CSO100 Award 2018

Manish Sehgal has more than 20 years of experience in the information security domain. He is currently the Chief Information Security Officer (CISO) at AU Small Finance Bank. Sehgal's IT career began as a faculty/network associate and moved gradually from pure IT into a specialized information security role. He has worked in sectors such as banking, manufacturing, telecom, travel and ITES. He is an expert in security project and program management and in managing governance, risk and compliance (GRC). His other areas of expertise include risk management, assessment and implementation of information security controls, regulatory and compliance audits (internal and external), handling security incidents, and implementing security awareness programs.

Key security initiatives

AU Small Finance Bank needed to ensure that its customers' data is not leaked. It is most important for the bank to always adhere to regulatory guidelines and to make information security a prime focus of every employee and of every third-party vendor associated with it. To this end, it has implemented a cybersecurity framework that enables it to evaluate, prioritize, manage and control cyber risks at every touch point of its banking operations.

AU Small Finance Bank has deployed a defense-in-depth architecture so that the bank's data is protected at all times, and has put in place both technical and procedural preventive measures to avoid IT security incidents. For the network, it conducts vulnerability assessment and penetration testing (VA/PT) exercises and configuration reviews, which reduce the chance that a known vulnerability in the bank's IT infrastructure can be exploited (these exercises only cover vulnerabilities known at the time of testing, which is why they are repeated). It has also deployed tools such as SIEM, ATD, DDoS protection and a secure web gateway, which monitor network health and protect the bank's IT infrastructure from malicious actors. For servers and databases, it uses database activity monitoring (DAM), patch management, file integrity monitoring (FIM) and application whitelisting, which together ensure that harmful files cannot adversely affect the security posture of the servers.

For endpoints it has DLP, AV, a host firewall, HIPS, FIM and application whitelisting, which ensure that endpoints do not open loopholes in the security architecture. To complete the information security framework, procedural controls such as conducting proofs of concept (POCs) for emerging IT security technologies, enhancing the expertise of the team, subscribing to advisories, continuous compliance, regular reviews and controlled self-assessments help the bank prevent delivery failures and ensure that its information security goals are always met.