabilities. Paladion's ability to deliver multiple information security services, however, proved decisive.

The managed security service (MSS) model called for enhancements to the bank's information security policy. The bank rolled out an information security management system (ISMS) document based on the ISO 27001 standard and Reserve Bank of India (RBI) guidelines. This document helped Kotak Mahindra Bank adopt a more proactive and structured approach, as opposed to its earlier ad-hoc one.
The managed security service model

Instead of opting for standard offerings, Kotak Mahindra Bank discussed its specific business needs with the service provider. The bank made it clear that security technologies are not sufficient unless they are operation-focused and result-oriented. The bank has focused on quantifying security through a structured service level agreement (SLA) that is visible to top management through dashboards. Belsare says the SLAs are result- or outcome-based, so that they measure direct or indirect business benefits.

Kotak Mahindra Bank's entire managed security service model rests on three principles: holistic, continual and integrated. The bank places special emphasis on security monitoring and compliance. An audit schedule is followed to review existing systems, with daily, weekly and monthly compliance reports. Every new initiative (application, process or third-party outsourcing) goes through a security sign-off process so that risks are mitigated and controlled at the outset.

The bank has a 24x7 security monitoring center that monitors security logs, as well as security devices, network devices, servers and databases.
Some of the MSS' prominent features are:

Risk engine: This is the repository of risks across delivery channels, business applications, the underlying technology infrastructure, and the business processes around IT. Assets, along with their business value, are captured in the risk engine, which quantifies risks and enables prioritization for mitigation. The security intelligence service (part of the MSS) tracks global threats. All of these feed the risk engine for comprehensive risk identification and mitigation.

IS steering committee: Kotak Mahindra Bank's top management is represented in the bank's periodic Information Security Committee (ISC) meetings. They are updated on the status of the MSS through various reports, and their directives on critical information security matters are tracked and implemented.

Management dashboards: These let the bank's management view security status, and give information on covered risks, asset classification, pending vulnerability assessment observations and pending audit observations.
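The risk engine and dashboard described above lend themselves to a small worked example. What follows is an added illustration written for this article, not Paladion's engine or the bank's code: the asset register, the threat feed, the scoring formula (business value x threat likelihood x exposure) and the escalation threshold are all assumptions chosen to show how an asset's business value and the intelligence service's threat ratings combine to rank mitigation work and produce the figures a management dashboard would show.

```python
"""Added example: a small risk engine of the kind the article describes.

Not Paladion's engine or the bank's code. The scoring formula
(business value x threat likelihood x exposure), the asset register and
the threat feed are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    channel: str                 # delivery channel the asset serves
    technology: FrozenSet[str]   # underlying technology tags
    business_value: int          # 1 (low) .. 5 (critical), set by the business owner
    exposure: int                # 1 (internal only) .. 5 (internet-facing)
    open_findings: int           # pending VA / audit observations


@dataclass(frozen=True)
class Threat:
    name: str
    targets: FrozenSet[str]      # technology tags the threat applies to
    likelihood: int              # 1 .. 5, as rated by the intelligence service


# Constructed threat feed standing in for the security intelligence service.
FEED: List[Threat] = [
    Threat("phishing kit targeting Indian banks", frozenset({"internet-banking"}), 5),
    Threat("SQL injection campaign", frozenset({"java-web", "oracle"}), 4),
    Threat("worm spreading over SMB", frozenset({"windows-desktop"}), 3),
]

# Constructed asset register; business values are assigned by asset owners.
ASSETS: List[Asset] = [
    Asset("Internet banking portal", "online",
          frozenset({"java-web", "oracle", "internet-banking"}), 5, 5, 2),
    Asset("Core banking database", "branch", frozenset({"oracle"}), 5, 2, 0),
    Asset("Branch desktops", "branch", frozenset({"windows-desktop"}), 2, 3, 5),
    Asset("Intranet document portal", "internal", frozenset({"java-web"}), 3, 1, 1),
    Asset("ATM switch", "atm", frozenset({"proprietary"}), 5, 2, 0),
]


def applicable_threats(asset: Asset, feed: List[Threat]) -> List[Threat]:
    """Threats from the feed whose target technologies overlap the asset's stack."""
    return [t for t in feed if t.targets & asset.technology]


def likelihood(asset: Asset, feed: List[Threat]) -> int:
    """Worst-case likelihood among applicable threats; baseline 1 if none apply."""
    return max((t.likelihood for t in applicable_threats(asset, feed)), default=1)


def risk_score(asset: Asset, feed: List[Threat]) -> int:
    """Quantified risk: business impact x likelihood x exposure."""
    return asset.business_value * likelihood(asset, feed) * asset.exposure


def prioritise(assets: List[Asset], feed: List[Threat]) -> List[Asset]:
    """Mitigation order: highest risk first; open findings break ties."""
    return sorted(
        assets,
        key=lambda a: (risk_score(a, feed), a.open_findings, a.business_value),
        reverse=True,
    )


def dashboard(assets: List[Asset], feed: List[Threat], threshold: int = 50) -> Dict:
    """Figures a management dashboard would show: total and per-channel risk,
    assets above the escalation threshold, and pending observations."""
    ranked: List[Tuple[Asset, int]] = [(a, risk_score(a, feed)) for a in prioritise(assets, feed)]
    by_channel: Dict[str, int] = {}
    for asset, score in ranked:
        by_channel[asset.channel] = by_channel.get(asset.channel, 0) + score
    return {
        "total_risk": sum(score for _, score in ranked),
        "by_channel": by_channel,
        "above_threshold": [a.name for a, s in ranked if s >= threshold],
        "pending_findings": sum(a.open_findings for a in assets),
        "top": [(a.name, s, [t.name for t in applicable_threats(a, feed)]) for a, s in ranked],
    }


if __name__ == "__main__":
    for name, score, threats in dashboard(ASSETS, FEED)["top"]:
        print(f"{score:4d}  {name:28s}  {', '.join(threats) or '(no active threat)'}")
```

Running the script lists the assets in mitigation order with the threats driving each score. The point of the structure is that a change in the feed (a new phishing kit rated 5 against internet-banking) reprioritises the register automatically, which is what lets an outcome-based SLA be measured against the same numbers management sees on the dashboard.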
Earlier, user awareness and constant monitoring of security threats were major challenges. The MSS model has helped Kotak Mahindra Bank handle these issues more effectively. According to Belsare, the managed security service has significantly transformed the bank's security landscape. "Losses from phishing incidents and breaches of IT systems are almost nil. Phishing sites are brought down in less than four hours, while response times for security infrastructure attacks are less than 30 minutes on an average," says Belsare. Because laptops are encrypted, data is not compromised if one is lost or stolen.

Kotak Mahindra Bank has seen a significant increase in the number of online transactions across all channels, and a 100% surge in payment gateway transactions in 2008. The bank has also succeeded in creating better security awareness among customers and employees. "We have experienced significant cost benefits, as we invest only in the services and not in resources or tools," says Belsare.