Taher Ahmed Chowdhury, Deputy Managing Director of Islami Bank, has 30 years of experience in IT and also heads the bank's Information & Communication Technology (ICT) division. He previously served as Executive Vice President & CIO of First Security Islami Bank.
Mr. Taher Ahmed Chowdhury's résumé shows that, in addition to an MBA from IIUC, he completed the International Project Management programme of AAPM, USA, and then a Master's in Information Technology at the Institute of Information Technology, Jahangirnagar University. He also holds the MCP, MCSE and CCNA professional online certifications from Microsoft and Cisco, USA. More recently he earned the CISSO (Certified Information Systems Security Officer) certification from Mile2, USA; he is the only head of ICT in the banking industry to have earned this certification.
He began his career in 1986 as a Hardware Engineer at Beximco Computers Ltd., the first IT company in Bangladesh. In 1993 he left Beximco to become a Radio Electronic Instructor at the Marine Academy, Chittagong (under the Ministry of Shipping), and rejoined Beximco in 2000 as Senior Network Engineer. In 2002 he became Senior Faculty & System In-charge at BRAC IBM-ACE & BRAC BITI, and in 2005 he returned to Beximco once more, this time as Manager, Technical Training & Services. He then moved into banking as Assistant Vice President in the IT division of IFIC Bank, where he worked until joining Islami Bank.
The following is a short excerpt from the guidebook "Executive Leadership of Cyber Security" for the banking industry, written by him, giving a brief description of cyber security and of its first core function.
The persistent threat of internet attacks is a societal issue facing all industries, especially the financial services industry. Once largely considered an IT problem, the rise in the frequency and sophistication of cyber-attacks now requires a shift in thinking on the part of bank CEOs: management of a bank's cyber security risk is not simply an IT issue but a CEO and board of directors issue. Cyber security experts expect the trend toward increasingly sophisticated cyber-attacks to continue in the near future, and the financial services industry, a vital component of the nation's critical infrastructure, remains a prime target for cyber criminals. Cyber risks, like reputational and financial risks, can affect a bank's bottom line. A breach can be costly, can compromise customer confidence, and, in some cases, can leave the bank legally responsible. Beyond the impact on an individual bank, cyber risks have far-reaching economic consequences. Because of the inherent interconnectedness of the Internet, a security breach at a few financial institutions can pose a significant threat to market confidence and the nation's financial stability.
This reinforces the notion that safeguarding against cyber security threats is not a problem that can be addressed by any one bank. To deal adequately with the persistent threat of cyber-attacks, financial institutions and bank regulators must come together, collaborate, identify potential weaknesses and share industry standards and best practices. The goal of this document is to provide you, the bank CEO, with a non-technical, easy-to-read resource on cyber security that you can use as a guide to mitigate cyber security risks at your bank. This resource guide collects in one document industry-recognized standards for cyber security, best practices currently used within the financial services industry, and the organizational approach used by the National Institute of Standards and Technology (NIST).
While this resource guide does not guarantee protection against cyber security threats, it identifies various resources, including people, processes, tools and technologies, that financial institutions can use to reduce the likelihood and impact of a cyber-attack. This guide (Cyber security 101) is organized according to the five core functions of the NIST Cybersecurity Framework.
The five core functions of cyber security are: Identify, Protect, Detect, Respond and Recover. (Version 2.0 of the NIST Cybersecurity Framework, published in February 2024, adds a sixth function, Govern, which covers the board-level oversight responsibilities this guide describes.)
The first core cyber security function is to identify your bank's cyber security risk: the amount of risk posed by a financial institution's activities, connections, and operational procedures. A risk is the potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability. To identify these risks, your financial institution should perform a risk assessment, a process for identifying threats to information and information systems, determining the likelihood that each threat occurs, and identifying the system vulnerabilities it could exploit.
A risk assessment should include the classification of critical information assets, identifying threats and vulnerabilities, measuring risk, and communicating risk.
Before you can adequately assess risk to your bank, you must first identify what your bank’s “crown jewels” are, where they are located, and how they are being protected. Crown Jewels are critical information assets that are regarded as highly sensitive, essential pieces of information to the organization. “Crown jewels” could be people (e.g., employees or customers), property (both tangible and intangible), or information (e.g., databases, software code, critical company records). After the “crown jewels” have been identified, all information assets should be classified based on a defined category of sensitivity. This can be carried out by an individual or a team.
Classifications, in descending order of sensitivity, could include such categories as:
- Confidential—having a severe impact on the financial institution, its critical functions, business partners, or customers if lost, damaged, or disclosed without authorization;
- Restricted—having a limited impact on the financial institution, its critical functions, business partners, or customers if lost, damaged, or disclosed without authorization;
- Internal Use Only—having a minimal to limited impact on the financial institution, its critical functions, business partners, or customers if lost, damaged, or disclosed without authorization.
A threat is a force, organization, or person that seeks to exploit a vulnerability to obtain, compromise, or destroy an information asset. A vulnerability is a weakness in a system or program that can be exploited by threats to gain unauthorized access to an information asset. Identifying threats and vulnerabilities to your bank is critical. At any given time your bank could be exposed to several different types of information security threats. These threats include:
- Natural disasters, such as floods and fires;
- Internal threats, like malicious or unaware employees;
- Physical threats by a potential intruder; and
- Internet threats, such as hackers.
To measure your bank's level of risk, first adopt a method for measuring it. One approach is shown in figure 1, taken from the "Risk Management Non-Technical Guide" published by the Multi-State Information Sharing & Analysis Center (MS-ISAC). Each information asset is given a value of high, medium, or low, and the threats to it are likewise rated high, medium, or low; the resulting risk level then depends on the controls the bank has put in place. For example, if backups are taken and stored securely, the loss of an electronic file may be a low risk.
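As an added worked example (not part of the guidebook or of the MS-ISAC guide), the following Python script builds a small risk register along the lines of the method above: each asset is classified with one of the three tiers listed earlier, paired with threats drawn from the four categories, rated for inherent risk from an impact-by-likelihood matrix, and then re-rated for residual risk after the controls the bank actually has in place are applied. The matrix weighting, the mapping of classification tiers to impact, the way each control lowers likelihood or impact, and the sample inventory are all this example's own assumptions, not figures from the guide.

```python
"""Risk register for the Identify function: classify assets, pair them with
threats, rate inherent risk, then rate residual risk after existing controls."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

LEVELS = ("low", "medium", "high")

# Classification tiers from the guide, mapped to the impact of loss, damage or
# unauthorized disclosure (the tier-to-impact mapping is this example's assumption).
CLASSIFICATION_IMPACT: Dict[str, str] = {
    "Confidential": "high",
    "Restricted": "medium",
    "Internal Use Only": "low",
}

# Inherent risk matrix: (impact, likelihood) -> risk level (assumed weighting).
RISK_MATRIX: Dict[Tuple[str, str], str] = {
    ("high", "high"): "high",    ("high", "medium"): "high",     ("high", "low"): "medium",
    ("medium", "high"): "high",  ("medium", "medium"): "medium", ("medium", "low"): "low",
    ("low", "high"): "medium",   ("low", "medium"): "low",       ("low", "low"): "low",
}


def lower(level: str, steps: int) -> str:
    """Move a high/medium/low rating down by `steps`, never below low."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


@dataclass
class Threat:
    name: str
    category: str    # natural | internal | physical | internet (the guide's four kinds)
    likelihood: str  # high / medium / low chance of exploiting a vulnerability


@dataclass
class Control:
    name: str
    covers: Set[str]  # threat categories this control is effective against
    reduces: str      # "likelihood" (prevents exploitation) or "impact" (limits the loss)
    steps: int = 1    # how many rating levels it lowers


@dataclass
class Asset:
    name: str
    classification: str
    location: str     # the guide asks where each crown jewel lives
    threats: List[Threat] = field(default_factory=list)
    controls: List[Control] = field(default_factory=list)

    @property
    def impact(self) -> str:
        return CLASSIFICATION_IMPACT[self.classification]


def inherent_risk(asset: Asset, threat: Threat) -> str:
    """Risk before any control is taken into account."""
    return RISK_MATRIX[(asset.impact, threat.likelihood)]


def residual_risk(asset: Asset, threat: Threat) -> str:
    """Risk after applying only those controls that cover this threat's category."""
    impact, likelihood = asset.impact, threat.likelihood
    for c in asset.controls:
        if threat.category in c.covers:
            if c.reduces == "impact":
                impact = lower(impact, c.steps)
            else:
                likelihood = lower(likelihood, c.steps)
    return RISK_MATRIX[(impact, likelihood)]


def risk_register(assets: List[Asset]) -> List[dict]:
    """One row per asset/threat pair, highest residual risk first (stable order)."""
    rows = [{"asset": a.name, "classification": a.classification, "threat": t.name,
             "inherent": inherent_risk(a, t), "residual": residual_risk(a, t)}
            for a in assets for t in a.threats]
    return sorted(rows, key=lambda r: LEVELS.index(r["residual"]), reverse=True)


# Constructed sample inventory (hypothetical bank, not real data).
flood = Threat("flood at primary data centre", "natural", "low")
insider = Threat("malicious or careless employee", "internal", "medium")
hacker = Threat("internet attacker", "internet", "high")
offsite_backup = Control("encrypted offsite backups, restore-tested quarterly", {"natural"}, "impact")
mfa = Control("MFA and least-privilege access", {"internal", "internet"}, "likelihood")

SAMPLE_ASSETS = [
    Asset("core banking customer database", "Confidential", "primary data centre",
          [flood, insider, hacker], [offsite_backup, mfa]),
    Asset("branch opening-hours spreadsheet", "Internal Use Only", "branch file server",
          [flood, hacker], [offsite_backup]),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_ASSETS):
        print(f"{row['residual']:6} (inherent {row['inherent']:6})  "
              f"{row['asset']} / {row['threat']}")
```

Note how the backup control turns the flood scenario for the customer database from medium inherent risk into low residual risk, which is the guide's own backup example, while it does nothing for the internet attacker, whose residual risk stays high and therefore heads the register that goes to senior management.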
It is vital to have a process that informs senior management and the board of directors about cyber risks to your bank, how your bank currently manages them, how to mitigate those risks and who is accountable for doing so. Once your financial institution has conducted a risk assessment and made decisions about how to mitigate those risks, reviews should be conducted at least annually.
CYBER RISK MANAGEMENT PROCESS
The risk assessment is one element of a larger cyber risk management process that each bank should have in place. Bank CEOs should create and maintain an effective, resilient risk-management process that enables proper oversight and ensures that cyber security risks are actually being managed. Key elements of such a process (or of a cyber-incident management process) include: an initial assessment of each new threat; identifying and prioritizing gaps in current policies, procedures and controls; and updating and testing those policies, procedures and controls as necessary.