www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
18 January 2010  

Case Study

The holy grail of audit

Emphasis on audits and regular checks helped tighten infosec at Yes Bank

By Aditya Kelekar

"There is an organization-wide information security council comprising the management team of Yes Bank, which reviews the infosec direction and strategy and guides the IS team"

- Umesh Jain,
CIO, Yes Bank

In the five years since its inception, Yes Bank has grown steadily in both turnover and customer numbers. In a recent statement, Yes Bank’s CEO Rana Kapoor claimed that the bank would have no trouble maintaining 35% growth, at a time when most other players in the financial sector have had to make do with much more modest growth. Additionally, while many of the larger private sector banks have had to deal with infosec breaches that threatened to erode their brands’ reputations, Yes Bank’s infosec record has largely been commendable, if disclosure of breaches is anything to go by.

The bank’s CIO, Umesh Jain, said that there is an organization-wide information security council, comprising the management team of Yes Bank, which reviews the infosec direction and strategy and guides the IS team. “At the quarterly meeting of this council all strategic and high importance issues are highlighted,” he said. At the same meeting, risk acceptances (deviations from policy in specific cases) are reviewed.

At Yes Bank, company documents are classified as belonging to one of the four types—restricted, confidential, public and internal. The system also tracks the status of the document’s classification for its appropriateness over time. “Classification is automatically revisited annually as part of the standard process,” Jain said.

A formal information security audit is carried out by an independent auditor and the report is submitted to the CEO. “CIO’s job is on the line if audit points out any serious lapses,” added Jain, as an indicator of how seriously the report is taken. The report is also shared with the RBI audit. Moreover, corrective mechanisms kick in as soon as an anomaly is reported: a monthly monitoring mechanism addresses all issues that are pointed out. “The monthly monitoring report is also sent to the CEO who personally monitors the progress of these items,” Jain said.

A clean desk policy is enforced to ensure that no confidential or restricted information is left lying around unprotected. Periodic audits are conducted, and defaulters are warned and penalized if necessary. A weekly mailer on information security is sent out to all employees. These are primarily small doses on infosec given intermittently so that the infosec thought remains in their subconscious, said Jain.

An automated ID deletion system ensures that the IDs of exiting employees are terminated as soon as they leave the office on their last day. This software takes its feed from the HR system.

A quarterly entitlement review is undertaken to ensure that no user has rights over and above what is required for his role. “The entitlement reviews are done by the respective owners of the division who are authorized to take such calls on the type of rights to be provided to different users,” explained Jain.

Yes Bank also uses Proventia Web Filter as its content filtering solution.

Jain feels that the new IT Act amendment would be quite beneficial, as it would make possible quite a few ‘automations’ outside the organization, such as those related to integrating with customers and governmental agencies.

aditya.kelekar@expressindia.com


© Copyright 2001: The Indian Express Limited. All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of The Indian Express Limited. Site managed by BPD.