NMB Bank Limited Information Security Standard Procedures PDF
Document Details: 2024
Summary
This document is a procedure for acceptable use of IT resources at NMB Bank Limited, outlining rules, responsibilities, and guidelines for employees and external users. It covers topics such as desktop services, mobile devices, backup of critical files, and access control.
Full Transcript
NMB Bank Limited Information Security Standard Procedures
Acceptable Use of Assets
Domain: Acceptable Use of IT Resources
Procedure Identifier: NMB-ISSP-P-41
Effective Date: 12th Aug 2024
Version: 1.0
Total No. of Pages: 12 including this page
Issued By: CISC

AMENDMENT RECORDS
Sl.  Amendment Details  Version No.  Revision Date
1    New Release        1.0
Sl.  Last Review Date   Reviewed By

INTERNAL-IT-ISSP-P-41 1 Acceptable Use of IT Resources

APPROVAL LOG
NAME  SIGNATURE  SIGNED DATE
Prepared By:  Ram KC, Sr. Officer-ISD
Supported By: Deepa Shrestha, ISO
Supported By: Bikash Shrestha, Head IT
Supported By: Dhruba Adhikari, Head Legal & Compliance
Supported By: Niraj Sharma, Head Human Resource
Supported By: Pramod Dahal, Chief Operating Officer
Supported By: Navin Manandhar, Chief Risk Officer
Supported By: Sudesh Upadhyaya, DCEO
Approved By:  Sunil KC, CEO

Table of Contents
1 Introduction
2 Scope
3 Executive Owner
4 Responsibilities
5 Procedure
  5.1 General
  5.2 Desktop Services
  5.3 Mobile Devices
  5.4 Backup of Critical Files
  5.5 Access Control
  5.6 Classified Information
  5.7 Electronic Messaging
  5.8 Internet Browsing
  5.9 Use of Social Media
  5.10 Clear Desk and Clear Screen
  5.11 Unacceptable Use
6 Policy Compliance
  6.1 Compliance
  6.2 Exception
  6.3 Non-Compliance

ABBREVIATIONS
IT    Information Technology
ISD   Information Security Department
CISC  Corporate Information Security Committee
MFA   Multi Factor Authentication
PC    Personal Computer
WiFi  Wireless Fidelity
VPN   Virtual Private Network
PAN   Primary Account Number
CVV   Card Verification Value
2FA   Two Factor Authentication
PII   Personal Identifiable Information
EOD   End of Day

1 Introduction
This procedure makes employees and external party users aware of the rules for the acceptable use of IT assets such as software, hardware and communication channels associated with information and information processing. While supporting the business and operations of the Bank, staff performing regular duties may have access to data in applications, emails and file systems, or on desktops, servers, networks and other systems, all of which must be protected. Similarly, since the human element is the weakest link in the cyber security chain, users should be aware of potential cyber security threats so that the Bank can become cyber resilient. In performing their duties, staff must comply with applicable Bank policies, including the Bank's Information Security and Information Technology Policy, on access to any sort of information.

2 Scope
This procedure applies to all employees (permanent, contract, temporary etc.) and all other internal and external users having access to any of the Bank's systems, information or physical infrastructure, regardless of its form or format, created or used to support the organization.

3 Executive Owner
CISC is the executive owner for reviewing and releasing this procedure.
4 Responsibilities
Designation: Information Security Department (ISD)
Role: Ensuring that this procedure is effectively implemented.

Designation: HR Department
Role: Responsible for arranging awareness of the acceptable use of information and assets for all employees of the Bank and users.

Designation: Head of Departments (HoDs)
Role: Implementing the acceptable use procedure for compliance with this procedure.

Designation: Users and Staff at Bank
Role: Should be aware of this procedure and strictly adhere to it.

5 Procedure
5.1 General
Each user is responsible for their own actions and must act responsibly and professionally while using the Bank's IT assets. Users are expected to become familiar with, and follow, the organization's security policies and procedures and any special instructions relating to their work. Users must always comply with the legal, statutory or contractual obligations that the organization informs them are relevant to their role. Consistent with the foregoing, the acceptable use of information and IT resources encompasses the following duties:
- Understanding the baseline information security controls necessary to protect the confidentiality, integrity and availability of information;
- Protecting organizational information and resources from unauthorized use or disclosure;
- Protecting personal, private, sensitive or confidential information from unauthorized use or disclosure;
- Observing authorized levels of access and utilizing only approved IT technology devices or services; and
- Immediately reporting suspected information security incidents or weaknesses to the Information Security Department (ISD).
5.2 Desktop Services
When a new employee joins the Bank, a computing device (desktop/laptop) will be provided to the user by the Project & Strategic Sourcing Department, and access will be provided to the user by the IT Department based on the function to be carried out by the user. Users should not try to access any computer or IT equipment unless authorized to do so by the Information Security Department after proper justification of use has been given.
Access to IT systems is controlled using user IDs, passwords and/or MFA and tokens (where applicable). All user IDs and passwords are uniquely assigned to named individuals; consequently, individuals are accountable for all actions taken in the IT systems to which they have access.
PC installation, troubleshooting and maintenance shall be undertaken only by the IT Department or a service provider appointed by the Bank for this purpose. Users should not install, troubleshoot or maintain any IT resource on their own or through outsiders without first notifying the IT Department.
All data, information and any other material stored on a computer or any other IT resource is the sole property of NMB Bank. Users should not copy, store or transmit in any form the data, information or software installed on any IT resource unless specifically authorized by the Head of Department and the IS Department.
Users must not:
a. Allow anyone else to use their user ID, token and password on any IT systems and applications.
b. Leave their user accounts logged in at an unattended and unlocked computer.
c. Use someone else's user ID and password to access the Bank's IT systems.
d. Leave their password unprotected, for example by writing it down in a diary or on sticky notes, or sharing it with others.
e. Perform any unauthorized changes to IT systems or information.
f. Attempt to access data that they are not authorized to use or access.
g. Connect any unauthorized device to the Bank's network or IT systems.
h. Store the Bank's data on any non-authorized equipment, device or platform.
i. Give or transfer the Bank's data or software to any person or organization outside the company without the authority of the Bank.
In addition:
j. Line managers must ensure that individuals are given clear direction on the extent and limits of their authority over systems and data.
k. Users must use strong and unique passwords/passphrases for personal and official platforms.
Users should not use IT assets for personal gain, including commercial, social or cultural purposes.
Users are personally responsible for protecting the data and information of the Bank being used by them. Users should not switch off any tools or services set up on IT assets by the IT Department, such as anti-virus. If users observe anything unusual in IT resources or critical information, they should immediately bring it to the notice of the IS and IT Departments with full details.
The user shall be solely responsible for any damage to or loss of IT assets, including laptops, and confidential information. The executive management of NMB Bank shall decide, in its sole discretion, on disciplinary action for such damage, depending on the seriousness of the incident.

5.3 Mobile Devices
Mobile devices include items such as laptops, tablet devices and smartphones. Unless specifically authorized, only mobile devices provided by the organization may be used to hold or process classified information. An organization-provided device is for business/official use only; it must not be shared with family or friends or used for personal activities.
Acceptable use of mobile devices:
- Users must not remove equipment or information from the organization's personal devices without appropriate approval.
- Users must take precautions to protect all mobile devices and computer media when carrying them outside the organization's premises, for example by not leaving a laptop unattended where it would invite opportunist theft.
- The device must not be connected to non-corporate networks such as public Wi-Fi or the internet unless a VPN (Virtual Private Network) is used.
- Users must not remove any identifying tags or labelling on the device, such as a company asset tag or serial number.
- Users shall ensure that the device is locked away when stored in an office rack or drawer and that the key is not easily accessible.
- Users should not add peripheral hardware to the device without approval.
- Where possible, the device will be secured so that all its data is encrypted and only accessible if the password is known. Some drives in mobile devices are encrypted for data security; users must not disable this encryption.
- Users using laptops or movable IT resources are responsible for protecting such IT resources from damage, loss, theft etc. as per the Laptop Security Guideline.
- Users handling sensitive or confidential information on mobile devices such as smartphones should protect such information and data from unauthorized access and data breaches by setting appropriate security measures on the device.
- Users handling portable/mobile devices should refer to and understand the Laptop Security Procedure.

5.4 Backup of Critical Files
Users shall keep backups of critical files on the shared drives allotted to them. If the user is travelling, the user can work on a laptop if one is provided by the Bank. As soon as the user is back in the office, he/she should copy the updated files onto the server.
Users should not directly share their files, directories or articles with other users. If sharing of files, directories or articles is necessary for coordination or effective functioning in the office, he/she should seek authorization from the respective Head of Department. Users should not share the Bank's confidential and internal-use files with external users through personal email or social sites.

5.5 Access Control
Users are responsible for the use and protection of their credentials, i.e. user account and password, access token or other items with which users are provided. Use strong passwords that comply with organization policies and take reasonable precautions to ensure that passwords are known only to the respective user, for example by not sharing passwords or writing them down. Users should not use the same password (or a close variation of it) for multiple user accounts.
Users must not use privileged user accounts (user accounts with higher-than-normal system access) for business-as-usual activities. Users shall never attempt to bypass or subvert system security controls or use them for any purpose other than that intended. Also, users must not connect unauthorized devices to the organization's network.

5.6 Classified Information
Users should ensure that they label any classified documents they create appropriately, according to published guidelines, so that the documents remain appropriately protected. Users should always protect any classified material that they send, receive, store or process according to the level of classification assigned to it, including both electronic and paper copies. Users should not send classified information over the internet via email or other methods unless appropriate measures (for example encryption) have been used to protect it from unauthorized access.
Users should securely store classified printed material and ensure it is correctly destroyed when no longer needed. On leaving the organization, the user must inform the line manager, prior to departure, of any important information held in the user's account or in a location to which the organization has no, or limited, access. Refer to NMB-ISSP-P-13 Information Classification Procedure for further details.

5.7 Electronic Messaging
Electronic messaging covers email and various forms of instant and store-and-forward messaging such as SMS texts, messaging apps, web chats and messaging facilities within social media platforms. The organization-provided electronic messaging facilities must always be used when communicating with others on official business. Users must not use a personal account for this purpose. All organization messages should be considered official communications from the organization and treated accordingly.
In particular, organization electronic messaging facilities must not be used for the activities mentioned below:
- Users should not use the e-mail service facility to send, receive, store or transmit any personal e-mails. If any such mails are received, users should immediately delete them from their computer system and at the same time inform the sender(s) not to send any such mails in future, as such actions are a violation of NMB Bank's Email Security Procedure.
- Users should not give out their corporate email ID on non-commercial web sites that ask them to register. This will reduce spam email in their mailbox.
- Distributing any offensive, obscene or indecent images, data or other material, or any data capable of being resolved into obscene or indecent images or material.
- Sending anything which is designed or likely to cause annoyance, inconvenience or needless anxiety to others.
- Transmitting material that either discriminates or encourages discrimination on the grounds of race, gender, sexual orientation, marital status, disability, or political or religious beliefs.
Electronic mail is not guaranteed to be private. Messages transmitted through the Bank's email system or network infrastructure are the property of the Bank and are therefore subject to inspection. The IS/IT Department shall monitor and escalate activity relating to suspicious email.
Users must provide their name and designation, along with the corporate disclaimer message, at the end of every email message they send.
Users shall not use the e-mail service for spamming. Spamming includes, but is not limited to:
- Bulk sending of unsolicited messages or the sending of unsolicited emails.
- Use of distribution lists.
- E-mail harassment of other Internet users, including but not limited to transmitting any abusive, bullying, threatening, libelous or obscene material, or material of any nature which could be deemed offensive and against the interests of NMB Bank.
Users should not use any third-party e-mail service from within NMB Bank's offices unless specifically allowed by the concerned authority. Users should not send any sensitive data outside NMB Bank without the express written approval of their Heads. If not sure, users should clarify with their immediate supervisor before any data is sent outside NMB Bank. Users must not share any sensitive data or payment card details such as the full card number (Primary Account Number or PAN), expiry date or security code (CVV2 etc.) through email or messaging platforms.
5.8 Internet Browsing
Users' Internet access on organization-owned devices is primarily provided for tasks reasonably related to work, including:
- Access to information and systems that are pertinent to fulfilling the organization's business obligations;
- The capability to post updates to organization-owned and/or maintained web sites and social media accounts;
- An electronic commerce facility (e.g. purchasing equipment/services for the Bank);
- Research and other tasks that are part of the job role.
The list below gives examples of "unsuitable" usage but is neither exclusive nor exhaustive. "Unsuitable" material includes data, images, audio files or video files whose transmission is illegal, and material that is against the rule, essence and spirit of this and other policies of the Bank.
- Internet access shall not be used for any illegal or unlawful purposes. Examples of this would be the transmission of violent, threatening, defrauding, pornographic, obscene or otherwise illegal or unlawful materials.
- The Bank's Internet connection shall not be used for commercial or political purposes.
- Internet access shall not be used for performing work for personal profit with the Bank's resources in a manner not authorized by the Bank.
- Users shall not attempt to circumvent or subvert security measures on the Bank's network resources or any other system connected to or accessible through the Internet.
- Bank users shall not use Internet access for interception of network traffic for any purpose unless engaged in authorized network administration.
- Bank users shall not make or use illegal copies of copyrighted material, store such copies on the Bank's equipment, or transmit these copies internally or externally.
- Bank users who need to access the Internet will be provided with Internet access by the IT Department upon approval of the Internet access form filled in by the requesting user.
- Bank users shall not download any shareware, freeware or other software from the Internet.
- Bank users shall not change the Internet connection settings by themselves.
- Bank users must not download audio or video files onto NMB Bank's network, as this will cause congestion in Internet traffic. Streaming of audio and video is also prohibited.
- Bank users should not use the Internet service to enter or attempt to enter any network in an unauthorized manner.
- No peer-to-peer application is allowed from or within the Bank's network without approval.
- Creating, downloading or transmitting material that is designed to annoy, harass, bully, inconvenience or cause needless anxiety to other people.
- Creating, downloading or transmitting data or material that is created for the purpose of corrupting or destroying other users' data or hardware.
- Bank users shall not allow any hotspot VPN service to run from their Bank desktop or laptop.
- Internet access on Bank-owned mobile devices such as laptops shall be controlled using VPN.
Access to the Internet through the Bank's network is controlled with strict guidelines concerning the appropriate use of this information resource. Users who violate the provisions outlined in this procedure are subject to disciplinary action as per the HR By-Laws. In addition, any inappropriate use that involves a criminal offense will result in legal action. All users must acknowledge receipt and understanding of the guidelines in this document.
5.9 Use of Social Media
The Bank makes extensive use of social media to communicate directly with customers as part of marketing activity and to communicate particular notices to customers, to provide support for products and services, and to obtain useful feedback on how the organization is perceived. Only authorized users shall have access to corporate social media accounts and may represent the organization to the public, and only if that is part of their job role. Only authorized accounts should be used to publish messages and respond to other users of relevant social media channels. Users shall not use their own personal accounts for responding to the public.
The Bank respects users' personal online activity as a medium of self-expression, but users shall remember that they have responsibilities to the organization outside of working hours. When using social media to engage on matters relevant to the organization, users must make it clear that the opinion expressed is their own and not that of the organization. Should anyone have a legitimate business need to access these sites, they should have a formal recommender and approver for the use of the social networking site for the Bank's purposes only, and the NMB-ISSP-F-24 Security Exceptions Authorization Form is to be recorded.

5.10 Clear Desk and Clear Screen
The following security measures must be followed for the clear desk and clear screen policy:
Clear Desk
- Sensitive or critical business information, e.g. on paper or on electronic storage media, must be secured when not required, especially when the office is vacated at the end of the workday.
- Paper containing sensitive or classified information must be removed from printers and faxes immediately. Faxes and printers used to print sensitive information should not be kept in public areas.
- When documents containing sensitive information are being printed, the user must ensure the proper printer is chosen and go directly to the printer to retrieve them.
- Sensitive information on paper or electronic storage media that is to be shredded must not be left in unattended boxes or bins to be handled later, and must be secured until it can be shredded.
- Files and documents containing sensitive information and personal identifiable information (PII) must be locked away in their proper place before leaving the office at EOD.
Clear Screen
- Whenever unattended or not in use, all computing devices must be left logged off or password protected.
- When viewing sensitive information on a screen, users should be aware of their surroundings and should ensure that third parties are not permitted to view the sensitive information.
- All active application sessions should be terminated upon completion of the work.
- Users must keep the desktop of their PC/laptop clean by clearing unwanted files and saving confidential information in separate folders.

5.11 Unacceptable Use
The following list is not intended to be exhaustive but is an attempt to provide a framework for activities that constitute unacceptable use. Users, however, may be exempted from one or more of these restrictions during their authorized job responsibilities, after approval from management.
Unacceptable use includes, but is not limited to, the following:
- Unauthorized use or disclosure of organization information and resources;
- Distributing, transmitting, posting or storing any electronic communications, material or correspondence that is threatening, obscene, harassing, pornographic, offensive, defamatory, discriminatory, inflammatory, illegal, or intentionally false or inaccurate;
- Connecting unapproved devices to the organization's network or any IT resource;
- Connecting organizational IT resources to unauthorized networks;
- Connecting to any wireless network while physically connected to the organization's wired network;
- Using the organization's IT resources to circulate unauthorized solicitations or advertisements for non-organizational purposes, including religious, political or not-for-profit entities;
- Providing unauthorized third parties, including family and friends, access to the organization's IT assets, information, resources or facilities;
- Tampering with, disengaging or otherwise circumventing the organization's or a third party's IT security controls;
- Using public WiFi without VPN on the laptop;
- Not applying the latest security updates and tools such as antivirus on the computing device;
- Auto-forwarding official email to a personal mailbox;
- Not using 2FA on administrative profiles/accounts.

6 Policy Compliance
6.1 Compliance
It is the responsibility of the Authorized User to ensure compliance with the process above. The Information Security Department will randomly verify compliance with the process through various methods, including but not limited to business tool reports, internal and external audits, log reviews and audit trails, and report to the CRO/CISC.
6.2 Exception
Any exception to the process must be as per NMB-ISSP-F-24 Security Exception Authorization Form.
6.3 Non-Compliance
An employee found to have violated this procedure may be subjected to disciplinary action as per the HR By-Laws.