Critical aspects of information security for BFSI and Healthcare domains

Ganesh Viswanathan, Senior VP-PMO & CISO, Aithent Technologies Pvt Ltd

Information Security is a critical requirement in the Banking and Healthcare industry. News abound about data theft and breaches affecting millions of customers. With increasing threat vectors and rising intensity of attacks it is important that we have a robust security framework. The article highlights the critical facets for protecting the business from various types of cyberattacks and secure the business-critical information.

As Banks & Financial Institutions and Healthcare providers are dealing with confidential Personally Identifiable Information (PII), Protected Health Information (PHI) it requires a high degree of safety and security. While there has been a good amount of focus on protecting the assets in terms of physical and logical security still there have been discernible gaping holes

1.    24 X 7 Physical Security & Surveillance: It is one of the most overlooked aspects of security. As per a 2015 study of healthcare data breaches found that physical security is the most common cause of security compromise. Hence the need for adopting a layered security strategy to protect the crown jewels which are the raison d’tre of the business.

2.    Risk assessment and Treatment: Risk management is a key element of information security and privacy governance. The identification, assessment and mitigation of top and emerging risks should be through a well-defined internal process through the use of appropriate Risk management policies, procedures and tools. Risk assessment should cover financial risks such as credit risk, business risk, market risk, liquidity risk and non-financial risks (NFRs) including reputational risk and operational risk. 

3.    Logical Security: Adequate controls need to be deployed at the desktop level to prevent any form of data leakage. To access remote applications, documents, desktops securely Citrix application is installed on all end point devices. The access to the application should be through 2 factor authentication. Besides disabling Internet services, Personal mails such as Gmail, Yahoo Mail, access to home drive should be disabled. USB and CD & DVD-ROM’s are also disabled. Right click access to save on desktop and Utilities to create, read, edit text files.

Operating system should be latest and supported by OEM. There should be a daily Anti-Virus signature update and patches should be deployed at least once a month. The internal and external Vulnerability scan to be conducted on a quarterly basis and all the critical and major gaps to be acted upon. For all applications Penetration Testing should be conducted and all the gaps to be fixed on an annual basis

The list of employees having privileged access to the IT Infrastructure (Application servers, database servers, database, network devices, VPN, Antivirus, Firewalls, Workstations, and Products/Applications) should be reconciled with the active employee list on the date of review by the concerned Project Manager on a monthly basis. Similarly all user access to the above IT infrastructure should be reconciled at least once in two months. 

4.    Social Engineering:  98% of cyber-attacks rely on social engineering. The human firewall is the weakest link in information security and deception as a technique is used by cyber criminals to manipulate the employees to divulge confidential or personal information. There are various techniques used such as Phishing (Email), Vishing (Voice), Smishing (SMS), shoulder surfing, dumpster diving , impersonation, whaling used to target the gullible employees and exploit them to break the security protocols and procedures.