Professional Documents
Culture Documents
ICT Security
ICT Security
ForScheduledBanksandFinancialInstitutions
April,2010
Version2.0
BangladeshBank
TechnicalTeam
Coordinator
SalimaKhatun
SeniorSystemsAnalyst
ITOperation&CommunicationDepartment
BangladeshBank
Members
MohammedIshaqueMiah
SystemsAnalyst
ITOperation&CommunicationDepartment
BangladeshBank
Md.RaihanUddin
JointDirector
DepartmentofBankingInspection1
BangladeshBank
ManojKumarHowlader
JointDirector
ForeignExchangeInspection&VigilanceDepartment
BangladeshBank
JayantaKumarBhowmick
Programmer
ITOperation&CommunicationDepartment
BangladeshBank
Md.LutfulHaidarPasha
AssistantDirector
BankingRegulationsandPolicyDepartment
BangladeshBank
MuhammedAnwarulIslam
SeniorAssistantVicePresident&HeadofITSecurity
EasternBankLimited
Sk.ZaminurRahman
SeniorSystemsAnalyst
InformationTechnologySystemDepartment
JanataBankLimited
ANMKamrulIslam
RelationshipManager(IT)
StandardCharteredBank
M.AsheqRahman
VicePresident
HeadofRegulatory&InternalControl
BRACBankLimited
Md.MashuqurRahman
SeniorPrincipalOfficer
ITDivision
ABBankLimited
Contents
CHAPTER1......................................................................................................................................1
1.
Introduction........................................................................................................................................1
1.1 Scope....................................................................................................................................................1
1.2 Objectives.............................................................................................................................................2
1.3 Categorizationofbanks/branches/unitsdependingonICTOperation................................................2
CHAPTER2......................................................................................................................................4
2.
ICTSecurityManagement...................................................................................................................4
2.1 ICTSecurityPolicy................................................................................................................................4
2.2 Documentation.....................................................................................................................................5
2.3 InternalInformationSystemAudit......................................................................................................5
2.4 TrainingandAwareness.......................................................................................................................6
2.5 InsuranceorRiskCoverageFund.........................................................................................................6
2.6 ProblemManagement..........................................................................................................................6
2.7 RiskManagement.................................................................................................................................6
CHAPTER3......................................................................................................................................8
3.
ICTOperationManagement................................................................................................................8
3.1 ChangeManagement...........................................................................................................................8
3.2 AssetManagement..............................................................................................................................8
3.3 OperatingProcedures..........................................................................................................................9
3.4 RequestManagement..........................................................................................................................9
CHAPTER4....................................................................................................................................10
4.
PhysicalSecurity...............................................................................................................................10
4.1 PhysicalSecurityforTier1.................................................................................................................10
4.1.1 DataCenterAccess....................................................................................................................10
4.1.2 EnvironmentalSecurity..............................................................................................................11
4.1.3 FirePrevention..........................................................................................................................12
4.2 PhysicalSecurityforTier2.................................................................................................................13
4.2.1 ServerRoomAccess...................................................................................................................13
4.2.2 EnvironmentalSecurity..............................................................................................................13
4.2.3 FireProtection...........................................................................................................................14
4.3 PhysicalSecurityforTier3.................................................................................................................14
4.3.1 ComputerRoomAccess.............................................................................................................14
4.3.2 EnvironmentalSecurity..............................................................................................................14
4.3.3 FireProtection...........................................................................................................................14
4.4 PhysicalSecurityforDesktopandLaptopComputers........................................................................15
CHAPTER5....................................................................................................................................17
5.
InformationSecurityStandard..........................................................................................................17
5.1 AccessControlforInformationSystems............................................................................................17
5.1.1 UserIDMaintenance.................................................................................................................17
5.1.2 PasswordControl.......................................................................................................................17
5.1.3 InputControl.............................................................................................................................18
5.2 NetworkSecurity................................................................................................................................18
5.3 DataEncryption..................................................................................................................................19
5.4 VirusProtection..................................................................................................................................19
5.5 Internetandemail.............................................................................................................................19
5.6 TransactionsthroughAlternativeChannels.......................................................................................20
5.6.1 ServicesthroughMobile............................................................................................................20
5.6.2 InternetBanking........................................................................................................................21
5.6.3 PaymentCards...........................................................................................................................22
CHAPTER6....................................................................................................................................24
6.
SoftwareDevelopmentandAcquisition.............................................................................................24
6.1 InhouseSoftware..............................................................................................................................24
6.2 OutsourcedSoftware.........................................................................................................................25
6.2.1 VendorSelection.......................................................................................................................25
6.2.2 SoftwareDocumentation...........................................................................................................25
6.2.3 OtherRequirements..................................................................................................................26
CHAPTER7....................................................................................................................................27
7.
BusinessContinuityandDisasterRecoveryPlan................................................................................27
7.1 BusinessContinuityPlan(BCP)...........................................................................................................27
7.2 DisasterRecoveryPlan(DRP).............................................................................................................28
7.3 BackupandRestorePlan(BRP)..........................................................................................................28
CHAPTER8....................................................................................................................................30
8.
ServiceProviderManagement...........................................................................................................30
8.1 ServiceLevelAgreement(SLA)...........................................................................................................30
8.2 Outsourcing........................................................................................................................................31
8.3 CrossborderSystemSupport.............................................................................................................31
GLOSSARYANDACRONYMS.....................................................................................................32
ANNEXURE1.................................................................................................................................35
ANNEXURE2.................................................................................................................................36
ANNEXURE3.................................................................................................................................37
ANNEXURE4.................................................................................................................................38
Chapter1
1.
Introduction
The banking industry has changed the way they provide services to
their customers and process information in recent years. Information
and Communication Technology (ICT) has brought about this
momentous transformation. Security of Information for a financial
institutionhasthereforegainedmuchimportance,anditisvitalforus
to ensure that the risks are properly identified and managed.
Moreover, information and information technology systems are
essentialassetsforthebanksaswellasfortheircustomersandstake
holders.Informationassetsarecriticaltotheservicesprovidedbythe
bankstotheircustomers.Protectionandmaintenanceoftheseassets
are critical to the organizations sustainability. Banks must take the
responsibilityofprotectingtheinformationfromunauthorizedaccess,
modification,disclosureanddestruction.
BangladeshBankhaspreparedaGuidelineforICTSecurityforbanks&
FIs to be used as a minimum requirement and as appropriate to the
levelofcomputerizationoftheiroperations.
1.1
Scope
ThisICTSecurityGuidelineisasystematicapproachtopoliciesrequired
tobeformulatedforensuringsecurityofinformationandinformation
systems.
ThisGuidelinecoversallinformationthatareelectronicallygenerated,
received, stored, printed, scanned, and typed. The provisions of this
Guidelineareapplicablefor:
Scheduledbanks&FIsforalloftheirInformationSystems.
1|Page
1.2
Objectives
ThisGuidelinedefinestheminimumrequirementstowhicheachbank
mustadhere.TheprimaryobjectivesoftheGuidelineare:
TohelpthebanksandFIsforsecuredandstablesetupofitsICT
platform
Toestablishasecuredenvironmentfortheprocessingofdata
Toidentifyinformationsecurityrisksandtheirmanagement
Toprioritizeinformationandinformationsystemsthoseneedto
beprotected
ToawareandtraintheusersassociatedwithmanagingtheICT
infrastructure
Toensurethebestpractices(industrystandard)oftheusageof
ICTthatisnotlimitedtothisguideline.
1.3
Categorizationofbanks/branches/unitsdependingonICT
Operation
ThelocationsforwhichtheICTSecurityGuidelineisapplicablei.e.,the
Head Office, Zonal Office, Branch and/or Booth/Unit of a bank or FI
may be categorized into three tiers depending on their ICT setup and
operationalenvironment/proceduresas:
Tier1:
2|Page
Tier2:
HeadOffice,ZonalOffice,BranchorboothhavingServer
to which all or a part of the computers of that locations
areconnectedthroughLAN.
Tier3:
TheproposedICTSecurityGuidelinewillbeapplicableforallthethree
tiersifnotmentionedotherwise.
3|Page
Chapter2
2.
ICTSecurityManagement
ICT Security Management must ensure that the ICT functions and
operations are efficiently and effectively managed. They should be
awareofthecapabilitiesofICTandbeabletoappreciateandrecognize
opportunities and risks of possible abuses. They have to ensure
maintenanceofappropriatesystemsdocumentations,particularlyfor
systems,whichsupportfinancialreporting.Theyhavetoparticipatein
ICTsecurityplanningtoensurethatresourcesareallocatedconsistent
with business objectives. They have to ensure that sufficient and
qualified technical staffs are employed so that continuance of the ICT
operationareaisunlikelytobeseriouslyatriskalltimes.
2.1
ICTSecurityPolicy
2.1.1
This document provides the guideline for Information System and its
secured usage for the banks. It establishes general requirements and
responsibilitiesforprotectingInformationandInformationSystem.The
policy covers common technologies such as computers & peripherals,
data and network, web system, and other specialized ICT resources.
The banks delivery of services depends on availability, reliability and
integrity of its information technology system. Therefore, each bank
mustadoptappropriatemethodstoprotectitsinformationsystem.The
senior management of the bank must express a commitment to ICT
securitybycontinuouslyincreasingawarenessandensuringtrainingof
thebank'sstaff.
The policy will require regular update to cope with the evolving
changes in the ICT environment both within the bank and overall
industry.
4|Page
2.1.2
2.2
Documentation
2.2.1
Thefollowingshallbedocumented:
a) OrganogramchartforICTdepartment/division(centralized/
decentralized)
b) BranchorganogramwiththeICTsupportunit/section/personnel
(Business/ICT)
c) Jobdescription(JD)foreachindividualwithinICTdepartment/
division
d) Ascheduledrosterforpersonneldoingshiftingduties
e) SegregationofdutiesforITtasks
f) Fallbackplansforvariouslevelsofsystemsupportpersonnel
2.3
InternalInformationSystemAudit
2.3.1
InternalInformationSystemAuditshallbecarriedoutbyInternalAudit
orrelevantDepartment(otherthanICTDepartment).
2.3.2
2.3.3
2.3.4
5|Page
2.4
2.4.1
2.4.2
TrainingandAwareness
Bank shall ensure that all relevant personnel are getting proper
training,education,updatesandawarenessoftheICTsecurityactivities
asrelevantwiththeirjobfunction.
2.5
InsuranceorRiskCoverageFund
2.5.1
Adequateinsurancecoverageorriskcoveragefundshallbemaintained
sothatcostsoflossand/ordamageofthehardwareassetsrelatedto
ICTcanbemitigated.
2.6
ProblemManagement
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.7
Problemfindingsandactionstepstakenduringtheproblemresolution
processshallbedocumented.
Processshallbeestablishedtoreviewandmonitortheincidents.
RiskManagement
2.7.1
2.7.2
6|Page
2.7.3
Theriskmanagementprocessshallinclude:
a) Adescriptionandassessmentoftheriskbeingconsideredand
acceptedforacknowledgementbytheowneroftherisk;
b) Identificationofmitigationcontrols;
c) Formulationofaremedialplantoreducetherisk;
d) Approvaloftheriskacknowledgementfromtheownerofthe
riskandseniormanagement.
7|Page
Chapter3
3.
ICTOperationManagement
3.1
ChangeManagement
3.1.1
Auditlogsofchangesshallbemaintained.
3.1.2
3.1.3
3.1.4
3.2
AssetManagement
3.2.1
Assetinventorymustbereviewedatleastonceayear.
3.2.2
3.2.3
3.2.4
3.2.5
8|Page
Bankmustcomplywiththetermsofallsoftwarelicensesandmustnot
use any software that has not been legally purchased or otherwise
legitimatelyobtained.
3.2.6
3.2.7 Softwareusedinanycomputermustbeapprovedbytheauthority.Use
of unauthorized or pirated software must strictly be prohibited
throughout the bank. Random checks shall be carried out to ensure
compliance.
3.3
3.3.1
3.3.2
3.3.2
OperatingProcedures
Operating procedures shall be documented, maintained and available
fortheusersrelatedtotheirjobfunction.
Operatingproceduresshallcoverthefollowingswhereappropriate:
a) Documentationonhandlingofdifferentprocesses;
b) Documentationonschedulingprocesses,systemstartup,close
down,restartandrecovery(centralized/decentralized);
c)
Documentationonhandlingofexceptionconditions;
d)
Schedulesystemmaintenance.
3.4
RequestManagement
3.4.1
9|Page
ToavailanyservicerelatedtoICT,aformalrequestprocessmustbe
established.AsampleformhasbeenprovidedinAnnexure4.
Chapter4
4.
PhysicalSecurity
4.1
PhysicalSecurityforTier1
4.1.1
DataCenterAccess
4.1.1.1
4.1.1.2
4.1.1.3
4.1.1.4
4.1.1.5
4.1.1.6
4.1.1.7
4.1.1.8
10 | P a g e
Physicalsecurityshallbeappliedtotheinformationprocessingareaor
DataCenter.
DataCentermustbearestrictedareaandunauthorizedaccessshallbe
prohibited.
EntranceintotheDataCentershallberestricted.
Access authorization procedures shall exist and be applied to all
persons (e.g. employees and vendors). Unauthorized individuals and
cleaningcrewsmustbeescortedduringtheirstayintheDataCenter.
Accessauthorizationlistshallbemaintainedandreviewedperiodically
fortheauthorizedpersontoaccesstheDataCenter.
Access log with date, time and purpose shall be maintained for the
vendors,serviceprovidersandvisitorsenteredintotheDataCenter.
Securityguardshallbeavailablefor24hours.
Emergencyexitdoorshallbeavailable.
4.1.2
4.1.2.1
4.1.2.2
4.1.2.3
4.1.2.4
4.1.2.5
4.1.2.6
4.1.2.7
4.1.2.8
4.1.2.9
4.1.2.10
4.1.2.11
4.1.2.12
11 | P a g e
EnvironmentalSecurity
Protection of Data Center from the risk of damage due to fire, flood,
explosionandotherformsofdisastershallbedesignedandapplied.To
buildDataCenterandDisasterRecoverySiteinmultitenantfacilitated
buildingisdiscouraged.
4.1.2.13
4.1.2.14
Thefollowingenvironmentalcontrolsshallbeinstalled:
a)
b)
c)
d)
e)
f)
g)
h)
UninterruptedPowerSupply(UPS)withbackupunits
BackupPowerSupply
Temperatureandhumiditymeasuringdevices
WaterleakageprecautionsandwaterdrainagesystemfromAir
Conditioner
Air conditioners with backup units. Industry standard cooling
systemmaybeintroducedtoavoidthewaterleakageandfaults
in the water drainage system with the conventional air
conditioningsystem.
Emergencypowercutoffswitcheswhereapplicable
Emergencylightingarrangement
Dehumidifierforhumiditycontrol
4.1.3
4.1.3.1
4.1.3.2
4.1.3.3
4.1.3.4
4.1.3.5
12 | P a g e
FirePrevention
Wall,ceilinganddoorofDataCentershallbefireresistant.
Firesuppressionequipmentsshallbeinstalled.
Automatic fire alarming system shall be installed and tested
periodically.
Thereshallbefiredetectorbelowtheraisedfloor,ifitisraised.
ElectricanddatacablesintheDataCentermustmaintainaqualityand
beconcealed.
4.1.3.6
AnyflammableitemsshallnotbekeptintheDataCenter.
4.2
PhysicalSecurityforTier2
4.2.1
4.2.1.1
4.2.1.2
4.2.1.3
ServerRoomAccess
Server room must have a glass enclosure with lock and key with a
responsiblepersonoftheBranch.
Physical access shall be restricted, visitors log must exist and to be
maintainedforserverroom.
Accessauthorizationlistmustbemaintainedandreviewedonregular
basis.
4.2.2
4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4
4.2.2.5
4.2.2.6
4.2.2.7
4.2.2.8
13 | P a g e
EnvironmentalSecurity
Server must have password protected screen saver that shall be
activatedafteraperiodasperbank'spolicy.
Thereshallbeaprovisiontoreplacetheserverwithinshortestpossible
timeincaseofanydisaster.
Serverroomshallbeairconditioned.
Water leakage precautions and water drainage system from Air
Conditionershallbeinstalled.
Power generator shall be in place to continue operations in case of
powerfailure.
UPS shall be in place to provide uninterrupted power supply to the
server.
Proper attention must be given on overloading electrical outlets with
toomanydevices.
Channelalongsidethewallshallbepreparedtoallowallthecablingto
beinneatandsafepositionwiththelayoutofpowersupplyanddata
cables.
4.2.2.9
4.2.2.10
Properearthingofelectricityshallbeensured.
Addressandtelephoneormobilenumbersofallcontactpersons(e.g.
fire service, police station, service providers, vendors and all ICT/
responsiblepersonnel)mustbeavailabletocopewithanyemergency
situation.
4.2.3
4.2.3.1
4.2.3.2
FireProtection
Powersupplymustbeswitchedoffbeforeleavingtheserverroom.
Fireextinguishershallbeplacedoutdooroftheserverroom.Thismust
bemaintainedandcheckedonanannualbasis.
4.3
PhysicalSecurityforTier3
4.3.1
ComputerRoomAccess
4.3.1.1
4.3.1.2
4.3.2
4.3.2.1
4.3.3
4.3.3.1
4.3.3.2
4.3.3.3
14 | P a g e
EnvironmentalSecurity
PCmusthavepasswordprotectedscreensaverwhichshallbeactivated
afteraperiodasperbank'spolicy.
FireProtection
Preventive measures shall be taken to protect computer room from
shortcircuits.
PowerandotherconnectingcablesforPCsmustbekeptsecuredfrom
physicaldamage.
Power supply of the PC shall be switched off before leaving the
branch.
4.3.3.4
4.3.3.5
Fire extinguishers with expiry date shall be placed beside the power
distributionboard.Thismustbemaintainedandcheckedonanannual
basis.
Properearthingofelectricityshallbeensured.
4.4
PhysicalSecurityforDesktopandLaptopComputers
4.4.1
4.4.2
4.4.3
Passwordprotectedscreensavershallbeusedtoprotectdesktopand
laptopfromunauthorizedaccess.
4.4.4
Laptopcomputersthatstoreconfidentialorsensitiveinformationmust
haveencryptiontechnology.
4.4.5
Desktopandlaptopcomputersandmonitorsshallbeturnedoffatthe
endofeachworkday.
4.4.6
Laptopcomputers,computermediaandanyotherformsofremovable
storage(e.g.diskettes,CDROMs,zipdisks,PDAs,flashdrives)shallbe
storedinasecuredlocationorlockedcabinetwhennotinuse.
4.4.7
4.4.8
4.4.9
Desktop and laptop computer users shall not write, compile, copy,
knowingly propagate, execute, or attempt to introduce any computer
code designed to selfreplicate, damage, or otherwise hinder the
performanceofanycomputersystem(e.g.virus,worm,Trojanetc).
4.4.10
Anykindofvirusesshallbereportedimmediately.
4.4.11
Virusesshallnotbedeletedwithoutexpertassistanceunlessotherwise
instructed.
4.4.12
Useridentification(ID)andauthentication(password)shallberequired
toaccessalldesktopsandlaptopswheneverturnedonorrestarted.
15 | P a g e
4.4.13
Standardvirusdetectionsoftwaremustbeinstalledonalldesktopand
laptopcomputersandshallbeconfiguredtocheckfileswhenreadand
routinelyscanthesystemforviruses.
4.4.14
Desktopandlaptopcomputersshallbeconfiguredtologallsignificant
computer security relevant events. (e.g. password guessing,
unauthorized access attempts or modifications to applications or
systemssoftware.)
4.4.15
All computers shall be placed above the floor level and away from
windows.
16 | P a g e
Chapter5
5.
InformationSecurityStandard
TheobjectiveofthischapteristospecifyInformationSecurityPolicies
and Standards to be adopted by all scheduled banks in Bangladesh
usingInformation and Communication Technology for servicedelivery
and data processing. This chapter covers the basic and general
information security controls applicable to all functional groups of a
businesstoensurethatinformationassetsareprotectedagainstrisk.
5.1
AccessControlforInformationSystems
5.1.1
UserIDMaintenance
5.1.1.1
5.1.1.2
5.1.1.3
5.1.1.4
5.1.1.5
5.1.2
5.1.2.1
5.1.2.2
5.1.2.3
17 | P a g e
EachusermusthaveauniqueUserIDandavalidpassword.
UserIDshallbelockedupafter3unsuccessfulloginattempts.
UserIDandpasswordshallnotbesame.
UserIDMaintenanceformwithaccessprivilegesshallbedulyapproved
bytheappropriateauthority.
Access privileges shall be changed/ locked within 24 hours or as per
bank'spolicywhenusers'statuschangedoruserleftthebank.
PasswordControl
5.1.2.4
5.1.2.5
Passwordhistorymaintenanceshallbeenabledinthesystemtoallow
samepasswordstobeusedagainafteratleast4times.
5.1.2.6
Session timeout period for users shall be set in accordance with the
bank'sPolicy.
5.1.2.7
5.1.2.8
5.1.3
InputControl
5.1.3.1
5.1.3.2
5.1.3.3
Softwareshallnotallowthesameusertobebothmakerandchecker
of the same transaction. Management approval must be in place for
delegationofauthority.
AudittrailmustbeclearlymarkedwithUserIdanddatetimestamp.
The system shall be restricted from being accessed especially in
sensitivedata/fields.
5.2
NetworkSecurity
5.2.1
5.2.2
Physicalsecurityforthenetworkequipmentsshallbeensured.
Specifically:
a) Accessshallberestrictedandcontrolled.
b)
Networkequipmentsshallbehousedinasecureenvironment.
5.2.3
18 | P a g e
Groupsofinformationservices,users,andinformationsystemsshallbe
segregatedinnetworks,e.g.VLAN.
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
Firewallshallbeinplaceonthenetworkforanyexternalconnectivity.
RedundantcommunicationlinksshallbeusedforWAN.
Thereshallbeasystemtodetectunauthorizedintruderinthenetwork.
Connection of personal laptop to office LAN or any personal wireless
modemwiththeofficelaptop/desktopmustbesecured.
5.3
5.3.1
DataEncryption
Mechanism shall be in place to encrypt and decrypt sensitive data
travellingthroughWANorpublicnetwork.
5.4
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.5
VirusProtection
Antivirus software shall be installed in each server and computer
whetheritisconnectedtonetworkornot.
Virusautoprotectionmodeshallbeenabled.
Allcomputersinthenetworkshallgetupdatedsignatureofantivirus
softwareautomaticallyfromtheserver.
Bank may arrange awareness program for the users about computer
virusesandtheirpreventionmechanism.
Internetandemail
5.5.1
19 | P a g e
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.7
Emailsystemandinternetshallbeusedaccordingtothebank'spolicy.
Concerneddepartmentshallperformregularreviewandmonitoringof
emailservice.
Usersshallnotuseprofanities,obscenities,orderogatoryremarksine
mail messages regarding employees, customers, competitors, or
others.
Allattachmentswiththeincomingemailmessagesshallbemonitored
especiallyforviruses.
Mailservermusthavelatestantivirussignature.
5.6
TransactionsthroughAlternativeChannels
5.6.1
ServicesthroughMobile
5.6.1.1
5.6.1.2
5.6.1.3
5.6.1.4
20 | P a g e
b)
c)
5.6.1.5
5.6.1.6
5.6.2
InternetBanking
5.6.2.1
Informationinvolvedininternetbankingpassingoverpublicnetworks
shall be protected from fraudulent activity, contract dispute, and
unauthorized disclosure and modification. Therefore, bank shall
establishfollowingcontrolprocedures:
IbankingstandardsshallbeincludedintheBank'sICTSecurityPolicy.
5.6.2.2
NetworkandDatabaseadministratorshallensurethesecurityissuesof
Ibanking.
5.6.2.3
5.6.2.4
Bankshallensurerealtimesecuritylogforunauthorizedaccess.
5.6.2.5
BankshalldefinetechnologysecurityprotocolsforIbankingsolutions
like PKI (Public Key Infrastructure), SSL (Secured Socket Layer), 2FA
(TwoFactorAuthentication),RSA,VASCOetc.
5.6.2.6
21 | P a g e
5.6.2.7
Theinformationsecurityofficer,systemauditororanyotherconcerned
shall undertake periodic penetration tests of the system, which may
include:
a)
b)
c)
d)
e)
f)
g)
h)
Attemptingtoguesspasswordsusingpasswordcrackingtools.
Searchingforbackdoortrapsintheprograms.
Attempting to overload the system using DDoS (Distributed
DenialofService)&DoS(DenialofService)attacks.
Checking of commonly known holes in the software, especially
thebrowserandtheemailsoftwareexist.
Checkingtheweaknessesoftheinfrastructure.
Takingcontrolofports.
Causeapplicationcrash.
Injectingmaliciouscodestoapplicationanddatabaseservers.
5.6.2.8
All applications of bank shall have proper record keeping facilities for
legal purposes. Bank may keep all received and sent messages in
restrictedform.
5.6.2.9
5.6.3
5.6.3.1
22 | P a g e
PaymentCards
Bank providing the payment card services must comply with the
industrysecuritystandards,e.g.Payment CardIndustryDataSecurity
Standard(PCIDSS)toensurethesecurityofcardholder'sdata.ThePCI
DSSincludesfollowingrequirementsforsecuritymanagement,policies,
procedures, network architecture, software design and other
protectivemeasures:
PINs used in transactions shall be processed using equipment and
methodologiestoensurethattheyarekeptsecured.
5.6.3.2
CryptographickeysusedforPINencryption/decryptionandrelatedkey
managementshallbecreatedusingprocessestoensurethatitisnot
possible to predict any key or determine that certain keys are more
probablethanotherkeys.
5.6.3.3
5.6.3.4
5.6.3.5
5.6.3.6
Keysshallbeadministeredinasecuredmanner.
5.6.3.7
23 | P a g e
Chapter6
6.
SoftwareDevelopmentandAcquisition
For any new application or function for the bank requires analysis
beforeacquisitionorcreationtoensurethatbusinessrequirementsare
met in an effective and efficient manner. This process covers the
definition of needs, consideration of alternative sources, review of
technological and economic feasibility, execution of risk analysis and
costbenefit analysis and conclusion of a final decision to 'make' or
'buy'.
6.1
InhouseSoftware
6.1.1
6.1.2
6.1.3
6.1.4
Applicationsecurityandavailabilityrequirementsshallbeaddressed.
Developed functionality in the application shall be in accordance with
designspecificationanddocumentation.
6.1.5
6.1.6
Source code shall contain title area, the author, date of creation, last
dateofmodificationandotherrelevantinformation.
6.1.7
6.1.8
SystemdocumentationandUserManualshallbepreparedandhanded
overtotheconcerneddepartment.
6.1.9
24 | P a g e
6.2
OutsourcedSoftware
All the software procured and installed by the bank shall have legal
licensesandrecordofthesameshallbemaintainedbytherespective
unit/departmentoftheBank.
6.2.1
6.2.1.1
6.2.1.2
6.2.2
6.2.2.1
6.2.2.2
VendorSelection
There must be a core team comprising of personnel from Functional
Departments,ITDepartmentandInternalAuditDepartmentforvendor
selection.
Vendorselectioncriteriaforapplicationmustaddressthefollowing:
a) Marketpresence
b) Yearsinoperation
c) Technologyalliances
d) Extentofcustomizationandworkaroundsolutions
e) Performance&Scalability
f) Numberofinstallations
g) Existingcustomerreference
h) Supportarrangement
SoftwareDocumentation
Documentationofthesoftwareshallbeavailableandsafelystored.
Documentshallcontainthefollowings:
a)
b)
c)
25 | P a g e
Functionality
Securityfeatures
Interfacerequirementswithothersystems
d)
e)
f)
6.2.3
6.2.3.1
6.2.3.2
6.2.3.3
6.2.3.4
6.2.3.5
26 | P a g e
SystemDocumentation
InstallationManual
UserManual
OtherRequirements
There shall have a test environment to ensure the software
functionalitiesbeforeimplementation.
UserAcceptanceTest shallbecarriedoutandsignedoffbeforegoing
live.
Necessary Regulatory Compliance requirements for banking
proceduresandpracticesintheapplicationmustbetakenintoaccount
bytheBank.
Anybugsand/orerrorsfoundduetodesignflaws,mustbeescalatedto
higherlevelsinSoftwareVendorsorganizationandbank,andmustbe
addressedintime.
Support agreement must be maintained with the provider for the
softwareusedinproductionwiththeconfidentialityagreement.
Chapter7
7.
BusinessContinuityandDisasterRecoveryPlan
BCP shall also address the backup, recovery and restore process.
Keepingthisintoconsideration,thischaptercoversBusinessContinuity
Plan(BCP),DisasterRecoveryPlan(DRP)forcentralizedoperationand
BackupandRestorePlan(BRP)fordistributedoperation.
7.1
7.1.1
7.1.2
7.1.3
BusinessContinuityPlan(BCP)
BankmusthaveaBusinessContinuityPlanaddressingtherecoveryof
disastertocontinueitsoperation.
DocumentsrelatedtoBCPmustbekeptinasecuredoffsitelocation.
Onecopyshallbestoredintheofficeforreadyreference.
BCPshalladdressthefollowings:
a)
b)
c)
d)
7.1.4
27 | P a g e
BCPmustbetestedandreviewedregularlytoensuretheeffectiveness.
7.2
DisasterRecoveryPlan(DRP)
7.2.1
7.2.2
7.2.3
7.2.4
7.2.5
7.2.6
PhysicalandenvironmentalsecurityoftheDRsiteshallbemaintained.
Information security shall be maintained properly throughout the
recoveryprocess.
AnuptodateandtestedcopyoftheDRplanshallbesecurelyheldoff
site. DR plan shall exist for all the critical services where DR
requirementisapprovedbythebusiness.
7.2.7
DRtestshallbecarriedoutsuccessfullyatleastonceayear.
7.2.8
DRtestdocumentationshallincludeataminimum:
a) Scope,b)Plan,andc)TestResult.
7.3
BackupandRestorePlan(BRP)
7.3.1
7.3.2
7.3.3
7.3.4
Thereshallbeadocumentedbackupprocedure.
Bank shall ensure the safety and security of the backup copies of
informationfromnotbeingdamagedbynaturalcalamitiesandtheft(if
possibletobesentatoffsitelocation).
At least one copy of backup shall be kept onsite for the time critical
delivery.
Thebackupshallbedoneperiodicallyconsideringthecycleof:
a) Weekly,b)Monthly,c)Yearlyorasrequiredbyregulatoryauthority.
28 | P a g e
7.3.5
7.3.6
7.3.7
7.3.8
29 | P a g e
Chapter8
8.
8.1
ServiceProviderManagement
ServiceLevelAgreement(SLA)
8.1.1
8.1.2
8.1.3
8.1.4
ThereshallbeServiceLevelAgreementbetweenthevendorandbank.
The Annual Maintenance Contract (AMC) with the vendor shall be
activeandcurrentlyinforce.
Bank shall ensure that the equipment does not contain sensitive live
data when hardware is taken by the service provider for servicing/
repairing.
Service contracts with all service providers including thirdparty
vendorsshallinclude:
a)
b)
c)
d)
e)
f)
Pricing
Measurableservice/deliverables
Timing/schedules
Confidentialityclause
Contact person names (on daily operations and relationship
levels)
Roles and responsibilities of contracting parties including an
escalationmatrix
g)
h)
i)
j)
k)
Renewalperiod
Modificationclause
Frequencyofservicereporting
Terminationclause
Warranties, including service suppliers employee liabilities, 3rd
partyliabilitiesandtherelatedremedies
l)
30 | P a g e
Geographicallocationscovered
m) Ownershipofhardwareandsoftware
n) Documentation(e.g.logsofchanges,recordsofreviewingevent
logs)
8.2
Outsourcing
8.2.1
a)
b)
c)
8.2.2
ObjectivebehindOutsourcing
Economicviability
Risksandsecurityconcerns.
8.3
CrossborderSystemSupport
8.3.1
Thebankshallprovideofficialauthorization/assurancefromthegroup
ensuring the data availability and continuation of services for any
circumstances e.g. diplomacy changes, natural disaster, relationship
breakdown,discontinuityofservices,orothers.
8.3.2
31 | P a g e
GlossaryandAcronyms
2FA
TwoFactorAuthentication
AMC
AnnualMaintenanceContract
AML
AntiMoneyLaundering
BCP
BusinessContinuityPlan
BRP
BackupandRestorePlan
CCTV
CloseCircuitTelevision
CDROM
CompactDiskReadOnlyMemory
DC
DataCenter
DDoS
DistributedDenialofService
DoS
DenialofService
DR
DisasterRecovery
DRP
DisasterRecoveryPlan
DRS
DisasterRecoverySite
ElectronicMail
FIs
FinancialInstitutions
Ibanking
InternetBanking
ICT
InformationandCommunicationTechnology
IDS
IntrusionDetectionSystem
IPS
IntrusionPreventionSystem
IT
InformationTechnology
JD
JobDescription
32 | P a g e
LAN
LocalAreaNetwork
PCIDSS
PaymentCardIndustryDataSecurityStandard
PCs
PersonalComputers
PDA
PersonalDigitalAssistant
PIN
PersonalIdentificationNumber
PKI
PublicKeyInfrastructure
SDLC
SoftwareDevelopmentLifeCycle
SLA
ServiceLevelAgreement
SSL
SecuredSocketLayer
UAT
UserAcceptanceTest
UPS
UninterruptedPowerSupply
UserID
UserIdentification
VLAN
VirtualLocalAreaNetwork
WAN
WideAreaNetwork
33 | P a g e
Annexure
(Sample)
34 | P a g e
Annexure1
DispensationForm
Reference:
Date:
SectionI:RequesterInformation
BankName
Branch/DivisionName
Requestedby
Requestor'sDesignation
Requestor'sTelephone
RequestDate
:
:
:
:
:
:
SectionII:RiskOverview
Guidelinereference(Clause)anddescription:
.
.
RiskDetails(Process/Application/System/Product):
.
.
Justification:.
Planofmitigation:
.
.
MitigationDate:
SectionIII:Approvals
Theundersignedagreeandaccepttheriskdocumentedonthisform.
Name
Designation
Comments
Date
Signature&Seal
35 | P a g e
:
:
:
:
:
Annexure2
ChangeRequestForm
Reference:
Date:
SectionI:RequesterInformation
Branch/DivisionName
Submittedby
ChangeDescription
ChangePurpose
RequestDate
:
:
:
:
:
Signature&Seal
(Requester)
SectionII:Approvals
Signature&Seal
(HeadofBranch/Division)
Theundersignedagreeandacceptthechangedocumentedonthisform.
Name
Designation
Comments
Date
Signature&Seal
:
:
:
:
:
SectionIII:ImplementerDetails
Theundersignedhasimplementedtherequestedchangeonthisform.
ChangeReferenceNo.
:
DateofChangeImplementation:
ChangeImplementationDetails :
Waschangesuccessful?
Name
:
Designation
:
Signature&Seal :
36 | P a g e
YesNo
Annexure3
UserAcceptanceTest(UAT)
Reference:
Date:
Application/SystemName :
ChangeRequestReference:
TestScope(Detailplanoftest):
ExpectedResult
:
ActualResult
:
Comments
:
Signature&Seal :
37 | P a g e
Date :
Annexure4
RequestForm
Reference:
Date:
SectionI:RequesterInformation
Branch/DivisionName
Submittedby
ContactNo.
RequestDetails
Justification
RequestDate
:
:
:
:
:
:
Signature&Seal
(HeadofBranch/Division)
Signature&Seal
(Requester)
SectionII:Approvals
Theundersignedagreeandacceptthechangedocumentedonthisform.
Name
Designation
Comments
Date
Signature&Seal
:
:
:
:
:
SectionIII:ImplementerDetails
Theundersignedhasimplementedtherequestedchangeonthisform.
RequestReferenceNo.
:
DateofRequestImplementation :
RequestImplementationDetails:
WasRequestdonesuccessfully?
Name
:
Designation
:
Signature&Seal :
38 | P a g e
YesNo