Data is the New Electricity, because nowadays data is always active and is THE Energy for whatever you are building. Yes, you heard me right, data has graduated from being called the Oil, which is a form of stored Energy. Organizations must design systems and security for this active data and cannot assume a passive state of data waiting to be discovered. With me?
Because data is the New Electricity, data security also needs a rethink. FinTechs like banks and NBFCs are adopting newer technologies and digital channels, which in turn give them reach and efficiency. We have also seen a step change in customers demanding advanced capabilities to see financial information and the ability to complete transactions from wherever they are. This requires adoption of new security measures by FinTechs.
As per the Reserve Bank of India’s (RBI) Cyber Security Framework, banks must proactively create or modify their policies, procedures and technologies based on new security developments and concerns. As per RBI, the use of information technology by banks and their constituents has grown rapidly and should now be an integral part of banks’ operational strategies; hence the need for a board-approved cyber-security policy.
RBI's Cyber Security Framework is written from the perspective that a breach has already happened or will occur. Therefore, instead of focusing on preventive tools to detect, contain, and respond, it calls for a range of techniques and policies to help banks operate securely in an evolving threat landscape. The guidance consists of an introductory framework and three annexes:
1. An indicative set of baseline cybersecurity and resilience requirements.
2. Information on setting up and operationalizing a cybersecurity operation center (C-SOC).
3. A template for reporting cyber incidents to the RBI.
This requires organizations to consider the following sufficient conditions for data security:
1. Proactive cybersecurity: A proactive cybersecurity strategy is based on prevention, instead of the detection of and response to cyberattacks that is the focus of a reactive approach.
2. A cyber security policy: In addition to a broader IT Security policy, this should be defined and adopted along with a cybersecurity strategy and an assessment of cyber threats and risks.
3. Cybersecurity preparedness indicators need to be defined to assess and measure the level of risk/preparedness, for thorough testing through independent compliance checks and audits.
4. A supervisory reporting framework needs to be set up to collect both summary-level information and details on information security incidents.
5. All unusual cybersecurity incidents should be reported to the RBI as per the format given in the annexes.
6. Cybersecurity awareness and training sessions need to be conducted for all relevant stakeholders of the bank.
But following the above sufficient conditions does not provide for the necessary conditions for data security. I feel the necessary condition for data security is to understand data itself by 1) classifying the data into categories and 2) defining data handling policies for each category.
Typically, think about classifying data into the following broad categories:
1. Critical Data: This could be Personally Identifiable Information (PII) of customers, businesses, or organizations, which if breached would be a trust buster for the company and would directly impact the business.
2. Confidential Data: This could be HR-related data, or data that in aggregate could result in damage to the company.
3. Public Data: Public data is information that can be freely used, reused, and redistributed by anyone with no existing local, national, or international legal restrictions on access or usage.
Now, depending on the complexity of your business, you can define handling policies for each category of data to make sure data at rest or in motion is given its due security.
If you build your systems for data security bottom-up, the cyber security frameworks will provide additional guard rails for a rock-solid security posture, and you will find yourself generally ahead of the curve.
The article has been written by Manish Bhatia, President – Tech, Analytics & Capabilities at Lendingkart