Chief Information Security Officer

Kalupur Commercial Operative Bank

Ahmedabad District

On-site

INR 12,00,000 - 18,00,000

Full time

Yesterday

Job summary

A regional banking institution in Gujarat seeks a Chief Information Security Officer (CISO) to lead their cyber security efforts. The CISO will oversee policies, risk management, and compliance with regulatory frameworks. Responsibilities include managing the cyber security team, reporting to top management, and ensuring the bank’s preparedness against cyber threats. A relevant degree with experience in governance and vendor management is required for this critical role.

Qualifications

  • Experience in governance and leadership within information and cyber security.
  • Strong understanding of risk management frameworks and business impact analysis.
  • Knowledge of compliance with regulatory requirements.

Responsibilities

  • Lead cyber security initiatives and maintain security policies.
  • Conduct risk assessments and report on cyber security risks.
  • Oversee compliance with regulatory requirements.

Skills

Cyber Security Management
Risk Management
Compliance Knowledge
Governance Skills
Vendor Management

Education

Relevant Degree in IT/Cyber Security

Tools

ISO 27001 Standards
ISO 22301 Standards
Cyber Security Operation Center (C-SOC)

Job description

Designation: CISO

Department: Information Security & Cyber Security

Your Role & Responsibilities:
  1. Governance
    • Hold overall responsibility for leading the information and cyber security initiatives of the bank. Create, update and maintain the bank's information security policy and cyber security policy, strategy and framework. Align information security with business strategy to support organizational objectives.
    • Review the performance of the information and cyber security program and report it to top management through various committees (monthly, IT committee and Audit committee) via presentations, status reports, etc.
    • Submit an office note to the board of directors for the quarterly cyber security posture review as per RBI guidelines.
    • Manage vendors for risk-based product/service providers: execute the contract/SLA, implement the product/service as per the defined scope, and review the vendor's services from time to time.
    • Supervise the departmental activities of the information and cyber security teams and ensure competence/skillset within the team by nominating personnel to various trainings, webinars and awareness sessions in coordination with HR.
    • Responsible for overall information security, business continuity and cyber security governance as per the defined Bank policy and statutory guidelines issued from time to time.
  2. Risk
    • Perform risk management and BIA (Business Impact Analysis) as per the framework to identify, assess and mitigate overall information and cyber security risk and its impacts, considering baselines from different internal and external contexts, changes or additions to regulatory requirements, changes in the threat landscape, incidents that happened outside, and the results of audits and security assessments.
    • Report information and cyber security risks and their severity to the process owner, HOD and various committees on the board, with recommendations on mitigation, and track them.
  3. Compliance
    • Responsible for carrying out gap assessments and ensuring adherence and compliance, in coordination with IT and the respective departments, with information and cyber security requirements (in the form of circulars, guidelines, letters, alerts and advisories) of regulatory and legal entities, i.e. RBI, CERT-In, SEBI/NDSL, PFRDA, IDRBT, NPCI etc.
    • Responsible for approving and submitting SWIFT customer security program KYC attestation.
    • Ensure submission of various returns to various regulatory entities as per their respective guidelines.
  4. Cyber Security Specific Activities
    • Oversee the C-SOC (Cyber Security Operation Center), dark web monitoring portal, DAKSH and IB-CART portal functions and ensure appropriate cyber incident response.
    • Review and drive initiatives related to cyber security by overseeing the planned projects and getting them done with the help of IT, the cyber security team and vendors. Review them on a yearly basis, plan for further development and report status to top management.
    • Ensure reporting to top management, RBI, IDRBT, NPCI and CERT-In in case of cyber fraud involving the bank's liability, and invoke actions as mentioned in the plan/framework.
  5. Oversee implementation and maintenance of the ISO 27001 (ISMS) and ISO 22301 (BCMS) certification standards.
  6. Oversee the IS audit of the Bank through the internal team and an external agency once a year and ensure compliance with the same.
  7. Participation in IDRBT CISO forum meeting for UCBs.
  8. Any other work assigned by the Reporting Authority from time to time.

As per the RBI circular for CISOs, we expect you to perform the roles and responsibilities mentioned below:

  • The CISO should place a separate review of cyber security arrangements/ preparedness of the UCB before the Board on a quarterly basis.
  • The CISO will be responsible for bringing to the notice of the Board about the vulnerabilities and cyber security risks that the UCB is exposed to.
  • The CISO, by virtue of his role as member secretary of information security and/or related committee(s), if any, may ensure, inter alia, current/emerging cyber threats to banking (including payment systems) sector and the UCB's preparedness in these aspects are invariably discussed in such committee(s).
  • The CISO's office shall manage and monitor the C-SOC and drive cyber security related projects. It can have a dotted relation with Chief Information Officer (CIO)/Chief Technology Officer (CTO) for driving such projects.
  • The CISO shall be an invitee to the IT Strategy committee and IT Steering Committee. The CISO may also be a member of (or invited to) committees on operational risk where IT/ IS risk is also discussed.