"Hand-Held Devices Pose Largest Emerging Security Risk"
By: Sahil Mane  |  Aug 29,2007

Vishal Salvi, Chief Information Security Officer, HDFC Bank, speaks to Biztech2.0 about his role in driving security policy at the bank and the emerging trends in data security for financial institutions.

What is your role in the overall security strategy at HDFC?

At HDFC Bank, the CISO is empowered and accountable to build, lead and deliver the information security program for the bank. I also have a significant role to play in shaping the information security strategy and am backed by the bank’s information security committee and higher management.

As a CISO what are your priorities at HDFC Bank? Can you outline your road-map for the next few years?

My first priority at the bank is to review and refine the information security governance framework and information security policy and ensure that both receive senior management contribution and support. The aim is to have a robust foundation to support the future information security road map.

To align information security requirements with regulations, particularly from an RBI guidelines and Sarbanes-Oxley (SOX) Act perspective, is my next priority. While we have successfully completed the first year of SOX compliance, we need to leverage the knowledge gained from that experience and apply it this year.

The other main concern is to embed a risk management framework into the business processes and identify information security requirements and their applicability at an early stage of system acquisition and development.

HDFC is the first Indian financial company to have become a member of the Information Security Forum, a globally reputed security forum. This is in order to get access to mature information security best practices and tools to support HDFC’s information security agenda.

The bank also has a special focus on Information Security Awareness and has plans to develop a user-friendly mandatory training programme for all our staff.

Once we have made progress in risk and awareness areas, we intend to define and implement our next phase of identity management and enhanced monitoring.

Could you tell us about some of the security measures you have implemented to combat electronic fraud?

The ISMS road map has been designed based on nine components, which comprise governance, policy, standards & procedures, risk management, awareness, architecture, access control, monitoring and testing.

To give you some examples, we are partnering with a global security vendor who provides anti-phishing and anti-pharming services. We have also completed a review of the Bank’s existing Information Security policy based on ISO 27001 and ISF 2007 standards and will be launching the next version in September this year.

There are several other initiatives to implement controls using automation, which are either being implemented or are in the pipeline.

What percentage of your overall IT budget is allocated for security related expenditure?

We do not allocate the information security budget as a percentage of the IT budget. The sponsorship is provided based on the risk that we want to mitigate and the investments may vary from year to year based on the new identified risks or compliance requirements.

As a security specialist, what are the emerging trends you see in this space, as far as security threats are concerned?


According to me, hand-held devices and portable computers are getting increasingly vulnerable to malware attacks and physical theft and thus pose the largest emerging security risk. Proliferation of these devices and ungoverned use in a corporate setup will expose users to new risks of significant proportions, which will require new techniques and processes to counter.

I personally feel that government agencies would be more prone to such attacks. Spam, spyware and phishing will continue their virulent growth and penetration.

Usage of Network Access Control will become widespread and this technology will iteratively get more sophisticated. From an Indian context, I think there will be more focus on data privacy in the next few years, where organisations would be required to look at an information security strategy and implementation with far greater detail than they have so far.

nice article
Vijayakrishna @ Sep 12,2007
Glad to see HDFC taking the lead in Information Security in the Indian Banking Arena. Agree completely on the Challenges and emerging trends highlighted in this article by Vishal. It is important that more and more organisations are investing in the CISO role and ensuring that they are adequately mitigating their risk in this space. Want Biztech to bring more such articles.
Dennis @ Aug 31,2007
Well thought and Comprehensive Security governance and plan
Janag @ Aug 31,2007
Very informative article.
NATHAN @ Aug 31,2007
Good to see vision and direction in India Banking arena. I am sure will have lots coming up in near future.
Sameer @ Aug 29,2007
Copyright © 2006, Biztech2.com India - A Network18 Venture