Indian banks have deployed IT-based solutions to meet the increasing demands that a growing economy places on the banking industry. Adoption of technology has necessitated improving the IT-related skills of experienced bankers. Given the unavailability of internal IT skills, most banks resort to outsourcing IT activities. This has resulted in over-reliance on third-party vendors and has slowed the pace at which bank employees acquire skills.
Considering these limitations, the Reserve Bank of India (RBI) – India’s central bank – appointed a ‘Committee on Capacity Building’ that has made recommendations relating to particular areas/components of function, such as recruitment, performance assessment, promotion, placement, job rotation, and skills and capacity building. The committee also has made a number of recommendations for certification of staff in specialized areas, emphasizing that banks should make certification mandatory for the following areas:
- Treasury operations – dealers, mid-office operations
- Risk management – credit risk, market risk, operational risk, enterprise-wide risk, information security, liquidity risk
- Accounting – preparation of financial results, audit function
- Credit management – credit appraisal, rating, monitoring, credit administration
- Information and cyber security
- Governance of enterprise IT (GEIT)
The Indian Banks’ Association (IBA), in consultation with RBI, identified 10 institutes, such as the Indian Institute of Banking and Finance (IIBF), the National Institute of Bank Management (NIBM), ISACA, and others, as certifying organizations. ISACA is identified for its certifications in audit, risk management, security and GEIT.
RBI’s directives for banks
In 1999, RBI made it a compliance requirement for banks to perform an annual IS audit of the IT-based systems they deploy and use, with the audit report to be submitted to RBI. The notification recognized CISA as a qualifying certification for conducting IS audits.
In 2011, another committee provided guidelines for IT governance, information security, IS audit, outsourcing management, business continuity and compliance. These guidelines recommended that banks use COBIT 5 or similar frameworks for GEIT. Recommendations for other areas include adopting global best practices, including ISO 27001.
In June 2016, RBI issued a notification for banks specifying compliance requirements for cyber security.
Considering these compliance requirements and the skills and competency development requirements, banks have already taken steps to recognize ISACA certifications. Some banks reimburse examination and membership fees on passing the examination.
Role of ISACA certifications in skills development of bank staff
ISACA offers certifications in governance of enterprise IT (CGEIT), risk and control (CRISC), information systems audit (CISA), information security management (CISM) and performance-based cyber security (CSXP).
Certified Information Systems Auditor (CISA)
Most banks have made this certification mandatory for IS auditors, both internal and external.
Certified in Risk and Information Systems Control (CRISC)
Most banks have a defined chief risk officer (CRO) to implement enterprise risk management (ERM); however, there is a gap in aligning them with IT risk. CRISC helps bankers in aligning IT risk with ERM.
Certified Information Security Manager (CISM)
CISM is designed for information security and cyber security professionals including CISOs, information security managers and enterprise leadership.
Certified in Governance of Enterprise IT (CGEIT)
CGEIT is designed for senior management personnel who are responsible for overall governance of IT to ensure that investments in IT realize the expected benefits. This certification is ideal for the CIO, CEO, and members of the board of directors. Considering the RBI’s expectations from banks to implement GEIT, this certification is valuable for bankers in understanding the steps to implement an IT governance framework.
CSX Practitioner (CSXP)
This performance-based cyber security certification provides technical skills for much-needed and critically important cyber security responders working in the area of threat intelligence, incident response, SOC, etc.
Current challenges and next steps
Banking professionals with these skills are needed all over India and in many other countries throughout the world. Therefore, IBA has decided to develop and launch e-learning certification courses, and certifications in other areas are being developed by different institutes.
ISACA’s CISA, CISM, CRISC and CGEIT certifications are experience-based; however, there is some level of preparation required. There are 10 ISACA chapters in India, some of which offer review courses. Many bank officers, therefore, may not have access to the review courses conducted by chapters. However, ISACA is launching online review courses for some of its certifications and has moved to global computer-based testing, which should expand accessibility for bankers interested in pursuing these important certifications.
Sunil Bakshi, CISA, CISM, CRISC, CGEIT, Consultant
[ISACA Now Blog]