1. IT Policy.pdf

Full Transcript

IT POLICY
SPSR NELLORE DISTRICT COOPERATIVE CENTRAL BANK
LIMITED
 CONTENTS

SL. NO. TOPICS PAGE NO.

INFORMATION TECHNOLOGY POLICY
PART-I A 1 - 10
1. Introduction 1
2. Information Technology and Changing Face of Banking 1
3. IT is one of the Major Drivers of Banking Business 2
4. Yet “IT” can cause Business Vulnerability 2
5. Information Security (IS) Defined 3
6. Our Bank and IT 4
7. IT Security and Controls in the Bank 4
8. Information Security Policy: Objectives 4
8.1. The Policy.
9. Scope of the IS Policy 5
10. Owners and Custodians 5
11. Responsibility 5
12. Steering Committee/ Information Security Committee 6
13. Chief Information Security Officer ( CISO) 6
14. Business Heads 7
15. Coverage of the Policy 7
16. To Achieve the Objectives 7
17. IS Review 8
18. Applicability and Exceptions 8
19. Box: Certain Terms Explained 9
PART-I B 11-18
1. Information Systems Security Policy 11
2. Environment & Physical Security 11
2.1 Purpose 11
2.2 Policy Statement 11
3. Acceptable Usage Security 11
3.1 Purpose 11
3.2 Policy Statements 12
4. Incident Management 12
4.1 Purpose 12
4.2 Policy Statement 12
5. Asset Classification & Handling 12
5.1 Purpose 12
5.2 Policy Statement 12
SL. NO. TOPICS PAGE NO.
6. Asset-Media
Media Disposal 13
6.1 Purpose 13
6.2 Policy Statement 13
7. Anti- Virus
7.1 Purpose 13
7.2 Policy Statement 13
8. Networking & Internet Security 13
8.1 Purpose 13
8.2 Policy Statement 14
9. Operating Systems 14
9.1 Purpose 14
9.2 Policy Statement 14
10 Applications 14
10.1 Purpose 14
10.2 Policy Statement 14
11. Database 15
11.1 Purpose 15
11.2 Policy Statement 15
12. Patch Management 15
12.1 Purpose 15
12.2 Policy Statement 15
13. Back-up 15
13.1 Purpose 15
13.2 Policy Statement 15
14. Personnel 16
14.1 Purpose 16
14.2 Policy Statement 16
15. Password 16
15.1 Purpose 16
15.2 Policy Statement 16
16. E-mail
mail Usage and Security 16
16.1 Purpose 16
16.2 Policy Statement 17
17. Change Management 17
17.1 Purpose 17
17.2 Policy Statement 17
18. Monitoring 17
18.1 Purpose 17
18.2 Policy Statement 17
19. Outsourcing/Third Party 17
19.1 Purpose 17
19.2 Policy Statement 18
SL. NO. TOPICS PAGE NO.
20. Business Continuity 18
20.1 Purpose 18
20.2 Policy Statement 18
21. ATM Security Policy 18
21.1 Purpose 18
21.2 Policy Statement 18
PART II – INFORMATION SYSTEMS SECURITY POLICY 19-67
Policies and Procedures 19
2. Environment and Physical Security Policy 19
2.1 Purpose 19
2.2 Policy Statement 19
2.3 Procedures: Scope 19
2.4 Access Control 19
2.5 Environmental Protection 20
2.6 Data Centre Security 20
2.7 Identification of Devices 20
2.8 CCTV Monitoring 20
2.9 Power at the Data Centre 20
2.10 Fire Prevention and Control 21
2.11 Environmental Safeguards 21
2.12 Preventive Maintenance 21
2.13 Monitoring 21
2.14 Document Security 21
2.15 Enforcement 22
3. Acceptable Usage Security 22
3.1 Purpose 22
3.2 Policy Statement 22
3.3 Scope 22
3.4 Desktop Users 22
3.5 Laptop Users 23
3.6 Password Security 24
3.7 Internet Usage 25
3.8. Clear Desk 25
4. Incident Management 25
4.1. Purpose 26
4.2. Policy Statement 26
4.3 Scope 26
4.4 Incident Identification 26
4.5 Incident Reporting 26
4.6. Incident Verification 27
4.7 Incident Recovery 27
4.8 Incident Prevention 27
SL. NO. TOPICS PAGE NO.
5. Asset Classification & Handling 27
5.1 Purpose 27
5.2 Policy Statement 28
5.3 Procedure for Asset Classification and Handling: Scope 28
5.4 Accountability 28
5.5 Information Classification 28
5.6 Document Classification 29
5.7. Secret Documents 29
5.8. Confidential Documents 29
5.9 General Documents 29
5.10 Media Handling 29
5.11 Enforcement 29
6. Asset-Media
Media disposal 29
6.1 Purpose 29
6.2 Policy Statement 29
6.3 Scope 30
6.4 Disposal of Information Assets 30
6.5 Disposal of Electronic Media 30
6.6 Disposal of Paper Based Media 30
6.7 Condition for Disposal of IT Assets 31
6.8 Disposal of IT Asset - Procedure 31
6.9 Periodicity of Disposal of Obsolete IT Assets 31
6.10 Outsourcing of Disposal of IT Assets 31
6.11 Enforcement 32
7. Anti- Virus 32
7.1 Purpose 32
7.2 Policy Statement 32
7.3. Scope 32
7.4 Installation 32
7.5 Anti-Virus
Virus Support Team 33
7.6 Anti-Virus
Virus Signature Update 33
7.7 Status Reports 33
7.8 Server Security 33
7.9 Server Monitoring 33
7.10 Tracking New Vulnerabilities 34
7.11 Documentation 34
7.12 External Users 34
7.13 Backup and Redundancy 34
7.14 Reporting 34
8. Networking & Internet Security 34
8.1 Purpose 34
8.2 Policy Statement 35
8.3 Scope 35
8.4 Internet Access 35
8.5 Dial out Access 35
SL. NO. TOPICS PAGE NO.
8.6 WAN access on bank’s network 35
8.7 Segregating Server and User Segments 36
8.8 External Access 36
8.9 Dial in Access 36
8.10 Redundancy 36
8.11 Network Device Configuration 36
8.12 Documentation 36
9 Operating Systems 37
9.1 Purpose 37
9.2 Policy Statement 37
9.3 Scope 37
9.4 User Authentication 37
9.5 Account Policy 37
9.6 New User Provisioning 37
9.7 Security of User Credentials 37
9.8 Logging 38
9.9 Non-Essential
Essential Services 38
9.10 Login Banner 38
9.11 Anti-Virus 38
9.12 Naming Conventions 38
9.13 Documentation 38
9.14 Review of User Access Rights 38
9.15 Emergency Procedures 38
10. Procedures for Application Security 38
10.1 Purpose 38
10.2 Policy Statement 39
10.3 Scope 39
10.4 Application Owner 39
10.5 Application Access 39
10.6 Data Security 40
10.7 Input Controls 40
10.8 Processing Controls 40
10.9 Account Policy 40
10.10 Database Access 40
10.11 Audit Trails 40
10.12 Error Handling 41
10.13 Capacity Planning 41
10.14 Performance Testing 41
10.15 Security Testing 41
10.16 Documentation 41
11. Database 41
11.1 Purpose 41
11.2 Policy Statement 41
11.3 File System Security 42
11.4 User Authentication 42
SL. NO. TOPICS PAGE NO.
11.5 New User Provisioning 42
11.6 Account Policy 42
12. Patch Management 43
12.1 Purpose 43
12.2 Policy Statement 43
12.3 Scope 43
12.4 Identification & Validation of Patches 43
12.5 Patch Classification 44
12.6 Patch Scheduling & Prioritization 44
12.7 Patch Application Procedure 45
12.8 Patch Tracking 45
12.9 Audit & Assessment 45
12.10 Centralized Patch Management System 45
12.11 Enforcement 46
13. Back-up 46
13.1 Purpose 46
13.2 Policy Statement 46
13.3 Scope 46
13.4 Backup Process 46
13.5 Security of Backup Media 47
13.6 Migration of Backup Data 47
13.7 Recovery Testing 47
13.8 Documentation 47
14 Personnel 47
14.1 Purpose 47
14.2 Policy Statement 47
14.3 Scope 48
14.4 Terms of Employment 48
14.5 Training and Awareness 48
14.6 Compliance 48
14.7 Termination 49
15. Password 49
15.1 Purpose 49
15.2 Policy Statement 49
15.3 Scope 50
15.4 Construction of Passwords 50
15.5 Disabling Access 50
15.6 Generation of Password 50
15.7 Resetting Passwords 51
15.8 Customer Facing Applications 51
15.9 Resetting of Default Passwords 51
15.10 Compliance to Password Policy 51
15.11 Enforcement 52
SL. NO. TOPICS PAGE NO.
16. E-mail
mail Usage and Security 52
16.1 Purpose 52
16.2 Policy Statement 52
16.3 Scope 52
16.4 E-mail
mail Service – General 52
16.5 Account Protection 53
16.6 Server Monitoring 53
16.7 Monitoring & Reporting 53
16.8 Document and Storage Security 53
16.9 Backup and Redundancy 53
16.10 Change Management 54
17. Change Management 54
17.1 Purpose 54
17.2 Policy Statement 54
17.3 Scope 54
17.4 Change request and approval 55
17.5 Testing of Implementation Plan 55
17.6 Implementation of Change 55
17.7 Minor/Emergency Changes 56
17.8 Review of Change 56
18. Monitoring 56
18.1 Purpose 56
18.2 Policy Statement 56
18.3 Scope 56
18.4 Security Monitoring 56
18.5 Performance Monitoring 57
18.6 Log Monitoring 57
19. Outsourcing / Third Party 57
19.1 Purpose 57
19.2 Policy Statement 57
19.3. Scope 58
19.4 Outsourcing Plan 58
19.5 Vendor Selection 58
19.6 Transition Risks 58
19.7 Security 59
19.8 Performance 59
19.9 Contractual Terms 59
19.10 Conformity to RBI Guidelines 60
20. Business Continuity 60
20.1 Purpose 60
20.2 Policy Statement 60
20.3 Scope 60
20.4 DR Requirement 61
20.5 Business Impact Analysis 61
SL. NO. TOPICS PAGE NO.
20.6 Disaster Recovery Strategy (DRS) 61
20.7 Disaster Recovery (DR) Plan 61
20.8 Awareness and Training Program 61
20.9 Testing of DR Plan 61
20.10 Review of DR Plan 61
20.11 Maintenance of Emergency Contact Numbers 62
21. ATM 62
21.1 Purpose 62
21.2 Policy 62
21.3 Scope 63
21.4 Physical Security 63
21.5 General Security 63
21.6 Issue of Personalized ATM Card & Pin Mailer 65
21.7 Loss and Theft of Card 65
21.8 ATM Network Security 65
21.9 Confidentiality 66
21.10 Data Integrity 66
21.11 Key Management 66
21.12 Authentication 66
21.13 Non-Repudiation
Repudiation 66
21.14 Access Control 67
21.15 Security 67
21.16 Audit 67
21.17 Activity Reporting 67
21.18 Security Recovery 67

ix | P a g e
 PART-I A

1. Introduction
1.1 Banking industry uses information in every aspect of its business, from processing
payments to making loan and investment decisions. Information and the supporting
processes, the computer systems and the networks, and personnel (human beings)
are important business assets of every Bank.
1.2 Customer confidentiality is important for all businesses but it is an USP for banking
business and hence more important. In order to maintain customer confidentiality and
cater to business growth, information has to be fully protected from a variety of threats
so as to ensure confidentiality, integrity & availability. The confidentiality, integrity and
availability of information in the right place to the right person for right purposes are
essential for any bank of financial institution to maintain its competitive edge, cash
flow, profitability, legal compliance and reputation.
1.3 The adoption of Information Technology (IT) has brought about significant changes
in the way the banking and the financial institutions create, process and store data and
information. The communication networks have also played an equally catalytic role in
the expansion and integration of the Information Systems, within and among the
banks, facilitating data accessibility to different users.
1.4 Loss of information may lead to (a) financial losses which need to be minimized
and (b) loss of reputation which must be avoided. In view of this it is important that our
bank puts in place an appropriate set of controls & procedures to achieve impeccable
IS (IS) to ensure that data is accessible and accessed only by authorized users of data
and is completely inaccessibility to all others (unauthorized persons trying to use the
system, information etc.). Essentially this is an issue of data integrity and
implementation of safeguards against all security threats to guarantee information and
information systems security across our Bank.
1.5 As technology is evolving and ever changing it is possible that information systems
in operation in banks may not have been designed to be sufficiently secure. Further,
the level of security, which can be achieved through the application of technology,
could be limited unless it is supported by appropriate management policies and
procedures. The selection of the security controls requires careful and detailed
planning. It is clear that the success of information systems security cannot be
achieved except with the participation by all the employees in the Bank. It will also
require support and participation from the third parties such as the suppliers, vendors,
contractors and customers. This calls for our bank to define, document, communicate,
implement and audit information and Information Systems Security.

2. Information Technology and Changing Face of Banking.

2.1 Over the last three decades banking industry in India has adopted Information and
Communication Technology (ICT) which has resulted in a paradigm shift in the way

1|Page
banking is done in the country. Over the years, what started as a Ledger Posting
Machine has moved through Total Branch Automation (TBA) to today’s Core Banking
Solutions (CBS) and other applications supported I T driven banking. It is seen that
banking technology has not only changed the way customer perceives the bank but
also the way bank drives its business. Customer is more keen to use latest technology
driven access to banking so that he/she is able to save time and effort in doing
banking.

2.2 Continuous use of banking technology has enabled the banks to have a re-look
into their business processes, reengineer the same to make them effective & efficient.
Rapid technological up-gradation has increased the business volumes without having
to increase the branch net-work. Simultaneously there is a demand for processing
large amount of information within banks to enable better decision making in response
to the changing business environment. The ability of technology to manage large
volume of data and has resulted in IT moving from a support function to the main driver
of banking business.

2.3 Thanks to the impact of IT, banks’ are now able to offer Automated Teller Machine
(ATM), Cards (both debit and credit), internet banking and mobile banking to its
customers. The CBS gives the customer access to transact his/her account from any
of the branches or from home or work place at any time. In the recent years as e-
commerce has started flourishing. Banks have stepped in to complement the process
as payment gateways for e-shopping, etc. Within the bank internal processes such as
accounting, ledger maintaining and other processes within bank are no more manual
but are more efficient due to IT driven processing of internal data/activities & back
office operations.

3. IT is one of the Major Drivers of Banking Business

3.1 Over the years our bank has been making increased use of IT in business. Our
bank has taken the following IT driven initiatives.

3.1.1 Implemented Core Banking System in 2010.

3.1.2 Implemented RTGS/NEFT, CTS and DBT applications

3.1.3 In the process of implementing Rupay Card Project in the next 3 months.

3.1.4planningto introduce new Technological initiatives like Mobile Banking, Internet
Banking, CDMs etc., in the years to come.

3.2 In view of this dependency of our bank on IT is fairly high. Further, IT will be central
to all transaction processing. This dependence on IT is only expected to increase with
time as newer technology comes into being & keeps on creating better prospects for
banking business. Eventually our entire business processes will be through the use of
IT.
4. Yet IT can cause Business Vulnerability

2|Page
4.1. Banking technology is the use of advances in ICT for enhancing banking business.
Use of technology can cause certain vulnerabilities due to possible external or internal
attack, which may result in failure of the underlying information systems and
compromise information assets. There is a risk for data loss due to malafide or
accidental or unauthorized access, use, misappropriation, modification or destruction
of information, information systems & IT. This possibility is accentuated as the number
of users accessing information systems within and outside the bank is on the high side
and will keep increasing. As such exercising effective control over the information will
remain a challenge. In view of the above the use of IT in banking has necessitated a
completely different set of controls & processes to maintain & monitor and ensure
security effectiveness. Managing vulnerability in IS cannot be manual. It is for this
reason that business houses, public services and individuals manage the gap between
the traditional security and controls and demand put forth by newer technologies by
relying on newer technologies. Each new technology may bring in additional concerns
about security.

5. Information Security (IS) defined

5.1 IS (IS) is concerned with safe guarding information and data both in electronic and
physical form, from unauthorized access, perusal or inspection resulting in misuse,
disclosure, modification, recording and destruction. IS ensures that only authorized
users (confidentiality) have access to accurate and complete information (integrity)
when required (availability). In its guidelines for the Security of Information Systems
and Networks, OECD has brought out nine principles namely Awareness,
Responsibility, Response, Ethics, Democracy, Risk Assessment, Security Design &
Implementation, Security Management, and Reassessment.

5.2 IS framework is a set of policies, procedures, rules, regulations, compliance and
review functions ensure smooth implementation and seamless operations, to achieve
the business objectives. IT is, without doubt a business driver and the risk
management thereof is the area of concern for IS. The three major constituents of any
I S framework/architecture are people, process & technology. First of all, since
technology is continuously evolving, security has to move in tandem and keep pace
with it. Our bank will ensure that IS (I S) methods are appropriate to the I T
architecture. Secondly the policy has to factor in the changed processes. Our bank will
evaluate every new process critically in the angle of security. Thirdly people will have
to understand and implement the policy. This will be ensured by capacity building.
Further our bank will adhere to RBI’s and other regulatory guidelines on the issue.

5.3 Efficient IS framework is also a function of awareness, knowledge and skills.

IT Governance entails number of activities for Board & Senior Management
becoming aware and impact of IT on a bank.
IT Security teams require skills, processes that are effective and needed to

3|Page
 carry out efficient operations of the security policies.
The people in the business functions (users of information and information
assets) require knowledge on day-to-day basis to use IT. For example for users
at various levels in the bank,should understand their role in very simple
language like Do’s and Don’ts; these are derived from the policy statements.

6. Our Bank and IT

6.1 Our Bank is using many new technologies in the banking operations. The bank is
aware of the security and other challenges faced by it which has led the bank to draft
policy guidelines to ensure that its information assets are secured & controlled.

6.2 The bank’s business philosophy is to ensure optimum use of technology in carrying
out the business, while at the same time and under any circumstances not
compromising information and data security. Further, the bank is committed to conduct
its business activities in such a manner that business process are smooth, customer
service is excellent and business growth is continuous.

7. IT Security and Controls in the Bank

7.1 Our bank has introduced technology in a number of areas as mentioned above. In
view of this, the implementation of processes will change along with the way we do our
business. The focus will shift from branch to bank. Customers will be able to access
their accounts from their home. On account of these changes, certain risks are
foreseen in the area of security of the bank’s information assets in terms of
unauthorized access to bank’s information and data, breakdowns in business due to
technical issues or non-availability of technology support, frauds and theft in the ATMs
and card business and customers facing difficulties in accessing their accounts or
customers being subject to electronic threat etc. In fact the list of vulnerable areas is
large. Every one of the known vulnerability needs to be addressed if it has to be
ensured that users of bank’s services and banks customers have full confidence that
the bank and its information systems will operate as intended without failures or
problems. Bank cannot guarantee that breach of security will not happen, but it will like
to minimize such possibilities. Here again bank will ensure that technology is optimally
utilized and that IT enhances future growth. It is in this background that the bank is
putting in place an IT security system and control mechanism to minimize the risk of
security incidents involving IT usage.

8. IS Policy: Objectives

8.1 The Policy.

“This IS Policy of SPSR NELLORE District Cooperative Central Bank Ltd., has
been established with an objective of protecting all critical information and
information processing assets in order to ensure secure and correct provision of
4|Page
services to its customers and ensure business continuity”

The objective of this is to ensure that the information assets of the bank are
appropriately protected against the breach of confidentiality, failures of integrity and/or
interruptions to their availability. IS is concerned with various channels like spoken,
written, printed, and electronic orany other medium and also with the handling of
information with reference to creation, viewing, transportation, storage or destruction.
The users of technology in the bank are its employees, vendors, employees of vendors
and most importantly the customers. This IS Policy provides management direction
and support towards IS across all relevant levels and locations within and outside the
bank.

This policy mandates the IS Management at the bank. It communicates top
management’s commitment towards establishment and implementation of all security
controls and mechanisms as given out in this and other documents lays down the
structure of IS management in the bank.

9. Scope of the IS Policy

IS policy is applicable to all information assets of SPSR NELLORE District Cooperative
Central Bank, that are electronically stored, processed, documented, transmitted,
printed and/ or faxed. The policy applies to all employees and external parties which
term includes suppliers, vendors, third party users, contract staff, outsourced service
providers and consultants of the bank's Primary Data Centre, Disaster Recovery
Centre/Cell, CBS, Department of IT as well as all other locations of the bank.

10. Owners and Custodians

For a policy to be effective it is imperative that each the stakeholders understand
clearly his/her as well as other’s roles & responsibilities within the organisational
framework. Important aspects of the role are (a) Governance, (b) Strategy, (c)
Creation, implementation, operations, compliance and review of the IS policies in line
with the banks broad requirements and activities.

Board of Directors of the bank is the owner of IS Policy. Chief IS Officer (hereafter
referred to as CISO) will be the custodian of the policy.

11. Responsibility
Board of Directors: Board alone can make changes in the policy. The Board is vested
with the overall responsibility of IS. It will develop policy guidelines to be conveyed and
implemented by various layers in the organisation namely people (employees and
other persons entrusted with the responsibility of different business functions) at
senior, middle and the grass-root levels. In doing so, the Board will keep in reckoning
major objectives of the IS. IS policy should be such that people, when they are aware
of the banks’ expectations from them, are able to implement the policy in full and
without any deficiency. In this regard;
5|Page
 1. Policies have to be clear and well enunciated
2. Policy should be supported with standards, guidelines & procedures
3. Policy should be statements on macro, major and organisational level issues.
4. Procedures and rules should deal with implementation of policy statements.
Implementation should cover procedure, functions and technologies
5. IS strategy has to be aligned with business objectives, indicate scope of
ownership and individual and team responsibilities for the policy. These should
include items such role of IT security officer, owners of information assets,
custodian and users
6. Policy will also need the support of investment for enabling IS and such will deal
with budgeting, financial outlay, reporting etc.
7. Policy must be reviewed in regular periodicity at least annually. The focus of the
Policy review will be continuous improvement in IS
8. IS governance must comply with relevant legal and regulatory requirements

It is provided that in exceptional and emergency situations IS Committee can approve
emergency changes in the Policy which should be ratified by the bank in the meeting
immediately after such changes.

12. Steering Committee/ IS Committee.

The IS Committee (ISC) of the bank is responsible for implementation of security policy
and for dissemination of IS Policy across all business functions. The MD/CEO of the
bank will be the Chairman of the Committee and the CISO will be its convener. Select
Business heads of the bank will be members of the committee. The committees’ main
focus will be supervising and oversight of IS. It will also align & integrate IT and IS
strategy with business goals. The committee will meet on a regular basis to discuss
implementation of IS.

- The committee shall be responsible for making budgets, reviewing the
security procedures, and compliance, as also guide people with
corrective action where needed. Information Security Committee will
ensure that threat &vulnerabilities are evaluated, and initiate/undertake
remedial action, where ever necessary on an ongoing basis
- Risk management Committee/function of the bank will also review IT
security in a routine manned and will take care for promoting security
throughout the bank including assisting development of IT based
measures and compliance
- Bank shall ensure that technology is available for updating in a manner
that efficiency and security are given paramount importance. Best
process can be defined as Corporate IS Policy (CISP) about deployment,
use and maintenance for all people as per the various levels.
- Lastly audit, fraud monitoring management to review to take care of
compliance

13. Chief IS Officer (CISO)

6|Page
The bank will nominate/appoint a CISO or entrust the exclusive responsibility of CISO
to an official of the bank by whatever name called. CISO is responsible for ensuring
that IS policies are regularly updated and reflect the bank’s requirement.
CISO will have a dedicated, skilled & adequate staff team. The job role of CISO will
include:
1. create, maintain and disseminate IS strategy, plans policies and procedures
2. carry out assessment and review of IS risk threats and vulnerability assessment
in regular periodicity,
3. monitoring & reporting on a continuous basis
4. will obtain approval at appropriate level for IS plan, budget, resources and
provide on-going support activities
5. Ensure that monitoring, testing and reporting of IS is done in an on effective and
efficient manner. Will install effective controls to ensure compliance with IS
norms.
6. establish and maintain awareness and training to promote IS across the bank

14. Business Heads
Business heads are the officials in-charge of various offices and functions (Heads of
department in the HO and branch heads). They are responsible for enforcing the
implementation of IS Policy within their control or area of operation. It is however
clearly stated that every bank Employee, officer and contractors/consultants must
comply with IS Policy and protect the bank’s information assets.

15. Coverage of the Policy

15.1.Covers all forms of electronic / print information etc. on servers, desktops,
networking and communication devices, tapes, CDs, USBs and other devices.
Information printed or written on paper or transmitted by facsimile or any other medium
is also covered.

15.2. Envisages that appropriate procedures will be created and followed at various
levels of the bank to ensure absolute protection of IS. The IS objectiv0es are set for its
continual improvement.

15.3. Provides directives towards IS within the Bank

15.4. Recommends appropriate security controls that have to be implemented to
maintain and manage IS system in the bank.

16. To Achieve the above Objectives

16.1. The bank shall be establishing and organizing the IS governance framework so
as to ensure alignment of the IS of the bank with business strategy to support
growth and other organizational objectives.

16.2. The bank will also be developing and maintaining an effective IS management
system supported by appropriate procedures and rules in consonance with the
policy.

7|Page
16.3. Through the CISO the bank will conduct periodic risk assessments and ensure
adequate, effective and tested controls for people, processes and technology to
enhance IS. Through this means the bank will ensure that critical information is
protected from unauthorized access, use, disclosure, modification, and disposal,
whether intentional or unintentional.

16.4. The bank recognizes that this will call for deploying appropriate technology and
infrastructure and training its people. The bank will particularly insist on its senior
officials for monitoring, reviewing, exception reporting and taking actions thereof for
improving the effectiveness of the IS management system.

16.5. The bank will provide an environment for promoting ‘best practices’ relative to its
business, information systems and infrastructure;

16.6. The bank will ensure that all legal and contractual requirements with regard to IS
are met wherever applicable and that any security incidents and infringement of the
Policy, actual or suspected, are reported and investigated;

16.7. The bank will organize awareness programs and training on IS to all Employees
as also other stakeholders such as contractors, consultants, vendors etc.

16.8. More importantly the bank will (a) take immediate and suitable actions for
managing violation(s), if any of the IS Policy; and (b) develop a IS compliance
culture in the bank.

17 IS Review

17.1 The implementation of IS in the bank will be one of agenda items of all Board
meeting. Further the IS Policy document shall be reviewed, by the Board periodically
and at least once a year as also at the time of any major change(s) in the existing
environment which will affect the policies and procedures. The reviews will cover the
following:

17.1.1. CISO report on IS and its implementation

17.1.2. Impact on the risk profile in the bank due to changes in the information assets,
technology/ architecture, regulatory and legal requirements. The impact assessment
will focus on effectiveness of IS policies and periodic compliance review of the policy
adherence.
17.1.3. It is possible that as a result of the reviews there could be some need to frame
additional policies or amend/update the existing policies. These additions and
modifications will be incorporated into this IS Policy document. Policies that are not
relevant due to changes in the regulation etc. shall be withdrawn.

18. Applicability and Exceptions

18.1 All employees and external parties are required to strictly comply with IS Policy.

8|Page
The bank has announced that non-compliance to IS Policy is a ground for
disciplinary action. This provision will be incorporated in the Bank’s disciplinary
policy.

18.2 Exceptions

The IS Policy is a guideline and a policy pronouncement on IS requirements which is
needed in the business interest of the bank. However for smooth conduct of business
exceptions against individual controls in specific policy domains shall be documented
and formally approved by GM operations in consultation with Head IT.

19. Certain Terms Explained
1. Policy & Procedures how distinguished?

"Policies" are management instructions indicating a course of action, guiding
principles, and appropriate procedure. Policies are mandatory and can also be
thought of as the equivalent of an organization structure and governance giving
responsibilities and segregation of duties for a given objective say protection of a
bank’s information and information assets. Policies are distinct from and
considerably higher-level than "procedures" (sometimes called "standard operating
procedures"). A policy statement describes an issue or an aspect or a subject only
in a general way for addressing a specific problem. Procedures are specific
operational steps or methods that employees must follow/use to achieve goals
(collection of procedures in a sequence could be called as a manual). A user
manual in IS will include all rules and regulations and procedures that an employee
must follow in day to day operations. It will also contain a set of do’s and don’ts and
a FAQ as well.
A standard could define how a software has to be used to perform back-ups and
how to configure that software. A procedure could describe how to use the back-up
software, the timing for taking back-ups, and other ways that Users interact with the
back-up system. Policies drives standards and procedures and all of them require
compliance. Policies provide general instructions, while standards provide specific
technical requirements. Operational steps are known as procedures.

2. Who is an Information Owner?

Data and records stored on systems are responsibility of Information Owner, like
business executive, business managers, and asset owners within the organization.
The owner/s may delegate ownership responsibilities to another individual, mostly
personnel. While doing so the owner has to ensure that appropriate procedures are
in place and followed to protect the integrity, confidentiality and security of the
information used or created within his/her/their area. They can authorize access and
assign custodianship of information and information asset. Specify controls and
communicate the control requirements to the custodian and users of the
information. Owner must promptly inform the CISO about loss or misuse of

9|Page
information, who will initiate appropriate actions when problems are identified. CISO
has to promote education and awareness by training programs administered where
appropriate.

3. Who is an Information Custodian?

The custodian of information is the person who is generally responsible for the
processing and storage of the information. Responsibilities may include:
- Providing and/or recommending physical safeguards.
- Providing and/or recommending procedural safeguards.
- Administering access to information.
- Evaluating the cost effectiveness of controls.
- Coordinating the maintenance of IS policies, procedures and standards as
appropriate and in consultation with the IS Officer.
- Report promptly to the IS Officer the loss or misuse of any authenticated device.
- Report promptly to the IS Officer the loss or misuse of information.
- Initiate appropriate actions when problems are identified.
4. Who are Information Users?

User of information could be any employee irrespective of the level of hierarchy and
will also include contractual personal, vendors, employees of vendors, employees of
service providers etc. They are expected to:
- Access information only in line with authorized job responsibilities or roles.
- Comply with IS Policies and Standards and with all controls established by
the owner and custodian.
- Adhere to all norms regarding disclosures of confidential information and
refer to the authority where ever the disclosures are not defined..
- Keep authentication devices (e.g. passwords, Secure-Cards, PINs, etc.)
confidential.
- Report promptly to the IS Officer the loss or misuse of any authenticated device.
- Report promptly to the IS Officer the loss or misuse of information.
- Initiate appropriate actions when problems are identified.

5. What is Outsourcing?

In keeping with this international trend, it is observed, that banks in India too have
extensively outsourced various activities. Outsourcing means asking a third party to
do a set of activities for the bank either outside the bank or inside the bank. These
activities are notperformed by the employees of the bank but by the employees of
the outsourcing firm. Outsourcing could be process outsourcing or a complete
vertical being managed by outside firms. Needless to say, such outsourcing, results
in banks being exposed to various risks. The outsourcing activities are subject to
regulatory oversight. The interests of the customers have to be protected. Typically
IS is concerned with outsourced information which include operational, data

10 | P a g e
processing, back office and third party related activities. The outsourcing of any
activity by bank does not diminish its obligations, and those of its Board and senior
management, who have the ultimate responsibility for the IS aspects as well as
business aspects of outsourced activity. Banks would, therefore, be responsible for
the actions of their service providers including the confidentiality of information
pertaining to the customers that is available with the service provider. Banks should
retain ultimate control of the outsourced activity.
PART-I B
1. Information Systems Security Policy

Comprehensive IS policy document has to be, overall, in alignment with the business
management objectives. The policy statements have to be further granulated for arriving
at documented procedures.

The policy statements are provided in this Part (Part – B) of the document. Chief
Information Systems Security Officer (CISO) would be responsible for the
implementation, review and updating of the Information Systems Security. He will be
assisted by a team of Officers comprising both Technical and Banking Officers. CISO will
be responsible for the implementation of information systems security policy’s in each
and every one of the offices/locations of the bank.
CISO in the bank will be fully involved in various issues such as the development of the
Information Systems Security Policy, updating of the Information Systems Security
Guidelines on an on-going basis. In performing his role the CISO will work through the
existing systems and as such the banks administration department will among others,
have the responsibility of the security controls and compliance with the information
systems security guidelines.

2. Environment & physical security

2.1 Purpose

Control of physical and electronic access to confidential information and computing
resources is must to ensure IS.. To ensure appropriate levels of access, a variety of
security measures must be instituted based on business needs and as recommended by
the Chief IS Officer.

2.2 Policy Statement

Mechanisms to control access to confidential information and IT assets shall include all
sites situated within the bank. The assets shall be protected against unauthorized
environment and physical threats. For this purpose the bank will give clear guidelines on
authority and responsibility for its employees and other authorized stake holders to
access the information and IT assets. Bank employees will strictly adhere to these
norms/guidelines. Detailed rules on this regard will be issued by the bank.

3. Acceptable Usage Security

3.1 Purpose

11 | P a g e
The purpose of this policy is to clarify users’ rights, responsibilities, information assets
and rights, to shield the organization against potential threats and liabilities. Bank assets
are provided for business purpose. User of information is expected to access information
only in support of authorized job responsibilities or role.
This will
- Minimize security threats by promoting awareness and good practices
- Encourage effective and positive use of information assets and resources.
- Ensure that users follow safe usage practices that do not hamper
business objectives, not to bring disrepute or to attract legal liability
3.2 Policy Statement

Bank assets are l be provided for business purpose and not for the personal use of its
employees or other authorized users of information and information assets. To ensure
this users shall follow to safe usage practices that do not hamper business objectives,
bring disrepute to or attract legal liability. Violations to the usage policy by an employer
/user will attract strict action and penalties including disciplinary action.

4. Incident Management

4.1 Purpose

IS incident could be a single or a series of unwanted or unexpected IS events that have a
significant probability of compromising business operations and threatening IS. IS
incidents are those which impact I T security. Incident management call for plan and
procedures to deal with the incidents so as to protect the information and or information
assets. The purpose of this policy is to develop and implement processes for identifying
and responding to IS incidents. The CISO and his/her team shall conduct reviews to
identify reasons for IS incidents, evaluate the same and also develop corrective and
preventive actions to manage and /or avoid recurrence of the incidents..

It is necessary that IS events and weaknesses associated with information systems are
communicated in a manner allowing timely corrective action to be taken.

4.2 Policy Statement

Every employee and user must report such IS events (breach or attack) to his/her
immediate supervisor and also to the IS department. The banks IS committee, based on
the CISO recommendations define roles and responsibilities for the department heads,
branch heads to identify, and manage IS incidents. Events, incidents and problems
should be reported to the appropriate authority. Persons vested with the responsibility
should respond promptly with a view to contain loss and damage if any and to avoid
reoccurrence.

5. Asset Classification & Handling

5.1 Purpose

Bank provides the medium for the purpose of exchanging transaction details through
clients/ servers. Failure to properly protect information could have serious effect on the
bank. As such, they would have to be protected with stringent security controls.

12 | P a g e
Information is classified to ensure its proper protection. Immediately after information has
been created, modified or acquired, information must be evaluated to determine its
classification. Also it should be decided as to how it must be handled. Information asset is
any asset that has value for bank & consequently needs to be suitably protected.

5.2 Policy Statement

Every employee and authorized functionaries of the bank has responsibility in protecting
the information asset from unauthorized access, generation, modification, disclosure,
transmission or destruction. This is achieved by strictly following laid down procedures. In
order to ensure that the security, reliability, integrity & availability of information is not
compromised bank has laid down specific procedures and rules for each information
activity. Bank will specify authority for appropriate asset handling. Schemes for labels
shall be adapted by the bank for marking guidelines for IS.

6. Asset-Media Disposal

6.1 Purpose

Information can be compromised through careless disposal or re-use of media. Storages
devices containing sensitive information should be physically destroyed or security
overwritten. Rather than using the standard delete functions, all storages media should
be checked prior to its disposal to ensure that sensitive data and licensed software, if any
is not remained. It should be ensured that such data or software is either removed or
overwritten.

6.2 Policy Statement

Employees, users and authorized officials of the bank shall ensure that banks owned
computers, devices storages media shall have all data and licensed software reliable
erased from all device at the time of disposal of the media or its movement out of bank
control using best practices for each type of media.

7. Anti- Virus

7.1 Purpose

Bank must be protected against vulnerability due to virus and attack by Trojans and
malicious codes. Hence IT assets of the bank must use enterprise level anti-virus
solutions on the system. Appropriate Antivirus solutions approved by the Chief IS Officer
and must be deployed for protecting against virus attach and Virus checking.. Wherever
possible a multi-layered approach should be used (desktops, servers, gateways, etc.)
that ensures that all electronic files are appropriately scanned for viruses. Users
(employees and other stake holders) are not authorized to turn off or disable virus
checking.

7.2 Policy Statement

Malicious codes are viruses, worms, Trojans, root kits etc. represent significant threat to
performance secrecy. Bank shall ensure that these malicious codes are detected early
and removed.. These guidelines shall protect IT assets of the bank against malicious

13 | P a g e
code through enterprise level anti-virus solution. Bank will use an appropriate antivirus
solution and keep it updated on a regular basis.

8. Networking & Internet Security

8.1 Purpose

Protecting Networking infrastructure against threats and mitigating such threats
originating from external, and internal network is of prime importance of the bank.
Absence of proper access control and protection can lead to internet based attack that
includes unauthorized access from internet; spread of virus, worms, malware, etc. There
could be unsecured transit on the network that can lead to unauthorized access leading
to loss of critical & sensitive information.

It is necessary to provide secured access to the bank’s network to internal and external
users, provide adequate redundancy for critical IT assets & establish effective
management of the networking infrastructure.

8.2 Policy Statement

Enterprise network infrastructure shall be appropriately designed, and managed and
controlled effectively in order to ensure protection of the information in the network as
also of the for support infrastructure. All connections to extended network including
Internet, outsourced Vendors and partners shall be authorized and provided in a secure
manner. All remote access to the network shall be authenticated & provided based purely
on business requirement. Network should be designed & maintained for high availability
and to meet the requirement of the User.

9. Operating Systems

9.1 Purpose

To determine appropriate risk response options, identify performance gaps between
current and desired risk level. Risk associated with IT systems whether appropriate and
effectively mitigated to an acceptable level by securing Operating Systems.

9.2 Policy Statement

Operating systems shall be installed and configured in a proper manner. Operating
system shall only be accessed by authorized users (employees and others) and un-
authorized will be denied by using appropriate technology and other process ensuring
confidentiality, integrity and availability.

10 Applications

10.1 Purpose

Applications are vulnerable to various kind of attacks, which are exploited by a malicious
activity. Computer software owned or licensed must not be copied by users; employees
and others for use at home or any other location. Exceptions to this will be specifically
14 | P a g e
authorized by the Information Owner. Anyone could access information and/or data
wherein security controls like authentication mechanism can be easily bypassed. Hence,
it is imperative that Security controls to protect the application are appropriate and
deployed on a continuous basis.

10.2 Policy Statement

Application deployed in bank shall have controls for secure input processing, through
system, storage and output of data. Application shall be tested for security performance
before deployment & for high availability. Access to application shall be restricted to
authorized persons & access will be o provided on the principle of least privilege.

11. Database

11.1 Purpose

Bank’s database contains critical and confidential business information of its constituents
which have to be protected at all times. Hence, it has to be ensured that database is
configured to protect client information and at the same make them available to
authorized users on authentication. The organization needs to define and develop
adequate controls to secure its database.

11.2 Policy Statement

The technical team (I T department) shall implement database system configured as per
best security practices. Adequate controls to maintain confidentiality, integrity and
availability of database at all times shall be put in place. User access to database shall be
provided as per authorization and based on authentication. Database access will be
given strictly based on business, operational needs and requirement.

12. Patch Management

12.1 Purpose

The hardware having computers and applications should be frequently patched to protect
against widespread worms, malicious code that target known vulnerabilities on non-
patched systems, resulting in downtime & business impact on banks.

The down time and business impact can be avoided by have effective patch management
which will keep updated the IT system and applications deployed in the bank.

12.2 Policy Statement

The bank shall be secured against known vulnerabilities in operating systems and
applications software through an effective patch management process.

13. Back-up

13.1 Purpose

Back-ups of essential information, data and software shall be taken on regular basis, one

15 | P a g e
copy on site and one off-site. This should to be strictly followed to ensure that all essential
information and SW could be recovered in the event of a disaster or failure of media. This
would help to prevent loss of data which can impact in terms of delay, increased costs,
loss of credibility & embarrassment.

13.2 Policy Statement

Information system/asset owners (employees) shall ensure that adequate back-ups, as
per stipulated periodicity are taken so that the data is not lost and can be recovered, in
the event of an equipment failure, intentional destruction of data, or disaster. The IT
department shall be responsible for operationalizing this policy.

14. Personnel

14.1 Purpose

People are the key assets in creating, storing, maintaining, distributing, processing and
protecting the information/data of the organisation. All employees as also contractual
users should adhere to all the IS security guidelines and access information purely based
on job responsibilities and requirements. They should not access information for personal
use. The access can be revoked or modified with changes in such responsibilities.

14.2 Policy Statement

People are the key assets in creating, storing, and maintaining, distributing, processing
protecting. All employees as also contractual users shall adhere to the Personnel
Security and access based on responsibilities. The access can be revoked or modified
with changes in such responsibilities

Bank shall ensure that each employee is made aware of the importance of IS and their
role in ensuring IS. Also employees will be instructed to strictly adhere to various IS
related instructions and not to use information for other than official purposes. Employees
will be informed of their access and other rights which can be revoked in the event of role
changes.

15. Password

15.1 Purpose

If an authorized user or a customer who is not authorized gains access to banks
information and information assets, it could result into loss of confidence constituents and
result in compromise with integrity of data.
Generally the user and customer gain access to information/data through user-ID and the
password provided for securing transactions. Access to systems should be strictly limited
for the genuine business purposes with the complement of User ID and password

15.2 Policy Statement

Every user shall be assigned a unique User ID. Users both employees and customers
shall choose/create their passwords in accordance with policy and shall protect at all
times during its generation, delivery, storage and usage. The password change process
shall be well calibrated. Users and Customers will be mandated to periodically change
16 | P a g e
the password. Bank will educate the customer on the need for confidentiality in the
password, not sharing it with others and the consequences of sharing the password.

16. E-mail Usage and Security

16.1 Purpose

The e-mail system for the bank is required for day-to-day function for genuine banking
and operations. It is also a part of the customer service. A lot of internal information is
shared with employees and functions/function heads through email. As such appropriate
controls have to be provided for security for e-mail.

16.2 Policy Statement

E-mail ID and access shall be made available to employees purely based on business
needs. Every employee shall develop a password for accessing the mail. Email activity
shall be protected adequately to provide availability, exchange of information between
employees of the bank and with the third parties. Bank will protect the system with
appropriate technology and other means against breach or unauthorized access.
Employees will not be allowed to use email for personal work.

17. Change Management

17.1 Purpose

Unauthorized changes and ad-hoc changes in the IT and other electronic systems could
lead to system getting interrupted and result in genuine persons and users unable to
access system or information assets. It is laid down that major or minor changes to any
information assets where ever necessary should be carried out with prior approvals. The
changes are to be identified and monitored. The entire process will have to be
documented. It is provided that changes will be implemented in test environment before
taking to production.

17.2 Policy Statement

Changes to the IT systems shall be performed in controlled manner. To ensure that the
risk associated with changes are managed to an acceptable level, changes will be made
only after carefulconsideration of its need, impact and proposed changes will be
thoroughly tested before these are deployed.

18. Monitoring

18.1 Purpose

IT infrastructure components form a crucial part of assets of the banks. IT assets are
constantly under threat from hackers and other malicious users and as a result needs to
be monitored effectively on a continuous basis for identifying any abnormal activities and
for the purpose of protecting the asset. The effectiveness and applicability of IS controls
have to be monitored based on control testing criteria, purpose of testing and results
periodically reported to the management. Security controls need to be continuously

17 | P a g e
implemented on IT assets to protect them from unforeseen threats.

18.2 Policy Statement

The bank shall establish an effective enterprise level system to centrally monitor IS
controls. All access to critical applications and banks network shall be monitored for
suspicious activities or security breaches. Adequate response mechanism shall be set up
for controlling security breach, if any.
19. Outsourcing/Third Party

19.1 Purpose

There are a number of IT based activities that the bank has outsourced. These include
AMC for hardware and software, maintaining ATM etc. The bank is aware of the risk of
improper access to information and information assets from users of third party or
outsourcing agencies which could prove detrimental to banks interests. A risk
assessment exercise should be carried out to determine the specific security
requirements in such cases. Contract with third parties or outsourcing agencies should be
established with necessary security conditions and service levels in mind.

19.2 Policy Statement

Banks shall ensure that access to the data processing facilities and Intellectual property
rights of the bank are well protected from third party service provider’s entities and
controls by taking adequate measures.

20. Business Continuity

20.1 Purpose

To fulfil the bank’s commitment to protect its customers and in the interest of rendering
uninterrupted banking services it would be prudent for the bank to thwart all kinds of
threats to its business which could have the potential to disrupt its operations. In other
words bank shouldensure robust systems such that its business continuity is not
threatened. In view of this, critical information systems of the bank should be planned and
suitably designed to ensure continuity of operations, even in the event of a disaster. IS is
one such critical aspect. Thus the purpose is to counter interruptions to business
activities and to protect critical business processes from the effects of major failures of
information systems or disasters and to ensure their timely resumption.

20.2 Policy Statement

Bank shall ensure the safeguard of its information and information assets to minimize the
risk, costs & duration of disruption to business operations. Bank will establish and
maintain integration between response plans, DRP & BCP. Bank will have a plan for
effective continuity of business & a well-rehearsed recovery process or a combination of
these which will enable the resumption of critical business activities.

21. ATM

18 | P a g e
21.1 Purpose

The objective of this policy is to prevent misuse and minimize security risks to ATMs
installed in the bank premises and at off-site locations. The ATMs being an important
delivery channel offering financial and non-financial services, the security risks must be
considered on top priority for prevention of frauds.

21.2 Policy Statement

A network of ATMs exists in the bank where a secret ATM operation code will be issued
to the customer in the form of Personal Identification Number i.e. PIN for ATM operations.
The concept of PIN prevents an unauthorized user from gaining access to the ATM
network as a combination of physical card and PIN number is required for accessing the
account for withdrawal of cash and/ or any other services offered by bank through card
and ATM. ATMs will also be guarded suitably against theft, unauthorized access etc.
PART II

INFORMATION SYSTEMS SECURITY POLICY

POLICIES AND PROCEDURES

For all the policies stated in part I the descriptions and procedures are given below.

2. Environment and Physical Security Policy

2.1 Purpose
Control of Physical and electronic access to confidential information and computing
resources is must to ensure IS. To ensure appropriate levels of access, a variety of
security measures must be instituted based on business needs and as recommended by
the Chief Information Security Officer (CISO).

2.2 Policy Statement
Mechanisms to control access to confidential information and IT assets shall include all
sites situated within the bank. The assets shall be protected against unauthorized
environment and physical threats. For this purpose the bank will give clear guidelines on
authority and responsibility for its employees and other authorized stake holders to
access the information and IT assets. Bank employees will strictly adhere to these
norms/guidelines. Detailed rules on this regard will be issued by the bank.

2.3 Procedures: Scope
All sites, which house bank’s critical IT assets, shall provide resistance to unauthorized
physical access and have protection against environmental threats. All physical access
and movement of IT assets shall be monitored and reviewed.

2.4 Access Control

2.4.1 All critical information processing facilities shall have adequate protection against
unauthorized access.

2.4.2. Every employee shall be provided with name, identification/access cards consisting
of banks name the details of time of arrival, duration of the activity, and reasons of access
shall be recorded. In case of emergency, approval for access can be given on the phone

19 | P a g e
or e-mail with a proviso that detailed request form shall be sent after activity.

2.4.3 Access to secured areas shall be allowed only after necessary approval.
2.4.4 A log book shall be maintained to track all access to critical information processing
facilities.
2.4.5 An updated list of personnel who have access to critical information processing
facilities shall be maintained.
2.4.6 Security guards must check IT equipment and media carried by all personnel
entering or leaving information processing facilities.
2.4.7 Visitors, vendors and external people shall be accompanied by bank staff when
working in critical information processing facilities.
2.4.8 An access control register shall be maintained at the entry point of Data Centre.
People who are not Data Centre employees and third party (external) visitors shall
make appropriate entry in the register before entering.

2.5 Environmental Protection

2.4 There shall be adequate provisions for fire - detection, fire fighting and control.

2.5 All personnel shall be trained for fire-fighting.

2.6 Air Conditioning Systems shall be implemented to ensure that the operational
environment conforms to the equipment manufacturer’s specifications.

2.7 All critical equipment such as air conditioners, gen-sets, etc. shall remain under
Annual maintenance contract, at all times.

2.6 Data Centre Security

4. Critical processing area in Data Centre shall be accessed only by authorized
personnel. They alone will be allowed inside/access.

5. Emergency exit shall be provided in the data centre for use in emergency situation
(it shall not be available as a matter of routine).

2.7 Identification of Devices

2.7.1.For easy identification, data cables and electrical cables must be properly labelled.

2.7.2. Proper labelling of racks shall also be ensured. All devices shall also be similarly
numbered (as contained in the racks). Rack number shall form part of the device
identification number which must be pasted on all devices.

2.8 CCTV Monitoring

2.8.1. CCTV monitoring systems shall be installed at the Data Centre and a proper
monitoring system shall be put in place at entry and exit points at the Data Centre as also
in area having critical IS assets. The CCTV footage shall be maintained – kept on record
for a specific period – a Minimum period of 90 days.

2.9 Power at the Data Centre

20 | P a g e
2.9.1. Power Systems shall be designed and provided to ensure uninterrupted and quality
power supply at the Data Centre. UPS shall be provided for backup.

2.9.2. UPS Systems shall be checked once in a quarter or as recommended by the
manufacturer for its proper functioning/efficacy. Additionally, test checks shall also be
carried out, on a quarterly basis.

2.9.3 A backup power system shall be provided to all access control systems, physical
security systems such as fire and smoke alarms, emergency lighting systems, fire
detection & suppression systems, etc.

2.9.4. The electrical power supply to the Data Centre shall be segregated from other
power circuits of the building. Similarly, the power supply to the IT equipment/assets at
the Data Centre shall be segregated from all other equipment.

2.9.5 Switches shall be provided in easily accessible locations within the Data Centre and
outside the Data Centre to be used to switch off the power, in case of an emergency.

2.10 Fire Prevention and Control

2.10.1 Infrastructure at the Data Centre shall be erected from fire-resistant material.
Automatic fire detection systems shall be installed for detection as also for alerting. Gas
based fire suppression systems shall be installed to control outbreak of fire. Fire detection
and suppression systems shall be capable to automatically shut off electrical power.

2.10.2 No combustible material shall be provided or stored at the Data Centre.

2.10.3 Basic training on fire-fighting techniques shall be provided to staff at the Data
Centre. Periodical fire-drills shall be conducted, as per the security policy of the bank.

2.11 Environmental Safeguards

2.11.1. Temperature and humidity shall be monitored and controlled at the Data

Centre. 2.11.2 Air shall be filtered and circulated to remove dust and contamination at

the Data Centre.

2.11.3. Water/Moisture detectors shall be placed below the false floor in the Data Centre,
if the area is prone to moisture and water seepage.

2.11.4. Raised false floor shall be erected to provide proper environment, temperature,

cabling, etc. 2.11.5. The Data Centre shall always be maintained dust and dirt-free.

2.12. Preventive Maintenance

a. Preventive maintenance of all equipment, electrical installations, alarm
systems, back-up power supply, UPS, etc. shall be carried out periodically.

b. Proper monitoring of such maintenance by personnel posted at the Data

21 | P a g e
 Centre shall be ensured.

2.13. Monitoring

a. Automatic alerting systems shall be installed at all access points to critical
information processing facilities.

b. Monitoring systems shall be deployed to track any suspicious activity.

2.14 Document Security

a. Sensitive documents shall be stored in locked cabinets.

b. Fax machines and printers shall be protected against

unauthorized access.

2.15 Enforcement

Compliance with the security policies of the bank shall be a matter of periodic
review by the ISC. Any employee found to have violated this policy may be
subjected to disciplinary action, up to and including termination of employment as
deemed appropriate by the management of the bank.

3. Acceptable Usage Security

3.1 Purpose

The purpose of this policy is to clarify users’ rights, responsibilities, information assets
and rights, to shield the organization against potential threats and liabilities. Bank assets
are provided for business purpose. User of information is expected to access information
only in support of authorized job responsibilities or role. This will

- Minimize security threats by promoting awareness and good practices
- Encourage effective and positive use of information assets and resources.
- Ensure that users follow safe usage practices that do not hamper business
objectives, not to bring disrepute or to attract legal liability

3.2 Policy Statements

Bank assets are l be provided for business purpose and not for the personal use of its
employees or other authorized users of information and information assets. To ensure
this users shall follow to safe usage practices that do not hamper business objectives,
bring disrepute to or attract legal liability. Violations to the usage policy by an employer
/user will attract strict action and penalties including disciplinary action.

3.3 Procedures for Acceptable Users and Usage Security: Scope

Users’ rights, responsibilities, information assets and rights shall be specified to shield the
organization against potential threats and liabilities. Minimize security threats by

22 | P a g e
promoting awareness and good practices. Encourage effective and positive use of
information assets and resources.

3.4 Desktop Users

 All desktops shall be configured by system administrators as per the secure
configuration standards provided by IS Committee (ISC).
 Users shall not install any software or applications on their desktop that is not
authorized or not essential to bank’s business.
 Users shall not connect modems to their machines unless and otherwise approved
by the appropriate authority.
 Necessary measures shall be adopted by users to prevent the risk of unauthorized
access.
 Desktops as also external devices like CD, pen drives, etc. shall be configured by
IT teams in accordance secured configuration by IT team be as per standards.
 Users shall not install any software, application on their desktop that is not
authorized. Users can effect changes in the desk top only through IT department.
 Approved products only can be installed on desktops/laptops.
 The servers shall be configured and maintained only by the I T department or
authorized officials.
 Internal LAN shall be segregated from the external Internet. User shall not connect
through modems. Also for connecting to external access, network team will
configure all desktops as per secure configuration.
 User must log out of all applications when leaves; if not used, desktop shall
automatically log-out for extended period of time.
 Screen saver shall be enabled with Password. Access through pass word is
essential if the PC is unattended for short time.

 It should be ensured that there is sharing in any user’s folders in desktops over

network.

3.5 Laptop Users

 Laptop users need to adopt the following measures

 Ensure that laptop is configured as per the secure configuration documents
provided by ISC.

 Enable boot level password in the laptop.

 Encryption or password protection shall be enabled for protection of data.

 Antivirus agent with latest signatures shall be installed, before laptop is connected
to the LAN.

 All necessary patches / hot fixes for the operating system and applications
installed shall be periodically updated.

 Log off laptops when not working for extended period and enable screen saver

23 | P a g e
 with password for protection during short period of inactivity.

 Backup critical files from laptop to Users’ desktop or removable media like CD/Pen
drives

 User to take adequate measures for physical protection of laptop including not
leaving laptops unattended in public places or while traveling.

 If the laptop has modem / dial up facility for Internet, users shall disconnect
Internet connection before connecting to the bank’s LAN.

 Loss of laptop shall be reported immediately to the department head and ISC.

 Third party laptop connecting to the bank’s network shall be restricted. Prior
approval from IT head shall be taken before connecting third party laptops to
bank’s network.

 Laptops Security– Configuration as per policies shall be carried out by security
team.

 Enable booting passwords and additional protection.

 Shall take precaution for physical protection by backing up critical files to central
server.

 The system shutdown option which allows users to shut down the system without
logging in first, will be restricted on all servers housing sensitive information.

 A logon banner shall appear on all information systems prior to login on to the
system stating that the information system shall only be accessed by authorized
users and un-authorized access is prohibited, monitored and liable for punitive
actions.

 The number of unsuccessful logon attempts will be limited to (say five) after which
the system will lock that particular User ID. All unsuccessful login attempts will be
recorded.

 On completion of a successful log-on the following information will be logged: (a)
date and time of the previous successful log-on (b) details of any unsuccessful
log-on attempts since the last successful log-on.

3.6 Password Security

 Users (employees and other authorized personnel) are responsible for all activities
originating from their computer accounts.

 Users shall choose passwords that are easy to remember but difficult to guess.

 Protection

24 | P a g e
  Users shall not disclose/share their passwords with anyone including colleagues
and IT staff

 Users shall ensure that nobody is watching when they are entering password into
the system

 User shall not keep a written copy (in paper or electronic form) of password in
easily locatable places.

 Users shall change their password regularly.

 User shall report to the system administrator if account is locked out before 3 bad
attempts.

3.7 Internet Usage

 Internet access is provided to users for the performance and fulfilment of job
responsibilities.

 Employees shall access Internet only through the connectivity provided by the
bank and shall not set up Internet access without authorization from IT
department.

 All access to Internet will be authenticated and will be restricted to business
related sites.

 Users are responsible for protecting their Internet account and password.

 In case misuse of Internet access is detected, bank can terminate the user
Internet account and take other disciplinary action as bank may deem fit.

 Users shall ensure that security is enabled on the Internet browser.

 Users shall ensure that they do not access websites by clicking on links provide in
emails or in other websites.

 Bank reserves the right to monitor and review Internet usage of users to ensure
compliance to this policy.

3.8. Clear Desk

 While users work in an online environment, at times they are required to use
papers/ storage devices for information exchange. Information on important
customers & sensitive business data is also available on other media like
computer generated printouts, office papers, CDs, pen drives, diskettes etc.

 Cabins/ Desks & meeting rooms with papers piled high not only poses fire risk but
also may be in legal breach for not preserving confidentiality of customer
information. The act places a legal obligation on employees concerned to protect
sensitive personal information.

25 | P a g e
  To prevent such data leakage due to non-clean desks, user/ authorized personnel
shall ensure that confidential documents and media files are not left unattended.
Unused documents/ papers shall be destroyed using shredder machine.

4. Incident Management

4.1. Purpose

IS incident could be a single or a series of unwanted or unexpected IS events that have a
significant probability of compromising business operations and threatening IS. IS
incidents are those which impact IT security. Incident management call for plan and
procedures to deal with the incidents so as to protect the information and or information
assets. The purpose of this policy is to develop and implement processes for identifying
and responding to IS incidents. The CISO and his/her team shall conduct reviews to
identify reasons for IS incidents, evaluate the same and also develop corrective and
preventive actions to manage and /or avoid recurrence of the incidents. It is necessary
that IS events and weaknesses associated with information systems are communicated
in a manner allowing timely corrective action to be taken.

4.2. Policy Statement

Every employee and user must report such I S events (breach or attack) to his/her
immediate supervisor and also to the IS department. The banks IS committee, based on
the CISO recommendations define Roles and responsibilities for the department heads,
branch heads to identify, and manage IS incidents. Events, incidents and problems
should be reported to the
Appropriate authority. Persons vested with the responsibility should respond promptly
with a view to contain loss and damage if any and to avoid reoccurrence.

4.3 Scope

Maintain processes to investigate and document incidents to be able to respond
appropriately. To determine their causes, adhere to legal regulatory and organizational
requirement.

4.4 Incident Identification

4.4.1. All users and administrators of IT systems shall be responsible for identifying
incidents. An incident is the act of violating an explicit or implied security policy. The
following actions can be classified as incidents:

i. Attempts to gain unauthorized access to a system or its data; masquerading, spoofing
as authorized users.

ii. Unwanted disruption or denial of service.

iii. The unauthorized use of a system for the processing or storage of data by authorized
users.

26 | P a g e
iv. Changes to system hardware, firmware or software characteristics and data without
the owner's knowledge, instruction or consent.

v. Existence of stray user accounts.

4.5 Incident Reporting

4.5.1. If a user suspects that an incident has occurred, it shall be reported immediately to
the branch system administrator / department head or to the helpdesk. The administrator
shall do a preliminary analysis to ascertain the cause and extent of damage.

4.5.2.An incident report shall be sent to the IS Committee (ISC) containing the following
details
- Description of the incident
- Possible causes
- Damages observed
- Supporting evidence
- Remedial steps taken
4.5.3. Based on data available and level of criticality of incident, ISC shall send out
incident alerts to application groups and user departments which could possibly be
affected by similar incidents.

4.5.4 Users of the IT system shall report security incidents identified.

4.5.5. Users are required to provide their identity and contact details while reporting
incidents for effective follow up.

4.6. Incident Verification

4.6.1. The ISC shall analyse the incidents based on the data received from the
administrator. The ISC shall seek more information from the system administrators, if
required.
4.6.2. The ISC shall record the incident and allocate an incident number for tracking and
future reference.

4.6.3.Once the incident validity has been verified, ISC shall draw up an action plan.

4.6.4. Head of IT shall be updated about the incident, impact on business and proposed
action plan

4.7. Incident Recovery
4.7.1. System personnel required for executing the recovery plan shall be contacted by
the application team.

4.7.2. Additional monitoring mechanisms shall be deployed for a short duration of time
after recovery to ensure that all incident related activities have ceased.

4.8. Incident Prevention
4.8.1. Based on the learning from the incident, ISC shall make necessary changes (if
required) to security policies.

27 | P a g e
4.8.2.ISC shall maintain a database of incidents and recovery steps.

5. Asset Classification & Handling

5.1. Purpose

Bank provides the medium for the purpose of exchanging transaction details through
clients/servers. Failure to properly protect information could have serious effect on the
bank. As such, they would have to be protected with stringent security controls.

Information is classified to ensure its proper protection. Immediately after information has
been created, modified or acquired, information must be evaluated to determine its
classification. Also it should be decided as to how it must be handled. Information asset
is any asset that has value for bank & consequently needs to be suitably protected.
5.2. Policy Statement

Every employee and authorized functionaries of the bank has responsibility in protecting
the information asset from unauthorized access, generation, modification, disclosure,
transmission or destruction. This is achieved by strictly following laid down procedures. In
order to ensure that the security, reliability, integrity & availability of information is not
compromised bank has laid down specific procedures and rules for each information
activity. Bank will specify authority for appropriate asset handling schemes for labels
shall be adapted by the bank for marking guidelines for IS.

5.3. Scope

Information assets apply to all users of the bank housed with the institution as and/or with
the outsourced/ third parties.
5.4. Accountability

5.4.1 All major information assets like application software and databases shall have a
nominated Data Owner.

5.4.2. The Branch Head/ Regional Head/ Administrative Office Head will initiate
measures for nominating functional owners for all major information assets of bank.

5.5. Information Classification
5.5.1.All information system assets will be classified under one of the following
categories:

5.5.2.Secret Information: Secret Information is highly sensitive to internal and external
exposure.

5.5.3. Confidential Information: Confidential Information is sensitive to external exposure,
the unauthorized disclosure of which would cause administrative embarrassment or
difficulty.

5.5.4. Corporate Confidential Information: Any confidential information of the Bank’s
internal affairs, which cannot be shared with employees, Branches / Regional /
Administrative Offices, unless, needed for the purpose of routine operations or
conducting business.

28 | P a g e
5.5.5. Branch/ Regional/ Administrative Office Confidential Information: Any confidential
information, which can be shared across Branches/ Zones/ Administrative Offices, but is
not intended to be shared as Public Information, will be classified as Branch/ Regional/
Administrative Office Confidential Information. Public: Public Information includes
information such as various services, marketing brochures and promotional literature,
advertising media and Bank web sites.

5.5.6. A given security classification cannot be downgraded to a lower category except by
the Data Owner.

5.6. Document Classification
5.6.1. Appropriate security classification will be clearly stated for all hardcopy collections
of documents consistent with the information classification, except for Public information.
The following classification standards will be maintained.

5.7. Secret Documents: Secret documents will be marked as ‘SECRET’ on the
first/heading page.

5.8. Confidential Documents: Confidential documents will be marked as ‘CONFIDENTIAL’
on the first/heading page.

5.9. General Documents: All un-labelled documents will fall into this category.
5.10. Media Handling

5.10.1. All computer media like tapes, disks, CDs pen drive etc. will be stored in a safe,
secure environment, in accordance with the manufacturer's specifications.

5.10.2. Procurement, distribution and use of blank CDs, tapes, pen drive/floppies, etc. will
be inventoried and controlled by the respective Administrative Head.

5.10.3. No printed output or removable media will be taken out of the office premise
unless authorized in writing by the respective Administrative Head with a copy to the Gate
Security In-charge, if any, wherever practical.

5.10.4. No printed output or removable media containing, Secret or Confidential data will
be taken out from the Computer Room premises unless approved in writing by immediate
controlling authority.

5.10.5. Personal media like tapes, disks and cassettes will not be carried and used in the
office premise.

5.10.6. Inventory of software media containing system software, operating system and
such other software and application utilities will be maintained.

5.11. Enforcement
5.11.1. Compliance with security policies will be a matter for periodic review by the ISC.
Any employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment as deemed appropriate by the management.

6. Asset-Media Disposal

29 | P a g e
6.1 Purpose

Information can be compromised through careless disposal or re-use of media. Storages
devices containing sensitive information should be physically destroyed or security
overwritten. Rather than using the standard delete functions, all storages media should
be checked prior to its disposal to ensure that sensitive data and licensed software, if any
is not remained. It should be ensured that such data or software is either removed or
overwritten.

6.2 Policy Statement

Employees, users and authorized officials of the bank shall ensure that banks owned
computers, devices storages media shall have all data and licensed software reliable
erased from all device at the time of disposal of the media or its movement out of bank
control using best practices for each type of media.

6.3 Scope

6.3.1. This policy is applicable to any electronic information storage or paper- based
media containing internal use classification or confidential data.

6.3.2. Policy applies to all employees and third party personnel who have access to,
develop, use, copy, print, exchange information, earlier internally within the organisation
or externally with third parties.

6.3.3.Policy applies also on all I T Assets

6.3.4. Policy also applies on the employees of the third party who are involved in the
disposal procedure.

6.4. Disposal of Information Assets

Media containing sensitive information (Secret or Confidential) will be disposed of
securely and safely when it is no longer required e.g. by incineration or destroyed by
securely deleting. Such disposals will be authorized by the Administrative Head at the
location.

6.5 Disposal of Electronic Media

6.5.1. The departmental heads are responsible for overseeing compliance with data and
disk disposal in his or her area on a yearly basis.

6.5.2. Information on storage media like hard disk drives or removable media like tape
drives, USB, CD drives shall be formatted or erased three times if the media is to be
reused.

6.5.3. Low level formatting shall be done for hard disk drives of all desktops and laptops
three times before reusing or sending them for maintenance.

6.5.4. Magnetic media like floppy disk, hard drives, zip disks, etc. shall be erased using a
degaussing device or disk wiping software before being discarded.

30 | P a