🏦 SIDBI PII Encryption Review

Observation-Based Security Assessment
Skillmine Technology Consulting Pvt. Ltd.
📅 November 28, 2025 - Kickoff Meeting
⏰ Duration: 10 Working Days | End: December 12, 2025

📋 Today's Agenda

🎯 Engagement Overview

Objective

Assess whether PII data is stored, transmitted, or logged in unencrypted/clear-text format across SIDBI's infrastructure.

Scope

  • Oracle 19c (On-premise)
  • AWS S3 Buckets (5-6)
  • SQL Server (Cyfuture + ESDS x4)
  • Security Tools (SIEM, DAM, EDR, AV)

Final Deliverables: Assessment Report + CERT-In Certification

📋 Detailed Scope of Work

Objective: To assess whether PII data is stored, transmitted, or logged in an unencrypted or clear-text format across on-premises, cloud, and co-location environments. CERT-In certification will be provided upon completion.

💾 Data at Rest

Oracle 19c (On-premise): Verify TDE encryption status for PII data
AWS S3 Buckets (5-6): Validate SSE/KMS encryption configuration
SQL Server (Cyfuture + ESDS x4): Review TDE implementation and key management

🌐 Data in Transit

Traffic Sampling: Review exit points/perimeter devices (minimum 10 samples)
TLS Configuration: Evaluate Oracle, AWS, and SQL Server data transfers for encryption
Protocol Verification: Inspect perimeter devices for secure communication protocols

📋 Logs Review

SIEM, DAM, EDR/XDR, Antivirus: Confirm PII is not forwarded in clear text
Log Transfer Security: Assess whether logs are transmitted with encryption enabled
Pattern Detection: Search for PII exposure in security monitoring platforms

🔄 Our Assessment Process - 4 Steps

Step 1: Understand the System As-Is

📊 Initial discovery to understand your infrastructure, architecture, and current security controls

Step 2: Interview & Evidence Collection

📝 Structured questionnaire with stakeholders + Observation sessions where SIDBI team demonstrates systems and provides proof/evidence

Step 3: Analysis & Report Preparation

📑 Analyze PII encryption findings (Data at Rest, In Transit, Logs), perform gap analysis against best practices, and prepare comprehensive report on PII protection posture

Step 4: Daily Status Updates

📧 Daily progress reports to stakeholders ensuring transparency and alignment

🔄 End-to-End Process Flow

flowchart TB
    START([🚀 Kickoff Meeting<br/>TODAY 3:30 PM])
    subgraph STEP1["📊 STEP 1: Understand System As-Is"]
        S1A[Review Architecture Diagrams]
        S1B[Understand Data Flow]
        S1C[Identify Systems in Scope]
        S1D[Review Existing Security Controls]
    end
    subgraph STEP2["📝 STEP 2: Interview & Evidence Collection"]
        S2A[Share Questionnaire<br/>475 Questions]
        S2B[Schedule Observation Sessions<br/>Days 1-6]
        S2C[SIDBI Team Demonstrates Systems<br/>Skillmine Observes]
        S2D[Collect Evidence<br/>Screenshots, Reports, Configs]
    end
    subgraph STEP3["📑 STEP 3: Analysis & Reporting"]
        S3A[Consolidate Findings<br/>Day 7]
        S3B[Gap Analysis & Risk Rating]
        S3C[Draft Report<br/>Day 8]
        S3D[SIDBI Review<br/>Day 9]
        S3E[Final Report + CERT-In<br/>Day 10]
    end
    subgraph STEP4["📧 STEP 4: Daily Status Updates"]
        S4A[Daily Email to Stakeholders]
        S4B[Progress Tracking]
        S4C[Issue Escalation if needed]
    end
    START --> STEP1
    STEP1 --> STEP2
    STEP2 --> STEP3
    STEP3 --> END([✅ Engagement Complete<br/>Day 10])
    STEP1 -.Daily Updates.-> STEP4
    STEP2 -.Daily Updates.-> STEP4
    STEP3 -.Daily Updates.-> STEP4
    style START fill:#90EE90,stroke:#228B22
    style END fill:#FFD700,stroke:#DAA520
    style STEP1 fill:#E6F3FF,stroke:#1E90FF
    style STEP2 fill:#FFE4B5,stroke:#FF8C00
    style STEP3 fill:#E6FFE6,stroke:#228B22
    style STEP4 fill:#FFE6E6,stroke:#DC143C

👀 Observation-Based Audit Model

Key Principle: Skillmine has NO direct access to any systems. SIDBI team performs all actions while Skillmine observes and documents.

🏢 Onsite Mode

  • SIDBI staff uses their own laptop
  • Logs into systems
  • Navigates screens as requested
  • Skillmine observes and takes notes

🌐 Remote Mode

  • SIDBI shares screen via Teams/Zoom
  • Logs into systems
  • Navigates as requested
  • Skillmine observes remotely

🔍 How Observation Sessions Work

sequenceDiagram
    participant SK as Skillmine
    participant SB as SIDBI Team<br/>(DBA/SecOps)
    participant SYS as System<br/>(Oracle/AWS/SQL)
    SK->>SB: 1. Share verification scripts
    Note over SB: SIDBI reviews beforehand
    SK->>SB: 2. "Please execute this query"
    SB->>SYS: 3. Execute query
    SYS->>SB: 4. Return results
    Note over SB,SYS: SIDBI demonstrates
    SB->>SK: 5. Screen share (live)
    SK->>SK: 6. Observe & take screenshots
    SK->>SB: 7. "Can you show X?"
    SB->>SYS: 8. Navigate to X
    SYS->>SB: 9. Display X
    SK->>SK: 10. Capture screenshots
    SK->>SK: 11. Document findings
    SK->>SK: 12. Organize evidence
    SK->>SB: 13. "Session complete, thank you"
    Note over SK,SB: All evidence captured by Skillmine

🎯 Four Assessment Pillars

graph TB
    subgraph ASSESSMENT["🔍 PII Encryption Assessment"]
        subgraph DAR["💾 Data at Rest<br/>(Days 1-3)"]
            DAR1[Oracle 19c TDE]
            DAR2[AWS S3 SSE/KMS]
            DAR3[SQL Server TDE<br/>Cyfuture + ESDS x4]
            DAR4[Key Management]
            DAR5[Backup Encryption]
        end
        subgraph DIT["🌐 Data in Transit<br/>(Day 4)"]
            DIT1[TLS Configuration<br/>Version 1.2+]
            DIT2[Traffic Sampling<br/>10+ samples]
            DIT3[Oracle SQL*Net]
            DIT4[SQL Connection Encryption]
            DIT5[Certificate Management]
        end
        subgraph MASK["🎭 Data Masking<br/>(Days 1-6)"]
            MASK1[Non-Prod Masking]
            MASK2[Dynamic Masking]
            MASK3[Tokenization]
            MASK4[Masking Policies]
        end
        subgraph LOGS["📋 Logs Review<br/>(Days 5-6)"]
            LOGS1[SIEM<br/>PII Pattern Search]
            LOGS2[DAM<br/>Database Activity]
            LOGS3[EDR/XDR<br/>Endpoint Logs]
            LOGS4[Antivirus<br/>Scan Logs]
        end
    end
    DAR --> REPORT[📑 Comprehensive Report<br/>Days 7-10]
    DIT --> REPORT
    MASK --> REPORT
    LOGS --> REPORT
    REPORT --> CERTIN[🏆 CERT-In Certification<br/>Day 10]
    style DAR fill:#E6F3FF,stroke:#1E90FF
    style DIT fill:#E6FFE6,stroke:#228B22
    style MASK fill:#FFF0F5,stroke:#FF1493
    style LOGS fill:#FFE6E6,stroke:#DC143C
    style REPORT fill:#FFF3E6,stroke:#FF8C00
    style CERTIN fill:#FFD700,stroke:#DAA520

🔐 PII Assessment Criteria

PII Types Covered

PII Type       Pattern
Aadhaar        [2-9][0-9]{11}
PAN            [A-Z]{5}[0-9]{4}[A-Z]
Mobile         [6-9][0-9]{9}
Email          Email pattern
Bank Account   SIDBI format
Address        Free text
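The "Pattern Detection" item under Logs Review and the "No PII in screenshots" evidence rule both come down to the same check: run the patterns from the table above over an exported log sample and record only masked values. The scanner below is an added illustration, not a Skillmine script or SIDBI tooling. It uses the Aadhaar, PAN and Mobile patterns exactly as listed, adds word boundaries (an assumption made here, so a 12-digit Aadhaar is not also counted as a 10-digit mobile number), substitutes a generic address pattern for "Email pattern", and leaves Bank Account (SIDBI format) and Address (free text) out because the page gives no pattern for them. The SIEM export lines are constructed for the example.

```python
from __future__ import annotations

import re
from collections import Counter

# Patterns from the assessment criteria table, wrapped in \b word boundaries
# (added here) so nested digit runs are not double-counted. Bank Account and
# Address have no regex on the page and are intentionally not matched.
PII_PATTERNS = {
    "Aadhaar": re.compile(r"\b[2-9][0-9]{11}\b"),
    "PAN":     re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b"),
    "Mobile":  re.compile(r"\b[6-9][0-9]{9}\b"),
    # Generic e-mail pattern assumed for the table's "Email pattern" entry.
    "Email":   re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
}

# Constructed SIEM export, not real SIDBI data. Line 4 is what the same event
# looks like once the application masks PII before forwarding.
SAMPLE_SIEM_EXPORT = [
    "2025-11-28T10:01:05Z dam oracle19c SELECT * FROM CUSTOMER WHERE AADHAAR='234567890123'",
    "2025-11-28T10:02:11Z app-api POST /kyc pan=ABCDE1234F mobile=9876543210 status=200",
    "2025-11-28T10:03:30Z edr host=WS-17 user=analyst@example.com process=chrome.exe",
    "2025-11-28T10:04:02Z app-api POST /kyc pan=****1234F mobile=******3210 status=200",
    "2025-11-28T10:05:45Z siem rule=login-failure count=7 src=10.0.0.5",
]


def mask(value: str) -> str:
    """Keep only the last four characters, so evidence never carries the PII itself."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (pii_type, masked_value) for every clear-text PII match in one log line."""
    hits = []
    for pii_type, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(line):
            hits.append((pii_type, mask(match.group(0))))
    return hits


def redact(line: str) -> str:
    """Replace every PII match in the line with its masked form."""
    for pattern in PII_PATTERNS.values():
        line = pattern.sub(lambda m: mask(m.group(0)), line)
    return line


def scan_log(lines) -> dict:
    """Scan log lines; return per-type counts and the offending lines in redacted form.

    Only redacted text is stored, so the result can go straight into the
    evidence folder without violating the "No PII in screenshots" rule.
    """
    counts: Counter = Counter()
    findings = []
    total = 0
    for total, line in enumerate(lines, 1):
        hits = scan_line(line)
        if not hits:
            continue
        counts.update(pii_type for pii_type, _ in hits)
        findings.append({
            "line": total,
            "types": sorted({pii_type for pii_type, _ in hits}),
            "redacted": redact(line),
        })
    return {"lines_scanned": total, "counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    result = scan_log(SAMPLE_SIEM_EXPORT)
    print(f"scanned {result['lines_scanned']} lines, clear-text PII counts: {result['counts']}")
    for finding in result["findings"]:
        print(f"  line {finding['line']} {finding['types']}: {finding['redacted']}")
```

A line that yields no hits (line 4 above) is what the "PII is not forwarded in clear text" criterion expects to see everywhere; each line that does yield hits is a finding for the gap report, and the redacted form is the only version that should be pasted into evidence.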

Four Assessment Pillars

1. Encryption at Rest

✓ TDE (Oracle/SQL Server)
✓ SSE-KMS (AWS S3)
✓ Key rotation & management

2. Encryption in Transit

✓ TLS 1.2+ for all connections
✓ SQL*Net/JDBC encryption
✓ Certificate validation

3. Data Masking & Tokenization

✓ Verify that masking is enabled where required
✓ Dynamic data masking
✓ Tokenization for sensitive fields

4. Log & Backup Security

✓ No PII in clear-text logs
✓ Log masking policies
✓ Encrypted backups

👥 Roles & Responsibilities (RACI)

R = Responsible | A = Accountable | C = Consulted | I = Informed

Activity                   Skillmine   SIDBI SPOC   SIDBI DBA   SIDBI SecOps   SIDBI IT Head
Kickoff Meeting            R           R            C           C              A
Questionnaire Completion   C           R            C           C              A
Call Schedules             R           C            R           R              I
Evidence Collection        R           A            C           C              I
Daily Status Reports       R           A            I           I              I
Gap Assessment Report      R           I            I           I              A
Report Review & Approval   C           R            C           C              A
CERT-In Certification      R           I            I           I              A

📧 Daily Status Reporting (Step 4)

Commitment: Daily email updates to all stakeholders by 6:00 PM every day

Report Contents

  • ✅ Activities completed today
  • 📊 Progress against plan
  • 🎯 Findings summary (if any)
  • ⚠️ Issues/blockers
  • 📅 Next day's plan
  • 📎 Evidence collected count

Communication Channels

  • Daily Reports: Email
  • Urgent Issues: Phone/Teams
  • Evidence Sharing: Secure Portal
  • Status Meetings: As needed

graph LR
    DAY[📅 End of Day] --> CONSOLIDATE[📊 Consolidate<br/>Day's Findings]
    CONSOLIDATE --> DRAFT[✍️ Draft Status<br/>Report]
    DRAFT --> REVIEW[✅ Internal<br/>Review]
    REVIEW --> SEND[📧 Send to<br/>Stakeholders<br/>by 6 PM]
    SEND --> TRACK[📈 Update<br/>Progress<br/>Dashboard]
    style DAY fill:#E6F3FF,stroke:#1E90FF
    style SEND fill:#90EE90,stroke:#228B22

👥 SIDBI Team Availability Required

Role                Required Days   Key Sessions
SPOC/Coordinator    All 10 days     All sessions requiring SIDBI presence
Oracle DBA Lead     Day 1, 2, 4     Oracle TDE, Oracle Net encryption
SQL Server DBA      Day 2, 3, 4     SQL Server TDE (Cyfuture + ESDS x4)
AWS Administrator   Day 2           AWS S3 buckets, KMS configuration
Network Admin       Day 4           TLS config, traffic samples, perimeter
SecOps Lead         Day 5, 6        SIEM, DAM, EDR/XDR, Antivirus
IT Head/CISO        Day 1, 9, 10    Kickoff, Draft review, Final handover

📸 Evidence Collection & Success Criteria

✅ Acceptable Formats

  • Screenshots (PNG/JPG)
  • CLI output (TXT/CSV)
  • Config exports (XML/JSON)
  • Query results (CSV/Excel)

⚠️ Evidence Requirements

  • Clear, legible, timestamped
  • Show system context
  • No PII in screenshots
  • Organized by date/system

📁 Folder: SIDBI_Evidence/Day_XX/SystemName/[files]

✅ Engagement Success Criteria

1. Coverage

✓ 100% systems assessed

2. Evidence

✓ Complete package

3. Reporting

✓ Draft Day 8, Final Day 9

4. Certification

✓ CERT-In certificate Day 10

5. Timeline

✓ Complete within 10 days (Nov 28 - Dec 12)

📦 Deliverables

Deliverable            Due Date                 Description
Daily Status Reports   Days 1-10 (6 PM daily)   Progress updates to stakeholders
Evidence Package       Day 6                    Complete folder of screenshots, outputs, configs
Draft Report           Day 8                    35-40 page assessment report for SIDBI review
Final Report           Day 9                    Final report incorporating SIDBI feedback
CERT-In Certificate    Day 10                   Official CERT-In certification
Executive Summary      Day 10                   Standalone 2-page summary for leadership
Remediation Roadmap    Day 10                   Prioritized action plan for gaps

📋 Assumptions

Assumption                       Description
SIDBI Team Availability          All required personnel (DBAs, Admins, SecOps) will be available as per the 10-day schedule
System Access                    SIDBI team has the necessary access to all systems (Oracle, AWS, SQL Server, Security Tools) for observation sessions
Evidence Sharing                 SIDBI will provide screenshots, configurations, and evidence in the agreed formats on the same day as the session
Screen Sharing Infrastructure    Teams/Zoom or a suitable screen sharing platform is available and tested for remote sessions
Questionnaire Completion         Pre-assessment questionnaire will be completed and reviewed by Day 1
Timeline Adherence               All sessions will be completed as per schedule to ensure the 10-day timeline is met
CERT-In Vendor                   An empanelled CERT-In vendor will be available for expedited certificate issuance on Day 10
No Direct Access                 Skillmine will have NO direct access to systems; all activities are performed by the SIDBI team during observation

📞 Contact Information

🏢 Skillmine Team

Engagement Lead:

Mohsin Abbas

Head of Cyber Security - IT

📧 mohsin.mohammed@skill-mine.com

📱 9962560024

Technical Lead:

Vimalprakash

Director - Software Engineering • IT

📧 vimal.prakash@skill-mine.com

📱 9738122401

Senior Manager IT:

Brahma Biswal

📧 brahma.biswal@skill-mine.com

📱 9886209194

🏦 SIDBI Team

SPOC:

Suresh Thanikachalam

📧 nisg_suresht@sidbi.in

📧 Daily Reports To: nisg_suresht@sidbi.in, mohsin.mohammed@skill-mine.com, vimal.prakash@skill-mine.com
⚠️ Escalation: Suresh Thanikachalam (SIDBI SPOC) → IT Head/CISO → Management

❓ Questions & Answers

Contact us anytime during the engagement
We're here to ensure a smooth and successful assessment

Thank You! 🙏

Let's Begin the Assessment
⏰ Next: Initial Oracle Review Session (if time permits)
📧 First Daily Status Report: Today by 6:00 PM