OCISO set up: SBP acts to enhance cyber security

03 Nov, 2018

The State Bank of Pakistan (SBP) has taken a number of steps for information and cyber security improvement and set up new Office of the Chief Information Security Officer (OCISO) to ensure cyber security during the last fiscal year. According to the State Bank's annual performance review, the SBP has revamped its organizational structure according to industry best practices for cyber security and witnessed major improvement in the area of information and cyber security governance within the bank and in order to provide full independence during FY18.
The SBP has established OCISO along with the appointment of CISO and in order to ensure CISO's role in management committees, permanent membership was granted in Enterprise Risk Management Committee, Management Committee on Information Technology and Business Continuity Planning Committee.
Further, to ensure monitoring of cyber threats, OCISO has started monitoring critical security controls protecting the SBP network and systems from different kind of cyber security threats. Further, in order to strengthen the organization structure, Office of the CISO built its team by inducting specialized IT security resources to ensure delivery of key services and functions and organization-wide IT Security Policy covering the complete IT infrastructure of SBP and its subsidiaries was devised.
Moreover, OCISO led the efforts in conducting the first annual SWIFT Customer Security Control (CSP) framework and reviewed SBP's SWIFT security posture.
Based on the monitoring of data from multiple technical controls, OCISO initiated submission of monthly cyber activity reports to senior management. In addition to independent third-party security assessments, OCISO also improved and performed multiple Software Vulnerability Assessments in IT Infrastructure to identify security vulnerabilities in software systems used in SBP and its subsidiaries.
The report said that identified vulnerabilities were shared with IT departments for mitigation and patching purposes to reduce operational risks and OCISO collected and disseminated security advisories from multiple legitimate sources including but not limited to national agencies, OEMs, etc. after thorough analysis during the last fiscal year.
Technical security advisories were shared with IT departments for timely actions and end-user advisories were broadcasted bank-wide for security awareness of all employees.

Read Comments