With the increasing number of financial transactions through online systems and the growing digitisation of banking services, measures to combat hacking and cyber crimes have become imperative in Bangladesh’s banking and financial sector. However, the absence of a centralised body to coordinate cyber security measures, such as a Computer Security Incident Response Team (CSIRT) for the banking and finance sector, has made the country’s financial transactions through online systems vulnerable to cyber threats, said experts.
A CSIRT is considered one of the most important security measures for modern banking and internet-facing services. It is an organisation that receives reports of security breaches, analyses them and responds to the senders. A CSIRT can be an established group or an ad hoc assembly.
There are various types of CSIRTs. National CSIRT oversees incident handling for an entire country. There can be sector-wise CSIRTs—the entire financial and banking sector of the country can have a CSIRT. Even an individual organisation like a bank can have its own CSIRT, which can be linked to the sectoral CSIRT for updates.
Following the Bangladesh Bank (BB) heist, the demand for establishing a central CSIRT for the financial and banking sector was raised again. The senior officials of commercial banks made the demand.
Incidentally, this was not the first time that the demand for a CSIRT in Bangladesh’s financial and banking sector had been raised. Over the past few years, several senior officials from the commercial banks asked the central bank to establish a CSIRT.
A senior BB official told The Independent that the commercial banks had been seeking a centralised CSIRT and had asked the central bank to coordinate the efforts to establish one. The official, however, said that a centralised CSIRT for the financial and banking sector cannot be established within a short period of time. Citing an example, the BB official said Sri Lanka had established a CSIRT for the banking and finance sector in 2014 after six years of planning and policymaking.
The Sri Lankan CSIRT for the banking and finance sector is hosted and managed by LankaClear (Pvt) Ltd under the guidance of the Central Bank with the assistance of the Sri Lanka Computer Emergency Readiness Team and the Sri Lanka Banks Association (SLBA). The BB official also said the Sri Lankan CSIRT implementation was not easy, as they had to overcome many hurdles and many banks were reluctant to share sensitive information. Not all banks in Bangladesh have arrived at a consensus on a centralised CSIRT. Many banks have expressed their reluctance to share information.
After the recent BB cyber heist, the situation has changed and most of the banks have now opted for a centralised CSIRT for the financial and banking sector, disclosed the BB official.
Omar Faruq, secretary general of Information System Audit and Control Association (ISACA) (Bangladesh chapter), an international professional association focused on IT governance, told The Independent: “A centralised CSIRT under the guidance and supervision of the BB has become imperative for the protection of the information security of the country’s financial sector.”
He said there was a growing need to protect the financial data in the banking system, as the country has already embraced internet banking, mobile banking, electronic cheque transactions and e-transfer, adding that the importance of information security in the banking industry has grown rapidly at present.
“Under the circumstances, a centralised CSIRT under the umbrella of the BB could have ensured foolproof security in the financial and banking sector.”
Faruq said a specific information security framework and set of guidelines are also missing in Bangladesh. “The BB needs to come up with a specific framework and guidelines, as otherwise, the measures for ensuring information security will be taken on a piecemeal basis, like the way it’s done right now.”
He said the Indian chapter of ISACA had helped the Reserve Bank of India to establish Control Objectives for Information and Related Technology (COBIT), a framework created by ISACA for information technology (IT) management and IT governance to regulate policy for ensuring information security.
“From the Bangladesh chapter of ISACA, we have offered our aid to establish the framework. This is required because even if an individual financial institution buys the highest security package for its own organisation, there could be a security breach because of one employee. A specific framework would ensure security efficiency at the employee level.”
Mosharraf Hossain Khan, head of IT and cyber security of Standard Bank, said if there were a standardised set of guidelines, it would become easier for the banks to ensure cyber security.
“The commercial banks have their own responsibility to ensure the cyber security of their bank. The IT department of each bank has the freedom to add layers of security to its banking system,” he said. He also said that after the heist at the BB, Standard Bank had installed a secondary firewall to make its transactions foolproof. “According to the directions of the management, we also established a cyber security cell here and are conducting awareness programmes in all our branches.”
Editor : M. Shamsur Rahman
Published by the Editor on behalf of Independent Publications Limited at Media Printers, 446/H, Tejgaon I/A, Dhaka-1215.
Editorial, News & Commercial Offices : Beximco Media Complex, 149-150 Tejgaon I/A, Dhaka-1208, Bangladesh. GPO Box No. 934, Dhaka-1000.