NMB Bank Limited Information Security Standard Procedures PDF
Document Details
Uploaded by Deleted User
2024
Tags
Related
- Proeza Information Security Management for Supplier Relationships Policy (PDF)
- Certified Cybersecurity Technician Information Security Attacks PDF
- 3rd-5th Grade Acceptable Use Policy PDF
- Chapter 17 Risk Management and Privacy PDF
- Information Security Awareness Session PDF
- 5.1 Summarize Effective Security Governance PDF
Summary
This document is a procedure for acceptable use of IT resources at NMB Bank Limited, outlining rules, responsibilities, and guidelines for employees and external users. It covers topics such as desktop services, mobile devices, backup of critical files, and access control.
Full Transcript
NMB Bank Limited Information Security Standard Procedures Acceptable Use of Assets Domain: Acceptable Use of IT Resources Procedure Identifier: NMB-ISSP-P-41 Effective Date: 12st Aug 2024...
NMB Bank Limited Information Security Standard Procedures Acceptable Use of Assets Domain: Acceptable Use of IT Resources Procedure Identifier: NMB-ISSP-P-41 Effective Date: 12st Aug 2024 Version: 1.0 Total No. of Pages: 12 including this page Issued By: CISC AMENDMENT RECORDS Sl. Amendment Details Version No. Revision Date 1 New Release 1.0 Sl. Last Review Date Reviewed By _________________________________________________________________________________ INTERNAL-IT-ISSP-P-41 1 Acceptable Use of IT Resources NMB Bank Limited Information Security Standard Procedures APPROVAL LOG NAME SIGNATURE SIGNED DATE Prepared By: Ram KC Sr. Officer-ISD Deepa Shrestha Supported By: ISO Bikash Shrestha Supported By: Head IT Dhruba Adhikari Supported By: Head Legal & Compliance Niraj Sharma Supported By: Head Human Resource Pramod Dahal Supported By: Chief Operating Officer Navin Manandhar Supported By: Chief Risk Officer Sudesh Upadhyaya Supported By: DCEO Sunil KC Approved By: CEO _________________________________________________________________________________ INTERNAL-IT-ISSP-P-41 2 Acceptable Use of IT Resources NMB Bank Limited Information Security Standard Procedures Table of Contents 1 Introduction................................................................................................................................ 5 2 Scope......................................................................................................................................... 5 3 Executive Owner........................................................................................................................ 5 4 Responsibilities.......................................................................................................................... 5 5 Procedure.................................................................................................................................. 5 5.1 General............................................................................................................................. 5 5.2 Desktop Services............................................................................................................. 6 5.3 Mobile Devices................................................................................................................. 7 5.4 Backup of Critical Files..................................................................................................... 7 5.5 Access Control................................................................................................................. 8 5.6 Classified Information....................................................................................................... 8 5.7 Electronic messaging....................................................................................................... 8 5.8 Internet Browsing............................................................................................................. 9 5.9 Use of Social Media....................................................................................................... 11 5.10 Clear Desk and Clear Screen.................................................................................... 11 5.11 Unacceptable Use...................................................................................................... 12 6 Policy Compliance................................................................................................................... 12 6.1 Compliance.................................................................................................................... 12 6.2 Exception........................................................................................................................ 12 6.3 Non-Compliance............................................................................................................ 12 _________________________________________________________________________________ INTERNAL-IT-ISSP-P-41 3 Acceptable Use of IT Resources NMB Bank Limited Information Security Standard Procedures ABBREVATIONS IT Information Technology ISD Information Security Department CISC Corporate Information Security Committee MFA Multi Factor Authentication PC Personal Computer WiFi Wireless Fidelity VPN Virtual Private Network PAN Primary Account Number CVV Card Verification Value 2FA Two Factor Authentication PII Personal Identifiable Information EOD End of Day _________________________________________________________________________________ INTERNAL-IT-ISSP-P-41 4 Acceptable Use of IT Resources NMB Bank Limited Information Security Standard Procedures 1 Introduction This procedure makes employees and external party users aware of the rules for the acceptable use of IT assets like software, hardware, communication channel etc associated with information and information processing. While supporting the business and operations of the Bank, staff performing regular duties may have access to data in applications, emails, and file systems or on desktops, servers and networks, and other systems, which must be protected. Similarly, the human chain being the weakest link in cyber security chain, users should be aware of potential threats of cyber security to become a cyber resilience bank. In performing duties staff must comply with applicable Banks policies including the Banks Information Security and Information Technology Policy on access to any sort of information. 2 Scope This procedure applies to all employees (permanent, contract, temporary etc) and all other internal and external users having access to any system’s information or physical infrastructure of the Bank, regardless of its form or format, created or used to support the organization. 3 Executive Owner CISC is executive owner for reviewing and releasing this procedure. 4 Responsibilities Designation Role Information Security Department (ISD) Ensuring that this procedure is effectively implemented. Responsible for arranging for the awareness of acceptable use of information and assets to all employees of the Bank and HR Department users. Head of Departments Implementing the acceptable use procedure for compliance of (HoDs) this procedure Users and Staff at Bank Should be aware of this procedure and strictly adhere to it 5 Procedure 5.1 General Each user is to be responsible for their own actions and act responsibly and professionally, while using Banks IT assets. Users are expected to become familiar with, and follow, the organization's security policies and procedures and any special instructions relating to work. Users must always comply with the legal, statutory or contractual obligations that the organization informs users of are relevant to their role. Consistent with the foregoing, the acceptable use of information and IT resources encompasses the following duties: _________________________________________________________________________________ INTERNAL-IT-ISSP-P-41 5 Acceptable Use of IT Resources NMB Bank Limited Information Security Standard Procedures Understanding the baseline information security controls necessary to protect the confidentiality, integrity, and availability of information Protecting organizational information and resources from unauthorized use or disclosure Protecting personal, private, sensitive, or confidential information from unauthorized use or disclosure; Observing authorized levels of access and utilizing only approved IT technology devices or services; and Immediately report suspected information security incidents or weaknesses to the Information Security Department (ISD). 5.2 Desktop Services When a new employee joins the Bank, a computing device (desktop / laptop) will be provided to the user by the Project & Strategic Sourcing Department and access to the user shall be provided by the IT department, based on the function to be carried out by the User. Users should not try to access any Computer or IT equipment, unless authorized to do so by the Information Security Department after getting proper justification of use. Access to the IT systems is controlled using User IDs, passwords and/or MFA and tokens (where applicable). All User IDs and passwords are to be uniquely assigned to named individuals and consequently, individuals are accountable for all the actions in IT systems having access to that system. PC installation, troubleshooting and maintenance shall be undertaken only by the IT Department, or a service provider appointed by the Bank for this purpose. Users should not do installation, troubleshooting or maintenance of any IT Resources on their own or outsiders prior notifying to IT department. All the data, information and any other material stored in a computer, or any other IT resource will be the sole property of NMB Bank. Users should not copy / store / transmit in any form the data, information or software installed on any IT Resource, unless specifically authorized by the Head of Department and IS department. Users must not: a. Allow anyone else to use their user ID, token and password on any IT systems and applications. b. Leave their user accounts logged in at an unattended and unlocked computer. c. Use someone else's user ID and password to access Banks IT systems d. Leave their password unprotected, for example writing it down in diary, sticky notes and sharing to others. e. Perform any unauthorized changes to IT systems or information f. Attempt to access data that they are not authorized to use or access g. Connect any unauthorized device to the Banks network or IT systems h. Store Banks data on any non-authorized equipment, device or platform. i. Give or transfer Banks data or software to any person or organization outside the company without the authority of the Bank j. Line managers must ensure that individuals are given clear direction on the extent and limits of their authority about systems and data k. Use strong and unique password /passphrase for personal and official platforms Users should not use IT assets for personal gain including commercial / social / cultural purposes. _________________________________________________________________________________ INTERNAL-IT-ISSP-P-41 6 Acceptable Use of IT Resources NMB Bank Limited Information Security Standard Procedures Users are personally responsible for protecting the data and information of the Bank being used by them. Users should not switch off any tools / services from the IT assets set up by the IT Department like anti-virus etc. If users observe anything unusual in the IT resources or critical information, they should immediately bring the same to the notice of IS and IT Department with full details. The User shall be solely responsible for any damage to / loss of IT assets including laptops and confidential information. The executive management of NMB Bank shall decide, in its sole discretion, for disciplinary action on such damage, depending upon the seriousness of the incident. 5.3 Mobile Devices Mobile devices include items such as laptops, tablet devices and smartphones. Unless specifically authorized, only mobile devices provided by the organization may be used to hold or process classified information. An organization-provided device is for business /official use only, it must not be shared with family or friends or used for personal activities. Acceptable use of mobile device: Users must not remove equipment or information from the organization's personal devices without appropriate approval. Users must take precautions to protect all mobile devices and computer media when carrying them outside the organization's premises, for example, not leaving a laptop unattended that it would encourage an opportunist theft. The device must not be connected to non-corporate networks such as public Wi- Fi or the internet unless a VPN Virtual Private Network is used. Users must not remove any identifying tags / labelling on the device such as a company asset tag or serial number. Shall ensure that the device is locked away when stored in an office rack or drawers and that the key is not easily accessible. Users should not add peripheral hardware to the device without approval. Where possible, the device will be secured so that all its data is encrypted and only accessible if the password is known. Some drive in mobile devices are encrypted for data security hence users should not disable it. Users using laptops or movable IT Resources are responsible to protect such IT Resources from damage, loss, theft etc. as per Laptop security guideline. Users using sensitive confidential information in mobile devices like smartphones, should protect such information and data for unauthorized access and security breaches of data by setting appropriate security measures in mobile phones. Users handling portable / mobile devices should refer to and understand the laptop security procedure. 5.4 Backup of Critical Files Users shall keep backup of critical files on the shared drives allotted to them. If the User is traveling, then the user can work on the laptop if provided by Bank. As soon as the User is back in office, he/she should copy the updated files on to the server. Users should not directly share their files / directories / articles with other users. If sharing of the files / directories / articles is necessary for coordination / effective _________________________________________________________________________________ INTERNAL-IT-ISSP-P-41 7 Acceptable Use of IT Resources NMB Bank Limited Information Security Standard Procedures functioning in the office, he/she should seek authorization from the respective head of department. Users should not share the confidential and internal use purpose files of the Bank to external users through personal email or social sites. 5.5 Access Control Users are responsible for the use and protection of their credentials i.e. user account and password, access token or other items which users are provided with. Use strong passwords that comply with organization policies and take reasonable precautions to ensure that user’s passwords are only known by respective users for example, not sharing passwords or writing them down. User should not use the same password (or close variation of the same password) for multiple user accounts. Users must not use privileged user accounts (user accounts with higher-than-normal system access) for business-as-usual activities. User shall never attempt to bypass or subvert system security controls or to use them for any purpose other than that intended. Also, users must not connect unauthorized devices to the organization network. 5.6 Classified Information User should ensure to label any classified document/s that user create appropriately according to published guidelines so that it remains appropriately protected. Users should always protect any classified material that is send, receive, store or process according to the level of classification assigned to it, including both electronic and paper copies. Should not send classified information over the internet via email or methods unless appropriate methods (for example encryption) have been used to protect it from unauthorized access. Users should securely store classified printed material and ensure it is correctly destroyed when no longer needed. On leaving the organization, the user must inform the line manager prior to departure, or any important information held in user account or in a location to which the organization has no, or limited, access. Refer NMB-ISSP-P-13 Information Classification Procedure for further details. 5.7 Electronic messaging Electronic messaging covers email and various forms of instant and store-and-forward messaging such as SMS texts, messaging apps, web chats and messaging facilities within social media platforms. The organization-provided electronic messaging facilities must always be used when communicating with others on official business. Users must not use a personal account for this purpose. All organization messages should be considered official communications from the organization and treated accordingly. In particular, organization electronic messaging facilities must not be used for below mentioned activities: - Users should not use the e-mail service facility to send / receive / store / transmit any personal e-mails. If any such mails are received by the users, they should immediately delete the same from their computer system simultaneously informing the sender/s of _________________________________________________________________________________ INTERNAL-IT-ISSP-P-41 8 Acceptable Use of IT Resources NMB Bank Limited Information Security Standard Procedures such mails not to send in future any such mails as such actions are violation of NMB Bank’s Email Security Procedure. Users should not give out their corporate email id on non-commercial web sites that ask you to register with them. This will reduce spam email in your mailbox. To distribute any offensive, obscene or indecent images, data or other material or any data capable of being resolved into obscene or indecent images or material To send anything which is designed or likely to cause annoyance, inconvenience or needless anxiety to others To transmit material that either discriminates or encourages discrimination on the grounds of race, gender, sexual orientation, marital status, disability, political or religious beliefs Electronic Mail is not guaranteed to be private. Messages transmitted through the bank email system or network infrastructure are the property of the bank and are therefore subject to inspection. IS/IT Department shall monitor and escalate the activity for suspicious email. Users must provide their name and designation along with the corporate Disclaimer message at the end of every email message that is sent by them. Users shall not use the e-mail service for spamming. Spamming includes, but is not limited to: Bulk sending of unsolicited messages or the sending of unsolicited emails. Use of distribution lists. E-mail harassment of other Internet User/s including but not limited to, transmitting any abusive, bullying, threatening, libelous or obscene material, or material of any nature which could be deemed to be offensive and against the interests of NMB Bank. Users should not use any third-party e-mail service from within NMB Bank’s offices, unless specifically allowed by the concerned authority. Users should not send any sensitive data outside NMB Bank without the express written approval of their Heads. If not sure, users should clarify with their immediate supervisor before any data is sent outside NMB Bank. Users must not share any sensitive data or payment card details such as full card number (Primary Account Number or PAN), expiry date, security code (CVV2 etc.) through email or messaging platforms. 5.8 Internet Browsing Users Internet access on organization-owned devices is primarily provided for tasks reasonably related to work including: Access to information and systems that is pertinent to fulfilling the organization's business obligations The capability to post updates to organization-owned and or maintained web sites and social media accounts An electronic commerce facility (e.g. purchasing equipment / services for the bank) Research and other tasks that is part of job role Below list gives example of “unsuitable” usage but is neither exclusive nor exhaustive. "Unsuitable" material will include data, images, audio files or video files the transmission of which is illegal and material that is against the rule, essence and spirit of this and other policies of the Bank. _________________________________________________________________________________ INTERNAL-IT-ISSP-P-41 9 Acceptable Use of IT Resources NMB Bank Limited Information Security Standard Procedures Internet access shall not be used for any illegal or unlawful purposes. Examples of this would be the transmission of violent, threatening, defrauding, pornographic, obscene or otherwise illegal or unlawful materials. The bank’s Internet connection shall not be used for commercial or political purposes. Internet access shall not be used for performing work for personal profit with the bank’s resources in a manner not authorized by the bank. Users shall not attempt to circumvent or subvert security measures on the bank's network resources or any other system connected to or accessible through the Internet. Bank’s users shall not use Internet access for interception of network traffic for any purpose unless engaged in authorized network administration. Bank users shall not make or use illegal copies of copyrighted material, store such copies on bank’s equipment, or transmit these copies internally or externally. Bank users who need to access the Internet will be provided with Internet access by IT Department upon approval of the internet access form filled up by the requesting user. Bank’s users shall not download any shareware or freeware or any other software from the Internet. Bank’s users shall not change the internet connection settings by themselves. Bank’s users must not download audio or video files onto NMB Bank’s network as this will cause congestion in the internet traffic. Streaming of audio and video is also prohibited. Bank’s users should not use the Internet service to enter or attempt to enter any network in an unauthorized manner. No peer-to-peer application is allowed from and within Bank’s network without any approval. Creating, downloading or transmitting material that is designed to annoy, harass, bully, inconvenience or cause needless anxiety to other people. Creating, downloading or transmitting data or material that is created for the purpose of corrupting or destroying other user’s data or hardware. Bank’s user shall not allow any Hotspot VPN Service from their desktop or laptop of the Bank. Internet access shall be controlled using VPN in banks owned mobile devices like laptop. Access to the Internet through the Bank’s network controls with strict guidelines concerning the appropriate use of this information resources. Users who violate the provisions outlined in this procedure are subject to disciplinary action as per HR By Laws. In addition, any inappropriate use that involves a criminal offense will result in legal action. All users must acknowledge receipt and understanding of guidelines in this document. _________________________________________________________________________________ INTERNAL-IT-ISSP-P-41 10 Acceptable Use of IT Resources NMB Bank Limited Information Security Standard Procedures 5.9 Use of Social Media Bank makes extensive use of social media to communicate directly with customers as part of marketing activity and communicating with customers for particular notice, to provide support for products and services and to obtain useful feedback on how the organization is perceived. Only authorized users shall have access to use corporate social media accounts and to represent the organization to the public, and only if that is part of the job role. Only authorized accounts should be used to publish messages and respond to other users of relevant social media channels. Users shall not use their own personal accounts for responding to the public. Bank respects user’s personal online activity as a medium of self-expression, but user’s shall remember to have responsibilities to the organization outside of working hours. When using social media to engage on matters relevant to the organization, make it clear that it’s the user’s own opinion that the user is expressing and not that of the organization. Should anyone have a legitimate business need to access these sites they should have a formal recommender and approver for the use of social networking site for Bank’s purpose only and NMB-ISSP-F-24 Security Exceptions Authorization Form to be recorded. 5.10 Clear Desk and Clear Screen The following security measures must be followed for clear desk and clear screen policy: Clear Desk Sensitive or critical business information, e.g., paper or on electronic storage media, must be secured when not required, especially when the office is vacated at the end of the workday. Paper containing sensitive or classified information must be removed from printers and faxes immediately. Faxes and printers used to print sensitive information should not be kept in public areas. Documents containing sensitive information are being printed, the user must ensure they know the proper printer is chosen and go directly to the printer to retrieve it. Sensitive information on paper or electronic storage media that is to be shredded must not be left in unattended boxes or bins to be handled later and must be secured until they can be shredded. Files and documents containing sensitive information and personal identifiable information (PII) must be kept appropriately in the proper place by locking before leaving the office in EOD. Clear Screen Whenever unattended or not in use, all computing devices must be left logged off or password protected. When viewing sensitive information on a screen, users should be aware of their surroundings and should ensure that third parties are not permitted to view the sensitive information. All active application sessions should be terminated upon completion of the work. Users must keep the desktop of PC/Laptop clean by clearing the unwanted files and saving confidential information in separate folders. _________________________________________________________________________________ INTERNAL-IT-ISSP-P-41 11 Acceptable Use of IT Resources NMB Bank Limited Information Security Standard Procedures 5.11 Unacceptable Use The following list is not intended to be exhaustive but is an attempt to provide a framework for activities that constitute unacceptable use. Users, however, may be exempted from one or more of these restrictions during their authorized job responsibilities, after approval from management. Unacceptable use includes, but is not limited to, the following: Unauthorized use or disclosure of organization information and resources; Distributing, transmitting, posting, or storing any electronic communications, material or correspondence that is threatening, obscene, harassing, pornographic, offensive, defamatory, discriminatory, inflammatory, illegal, or intentionally false or inaccurate; Connecting unapproved devices to the organization’s network or any IT resource Connecting organizational IT resources to unauthorized networks; Connecting to any wireless network while physically connected to the organization’s wired network Using an organization’s IT resources to circulate unauthorized solicitations or advertisements for non-organizational purposes including religious, political, or not-for-profit entities Providing unauthorized third parties, including family and friends, access to the organization’s IT asset, information, resources or facilities Tampering, disengaging, or otherwise circumventing an organization or third- party IT security controls. Using public wifi without VPN in the laptop Not updating latest security update and tools like Antivirus in computing device Auto forwarding official email to personal mailbox Not using 2FA in administrative profile /accounts 6 Policy Compliance 6.1 Compliance It is the responsibility of the Authorized User to ensure compliance with the process above. The Information Security department will randomly verify compliance to process through various methods, including but not limited to, business tool reports, internal and external audits, log reviews and audit trails for compliance of this procedure and reports to CRO /CISC. 6.2 Exception Any exception to the process must be as per NMB-ISSP-F-24 Security Exception Authorization Form. 6.3 Non-Compliance An employee found to have violated this procedure may be subjected to disciplinary action, as per HR by Laws _________________________________________________________________________________ INTERNAL-IT-ISSP-P-41 12 Acceptable Use of IT Resources