
Information System Security Policy

Version No 3.0

Confidential and Proprietary


Document Release Notice:

Document Name:    SIB/IT/ISMS/POL/ISSP_v3.0
Date of release:  22-07-2021

Activity        Name
Prepared by     CISO Office
Reviewed by     Information Security Committee (ISC); IT Strategy Committee of Board (ITSCB)
Approved by     Board

Review milestone:
Review frequency  Annual

Document history:

Release no.  Release date  Details         Approved by
1.0          20-07-2013    First Release   Board
1.1          11-03-2014    Second Release  Board
1.2          25-08-2015    Third Release   Board
1.3          01-09-2016    Fourth Release  Board
1.4          10-10-2017    Minor Changes   Board
1.5          11-07-2018    Minor Changes   Board
1.5          21-09-2019    Review          Board
2.0          20-12-2019    Major Changes   Board
2.1          28-09-2020    Minor Changes   Board
3.0          22-07-2021    Major Change    Board

Version 3.0 Confidential and Proprietary 1 | Page


Contents

1 Policy Overview ... 4
1.1 Purpose ... 4
1.2 Scope and Applicability ... 4
1.3 Policy Review ... 4
1.4 Policy Exceptions ... 4
2 Policy Statements ... 5
2.1 Organization of Information Security ... 5
2.2 Access Management ... 16
2.3 Asset Management ... 21
2.4 Mobile Computing ... 23
2.5 Change Management ... 25
2.6 Patch Management ... 26
2.7 Cloud Security ... 28
2.8 Communication Security ... 31
2.9 Cryptography ... 35
2.10 Data Protection ... 36
2.11 HR Security ... 40
2.12 Security Incident Management ... 42
2.13 Information Security Compliance ... 45
2.14 Operations Security ... 48
2.15 Logging and Monitoring ... 52
2.16 Physical and Environmental Security ... 53
2.17 Risk Management ... 56
2.18 Information Systems Acquisition, Development and Maintenance ... 59
2.19 Third Party Security ... 63
2.20 Vulnerability Management ... 67
2.21 Customer Security and Awareness ... 68
3 Abbreviations ... 70


1 Policy Overview

1.1 Purpose
The purpose of this policy is to provide a framework to ensure the protection of Bank’s information assets,
and to allow the use, access and disclosure of such information in accordance with appropriate standards,
laws and regulations. This Information System Security Policy communicates management’s directives to
ensure consistent and appropriate protection of information throughout the bank.

1.2 Scope and Applicability


The security policies contained in this policy document have been established to cover information, data,
software, hardware and networks used by the Bank at all its branches and offices.
This security policy applies to any person (bank employees, system administrator/ in-charge, users,
auditors, contractors, consultants and third parties) who accesses information using the Bank’s
information systems.
The detailed procedures to be followed for complying with the Information Systems Security Policy shall
be documented and maintained. The applicable procedures shall be circulated to all relevant employees
of the Bank (including those in branches).

1.3 Policy Review


• Information security policies and procedures shall be reviewed every 12 months. In addition, the
information security policies and procedures shall be updated whenever organizational or
technological changes occur that specifically affect the bank's operations.
• Information security policies and procedures shall be reviewed by an external agency once in 5 years, or
as and when there is a major change in existing business processes or the IT environment affecting IS
policies and procedures.

1.4 Policy Exceptions


Bank shall take a restrictive approach on exceptions to the information security policies and procedures.
However, it is recognized that in limited circumstances exceptions may be appropriate:
• Any requests for exceptions to Information security policies and procedures shall be formally
submitted to CISO Office along with the business justification.
• Based on CISO opinion, the concerned department shall place the exception request before the Information
Security Committee (ISC).
• ISC reserves the right to approve or reject any exceptions at the level of Information Security policies and
procedures, and ISTC reserves the right to recommend or reject any exceptions to Information
Security policies and procedures before they are placed before ISC. Exceptions shall be based on a formal risk
assessment by CISO Office.
• Where exceptions are granted, the CISO shall review the adequacy of compensating controls.
• The concerned department shall ensure that all granted exceptions are revisited on a quarterly basis.

2 Policy Statements

2.1 Organization of Information Security

Purpose: The purpose of Organization of Information Security is to ensure that Bank's information assets
are protected in a manner that reduces the risk of unauthorized information disclosure, modification, or
destruction, whether accidental or intentional. This policy and the supporting Information
Security policies define the minimum security requirements that the bank must comply with.

Scope: The scope of the Bank’s Organization of Information Security policy extends to all functional areas
and applies to all users where the term “users” shall include employees, consultants, contractors,
temporary staff, affiliates, third party vendors, using bank systems.

2.1.1 Information Security Objectives

Bank recognizes that significant effort is required to prepare for and respond to the evolving Information
Security risk landscape. It is planning to focus on the following strategic security objectives to improve the
overall Information Security posture of the organization.

1. Alignment of information security with business strategy to support organizational
objectives.
2. Manage and mitigate risks and reduce potential impacts on information resources to an
acceptable level.
3. Manage performance of information security by measuring, monitoring and reporting
information security governance metrics to ensure that organizational objectives are
achieved.
4. Optimize information security investments in support of organizational objectives.
5. Define appropriate standards to ensure that the bank's information is secure at all times
and to create a foundation upon which sound internal control within the computerized
environment can be based.
6. Prevent unauthorized disclosure of information stored or processed on the bank’s
information systems (Confidentiality)
7. Prevent unauthorized accidental or deliberate alteration of information (Integrity)
8. Prevent unauthorized accidental or deliberate destruction or deletion of information
necessary for operations, with continuous availability of services in case of a
disaster (Availability).
9. Ensure that the data, transactions, communications or documents (electronic or physical)
are genuine (Authenticity).
10. Ensure that a party to a transaction cannot deny having received or having sent an
electronic record (Non-repudiation).
11. Ensure that all the subjects with access to the information assets of bank are identified,
authenticated, authorized, accountable and auditable (Identification, Authentication,
Authorization, Accountability and Auditability).
12. Establish mechanism to track compliance with relevant laws, regulations and international
standards on information security management such as ISO 27001.
Refer to ‘Security Objectives Planning and Tracking report’ for regular tracking of Information System
Security Policy objectives.

2.1.2 Statement of Board/Senior Management Commitment

Board/Senior Management recognizes the role of Information Security in accomplishing the Bank’s
mission and achieving the strategic goals and hence they shall treat Information Security with utmost
priority. The ultimate responsibility of Information Security lies with the Board/Senior Management.
Board/Senior Management is fully committed to maintaining high standards of security over information
assets by:
1. Setting up an information security governance framework consisting of the leadership,
organizational structure and processes that protect the bank's information and mitigate
growing information security threats
2. Ensuring that information security goals are identified, meeting the organizational
requirements, and are integrated in relevant processes
3. Formulating, reviewing, approving and facilitating the effective implementation of the
information security policies
4. Providing clear direction and visible management support for security initiatives
5. Providing the resources needed for information security
6. Approving assignment of specific roles and responsibilities for information security across
the organization
7. Providing adequate support to maintain information security awareness posture at bank
level.
8. Identifying the need for internal or external specialist information security advice, and
reviewing and coordinating the results of that advice throughout the organization. Depending on
the size of the bank, such responsibilities shall be handled by a dedicated management
forum or by an existing management body, such as the board of directors.
9. Encouraging employees to join special interest groups like SecurityFocus, SANS Institute,
CERT, ISACA etc. to stay up to date with the relevant security information.

2.1.3 Information Security Organization Structure

BOARD
  IT Strategy Committee of Board (ITSCB)
    MD & CEO
      Information Security Committee (ISC)
        CRO
          Information Security Technical Committee (ISTC)
            CISO                                 CIO
              Information Security Governance      IT Operations Department
              SOC                                  Digital Banking Department

The overall development and implementation of Information Security shall be supported by the
Information Security Committee (ISC). ISC shall be formed with terms of reference and CISO shall be the
member secretary of the committee. Reconstitution of ISC shall be approved by MD & CEO as and when
required.
The ISC shall comprise the following members:
1. Executive Vice President (Operations) - Chairman of ISC
2. Chief Credit Officer
3. Chief Information Officer (CIO)
4. Head - Human Resource Department
5. Head – Human Resource Technology
6. Head - Inspection & Vigilance Department
7. Head - Legal Department
8. Head - Customer Relationship Department
9. Chief Finance Officer (CFO)
10. Chief Risk Officer (CRO)
11. Head - IT Operations Department
12. Head - Digital Banking Department
13. Chief Compliance Officer (CCO)
14. Chief Security Officer (CSO)
15. Chief Information Security Officer (CISO)- Convener of ISC
Information Security Technical Committee (ISTC) is a subcommittee of ISC. Reconstitution of ISTC shall be
approved by the Chairman of ISC as and when required. The ISTC shall comprise the following members:
1. Chief Information Officer (CIO)
2. Head - IT Operations Department
3. Head - Digital Banking Department
4. Head - Inspection & Vigilance Department
5. Chief Risk Officer (CRO)
6. Chief Compliance Officer (CCO)
7. Chief Information Security Officer (CISO)- Convener of ISTC

Information security department shall consist of the following resources:

1. Chief Information Security Officer:
• A sufficiently senior level official, not less than the rank of AGM, shall be designated as
Chief Information Security Officer.
• CISO shall report directly to the ED or equivalent executive overseeing the risk
management function and shall not have a direct reporting relationship with the CIO.
However, the CISO shall have a working relationship with the CIO to develop the required
rapport to understand the IT infrastructure and operations and to build effective security
in IT across the bank, in tune with business requirements and objectives. CISO shall have
a robust working relationship with CRO to enable a holistic risk management approach.
• CISO shall have the requisite technical background and expertise and shall be appointed for
a reasonable minimum term.
2. Information Security Officer/s (ISMS): Bank shall appoint Information Security Officer as part of a separate
information security team to focus exclusively on information security management. There shall be
segregation of duties between the Information Security Team and the IT Department (IT Operations Dept and
Digital Banking Dept).
3. Information Security Coordinators: Bank shall appoint Information Security Coordinators as
part of a separate information security team to focus exclusively on information security
management.
4. Bank shall establish a Security Operations Center to manage, monitor, implement and drive the
cyber security related projects, and it shall report to CISO.
5. ISMS Internal / External Audit Team: Bank shall identify the Internal/External audit team
based on experience and requisite qualification.

2.1.4 Information Security Roles and Responsibilities

Role: Board of Directors / Senior Management
1. The Board shall be ultimately responsible for information security.
2. The Board / Senior management shall ensure effective management of risks, including information
security risks, by integrating information security governance in the overall enterprise governance
framework of the bank.
3. The Board shall be responsible for approving policy and ensuring appropriate monitoring of the
information security function.
4. Senior management shall be responsible for implementing the board-approved information security
policy, establishing necessary organizational processes for information security and providing
necessary resources for stronger information security.
5. Board shall establish an expectation for strong cyber security and ensure that all employees are made
aware of their information security responsibilities.
6. Board shall establish a structure for implementation of an information security program to enable a
consistent and effective solution, apart from ensuring the accountability of individuals for their
performance as it relates to cyber security.
7. Senior management shall ensure that adequate security systems are fully integrated into the IT
systems of the bank.
8. Senior management shall ensure that IT systems of the bank are classified based on the risk analysis
and that specific risk mitigation strategies are in place.

Role: Information Security Committee (ISC)
1. ISC shall authorize the implementation and operation of the Information Security Management System
(ISMS).
2. ISC shall approve information system security procedures for management of ISMS as defined in the
Document and Record Control Procedure.
3. ISC shall determine criteria for acceptable risk and approve residual risk.
4. ISC shall review the effective implementation and operation of ISMS and major initiatives to enhance
information security. ISC shall recommend new initiatives to improve information security as deemed
necessary.
5. ISC shall review the IS related audit findings and various information security assessments and ensure
that ISMS implementation of information security controls is coordinated across the organization.
6. ISC shall ensure that minutes of the Information Security Committee meeting capturing the
committee's activities and decisions are documented.
7. ISC shall ensure alignment of the security program with the bank's objectives.
8. ISC shall promote a culture that adheres to good security practices and compliance with information
system security policies.
9. ISC shall review and facilitate the implementation of information security policies and procedures to
ensure that all identified risks are managed within the bank's risk appetite.
10. ISC shall review, approve or reject any exceptions to IS policies and procedures as and when required.
11. ISC shall review, approve or reject any exceptions to IS Audit Observations on a quarterly basis.
12. ISC shall review the status of unusual cyber security incidents and the cybersecurity preparedness of
the bank.
13. ISC shall review the SOC operations on a quarterly basis.
14. ISC shall review the new developments or issues relating to information security as reported by ISTC.
15. ISC shall review the Business impact analysis (BIA) of all applications on a quarterly basis.

Role: Information Security Technical Committee (ISTC)
1. ISTC shall review and recommend or reject any exceptions to IS Audit Observations on a quarterly basis
before placing them before ISC.
2. ISTC shall review, recommend or reject any exceptions to IS policies and procedures as and when
required.
3. ISTC shall ensure that minutes of the ISTC meeting capturing the committee's activities and decisions
are documented.
4. ISTC shall assess the new developments or issues relating to information security.
5. ISTC shall review the IS related audit findings and various information security assessment reports
before placing them before ISC.

Role: Chief Information Officer (CIO)
1. The CIO shall be responsible to ensure operationalization of policies involving IT strategy, value
delivery, risk management, IT resource and performance management.
2. The CIO shall be responsible to work with the technology leadership and the business leadership to
embed information security into their products/applications.
3. The CIO shall manage and roll out new releases in consultation with the Information Security team to
ensure adequate information security in releases.

Role: Chief Information Security Officer (CISO)
1. The CISO shall be responsible for articulating, implementing and enforcing the information security
policies and procedures, apart from coordinating the security related issues / implementation within
the bank as well as with relevant external agencies.
2. The CISO shall be responsible for bringing to the notice of the Board/IT sub-committee of the board
the vulnerabilities and cyber security risk the bank is exposed to, by ensuring that periodic VA/PT, IS
audits and other relevant drills/tests are conducted.
3. The CISO shall ensure that current emerging cyber threats to the banking (including payment systems)
sector and the bank's preparedness in these aspects are discussed in relevant committees in which
CISO is present.
4. The CISO shall ensure competency for all personnel performing work affecting the ISMS.
5. The CISO shall ensure that CISO's office is adequately staffed with technically competent people, if
necessary through recruitment of specialist officers, commensurate with the business volume, extent
of technology adoption and complexity.
6. The CISO shall be an invitee to the IT Strategy Committee and IT Steering Committee.
7. The CISO shall determine the budget for IT security and CISO's office keeping in view the current /
emerging cyber threat landscape.
8. CISO may be a member of (or invited to) committees on operational risk where IT/IS risk is also
discussed.
9. The CISO shall obtain management support for security activities.
10. The CISO shall guide the Information Security Officer (ISMS) and team to implement and manage ISMS.
11. The CISO shall coordinate and report the Cyber security preparedness status to ISC, ITSCB and Board.
12. The CISO shall coordinate with the Information Security Officer (ISMS) to close gaps during ISMS
audits and provide status updates to the Information Security Committee.
13. The CISO shall coordinate the activities pertaining to Cyber Security Incident Response Teams (CSIRT)
within the bank, overseeing the security of information and information infrastructure at the bank.
14. The CISO shall act as the convener of the Incident and Event Review Committee (IERC), which will
periodically review the operational and cyber security incidents/events.
15. The CISO shall maintain IS policies and procedures and track any changes to the same.
16. The CISO shall ensure that information Security training is conducted, and security awareness is
created among staff and interested parties of the bank, in consultation with the Human Resource
Department.
17. The CISO shall develop cyber security KRIs and KPIs and get an independent assessment of the same,
including its coverage, at least on a quarterly basis.
18. The CISO shall approve and monitor information security projects and the status of information
security plans, establishing priorities and approving standards and procedures.
19. The CISO shall ensure that the size of the IS team is commensurate with the nature and size of
activities of the bank, including the variety of e-banking systems and delivery channels of the bank.

Role: Head - IT Operations and Digital Banking Departments (IT Ops & DB)
1. The Head- ITOD & DBD shall be responsible to implement information security controls defined by the
Board/ISC/ISTC/CISO.
2. The Head- ITOD & DBD shall ensure that the respective stakeholders in their departments record/log
any suspected or actual security incidents, and also ensure that such incidents are reported promptly
to CISO Office.
3. The Head- ITOD & DBD shall ensure that relevant and appropriate logs of information assets under their
control are integrated into SOC.
4. The Head- ITOD & DBD shall ensure that the employees in their departments have awareness of
security responsibilities, including reporting of any incidents/events.
5. The Head- ITOD & DBD shall ensure that appropriate corrective and preventive actions are taken for
incidents/events.
6. The Head- ITOD & DBD shall monitor the adherence with bank's information security policies,
procedures and baseline documents.
7. The Head- ITOD & DBD shall ensure the closure of all audit findings under their respective areas.
8. The Head- ITOD & DBD shall ensure that the information asset register/inventory is reviewed on an
annual basis.
9. The Head- ITOD & DBD shall ensure that BCP/DR activities are planned and conducted for their
respective functions.

Role: Information Security Team (IS Governance)
1. The IS Team shall be adequately resourced in terms of the number of staff and level of skills.
2. The information security group/team shall be an in-house function, and information security
governance related structures shall not be outsourced. Specific operational components relating to
information security shall be outsourced if the required resources are not available within the bank.
However, the ultimate control and responsibility shall rest with the bank.
3. The IS Team shall assist and coordinate with the Information Security Officer (ISMS) for the
implementation of security initiatives.
4. The IS Team shall assist the ISMS Officer in incident management activity to handle incidents in a
timely manner.
5. The IS team, along with functional heads/administrators, shall ensure that related Non Conformities
(NC's) for their section are closed.

Role: Security Operations Center (SOC Team)
1. The SOC Team shall be responsible for monitoring the Security Incident and Event management tool
(SIEM) and analysis of logs through the SOC function.
2. The SOC Team shall be responsible for regular briefing and reporting to CISO against KPIs related to
SOC.
3. The SOC Team shall be responsible for providing threat intelligence, information security threat
analysis across security domains and information security incident management through the SOC
function.
4. The SOC Team shall identify various threat vectors and develop/maintain SIEM use cases for
monitoring the security and handling the issues.
5. The SOC Team shall detect, identify and classify security incidents related to attacks or anomalies
through continuous monitoring of the IT infrastructure.
6. The SOC Team shall escalate incidents to CISO and take appropriate actions for the cyber-attacks as
required.
7. The SOC Team shall analyze the logs in the event of a crisis.
8. The SOC Team shall participate in regular cyber drills and incident response exercises to measure the
effectiveness of the bank's response to an actual attack.
9. The SOC shall monitor information security intrusions and activities and take countermeasures by
coordinating with other departments.

Role: Information Security Officer (ISMS Officer/s)
1. The ISMS Officer shall assist the Chief Information Security Officer (CISO) in ensuring that the
Information Security Risk Assessment is carried out for all new projects / major changes in the bank,
with the respective functions within the department.
2. The ISMS Officer shall liaise and coordinate with the respective function/department for the
implementation of security initiatives.
3. The ISMS Officer shall coordinate within the function/department to monitor the implementation
done and report the same to the CISO.
4. The ISMS Officer shall coordinate with the internal / external auditors for audits of CISO office
towards ISMS and other audit requirements.
5. The ISMS Officer shall coordinate within their function/department to close gaps during ISMS audits,
and status updates shall be provided to the CISO.
6. The ISMS Officer shall liaise and coordinate with respective stakeholders to respond to IT security
incidents in their respective functions/areas.
7. The ISMS Officer shall review Root cause analysis and preventive measures in coordination with the
asset owner/administrators as applicable.
8. The ISMS Officer shall coordinate the information security committee meetings.
9. The ISMS Officer shall facilitate cyber security awareness training.

Role: ISMS Users (Users under the scope of ISMS) / Bank Employees
1. ISMS users/ Bank Employees shall be accountable for the implementation of information security to
the extent of their roles and responsibilities in their respective domains.
2. ISMS users/ Bank Employees shall act in accordance with the organization's information security
policies and procedures.
3. ISMS users/ Bank Employees shall adhere to controls put in place to protect assets from unauthorized
access, disclosure, modification, destruction or interference.
4. ISMS users/ Bank Employees shall execute defined security processes or activities.
5. ISMS users/ Bank Employees shall report security incidents, potential events or other security risks by
following approved processes.
6. ISMS users/ Bank Employees shall not use systems or access information without authorization.
7. ISMS users/ Bank Employees shall comply with the acceptable usage policy in addition to those specific
to their roles. Non-compliance may lead to disciplinary action.
8. ISMS users/ Bank Employees shall complete and pass information security awareness trainings on a
timely basis.

Role: Internal/External Audit Team
1. The Internal/ External Audit team shall create the audit schedule in a manner such that no audit team
member is auditing his/her own department or process.
2. The Internal/ External Audit team shall audit and document the findings (NC's) for ISMS, as per the
scope defined in the ISMS Framework Procedure.
3. The Internal/ External Audit team shall provide detailed independent review and assurance on the
quality and effectiveness of Bank's internal information security controls.

Role: Head of Departments (HOD) / Operations
1. The HOD shall review and approve the baseline documents and SOPs of the concerned department.
2. The HOD shall be responsible to maintain the inventory of critical information assets of the concerned
department.
3. The HOD shall review the information/data classification document for correctness.
4. The HOD shall participate in Information Security Committee meetings as applicable.
5. The HOD shall plan and participate in BCP activities of their respective functions.
6. The HOD shall ensure that the employees have awareness of information security.

2.2 Access Management

Purpose: The purpose of this policy is to protect information systems and services against unauthorized
access by provisioning access based on the principle of least privilege and business requirements.

Scope: The scope of this policy extends to:

• SIB’s technology resources such as operating systems, databases, applications, network
devices and other infrastructure components,
• All employees, contractors, consultants and customers who have access to these technology
resources.

User Access Provisioning:

2.2.1 Bank shall define a formal user registration process to enable assignment of access rights post
approval from the respective information asset owner or designated team.
2.2.2 Bank shall assign unique user IDs to individuals to ensure complete responsibility for actions
performed using their accounts; shared and generic user IDs shall be avoided, unless a
documented business justification and appropriate approvals are in place.
2.2.3 Bank shall assign distinct IDs to temporary staff and contractors, which can be easily identified and
shall automatically expire (wherever technically feasible) after a defined time interval.
2.2.4 Bank shall grant the appropriate level of access based on the concepts of role-based access control
(RBAC) and least privilege, governed by the ‘need-to-know’ and ‘need-to-have’ principles.

2.2.5 Bank shall maintain a record/log of access requests for all technology resources across the
organization including approval and provisioning workflow, for a minimum of one year.
2.2.6 Bank shall eliminate conflicting duties and implement segregation of responsibilities to reduce
opportunities for unauthorized access to resources.
2.2.7 Bank shall maintain logs for addition, modification or deletion of user account/access rights.
2.2.8 Bank shall evaluate the risks before provisioning third party access to SIB’s systems. IDs used by
third parties to access, support, or maintain system components via remote access shall be
enabled only during the required time and monitored when in use.
User Access De-Provisioning/ Modification of Access Rights:

2.2.9 Bank shall define a formal de-registration process to enable revocation of access rights post
approval from the respective information asset owner or designated team.
2.2.10 Bank shall revoke all access rights of an individual on the Bank’s information and information
processing systems on termination of employment or contractual agreement, within one business
day of the last working day.
2.2.11 Bank shall disable Employee IDs if a user does not require logon to the system for more than
thirty days. User accounts of staff on informed long absence (more than two months) shall be
disabled temporarily.
2.2.12 Bank shall review and modify access privileges upon change of job role as per the requirements
of the new job position.
Privileged Access rights:

2.2.13 Bank shall ensure creation and allocation of privileged user accounts/IDs (including emergency IDs)
on information systems are controlled through a formal authorization process.
2.2.14 Bank shall log and monitor privileged user activities on a continuous basis.
2.2.15 Bank shall employ multi-factor authentication for privileged users accessing critical technology
resources, as deemed necessary.
2.2.16 Bank shall ensure administrator (permanent) accounts are used only for administrative activities
and restricted to limited personnel.
Review of access rights:

2.2.17 Bank shall ensure that user access rights and privileges are reviewed as per the defined frequency, or
after any significant organizational, systems or personnel changes.
2.2.18 Bank shall ensure user activity logs on business-critical applications are generated and made
available to the respective business group for review and approval, on a need basis.
2.2.19 Bank shall ensure privileged accounts are reviewed periodically by the business / application owners in
coordination with the CISO.

2.2.20 Bank shall remove default access credentials and review access rights when an application moves
from the pre-production to the production environment.
Access to Program Source Code:

2.2.21 Bank shall restrict access to program source code to authorized individuals only. Approval from
technical application owner shall be required before provisioning such access.
2.2.22 Bank shall ensure that program source code is held in a secure environment and all access is
logged.
Secure Log-In for Systems and Applications:

2.2.23 Bank shall implement a centralized authentication and authorization system for accessing and
administering critical infrastructure components, including enforcement of a strong password policy
and two-factor/multi-factor authentication, following the principles of least privilege and separation
of duties.
2.2.24 Bank shall restrict access to business critical applications to specified time windows only (e.g.,
business hours) for business users, unless an exception is approved based on business need.
2.2.25 Bank shall restrict concurrent logins to technology resources, wherever technically feasible. Where
simultaneous login is necessary for business purposes, the logged-in user shall be alerted of the
new login, wherever technically feasible.
2.2.26 Bank shall implement the following settings for account control through Active Directory policies.
They shall also be enforced on all applications wherever possible.
• Account lockout threshold: a maximum of 3 incorrect login attempts.
• Account lockout duration: the account shall remain locked until the administrator enables it by
following the “Account Lockout Reset” rule, or the user unlocks it using a SIB approved utility.
• Account timeout: wherever technically feasible, technology resources shall time out after a
period of 7 minutes.
• Dormancy period: an account shall be made dormant if it is inactive for a period of more than
6 days.

Password Management:

2.2.27 Bank shall provide an initial temporary password to employees; they shall be forced to change
it on first logon, and the strong password requirement shall be system enforced.
2.2.28 Bank shall issue temporary and new passwords only after verification of the user’s identity.
2.2.29 Bank shall enforce passwords to be a minimum of 8 characters and to conform to password
standards. Password complexity shall meet any three of the following four categories:
• Uppercase characters [A to Z]
• Lowercase characters [a to z]
• Numeric characters [0 to 9]
• Special characters
2.2.30 Bank shall set the password history to a minimum of 5 for critical applications, services, desktops
and non-critical systems.
2.2.31 Bank shall set the minimum password age to 1 [the period of time (in days) that a password must be
used before the system allows the user to change it].
2.2.32 Bank shall ensure that a password expiration period of 45 days is set for normal user accounts.
However, System Administrators and other privileged users shall change their passwords every 30
days.
2.2.33 Bank shall set the account lockout threshold to 3 [failed logons due to wrong passwords].
2.2.34 Bank shall ensure that passwords are not stored or transmitted in clear text.
2.2.35 Bank shall enforce controls to ensure passwords are masked and not visibly displayed when being
entered in the system.
2.2.36 Bank shall ensure that passwords are not hard-coded in log-in scripts or databases without
encryption.
2.2.37 Bank shall ensure vendor supplied default passwords are changed before systems are moved to
the production environment.
2.2.38 Bank shall enforce password protected screensavers on all PCs and servers. Screensavers shall
activate after a minimum of 7 minutes of inactivity.
Service ID passwords:

2.2.39 Bank shall follow the below mentioned criteria for service ID passwords:

• Password expiry shall not be set
• Account lockout shall not be enabled
• Service IDs shall be non-interactive
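As an added example (not the Bank’s own code or tooling), the password and account-control settings stated in 2.2.26, 2.2.29 to 2.2.33, 2.2.38 and 2.2.39 expressed as a checker: it validates a candidate password against the complexity rule and audits an observed account-policy snapshot against the baseline, including the different rules for privileged and service IDs. The AccountPolicy field names and the sample snapshots are assumptions and constructed data, not values from any SIB system.

```python
"""Password and account-control baseline checker.

Added example; it is not part of the policy document or any SIB tooling. It
encodes the settings stated in 2.2.26, 2.2.29-2.2.33, 2.2.38 and 2.2.39 and
checks (a) a candidate password against the complexity rule and (b) an observed
account-policy snapshot against the baseline. The AccountPolicy field names and
the sample snapshots below are assumptions/constructed data; populate them from
whatever the domain or application actually exposes.
"""
from dataclasses import dataclass
from typing import List, Optional
import string

# Baseline values taken from the policy text (section numbers in comments).
MIN_LENGTH = 8             # 2.2.29
MIN_CATEGORIES = 3         # 2.2.29: any three of the four character classes
PASSWORD_HISTORY = 5       # 2.2.30
MIN_PASSWORD_AGE_DAYS = 1  # 2.2.31
MAX_AGE_USER_DAYS = 45     # 2.2.32: normal user accounts
MAX_AGE_PRIV_DAYS = 30     # 2.2.32: administrators and other privileged users
LOCKOUT_THRESHOLD = 3      # 2.2.26 / 2.2.33
TIMEOUT_MINUTES = 7        # 2.2.26 account timeout / 2.2.38 screensaver


def password_meets_complexity(password: str) -> bool:
    """2.2.29: at least 8 characters and at least 3 of the 4 character classes."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(not c.isalnum() for c in password),  # anything else counts as "special"
    )
    return sum(classes) >= MIN_CATEGORIES


@dataclass
class AccountPolicy:
    """Observed settings for one class of accounts (field names are assumptions)."""
    account_type: str                 # "user", "privileged" or "service"
    min_length: int
    complexity_enabled: bool
    history_size: int
    min_age_days: int
    max_age_days: Optional[int]       # None means the password never expires
    lockout_threshold: Optional[int]  # None means lockout is disabled
    lockout_auto_unlock: bool         # True if a lock clears by itself after a timer
    interactive_logon: bool
    timeout_minutes: Optional[int]    # None means no inactivity timeout


def audit_account_policy(p: AccountPolicy) -> List[str]:
    """Return the baseline violations for one snapshot; an empty list is compliant."""
    findings: List[str] = []
    if p.account_type == "service":
        # 2.2.39: service IDs get no expiry and no lockout, and are non-interactive.
        if p.max_age_days is not None:
            findings.append("2.2.39: service ID must not have password expiry set")
        if p.lockout_threshold is not None:
            findings.append("2.2.39: service ID must not have account lockout enabled")
        if p.interactive_logon:
            findings.append("2.2.39: service ID must be non-interactive")
        return findings

    if p.min_length < MIN_LENGTH:
        findings.append(f"2.2.29: minimum length {p.min_length} is below {MIN_LENGTH}")
    if not p.complexity_enabled:
        findings.append("2.2.29: password complexity is not enforced")
    if p.history_size < PASSWORD_HISTORY:
        findings.append(f"2.2.30: password history {p.history_size} is below {PASSWORD_HISTORY}")
    if p.min_age_days < MIN_PASSWORD_AGE_DAYS:
        findings.append(f"2.2.31: minimum password age {p.min_age_days} is below {MIN_PASSWORD_AGE_DAYS}")
    max_age = MAX_AGE_PRIV_DAYS if p.account_type == "privileged" else MAX_AGE_USER_DAYS
    if p.max_age_days is None or p.max_age_days > max_age:
        findings.append(f"2.2.32: password expiry {p.max_age_days} exceeds {max_age} days")
    if p.lockout_threshold is None or p.lockout_threshold > LOCKOUT_THRESHOLD:
        findings.append(f"2.2.33: lockout threshold {p.lockout_threshold} exceeds {LOCKOUT_THRESHOLD}")
    if p.lockout_auto_unlock:
        # 2.2.26: the account stays locked until an administrator or approved utility unlocks it.
        findings.append("2.2.26: lockout must not clear automatically")
    if p.timeout_minutes is None or p.timeout_minutes > TIMEOUT_MINUTES:
        findings.append(f"2.2.26/2.2.38: inactivity timeout {p.timeout_minutes} exceeds {TIMEOUT_MINUTES} minutes")
    return findings


# Constructed sample snapshots, not values observed on any real system.
SAMPLE_USER = AccountPolicy("user", 8, True, 5, 1, 45, 3, False, True, 7)
SAMPLE_PRIV = AccountPolicy("privileged", 12, True, 10, 1, 45, 3, True, True, 7)
SAMPLE_SVC = AccountPolicy("service", 16, True, 5, 1, None, 3, False, False, None)

if __name__ == "__main__":
    for pw in ("Winter2021", "winter2021", "Ab1!"):
        print(f"{pw!r}: complexity ok = {password_meets_complexity(pw)}")
    for snap in (SAMPLE_USER, SAMPLE_PRIV, SAMPLE_SVC):
        print(snap.account_type, audit_account_policy(snap) or "compliant")
```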
Super User passwords:

2.2.40 Bank shall ensure super user passwords are allocated only to the system owners who have a
business need to log in as super user.
2.2.41 Passwords of critical administrative accounts/Super Users shall be managed through password vaulting.

2.2.42 Passwords for non-critical administrative accounts/Super Users shall be kept in a sealed cover with
the Functional Head (Data Center In-charge).
2.2.43 Bank shall enforce disciplinary action including and up to termination & legal prosecution for
violation or unauthorized disclosure of the administrative accounts/Super User password by any
employee.

2.3 Asset Management

Purpose: The purpose of this policy is to ensure that all information assets are effectively managed
across the complete asset lifecycle in a secure, efficient and structured manner.

Scope: The scope of the policy applies to:


• All SIB owned or managed information assets and
• All employees, contractors, consultants and customers who have access to SIB information
assets
• Any non-SIB information assets that are connected to a SIB owned or managed network

Inventory of assets

2.3.1 Bank shall develop a detailed inventory of its information assets for effective control, which shall
enable the bank to classify the assets and determine the level of protection to be provided to each
asset.
2.3.2 The Asset Inventory shall include, but not be limited to:
• Asset Identification number
• Asset’s cost to the organization
• Asset Location
• Asset Criticality (CIA Value)
• Asset Security/Risk Classification
• Asset Group
• Asset Owner
• Asset Custodian

2.3.3 Bank shall classify assets into one of the following categories:
• Physical: e.g. servers, desktops etc.
• Software: e.g. operating systems, application software.
• Information: e.g. all soft copies of information.
• Services: e.g. other services such as Internet connectivity, infrastructure services
• Company image and reputation: e.g. stamps & seals
• People: e.g. all employees based on their roles
• Paper: e.g. hardcopies/documents

2.3.4 Bank shall review the information asset inventory at a defined frequency and ensure that any
changes in the environment are reflected in the asset inventory.
2.3.5 Bank shall use the asset inventory as an input for the risk assessment, which determines levels of
protection commensurate with the value and importance of the assets.
Asset Labelling

2.3.6 Bank shall prominently label assets to ensure that they are given the necessary protection in
use, storage and transport.
2.3.7 Bank shall ensure printed items, information, data and documents have an appropriate classification
label so that users are aware of the classification of the information.
2.3.8 Bank shall ensure that labelling does not reveal any information related to the installed assets.
Records Retention

2.3.9 Bank shall ensure records are identified as IT Assets and appropriate classification levels are
applied.
2.3.10 Bank shall ensure retention periods for records are clearly identified and documented.
2.3.11 Bank shall ensure maintenance and repair records for assets are maintained.
Media Handling

2.3.12 Bank shall develop media handling guidelines to prevent unauthorized disclosure, modification,
removal or destruction of information stored on media.
2.3.13 Bank shall implement procedures for the usage of removable media in accordance with the
classification scheme adopted by the organization.
2.3.14 Bank shall ensure media are handled and disposed of as per the Media Disposal Procedure and Asset
Management Procedure.
Return of Assets

2.3.15 Bank shall have a process in place to ensure all employees and external parties return the assets in
their possession, as per contractual obligations/ employee service conditions, upon termination of their
employment or completion of the contractual agreement.
2.3.16 Bank shall control unauthorized copying of relevant information (e.g. intellectual property) by
terminated employees and contractors during their notice period, in adherence with all applicable
regulations.

Disposal of assets

2.3.17 Bank shall develop a media disposal procedure for secure disposal of media.
2.3.18 Bank shall dispose of media:
• On expiry of media life
• When the media access system is replaced, making the media inaccessible
• When media is damaged
2.3.19 Bank shall ensure disposal of firm assets, including sale, transfer, donation, write off or
sustainable disposal (recycling), in adherence with all applicable regulations.
2.3.20 The following items require secure disposal:
• Paper documents like report printouts, discarded system documentation
• Voice or other recordings
• Computer output reports (hard copies)
• Magnetic tapes
• Removable disks, DATs, cassettes
• Optical storage media
• Hard disks
• Program listings and test data
2.3.21 Bank shall use generally accepted methods for secure information removal, considering the
sensitivity of the information known or believed to be on the media.
2.3.22 Bank shall verify storage media and computer hardware to ensure that sensitive information and
licensed software have been removed prior to disposal.
2.3.23 Bank shall ensure that information required to be kept under the record retention policy is
copied to other media before the media is disposed of.
2.3.24 Bank shall ensure the asset register is updated after asset disposal.

2.4 Mobile Computing

Purpose: This policy provides the security safeguards to be followed while using personal/corporate laptops
and mobile devices to access SIB information assets and the business network.

Scope: This document applies to all users (including but not limited to employees, contractors and
vendors) at all locations of SIB.

Mobile Device Management

2.4.1 Bank shall register and manage devices approved to be used for work purposes in the Mobile
Device Management (MDM) solution or mobile device inventory.
2.4.2 Bank’s data shall be created, processed, stored, communicated and configured on
personal/corporate laptop devices as per MDM security policies.
2.4.3 Bank shall ensure that mobile devices are configured with a secure authentication mechanism.
2.4.4 Bank shall ensure that all approved mobile devices support remote wipe capability and that this feature
can be activated in the event of loss, theft or a change in a staff member’s employment status.
2.4.5 Bank shall implement measures to identify and categorize types of mobile devices and users in
order to manage the risks introduced by using mobile devices.
2.4.6 Bank shall periodically review the security configurations of the MDM solution.
Bring Your Own Device (BYOD)

2.4.7 Bank shall evaluate the security risks of connecting BYOD devices to the Bank’s network.
2.4.8 Bank shall define a list of applications which can be accessed from BYOD/mobile devices for
business usage.
2.4.9 Bank shall ensure that users who wish to opt for BYOD are approved by authorized personnel
and agree to abide by the bank’s policies.
2.4.10 Existing users who intend to change/decommission their existing device, or upon loss/damage of the
device, shall raise a request to the IT Operations Department.
2.4.11 Bank shall incorporate procedures for users to report in a timely manner lost or stolen devices that have
ever been used to access the business network or an Information Asset.
2.4.12 Bank shall ensure that a device being used as BYOD is available and that information on the
device is accessible for forensic purposes.
2.4.13 Bank should reserve the right to control its information. This should include the right to back up,
retrieve, modify, determine access to and/or delete the Bank’s data without reference to the owner or
user of the BYOD.
2.4.14 Bank shall implement authentication controls for remote access to networks, host data and/or
systems.
2.4.15 Bank shall ensure that PII/SPDI, confidential or secret information is not stored on the
BYOD/mobile device.
2.4.16 Bank shall ensure that Wireless LAN access is restricted and allowed to users/locations only after
authorization from the IT Operations Department.
2.4.17 Bank shall ensure that the access list of remotely connecting users is maintained and reviewed
on a periodic basis.

2.5 Change Management

Purpose: The purpose of this policy is to ensure that all changes to information assets are effectively
managed through a change management process, in order to reduce the impact of changes on other
applications and systems, minimize the likelihood of outages and maintain compliance with applicable
regulations.

Scope: The scope of the policy applies to:


• Any changes, upgrades, additions or modifications to be performed in the production
environment
• Applies to all hardware, software or applications

General Requirements

2.5.1 Bank shall perform changes to technology resources in a controlled manner via a documented and
approved change management process, to ensure that the risks associated with changes are
managed to an acceptable level.
2.5.2 Bank shall document the following as part of the change management process, including but not
limited to: classification and prioritization of changes, roles and responsibilities, obtaining prior
authorization, performing impact analysis, testing, obtaining necessary approvals, implementation
plan including fall back procedures, post implementation testing and maintaining up-to-date
current and historical documentation for the entire process.
2.5.3 Bank shall ensure changes requiring testing are tested in a non-production or test environment
before deployment in production.
2.5.4 Bank shall ensure that the person approving the changes is not the same individual who is
implementing the changes, and that changes are implemented by authorized individuals.
2.5.5 Bank shall define and document prerequisites for categorizing a change as an emergency change.
2.5.6 Bank shall define separate procedures for managing emergency changes, which bypass the
outlined policies and procedures. Emergency changes shall be approved by the appropriate authority
prior to implementation.
2.5.7 Bank shall evaluate the security impact of major changes, and appropriate controls shall be assessed
and recommended.

2.5.8 Bank shall ensure configuration change control, such as changes to baseline configurations for
components and information systems, changes to configuration settings for information technology
products, unscheduled/unauthorized changes, and changes to remediate vulnerabilities, is
performed as per the change management process.
2.5.9 Bank shall formulate a review meeting calendar to keep track of change requests and their
ageing.
2.5.10 Bank shall ensure documentation related to change management is retained for tracking and
audit purposes.

2.6 Patch Management

Purpose: The purpose of this policy is to define security requirements for patch management and ensure
that information systems of the bank are updated in a timely manner with security patches for known
vulnerabilities.

Scope: The scope of the policy applies to all SIB owned technology resources, as applicable, such as
operating systems, databases, applications, network devices and other infrastructure components.

General Requirements

2.6.1 Bank shall define a patch management process to address technical system and software
vulnerabilities, which includes roles and responsibilities for patch management, methods of
obtaining and validating patches, assessing the risk & impact of patches, and the process to deal with
failed deployment of patches & emergency patches.
2.6.2 Bank shall maintain a comprehensive inventory of the Bank’s technology resources with their patch
level.

Patch Identification

2.6.3 Bank shall periodically identify patch requirements by performing vulnerability assessment &
patch scanning on relevant technology assets (such as perimeter assets, firewalls, network devices,
security devices etc.).
2.6.4 Bank shall continuously monitor the release of patches by vendors and OEMs, and advisories
issued by regulators.
2.6.5 Bank shall apply patches released for publicly reported critical vulnerabilities impacting Bank
resources by following an emergency patch management process.
Patch Prioritization

2.6.6 Bank shall ensure that critical patches are prioritized and deployed, depending on the potential
impact to the systems and criticality of the assets.
2.6.7 Bank shall use a phased remediation deployment approach based on prioritization of patches and
systems.
2.6.8 Bank shall track delays in patching of new vulnerabilities and ensure the timeline set forth in
the Patch Management procedure, based on prioritization, is adhered to.
2.6.9 Bank shall handle exceptions to the patching timelines through an exception management process
with necessary approvals defined.
Patch Testing

2.6.10 Bank shall verify the patches obtained from OEMs for integrity to ensure that the patches
obtained are correct and unaltered.
2.6.11 Bank shall ensure patches are tested in a test environment, to evaluate any unexpected impact
on the systems to which they are applied, before applying them to production on enterprise systems.
2.6.12 Bank shall document the test results.
Patch Deployment

2.6.13 The patch deployment plan, in line with the Change Management procedure, shall be communicated
to the appropriate stakeholders by system owners/administrators.
2.6.14 Bank shall define appropriate patch windows and, whenever possible, restrict the implementation
of patches to defined time frames to minimize business impact or potential down time.
2.6.15 Bank shall maintain audit log for patching activities undertaken for production instances.
2.6.16 Bank shall ensure that all patches installed in the production environment are also installed in the
disaster recovery environment.
2.6.17 Bank shall test the resulting system to validate the effectiveness of the applied patch.
2.6.18 Bank shall have a mechanism to roll back patches (wherever technically feasible), if system
conflicts arise after deployment.
Patch Inapplicability

2.6.19 Bank shall devise compensating controls to mitigate the risk, where a patch is unavailable or
cannot be deployed due to impact on business functionality.
Patch Monitoring & Compliance

2.6.20 Bank shall monitor the compliance against this policy through regular checks on patching status
and periodic status review of patches by Head-IT Operations (Quarterly for Endpoints, Monthly for
other technology assets).

2.7 Cloud Security

Purpose: The purpose of this policy is to ensure all information stored and processed over a cloud
infrastructure is managed in a secure, efficient and structured manner.

Scope: The scope of this policy covers all information assets stored, transmitted and processed over a
cloud network.

Governance

2.7.1 Bank shall ensure that cloud infrastructure is designed, implemented and managed adequately to
protect the confidentiality, integrity and availability of business operations.
2.7.2 Bank shall ensure that due diligence and a technical risk assessment are performed before
information is hosted in a cloud network. The technical risk assessment shall cover areas including but not
limited to access controls, authentication, business continuity, configuration management, data
security, incident management, maintenance and support, media protection, personnel security,
physical security, security assessment, secure development, system security and integrity controls.
Necessary evidence shall be collected and evaluated for the compliance of the CSP with relevant
security standards like ISO 27001, PCI DSS etc.
2.7.3 Bank shall ensure compliance with relevant laws and regulations governing the cloud service
provider, e.g. privacy regulations, cross border data transfer, data localization requirements.
2.7.4 Bank shall ensure that only cloud service providers who have datacenters within the country
where the bank conducts business are considered while availing cloud services, so that the
service provider and the bank are bound by the same set of laws.
2.7.5 Bank shall ensure that controls are implemented to protect the privacy of personally identifiable
information stored in the cloud infrastructure. The controls implemented shall be in line with
privacy laws and regulations.
2.7.6 Bank shall ensure that necessary approvals are received as per the cloud security procedure before
provisioning services from a cloud service provider (CSP) /third party vendors or hosting
information on cloud infrastructure.
2.7.7 Bank shall ensure that information assets classified as confidential and highly sensitive are stored
in the cloud infrastructure with adequate controls.

2.7.8 Bank shall ensure that a cloud service provider handling confidential data/ processing critical
information regularly undergoes relevant audits like ISO 27001, Service Organization Control 2
(SOC 2) Type II audits etc., and provides the report to the bank. Bank shall also verify SOC 3 reports from
the vendor if available.
Contracts and Agreements

2.7.9 Bank shall ensure that a confidentiality and non-disclosure agreement, which also includes clauses
pertaining to intellectual property rights, is signed with the cloud service provider.
2.7.10 Bank shall ensure that adequate service contracts and service level agreements are signed with
cloud service providers which address the below information security requirements, including
but not limited to:
• Protection of the Bank’s information assets (malware protection, backup mechanism,
cryptographic controls, vulnerability management and security testing, incident
management, security auditing, collection, maintenance and protection of evidence
including logs and audit trails etc.)
• Continuous compliance with statutory laws and regulatory guidelines
• Indemnification clauses indemnifying the bank for all acts and omissions by vendors
• Clauses pertaining to compliance with the Bank’s information security requirements
• Clauses pertaining to security breach notification, covering any security/data
breaches/incidents affecting the bank’s data or information systems and / or any
security/data breaches/incidents which happened in the cloud service provider’s
environment.
• Clauses pertaining to the right to erasure or return of the Bank’s data stored within the service
provider’s systems and backups, in the event of contract termination or expiry of the service
contract.
• Clauses pertaining to agreed service levels and the mechanism to monitor and measure the
service levels.
• Clauses pertaining to the rights of the Bank to perform an audit of the information security
controls implemented at the vendor.
• Clauses pertaining to the rights of the Bank to perform an audit/obtain independent audit
reports from the cloud service provider covering the information security controls
implemented at the cloud service provider.
• Clauses pertaining to assurance provided by the cloud service provider on service continuity
as per the recovery time objective and recovery point objective defined by the Bank.

2.7.11 Bank shall ensure that an elaborate set of information security roles and responsibilities of the cloud
vendor/service provider and the bank is defined and documented in the service agreement from
the perspective of the shared security model.
2.7.12 Bank shall ensure liability clauses are defined and documented in the service level agreements
which compensate for intentional / unintentional damage caused by the cloud
service provider.
2.7.13 Bank shall ensure that incident response clauses are defined and documented in the service level
agreement to ensure timely support from the cloud service provider for forensic investigation.
2.7.14 Bank shall ensure that the service level agreement signed with the cloud service provider addresses
the requirement of performing background checks for employees managing the Bank’s information
assets.
2.7.15 Bank shall ensure that the service contract and agreement signed with the cloud service provider are
reviewed and signed off by the Legal Department.
2.7.16 Bank shall ensure that the service contract signed with the vendor addresses the procedures for
termination of service, specifying the terms that trigger the retrieval of the bank’s assets in
the required timeframe.
Operations

2.7.17 Bank shall maintain an updated inventory of information assets hosted in cloud infrastructure.
2.7.18 Bank shall ensure that configurations/ sets of rules are defined, documented and implemented to
isolate the Bank’s network and achieve tenant isolation in the case of a shared environment.
2.7.19 Bank shall ensure that RTO and RPO are defined for critical services hosted on the cloud environment
and that mechanisms are implemented to ensure adequate recovery within the bank’s defined
RTO and RPO.
2.7.20 Bank shall ensure that any changes implemented for cloud infrastructure directly managed by the
bank follow the Bank’s change management process.
2.7.21 Bank shall ensure that periodic security testing is performed for cloud infrastructure directly
managed by the bank as per the Bank’s vulnerability management policy.
2.7.22 Bank shall ensure that logical access provided to cloud infrastructure is as per the Bank’s access control
policy.
2.7.23 Bank shall implement adequate cryptographic controls to secure information at rest and in transit
over cloud infrastructure.
2.7.24 Bank shall ensure that the incident management and escalation process is followed for cloud
infrastructure.

2.7.25 Bank shall ensure that relevant logs of cloud infrastructure directly managed by bank are
monitored, analyzed and reviewed on a periodic basis. Access to system logs shall be restricted to
authorized users.
2.7.26 Bank shall ensure information stored in cloud infrastructure is adequately backed up and retained
as per the Bank’s retention requirements.
2.7.27 Bank shall ensure that access to cloud infrastructure from mobile device is restricted and the
access is governed as per the Bank’s mobile computing policy.
2.7.28 Bank shall ensure that cloud infrastructure is protected with anti-malware / antivirus mechanism.
2.7.29 Where the cloud deployment is a SaaS model, Bank shall ensure that the application conforms
to Open Web Application Security Project (OWASP) guidelines on web application security. It shall
also be ensured that the application conforms to applicable security guidelines from relevant
standards, e.g. payment applications need to comply with PCI-DSS.
2.7.30 Bank shall ensure that Cloud service provider has the appropriate physical security controls to
prevent unauthorized access to critical areas within facilities and access to physical assets and
systems by intruders or unauthorized users.

2.8 Communication Security

Purpose : The purpose of this policy is to ensure prevention of unauthorized access to communication
traffic, or to any written information that is transmitted or transferred across multiple communication
channels.

Scope : The scope of the policy applies to:

• Communication across all channels
• All users (employees, contractors and third-party users) connecting to the SIB network

Network Security

2.8.1 Bank shall ensure logical or physical segregation and segmentation of network segments using
firewalls and defense-in-depth principles.
2.8.2 Bank shall ensure access to all external networks passes through an access control point (i.e.
firewall) before reaching any intended host and is subject to authentication. Only authorized and
approved network devices shall be connected to the network.
2.8.3 Bank shall deploy Network Access Control (NAC) tool to verify security configuration and patch
level compliance of devices before granting access to the network.

2.8.4 Bank shall ensure clear demarcation of DMZ to secure sensitive data.
2.8.5 Bank shall ensure systems containing highly sensitive information are segregated virtually or
physically.
2.8.6 Bank shall deploy a network-based Intrusion Prevention System (NIPS) to monitor the traffic to and
from all Bank's systems including application servers, web servers, database servers and network
devices.
2.8.7 Bank shall ensure NIPS is always updated with the latest available signatures.
2.8.8 Bank shall ensure secure browsing and Internet connectivity, including restrictions on the use of
public file storage/sharing, remote access and websites, and protection against suspicious websites.
2.8.9 Bank shall ensure network services, protocols and ports are managed and restricted based on
business and technical requirements.
2.8.10 Bank shall ensure access to network devices is controlled by Access Control Lists (ACLs).
2.8.11 Bank shall ensure network jacks are disabled unless a network device, server or workstation is
attached.
2.8.12 Bank shall ensure a session time-out facility is configured on network terminal devices and
associated terminal emulation sessions on all network equipment, in accordance with the
access management policy.
2.8.13 Bank shall ensure all network and security device clocks are synchronized with the Bank’s NTP server
to ensure the accuracy of audit logs.
2.8.14 Bank shall ensure network devices are configured securely to prevent disclosure of internal IP
addresses and routing information to unauthorized users.
2.8.15 Bank shall ensure logging is enabled on network devices, and logs of critical network devices shall be
collected and maintained on a centralized log server.
2.8.16 Bank shall ensure access to network management systems is restricted to authorized
individuals and access is granted using unique user IDs.
2.8.17 Bank shall ensure that the current and backup network / security device configuration files are
stored securely.
2.8.18 Bank shall ensure default settings are changed before installing network and security devices.
2.8.19 Bank shall ensure firewall rules are reviewed periodically.
2.8.20 Bank shall ensure traffic from internal and external networks to the DMZ is routed through network
access control devices such as firewalls and inspected by network intrusion prevention techniques.
2.8.21 Bank shall ensure adequate redundancy is built into the network at the link level as well as the device
level. Redundant links shall have the same level of security as the primary links.
2.8.22 Bank shall ensure all critical VoIP network and server components are located in a secure area.
A separate VLAN shall be created for VoIP network components, which shall be deployed using private
address space.

2.8.23 Network operation standards and protocols shall be documented and made available to the
operators, and shall be reviewed periodically to ensure compliance.

Remote Network Access

2.8.24 Bank shall ensure all remote access requests are assessed for associated risks and appropriate
mitigation controls shall be put in place before granting access.
2.8.25 Bank shall have defined, approved and established documentation on methods of secure remote
access.
2.8.26 Bank shall review all existing remote access at least quarterly, and disable it if not required.
2.8.27 Bank shall employ multi-factor authentication for connecting to the Bank's network remotely.
2.8.28 Bank shall ensure the capability to monitor and authorize remote access to information systems, and
enforce requirements for remote connections to the information system.
2.8.29 Bank shall ensure that, where remote desktop access is required, only a secure remote access solution
such as a thin-client or remote desktop sharing solution is used, so that all accessed
data, devices, systems, applications and desktops are managed, tracked, monitored and secured
centrally.
2.8.30 Bank shall ensure remote users are authenticated and data transfers are encrypted.
2.8.31 Bank shall ensure the change management process and related service request management systems
are followed for all types of VPN requests, including creation, configuration and setup of VPN
accounts.
2.8.32 Bank shall have the right to terminate a VPN connection with immediate effect upon detection
of a problem, critical threat or security breach.

Wireless Security

2.8.33 Bank shall ensure security requirements for wireless networks are identified and documented,
such as use of authentication and encryption technologies, and service levels.
2.8.34 Bank shall ensure proposed wireless networks are deployed after risk assessment, implementation
of mitigating controls and a comprehensive information security review.
2.8.35 Bank shall ensure all wireless traffic uses strong encryption standards and authentication
protocols. Access to wireless networks and devices shall be limited to authorized users only.
2.8.36 Bank shall conduct a quarterly review to ensure that the wireless network is not accessible outside
the identified areas and that no unauthorized wireless access points are in use.
2.8.37 Bank shall implement appropriate segregation of wireless and wired networks.
2.8.38 Bank shall ensure all access attempts to the wireless network are logged as per the applicable
policy requirements.

2.8.39 Bank shall ensure all wireless access points/base stations/wireless devices connected/deployed
in SIB’s corporate network are registered, secured with the latest patches and approved by authorized
personnel.
2.8.40 Bank shall ensure a Wireless Intrusion Prevention/Detection System (WIPS/WIDS) is installed to
detect/prevent rogue access points connecting to the SIB network, attack attempts and successful
compromise.

Data Transfer

2.8.41 Bank shall ensure relevant controls are put in place to protect the transfer of information
through various communication channels.
2.8.42 Bank shall ensure agreements address the requirement for secure transfer of business
information between the organization and external parties.
2.8.43 Bank shall have appropriate controls to protect electronic messaging related information.

Email Security

2.8.44 Bank shall ensure email service management documents are in place and approved.
2.8.45 Bank shall implement Domain-based Message Authentication, Reporting and Conformance
(DMARC) for its email domains.
2.8.46 Bank shall scan all emails, attachments and downloads both on the host and at the mail gateways.
2.8.47 Bank shall ensure official email accounts are used primarily for business purposes, with limited
personal communication; non-SIB related commercial use is prohibited.
2.8.48 Bank shall ensure emails are protected against Advanced Persistent Threats (APT), which typically
make use of viruses and zero-day malware.
2.8.49 Bank shall restrict auto-forwarding of messages from the Bank’s email system to personal
accounts; it is prohibited unless approved by line management for valid business reasons.
2.8.50 Bank shall use an approved encryption mechanism when sending emails containing Restricted or
Confidential information to any external domain.
2.8.51 Bank shall ensure generic email accounts are created on a need-to-have basis.
2.8.52 Bank shall ensure email accounts are terminated on the day of separation, on request from the
manager of the separating employee / third party. HR data shall be utilized to identify e-mail
accounts for deletion.
2.8.53 Bank shall ensure mailbox size and email attachment limits are documented and provided based
on business requirements.
2.8.54 Bank shall ensure the email server, application and logs are monitored for security and performance
related issues. An audit trail shall be available for each mail.
2.8.55 Bank shall ensure the centralized email system managed by the IT department is used for all Bank offices.

2.9 Cryptography

Purpose : The purpose of this policy is to ensure secure and effective implementation of cryptographic
controls to protect the confidentiality, integrity, authentication and non-repudiation of information.

Scope : The scope of this policy covers creation, storage and destruction of cryptographic keys used by
employees and third parties across the Bank.

General Requirements

2.9.1 Bank shall ensure that confidentiality, integrity, authentication and non-repudiation of business-
sensitive information in transit and at rest are implemented through appropriate encryption/control
mechanisms at various levels.
2.9.2 Bank shall ensure that the cryptographic controls implemented follow the regulatory and statutory
requirements.
2.9.3 Bank shall ensure that functional and technical requirements for cryptography are part of the security
design specification and that the controls are developed, tested, implemented, configured, operated
and maintained throughout the system development life cycle.
2.9.4 Bank shall maintain a list of encryption standards and hashing techniques approved by
senior management. Bank shall ensure that the key length for encryption is at least 128 bits.
2.9.5 Bank shall use digital certificates to ensure authenticity, integrity and non-repudiation of stored
or transmitted information.
2.9.6 Bank shall define, document and implement a cryptographic procedure which outlines the
guidelines for key generation, key distribution, key installation, key lifecycle management and custody
of keys.
2.9.7 Bank shall ensure that an inventory of cryptographic keys is maintained and reviewed
on a periodic basis.
2.9.8 Bank shall report the loss, theft or compromise of security keys through the security incident
management process.
2.9.9 Bank shall ensure that a licensed external public key infrastructure approved by the respective authority
is used for communicating with external entities.
2.9.10 Bank shall ensure that standard operating procedure for digital certificate management is defined,
documented and implemented. The standard operating procedure shall define steps for issue of
certificates including but not limited to user request, user credential verification, certificate
approval and user undertaking.

2.10 Data Protection

Purpose: The purpose of this policy is to ensure the confidentiality, integrity and consistency of all data
stored in electronic form, such as databases, data warehouses and data archives. It also defines security
requirements for Data Loss Prevention (DLP) techniques or process to prevent unauthorized disclosure
of SIB’s sensitive data.

Scope : This document applies to:

• All the users (including but not limited to employees, contractors, and vendors) at all
locations of SIB and having access to SIB’s digital information;
• All SIB owned or managed information assets; and
• Any non-SIB information assets that are connected to a SIB owned or managed network.

General Requirements

2.10.1 Bank shall define and implement procedures to ensure the integrity and consistency of all data
stored in electronic form, such as databases, data warehouses and data archives.
2.10.2 Bank shall collect, use or process Personal Data relating to Customers, Suppliers and Business
partners only if the processing falls within the scope of a legitimate Business purpose.
2.10.3 Bank shall implement reasonable security practices and procedures to ensure all proprietary
information and data processing, including Personally Identifiable Information (PII) of clients,
employees, suppliers and business partners, are not used for wrongful purposes.
2.10.4 Bank shall take appropriate commercially reasonable technical, physical and organizational
measures to protect Bank’s confidential data (including PII) from misuse or accidental, unlawful,
or unauthorized destruction, loss, alteration, disclosure, acquisition or access.

Data Integrity

2.10.5 Bank shall ensure that information in application service transactions is protected to
prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized
disclosure, unauthorized message duplication or replay.
2.10.6 Bank shall implement appropriate processing and transmission controls to protect the integrity
of systems and data (both at rest and in transit).

2.10.7 Bank shall ensure that changes are limited to necessary changes and all changes shall be
controlled through change management processes.
2.10.8 Bank shall secure audit trails so that they cannot be altered and limit the viewing of audit trails
to those with a job-related need.
2.10.9 Bank shall implement appropriate mechanisms to ensure that existing log data cannot be
changed, without generating alerts, in servers hosting business critical information.
2.10.10 Bank shall implement a process to review and respond to any alerts generated by appropriate
solutions.
2.10.11 Bank shall make arrangements to back up audit trail files such that they are protected from
alteration/tampering to aid incident analysis/forensic investigation procedures with accurate
information.
2.10.12 Bank shall monitor and review system security/correlated logs, audit logs, and the integrity of
system configurations for servers hosting business critical applications.
2.10.13 Bank shall conduct application control audits in a risk-based manner as part of regular audit, with
a focus on data integrity.

Data Storage

2.10.14 Bank shall retain all types of relevant data (including PII) only:
• for the period required to serve the legitimate purposes for which the Personal Data are
processed; or
• to the extent reasonably necessary to comply with an applicable legal requirement; or
• as advisable in light of an applicable statute of limitations.
2.10.15 Bank shall securely delete/destroy or archive the data after the applicable storage period has
ended.

Data Protection in Third Party Locations

2.10.16 Bank shall transfer Personal Data to a Third Party only to the extent necessary to serve the
applicable legitimate purposes.
2.10.17 Bank shall have a written contract or a contract in a similar form (e.g. electronic) with any third
party (other than government agencies or other public bodies) that processes personal data.
2.10.18 Bank shall also seek to contractually protect the data protection interests of the Individuals.

Data Leakage Prevention

2.10.19 Bank shall develop a data loss/leakage prevention approach to safeguard sensitive and
confidential business data and customer information.
2.10.20 Bank’s DLP approach shall consider the following:
• Data in motion: Data that needs to be protected when in transit, using secure channels and
protocols. E.g., emails, file transfers, web traffic;
• Data in use: Data processed on end user devices that needs to be protected from being leaked. E.g.,
files/data processed on servers and workstations;
• Data at rest: Data stored in data stores that shall be protected from loss/leakage. E.g., data stored in
databases, tapes/disks, SAN/NAS storage.
2.10.21 Bank’s deployed DLP solution shall achieve the following key objectives:
• Monitor and control the movement of sensitive information across the Bank’s networks
• Monitor and control the movement of sensitive information on end-user systems
2.10.22 Bank shall locate and catalogue sensitive information stored throughout the Bank.
2.10.23 Bank shall incorporate procedures to investigate data loss incidents in a timely manner and remediate
data leaks or process gaps, as necessary, to prevent any further data loss.
2.10.24 Bank shall ensure data breach incidents are immediately reported and managed through incident
management process.

Data Security

2.10.25 The bank shall seek to establish uniform risk-based requirements for the protection of data
elements.
2.10.26 Bank shall use tools for data classification to ensure that protection is uniform within the
Bank.
2.10.27 Bank shall ensure that data at rest and in transit is protected.
2.10.28 Bank shall implement policies and procedures regarding secure media handling, storage,
disposal and transit to enable appropriate protection and otherwise
mitigate risks to data.

2.10.29 Bank shall apply extensive controls to guard against alteration of sensitive information and shall
minimize the distribution of sensitive information, including printouts that contain this type of
information.
2.10.30 Bank shall implement a mechanism to periodically review authorization levels and distribution
lists to ensure they remain appropriate and current.
2.10.31 Bank shall encrypt the sensitive data stored in portable devices such as laptops and PDAs.
2.10.32 Bank shall maintain the security of media while in transit or when shared with third parties.
2.10.33 Bank shall encrypt customer account and transaction data which is transmitted.
2.10.34 Bank shall ensure appropriate controls are in place when the customer account
information/transaction data is transported, delivered or couriered to external parties or other
locations, taking into account all intermediate junctures and transit points from source to
destination.
2.10.35 Bank shall also put in place the following additional controls for protection of data:
• Filtering and monitoring of electronic media
• Monitoring for unauthorized software and hardware, such as password cracking software, key loggers and
wireless access points

2.11 HR Security

Purpose : The purpose of this policy is to ensure that all employees, contractors and third-party
personnel understand and fulfil their information security responsibilities throughout the employment
lifecycle.

Scope : This policy covers the background verification, information security awareness, and exit or
termination of employees, contractors and third-party personnel.

Background Verification:

2.11.1 Bank shall ensure that all new employees having high profile job roles, contractors and
third-party personnel are screened prior to employment. The corresponding Head of Department (HOD)
may recommend any exceptions to screening of new employees having high profile job roles
prior to employment, with proper justification, to the HR Department. The HR Department shall reject or
approve any exceptions.
2.11.2 Bank shall ensure that all new employees are screened within three months from the date of
onboarding.
2.11.3 Bank’s background screening process shall include verification of employment history, academic
qualifications, character references (business and personal), criminal record, and personal
details. Additional background and credit checks shall be performed based on the sensitivity of a
particular job.
2.11.4 Bank shall ensure that contractors are subjected to similar screening procedures as outlined in
the HR Security Procedure.
2.11.5 Bank shall obtain background verification assurance for third-party personnel from their respective
organizations.

Terms & Conditions of employment:

2.11.6 Bank shall ensure that all employees and contractors sign and agree to the terms and conditions of their
employment prior to being granted access to SIB’s information assets. These terms and
conditions shall include the Bank’s and their responsibilities towards information security, and clauses for
confidentiality and non-disclosure of SIB’s sensitive information.

Information Security Awareness and Training:

2.11.7 Bank shall implement initial and ongoing training as part of the information security
awareness program to educate its employees. The program shall be updated on a periodic basis.

2.11.8 Bank shall conduct targeted awareness/training for key personnel.
2.11.9 Bank shall develop a training plan and allocate adequate resources for smooth running of the
information security awareness and training program.
2.11.10 Bank’s awareness training shall, at the minimum, include acceptable use of information assets,
reporting of information security events, physical protection, password policies and cyber
security attacks such as phishing attacks, social engineering, malware threats and insider threats.
2.11.11 Bank shall also conduct situational awareness training when prompted by highly visible cyber events or
by regulatory alerts.
2.11.12 Bank shall evaluate the effectiveness of the training by conducting quizzes, and maintain training
records for a period of at least one year.
2.11.13 The staff training college, in co-ordination with ITOD, shall ensure that all employees are
periodically trained on their information security responsibilities.

Disciplinary process:

2.11.14 Bank shall define a formal disciplinary process to act against employees who have committed an
information security breach or violated security policies. All such violations shall be reported to
the CISO.
2.11.15 Bank shall ensure that the disciplinary process is communicated to all employees. Third party
personnel shall be dealt with as per the contractual agreements.

Exit or Termination:

2.11.16 Bank shall define, communicate and enforce the information security responsibilities and duties
that remain valid after termination for the employee or contractor.
2.11.17 Bank shall ensure that the access rights (physical and logical) of all employees, consultants,
contractors and suppliers to information and information processing facilities are removed,
and SIB’s assets returned, upon termination of their employment, contract or agreement, or
adjusted upon change.

2.12 Security Incident Management

Purpose : The purpose of this policy is to ensure secure and effective implementation of security
incident management to identify, report, respond, prevent and communicate information security
incidents.

Scope : The scope of this policy is applicable to all information security incidents identified in the Bank’s
internal and external environment.

General Requirements

2.12.1 Bank shall ensure that responsibilities and procedures are defined and documented to ensure
effective response to and containment of information security incidents. The defined information security
incident management procedure shall include, but not be limited to, the types of incidents to be
reported, the reporting methodology, the types of security incidents and the escalation matrix.
2.12.2 The information security incident management procedure shall comply with the applicable
regulatory requirements.
2.12.3 Bank shall ensure that a team of competent personnel is deployed for effective implementation
of the security incident management process.

Reporting of Incidents

2.12.4 Bank shall ensure that an incident reporting mechanism is implemented to enable all employees and
third parties to report identified / suspected information security incidents.
2.12.5 Bank shall ensure that all employees and third parties are aware of their responsibility to report
information security events.
2.12.6 Bank shall ensure that information security incidents or violations of security policies are notified
to the concerned Department Head and the CISO.
2.12.7 The information security incident management procedure shall include a mechanism to proactively
notify CERT-In/IDRBT/RBI regarding cyber security incidents.

Analysis of Incidents

2.12.8 Bank shall define incident classification and prioritization criteria for the classification of security
incidents based on the severity of impact identified post-analysis.

2.12.9 Bank shall ensure that suitable arrangements are in place to investigate information security
incidents through various modes including but not limited to digital forensics, evidence collection
and preservation, log analysis and interviewing.
2.12.10 Bank shall analyze and improve incident detection and response process based on the learnings
from information security incidents.
2.12.11 Bank shall ensure that all identified incidents are logged centrally with the details including but
not limited to date of incident, impacted systems, impacted users, duration of incident, root
cause analysis, corrective action and preventive action.

Incident Response

2.12.12 Bank shall ensure that identified information security incidents are resolved in a timely manner
and escalated as per the escalation matrix defined.
2.12.13 Bank shall ensure that a cyber security incident response team (CSIRT) is established, consisting of
stakeholders from the concerned departments.

2.12.14 Bank shall ensure that an information security incident response procedure is defined and
documented covering aspects including but not limited to roles and responsibilities, incident
resolution timeframes, incident containment procedures, the incident communication process, post-
incident analysis and chain of custody of evidence. Bank shall ensure that the information security
incident response procedure is integrated with the cyber crisis management plan (CCMP), business
continuity plan and disaster recovery plan.
2.12.15 Bank shall have clear accountability and communication strategies defined to limit the impact of
information security incidents.
2.12.16 Bank shall have appropriate mechanisms for informing customers of incidents and reporting to
the board and senior management, as applicable.
2.12.17 Bank shall ensure that information security incident response is periodically tested through
various means such as cyber drills and red team exercises.

Post Incident Analysis

2.12.18 Bank shall ensure that post-incident analysis is conducted to determine the business impact, root
cause and preventive actions to minimize recurrence of similar incidents.

Digital Evidence

2.12.19 Bank shall ensure evidence collected as part of forensic analysis is stored securely as per legal
requirements. It shall be used for further investigation and kept securely for production in a
court of law if required.
2.12.20 Bank shall have contractual provisions with third parties for preservation of digital evidence and
reasonable cooperation with each other during an investigation.
2.12.21 Bank shall develop and follow procedures for the identification, collection, access, storage,
transfer, security and presentation / admissibility of digital evidence.
2.12.22 Bank shall ensure trained information security officials or skilled digital forensics examiners are
involved in the evidence collection process to ensure that any material fact is properly
preserved and introduced.
2.12.23 Bank shall ensure a proper chain of custody is maintained while handling evidence.
2.12.24 Bank shall ensure the admissibility of evidence is in adherence to legal requirements and that evidence is kept
securely to be produced in a court of law as and when needed.

2.12.25 Bank shall ensure each piece of evidence is marked with the date, time, location and initials of
the collector.
2.12.26 Bank shall have a process for securing evidence such as audit trails, log correlation and intrusion
prevention/detection system records. All evidence and audit trails related to an incident shall be
collected and preserved in a secure manner, ensuring its authenticity, accuracy and completeness.
2.12.27 Bank shall ensure information on forensic investigations is limited to a few nominated
individuals and is kept confidential.
2.12.28 Bank shall ensure findings of a forensic analysis are documented and shared with authorized
personnel only.

Communication of Incidents

2.12.29 Bank shall communicate the information security incident details to internal and external
stakeholders including vendors, as applicable.
2.12.30 Bank shall ensure that the contact details of authorities and other relevant agencies that handle
issues related to incidents are documented and updated on a periodic basis.

2.13 Information Security Compliance

Purpose : The purpose of this policy is to establish the requirements to protect the Bank from breaches of
legal, statutory, regulatory and contractual obligations related to information security requirements.

Scope : The scope of this policy covers compliance with security policies, intellectual property rights,
data privacy as well as other legal, statutory, regulatory and contractual obligations, which apply to all
business functions, processes, technology resources and staff members (employees, contractors and
third-party personnel) of the Bank.

Compliance with Information Security Policies and Standards

2.13.1 Bank shall ensure that information security policies and procedures are defined, communicated,
implemented and enforced.
2.13.2 Bank shall ensure that the organization’s approach to managing information security and its
implementation (i.e. policies, processes and procedures for information security) are reviewed
independently at planned intervals or when significant changes occur.
2.13.3 Bank shall review areas within the organization, including but not limited to information systems
(platforms, networks and applications), information systems service providers, and information
security processes and responsibilities, at least annually or at the defined interval, through internal
or third-party assessors.

2.13.4 Bank shall embed generic obligations to comply with information security policies within
employment contracts and third-party service contracts, while specific obligations shall be
included on the forms regarding user access to sensitive business systems.
2.13.5 Bank shall explicitly inform users that no use of IT systems is permitted unless specifically
authorized. If any unauthorized activity or misuse of the Bank’s information systems is identified by
monitoring or other means, appropriate disciplinary or legal action shall be taken against the
individual.

Information Security related Legal Compliance

2.13.6 Bank shall identify and document the relevant legal, statutory, regulatory and contractual
requirements pertaining to information security for all information system processing
facilities.
2.13.7 Bank shall identify, document and implement specific controls and individual responsibilities to
meet these requirements, in consultation with CISO Office, ISC, Legal and other departments as
deemed necessary.
2.13.8 Bank shall review the compliance and completeness of the controls for these requirements at least
on an annual basis.

Protection of Organizational Records

2.13.9 Bank shall ensure that the records are protected from loss, destruction and falsification,
unauthorized access and unauthorized release in accordance with statutory, regulatory,
contractual, and business requirements to the extent necessary to minimize risks.
2.13.10 Bank shall define and implement procedures for storing records as per the statutory or regulatory
retention period, and destruction of records after the defined retention period if they are no
longer needed by the Bank.
Intellectual Property Rights

2.13.11 Bank shall ensure compliance with legislative, regulatory and contractual requirements, on the
use of material in respect of which there may be intellectual property rights, such as copyright,
design rights and trademarks.

2.13.12 Bank shall own the intellectual property developed by its employees (software, documents,
materials and email etc.) unless explicitly agreed between the parties. It shall also own all the
computer equipment, software and facilities used by the employees.
2.13.13 Bank shall ensure that all employees are restricted from copying, using or disseminating
proprietary material. Only information that is developed by and belongs to Bank, licensed or
provided by the developer to Bank or is legally placed without restriction in the public domain,
shall be used.
2.13.14 Bank shall ensure compliance with the terms and conditions and license requirements of
copyrighted software and any other proprietary information used within the Bank.
2.13.15 Bank shall protect its intellectual property rights by imposing similar legal obligations on third
parties where applicable (e.g. third-party use of computer programs developed by bank shall be
protected through suitable license agreements).
Technical Compliance Review

2.13.16 Bank shall ensure that information systems and networks are reviewed at defined intervals for
compliance with relevant technical security standards and security designs, through vulnerability
assessment, penetration testing and other technical review assessments. Any identified issues shall
be reported to the appropriate team for remediation.
2.13.17 Bank shall employ internal or external experts/agencies to conduct technical compliance reviews
at defined intervals.
Information System Audit Controls

2.13.18 Bank shall ensure that IT systems, processes and controls are regularly audited by
internal/external auditors in accordance with defined audit standards and procedures, as per the
defined and approved audit schedule.
2.13.19 Bank shall define audit plans and policy including but not limited to scope, resource
requirements, sampling methodology, access provisions, schedule, audit techniques, reporting,
escalation and communication plan.
2.13.20 Bank shall ensure that audits involving checks on production systems and networks are
carefully planned in conjunction with management to minimize the risk of disruption.
2.13.21 Bank shall ensure that audit requirements are discussed with management before deciding the
audit scope.

2.13.22 Bank shall ensure that any access granted to the auditors other than read-only access shall be
disabled immediately after completion of the audit.
2.13.23 Bank shall ensure that appropriate confidentiality and non-disclosure agreements are signed with
the external auditors.
2.13.24 Bank shall ensure the independence of the audit team from the operations team.
2.13.25 Bank shall ensure that audit tools, if any, used by or provided to the auditors, are protected
against misuse and unauthorized access.
2.13.26 Bank shall ensure that review and audit results, along with corrective actions, are documented.
The audit report shall be submitted to the IT Department, CISO and ISC.
2.13.27 Exceptions to audit observations shall be reviewed and recommended or rejected by the
Information Security Technical Committee (ISTC) and approved by the Information Security
Committee (ISC).
2.13.28 CISO shall confirm that mitigating controls are adequate for those audit observations for which
exceptions are sought. No exception shall be granted for observations that lack adequate
mitigating controls.
2.13.29 Where suitable skill sets are not available internally for a detailed assessment of specialized
audit points (for example, mobile application or other domain-specific observations), the services
of an external agency or the existing auditor may be used to confirm that the justification and
mitigating controls offered for the exception are adequate.
2.13.30 The concerned department shall ensure that all audit observations granted an exception are
revisited quarterly, and a consolidated review of them shall be placed before the ISC each
quarter.
Data Privacy Compliance

2.13.31 Bank shall define and enforce policies to comply with the data privacy laws and regulations
prescribed by the government or regulator in the jurisdictions in which SIB operates.
2.13.32 Bank shall ensure that privacy policies and procedures are reviewed in line with the requirements
of applicable laws and regulations at least annually or whenever changes to such laws and
regulations are made.

2.14 Operations Security

Purpose: The purpose of this policy is to ensure that IT operations are performed in an effective and secure
manner, safeguarding the confidentiality, integrity and availability of information assets.

Scope: The scope of this policy covers the day-to-day processes pertaining to information assets supporting
the business operations.

Backup and Restoration:

2.14.1 Bank shall ensure that a backup schedule is defined including but not limited to type of backup,
frequency of backup and archival, and type of backup media depending on the criticality of
information asset.
2.14.2 Bank shall ensure that all information assets are backed up on a periodic basis as per the defined
backup schedule.
2.14.3 Bank shall ensure that backups are stored in encrypted form and that access to backup data is
restricted to authorized users.
2.14.4 Bank shall ensure that storage media containing backup data is kept in a secure physical vault
away from the primary storage location.
2.14.5 Bank shall ensure that a data retention schedule is defined which is aligned with the regulatory
and statutory requirements. Bank shall ensure that backup data is retained as per the retention
schedule.
2.14.6 Bank shall ensure periodic restoration testing is performed for backup data to ensure backups can
be retrieved and restored in a timely manner.
2.14.7 Bank shall ensure that standard operating procedures covering the backup and restoration process
for information assets are defined, documented and followed.
Software Management

2.14.8 Bank shall ensure that a process is in place for the effective management, optimization, control
and protection of software assets throughout all stages of their lifecycle.
2.14.9 Bank shall ensure that procurement of software is in line with the Bank's purchase policy.
2.14.10 Bank shall ensure that purchased software in the Bank's environment has appropriate licenses
in place.
2.14.11 Bank shall ensure that an updated inventory of all inhouse developed and third-party software is
maintained and reviewed on a periodic basis.
2.14.12 Bank shall ensure that software asset inventory shall include all the details as per the Asset
Management Policy.
2.14.13 Bank shall ensure that an authorized list of software is maintained and updated on a periodic basis.
2.14.14 Bank shall ensure that application whitelisting is implemented across information assets.
2.14.15 Bank shall ensure that controls are designed and implemented to prevent unauthorized
installations of software.
2.14.16 Bank shall ensure that criticality level is defined for all application software based on Business
Impact Analysis (BIA).
2.14.17 Bank shall ensure that any changes to the software follows change management process and
appropriate version details are maintained.

2.14.18 Bank shall ensure that software disposal is performed by authorized individuals and any Bank’s
data is securely overwritten prior to asset disposal based on defined information disposal
procedures.
Antivirus Management

2.14.19 Bank shall ensure that an antivirus / antimalware application is installed across information assets.
2.14.20 Bank shall ensure that the antivirus / antimalware application is updated with the latest signatures.
2.14.21 Bank shall ensure that all information assets are scanned for viruses, trojans and other malicious
code on a periodic basis.
2.14.22 Bank shall ensure that external / removable / portable devices are scanned for malware before
the device is connected to the Bank's network.
2.14.23 Bank shall ensure that servers, desktops and laptops do not have the auto-run feature enabled for
executing content from removable media.
2.14.24 Bank shall ensure that a mechanism is implemented to move malware-infected information
assets to quarantine.
2.14.25 Bank shall ensure that antivirus management is limited to authorized individuals and that users are
not allowed to make changes to the antivirus agent installed on endpoints.
Secure Configuration Management

2.14.26 Bank shall ensure that a minimum security baseline is defined and documented for all
information assets including but not limited to servers, workstations, network devices and
databases.
2.14.27 Bank shall ensure that the minimum security baseline is in line with industry best practices and
applicable regulatory / statutory requirements.
2.14.28 Bank shall ensure that the minimum security configuration parameters are implemented for all
information assets including but not limited to servers, workstations, network devices and
databases.
2.14.29 Bank shall ensure that minimum security configuration parameters are tested in a test
environment before being implemented in the production environment.
2.14.30 Bank shall ensure that periodic compliance assessment is performed on information assets to
verify that the minimum security configuration requirements are met.
Virtualization

2.14.31 Bank shall ensure that creation of a new guest virtual machine (VM) on a hypervisor is approved
based on the information classification and application criticality of the other VMs already
present on that host.

2.14.32 Bank shall set limits on the use of resources (e.g., processors, memory, disk space, virtual network
interfaces) for each Virtual Machine (VM).
2.14.33 Bank shall perform operating system hardening for servers designated for virtualization.
2.14.34 Bank shall ensure that volumes or disk partitioning are used to prevent inadvertent denials of
service from VM (guest operating systems, OSs) filling up available space allocations, and allow
role-based access controls to be placed individually on each VM (guest OS).
2.14.35 Bank shall ensure that host and guests use synchronized time for investigative and forensic
purposes.
2.14.36 Bank shall ensure that all unnecessary programs are uninstalled, and all unnecessary services are
disabled, in the hypervisor.
2.14.37 Bank shall ensure that the host operating system is patched regularly and in a timely fashion in
accordance with the Bank's patch management procedure, so that it properly protects the system
itself and the guest OSs. The same patching requirements shall also apply to the hypervisor.
2.14.38 Bank shall control whether individual VMs may, directly or indirectly, access peripheral devices
attached to the host system. VMs shall be configured by default to disable such connections;
connections to peripheral devices shall be enabled only when necessary.
2.14.39 Bank shall ensure that virtual devices for guest OSs are associated with the appropriate physical
devices on the host system, such as the mapping between virtual network interface cards (NICs)
to the proper physical NICs.
2.14.40 Bank shall ensure that virtual systems are regularly backed-up based on backup policy for
recovery.
2.14.41 Bank shall carry out logging and monitoring of activities over virtual environment along with
correlation of server and network logs across virtual and physical infrastructures.
2.14.42 Bank shall ensure that network access for the hypervisor is restricted to management services
only.
2.14.43 Bank shall ensure that dedicated VLAN is in place for all hypervisors.
Data Migration

2.14.44 Bank shall ensure that a mechanism is implemented to safeguard information and business
operations while performing migration of data across varied technology platforms.
2.14.45 Bank shall ensure that a risk assessment is performed before the data migration activity for
critical applications.
2.14.46 Bank shall ensure that a detailed migration plan is developed and approved prior to the planned
migration activity.

2.14.47 Bank shall ensure that the migration plan documents pre-migration and post-migration activities,
roles and responsibilities, fallback plans and completion timelines.
2.14.48 Bank shall ensure that approval is received from respective stakeholders before implementation
of migration plan.
2.14.49 Bank shall ensure that information assets are sanitized before the planned migration activity.
2.14.50 Bank shall ensure the completeness, accuracy, confidentiality, consistency, integrity, availability and
continuity of data, and validate the data conversion, before, during and after a migration.
2.14.51 Bank shall perform a post migration review to ensure that missing/incomplete data is managed
and reported.
2.14.52 Bank shall ensure that post-migration validation is performed to verify that the data has been
migrated as intended, and the access-rights and folder permissions for the data are replicated.
2.14.53 Bank shall ensure that the migrated data is tested and validated for accuracy, and the entire data
migration process meets the policy requirements outlined during planning stage.
2.14.54 Bank shall ensure that information asset owner maintains the last copy of data before migration
and first copy after migration separately in an archive for further reference.

2.15 Logging and Monitoring

Purpose: The purpose of this policy is to ensure that events on information assets are logged, monitored
and reviewed in an effective manner, and that logs are securely stored as per the retention requirements.

Scope : Scope of this policy covers logging and review of logs originating from information assets across
the Bank.

General Requirements

2.15.1 Bank shall ensure that all stakeholders are consulted before finalizing the scope, frequency and
storage of log collection.
2.15.2 Bank shall ensure that information assets providing critical services or processing / storing
confidential information log essential security and operational events, including but not limited
to user access to sensitive and confidential information, privileged user access, invalid login
attempts, faults, configuration changes, alerts generated by access control systems and records
of transactions generated.
2.15.3 Bank shall ensure that system logs capture information including but not limited to date and
timestamp, source address, destination address and other relevant packet/transaction/event
information elements.

2.15.4 Bank shall ensure that procedure for performing log monitoring and review is defined and
implemented to identify suspicious events and unusual activity patterns within Bank’s IT
environment.
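A log review procedure of the kind 2.15.2 to 2.15.4 call for needs, at minimum, a completeness check on each record and detection logic for the event classes the policy singles out. The following is an added example written for this page, not code from the Bank or its tooling: it runs over constructed sample log lines, rejects records missing the fields 2.15.3 requires (timestamp, source address, destination address, event), flags a burst of invalid login attempts from one source, and collects privileged-user activity for review. The line format and the field names (src, dst, user, event, priv), the threshold of five failures in five minutes and the set of privileged accounts are all assumptions made for the example.

```python
"""Log review over constructed sample lines (added example, not Bank tooling).

Checks: (1) every record carries the fields the policy requires;
        (2) bursts of invalid logins from one source/user are surfaced;
        (3) privileged-user activity is collected for periodic review.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real bank data. Line 9 deliberately lacks 'dst'.
SAMPLE_LOG = """\
2021-07-22T09:00:01Z src=10.1.2.3 dst=10.9.0.10 user=jdoe event=login_failed
2021-07-22T09:00:04Z src=10.1.2.3 dst=10.9.0.10 user=jdoe event=login_failed
2021-07-22T09:00:06Z src=10.1.2.3 dst=10.9.0.10 user=jdoe event=login_failed
2021-07-22T09:00:09Z src=10.1.2.3 dst=10.9.0.10 user=jdoe event=login_failed
2021-07-22T09:00:10Z src=10.1.2.3 dst=10.9.0.10 user=jdoe event=login_failed
2021-07-22T09:15:00Z src=10.1.2.7 dst=10.9.0.10 user=asmith event=login_ok
2021-07-22T09:16:30Z src=10.1.2.9 dst=10.9.0.12 user=root event=login_ok priv=1
2021-07-22T09:17:00Z src=10.1.2.9 dst=10.9.0.12 user=root event=config_change
2021-07-22T09:20:00Z src=10.1.2.5 user=bwong event=login_failed
"""

REQUIRED_FIELDS = ("ts", "src", "dst", "event")   # per 2.15.3 (assumed names)
FAILED_LOGIN_THRESHOLD = 5                         # assumed tuning values
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
PRIVILEGED_USERS = {"root", "Administrator"}       # assumed privileged accounts


def parse_line(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict; ts is a datetime."""
    ts_text, _, rest = line.partition(" ")
    record = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for token in rest.split():
        key, _, value = token.partition("=")
        record[key] = value
    return record


def parse_log(text):
    """Return (records, incomplete): records that carry every required field,
    and the 1-based line numbers of records that do not."""
    records, incomplete = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        record = parse_line(line)
        if all(field in record for field in REQUIRED_FIELDS):
            records.append(record)
        else:
            incomplete.append(lineno)
    return records, incomplete


def detect_failed_login_bursts(records, threshold=FAILED_LOGIN_THRESHOLD,
                               window=FAILED_LOGIN_WINDOW):
    """Sliding window per (source, user): one alert when `threshold` failed
    logins fall within `window`. Returns (alert_type, src, user, time) tuples."""
    alerts = []
    attempts = defaultdict(list)
    for record in sorted(records, key=lambda r: r["ts"]):
        if record["event"] != "login_failed":
            continue
        key = (record["src"], record.get("user", "?"))
        hits = attempts[key]
        hits.append(record["ts"])
        # Drop attempts that have aged out of the window.
        while hits and record["ts"] - hits[0] > window:
            hits.pop(0)
        if len(hits) >= threshold:
            alerts.append(("failed_login_burst", key[0], key[1], record["ts"]))
            hits.clear()  # one alert per burst, not one per extra attempt
    return alerts


def privileged_access_events(records, privileged=PRIVILEGED_USERS):
    """Every record attributable to a privileged account (for review per 2.15.9)."""
    return [r for r in records if r.get("user") in privileged or r.get("priv") == "1"]


def review(text):
    """Run all checks over a log text and return a summary dict."""
    records, incomplete = parse_log(text)
    return {
        "records": len(records),
        "incomplete_lines": incomplete,
        "alerts": detect_failed_login_bursts(records),
        "privileged_events": len(privileged_access_events(records)),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The incomplete-record check matters as much as the alerting: a log source that silently drops the destination address cannot support the correlation 2.14.41 and 2.15.4 expect, so the reviewer should treat such lines as a logging defect to be raised with the asset owner, not discarded.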
2.15.5 Bank shall ensure that log rotation and backup process is defined and implemented.
2.15.6 Bank shall put in place adequate measures to ensure logs are protected from unauthorized access
and tampering.
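One concrete way to make archived logs tamper-evident, as 2.15.6 requires, is an HMAC hash chain: each stored line carries a tag computed over the previous tag and the line, under a key that the log archive service holds and the monitored systems do not. The following is an added example for this page, not the Bank's own implementation; the key, the sample lines and the chain layout are constructed for illustration. Editing, reordering or deleting a line breaks every tag from that point on, and truncation of the tail is caught by comparing the final tag with a head value kept separately (for example in the SIEM).

```python
"""Tamper-evident log archive with an HMAC hash chain (added example).

tag_i = HMAC-SHA256(key, tag_{i-1} || line_i), with a fixed genesis tag.
"""
import hashlib
import hmac

GENESIS = b"\x00" * 32  # tag "before" the first entry

# Constructed demo key. In practice the key lives only on the archive service.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample lines, not real bank logs.
SAMPLE_LINES = [
    "2021-07-22T09:00:01Z src=10.1.2.3 dst=10.9.0.10 user=jdoe event=login_failed",
    "2021-07-22T09:00:04Z src=10.1.2.3 dst=10.9.0.10 user=jdoe event=login_failed",
    "2021-07-22T09:16:30Z src=10.1.2.9 dst=10.9.0.12 user=root event=config_change",
]


def _tag(key, prev_tag, line):
    """HMAC over the previous tag concatenated with the current line."""
    return hmac.new(key, prev_tag + line.encode("utf-8"), hashlib.sha256).digest()


def chain_entries(lines, key):
    """Archive `lines` as a list of (line, tag_hex) pairs linked by HMAC tags."""
    entries, prev = [], GENESIS
    for line in lines:
        tag = _tag(key, prev, line)
        entries.append((line, tag.hex()))
        prev = tag
    return entries


def verify_chain(entries, key, head=None):
    """Return None if the chain verifies, otherwise the index of the first bad
    entry. If `head` (hex of the expected final tag) is supplied, a chain that
    is internally consistent but shorter than expected returns len(entries)."""
    prev = GENESIS
    for index, (line, tag_hex) in enumerate(entries):
        expected = _tag(key, prev, line)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return index
        prev = expected
    if head is not None and not hmac.compare_digest(prev.hex(), head):
        return len(entries)
    return None


if __name__ == "__main__":
    archived = chain_entries(SAMPLE_LINES, DEMO_KEY)
    head = archived[-1][1]
    print("intact:", verify_chain(archived, DEMO_KEY, head))
    edited = list(archived)
    edited[1] = (edited[1][0].replace("login_failed", "login_ok"), edited[1][1])
    print("edited line 1 detected at index:", verify_chain(edited, DEMO_KEY, head))
    print("tail dropped detected at index:", verify_chain(archived[:-1], DEMO_KEY, head))
```

The chain only proves something if the key is unavailable to whoever could alter the archive: a log server operator with the key can rewrite history and recompute tags, so the key belongs in an HSM or a separate service, and the head tag should be published to a second system at each rotation. The chain also does nothing for lines lost before they reach the archive, which is why 2.15.7 separately requires a secure transport from the source system.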
2.15.7 Bank shall implement secure mechanisms for transporting log data from the source system to the
centralized log management servers.
2.15.8 Bank shall ensure that logs are retained as per the retention period stipulated by regulatory
bodies.
2.15.9 Bank shall ensure that system administrator activity logs of critical systems are monitored and
reviewed on a periodic basis.
2.15.10 Bank shall ensure that logs of critical information systems have a synchronized timestamp,
provided by an NTP server.
2.15.11 Bank shall ensure that the level of monitoring required for individual systems is determined by
considering factors including but not limited to the criticality of the applications, the sensitivity or
criticality of the information handled, and the information security threat and vulnerability levels.
2.15.12 Bank shall ensure that log monitoring activities and reports are reviewed by respective
stakeholder on a periodic basis.
2.15.13 Bank shall ensure that clear set of roles and responsibilities are defined and followed for log
monitoring and review activities.
2.15.14 Bank shall ensure that logs are stored in a secure manner to enable forensic investigation.
2.15.15 Bank shall ensure that security policies and operational procedures for security monitoring &
logging are documented, in use, and known to all affected parties.

2.16 Physical and Environmental Security

Purpose : Purpose of this policy is to ensure physical access to Bank's premises and supporting
infrastructure is controlled to prevent, detect and minimize the risk of unauthorized physical access and
damage due to environmental hazards.

Scope : Scope of this policy covers information assets located across all Bank’s locations.

General Requirements

2.16.1 Bank shall ensure that physical security for information processing facilities is designed and
implemented with appropriate controls.
2.16.2 Bank shall ensure that information processing facilities are protected with appropriate and
relevant security perimeter controls, including but not limited to:
• Use of walls, windows and doors, protected with bars, locks, alarms and adequate lighting.
• Use of appropriate intrusion detection systems, such as motion and perimeter alarms, and audio
and video surveillance.
• Use of manned reception areas or lock/ID systems to control passage into restricted areas.
• Measures designed with sufficient redundancy that a single point of failure does not
compromise security.
2.16.3 Bank shall ensure that appropriate entry controls are implemented at the physical security perimeter
to detect and prevent unauthorized physical access to information processing facilities. The
security controls shall include, but not be limited to:
• Entry authentication mechanisms (e.g. biometric access, keycard and PIN).
• Recording of the date/time of entry and exit, or video recording of activities in the entry/exit
areas.
• Requirement for authorized personnel to wear visible identification, and to report persons
without such identification.
• Appropriate authorization and monitoring procedures for third-party personnel who need to be
given access to restricted areas.
• Periodic review and monitoring of access rights.
• Revocation of access rights when no longer required.

2.16.4 Bank shall ensure that guidelines for working in secure areas are defined and implemented.
2.16.5 Bank shall ensure that adequate physical security measures are implemented to safeguard the data
center and information storage facilities. The security measures may include, but are not limited
to:
• Restricting access to authorized individuals.
• Revoking access immediately when no longer required.
• Ensuring an appropriate notification mechanism and approval for staff members requiring
temporary access.
• Maintaining a register/log of visiting personnel.
• Displaying signs prohibiting food, cigarettes or drinks within the data center.
• Maintaining appropriate HVAC (heating, ventilation and air-conditioning) controls, adequate CCTV
surveillance, appropriate physical security systems and other security mechanisms/controls.
• Deploying an adequate fire prevention mechanism.

2.16.6 Bank shall ensure that loading and unloading area is separated from information processing
facilities.
2.16.7 Bank shall ensure that a mechanism is implemented to inspect all inward and outward material
movement, and that a separate material movement register is maintained.
2.16.8 Bank shall ensure controls to minimize physical threats to assets (e.g., theft or damage from
vandalism, fire, water, dust, smoke, electrical supply variance) and isolate items requiring special
protection.
2.16.9 Bank shall ensure that cables carrying sensitive information or supporting services shall be
protected from interference or damage.
2.16.10 Bank shall ensure that periodic preventive maintenance is performed on equipment, and that
maintenance is performed only by authorized employees or contracted third parties.
2.16.11 Bank shall ensure that records are maintained of the periodic preventive maintenance
performed on equipment.
2.16.12 Bank shall ensure that fire alarms are tested half-yearly for branches and administrative buildings,
and that a record of the test is maintained. In addition, fire and evacuation drills, including
automatic deactivation of access control devices, shall be conducted annually for administrative
buildings. Government regulations and directions shall be followed during fire drills.
2.16.13 Bank shall ensure that critical information processing facilities have an uninterrupted power supply.
2.16.14 Bank shall ensure that information assets are removed or taken off-site only after receiving
approval from authorized stakeholders.
2.16.15 Bank shall ensure that unused and unattended equipment is protected from theft or misuse.
2.16.16 Bank shall ensure that mechanisms are implemented to prevent piggybacking and tailgating into
the data center.
2.16.17 Bank shall ensure that persons are frisked before entering the data center.
2.16.18 Bank shall ensure that emergency response team is established, and adequate training is
provided to the team members where possible.
2.16.19 Bank shall ensure that emergency evacuation plan is defined and documented.

2.16.20 Bank shall ensure that emergency exit signage, emergency contact numbers, emergency
evacuation plans and the floor plan are displayed in the data center.
2.16.21 Bank shall ensure that visitors are escorted by a Bank employee for the entire duration of their
physical access to the data center.
2.16.22 Bank shall ensure that no signage revealing the identity of a secure area is displayed outside it.
2.16.23 Bank shall ensure that screens of information systems used to handle sensitive information,
irrespective of location, are positioned such that unauthorized persons cannot look over the
shoulder of the person using the workstation.

2.17 Risk Management

Purpose: The objective of this policy is to provide guidance on risk assessment (risk identification, analysis
and evaluation), risk treatment, risk acceptance, risk monitoring, risk communication and detailing the
appropriate information security controls that shall be implemented for securing information assets as
well as personnel.

Scope: The scope of the policy covers risk assessment (risk identification, analysis and evaluation), risk
treatment, risk acceptance and risk monitoring which applies to SIB.
Risk Identification and Risk Assessment

2.17.1 Bank shall identify information assets and supporting assets (e.g. networks, servers, applications,
data centers, tools, etc.) along with their risk owners within the organization, and create a risk
profile for each asset by assessing its criticality to business operations.
2.17.2 The risk profile of each asset shall consider the underlying threats, vulnerabilities, likelihood of
occurrence of the risk, and the business impact associated with the asset.
2.17.3 Bank shall conduct risk assessments that identify, quantify and prioritize risks based on the
objectives relevant to the organization. The risk assessment results shall guide and determine
the appropriate management action and priorities for managing information security risks and
for implementing the controls selected to protect against these risks.
2.17.4 Bank shall document risk assessment procedure which shall include the systematic approach of
assessment and treatment of the risks.
2.17.5 Risk assessments shall be conducted at least annually and upon significant changes to the
environment, including but not limited to the following scenarios:
• When new systems are implemented, or applications are developed or acquired
• When critical business processes or procedures that can impact information security are changed
• When there are changes to IT infrastructure
• Whenever there is a change in the internal or external context of the organization
• When new suppliers/third parties are being evaluated for services
• When new services are taken from existing suppliers
• When business is expanded to new geographic locations
• When there is a request from a customer, regulator, investor or any other interested party
• Before a merger or an acquisition
• After any security incident with a high classification is reported
2.17.6 Bank shall ensure that each of the information security risk assessment has a clearly defined scope.
The scope of a risk assessment can be either the whole organization, parts of the organization, an
individual information system, specific system components, or services where this is practicable
and realistic.

Risk Treatment

2.17.7 Bank shall decide upon the approach to address significant risks identified by the risk assessment.
The possible options for risk treatment are:
• Risk Mitigation - Applying appropriate information security controls to reduce the risks.
• Risk Transfer - Transferring risks to other parties, e.g. insurers, business partners or other third
parties.
• Risk Avoidance - Avoiding risks by not allowing, avoiding or preventing the actions and situations
that would cause the risks to occur.
• Risk Acceptance - Knowingly accepting risks, in line with the Risk Acceptance Policy.
2.17.8 Bank shall document the Information Security Risk Treatment Plan, consisting of the
implementation details along with the responsibilities assigned for implementing the
recommended treatment. The plan shall also clearly state the expected closure date.
2.17.9 Bank shall obtain approval from the risk owners as well as the ISC for finalization of the risk
treatment plan.
2.17.10 Bank shall periodically review progress against the Risk Treatment Plan.
2.17.11 Bank shall ensure that risks are reduced to an acceptable level, taking into account the following:
• Bank's objectives and policies
• Regulatory requirements
• Operational constraints
• Cost of implementation and operation of the controls in relation to the risks being reduced,
while remaining in line with the organization's requirements and constraints

Risk Acceptance

2.17.12 Bank shall ensure that the organizational risk tolerance is determined and clearly expressed.
2.17.13 Bank shall obtain and document management acceptance of a risk when an information security
risk cannot be mitigated due to lack of practically implementable mitigation controls or the cost
of the control is not viable.
2.17.14 Bank’s management shall provide the risk acceptance only for a specific period of time.
2.17.15 Bank shall assess a risk by its potential impact on the Bank's infrastructure, data integrity and
possible loss of reputation prior to accepting it. The risk owner is responsible for ensuring that the
risks under his/her ownership are managed properly.
Risk Ownership

2.17.16 Bank shall ensure that risk ownership is defined for accountability and management of risks. The
ultimate responsibility of organizational risk shall remain with ISC.
2.17.17 Bank shall ensure that respective department head acts as the risk owner if the risk is pertaining
to a specific department.
2.17.18 Risk owners shall be responsible for the following:
• Assuming ownership of the risks pertaining to their information asset(s).
• Being accountable for ensuring that appropriate controls, commensurate with the security
classification level, are maintained and that the risks associated with the assets are managed.
• Communicating newly identified risks to the CISO.
• Communicating the progress of the risk treatment plan to the CISO and the ISMS team.
Risk Monitoring and Communication

2.17.19 Bank shall ensure that risk owners provide periodical updates, as required, to the Chief
Information Security Officer regarding the progress made in reducing/removing risks. This
information shall be used to update the Risk Register which is the source of monitoring reports
for the ISC.
2.17.20 The ISC shall be responsible for the on-going monitoring and review of the Risk Assessment
Strategy and the effectiveness of the risk management processes.

2.18 Information Systems Acquisition, Development and Maintenance

Purpose: The purpose of the policy is to establish guidelines for building security practices and controls
into development/implementation life cycle of information systems and software.

Scope: The scope of the policy applies to:
• All users (including but not limited to employees, contractors and vendors) at all locations of SIB
having access to SIB's digital information;
• All SIB owned or managed information assets; and
• Any non-SIB information asset connected to a SIB owned or managed network.
Requirements Analysis and Specification, and Securing Transactional Services on Public Networks

2.18.1 Bank shall identify, document, justify and agree with the business process owner the security
requirements during the requirements gathering and analysis phase of acquisition, development
or change of information systems. Security requirements such as the following, but not limited to,
shall be identified:
• User authentication requirements
• Access/authorization controls
• Privileged-access management
• Protection of information assets
• Logging and monitoring
• Encryption of data in storage/in transit
• Session management
• Input/output management
2.18.2 Bank shall ensure that publicly accessible systems are tested comprehensively using vulnerability
assessment and penetration testing methods.
2.18.3 Bank shall ensure that end-user authentication/authorization data and information involved in
application processing are protected from fraudulent activity, unauthorized disclosure and
unauthorized modification when transferred over public networks.
2.18.4 Bank shall ensure that systems facilitating direct interaction with customers for carrying out
transactions are designed to protect the confidentiality and integrity of information. Access over
public networks shall be protected using secure protocols.
2.18.5 Bank shall ensure that logs are generated, analyzed and monitored, and that they capture details
such as the user's IP address, referrer, date and time, and transaction details.


Protecting Application Services Transactions

2.18.6 Bank shall have a standard development process which ensures that functional, security,
performance and applicable statutory, legal and regulatory requirements are met for in-house
and outsourced software development / customization.
2.18.7 Bank shall ensure secure programming techniques are used both for new developments and in
code re-use scenarios.
2.18.8 Bank shall employ secure coding practices for all software developed by internal teams, and these
practices shall be formally documented. Code shall be reviewed against the secure coding
standards and applicable coding standards.
2.18.9 Bank shall obtain assurance that the external party complies with secure coding standards, as per
industry best practices, where development activity is outsourced.

System Change Control requirements

2.18.10 Bank shall document a formal change control process and enforce it to ensure the integrity of
systems, applications and products, from the early design stages and throughout the whole
lifecycle.
2.18.11 Bank shall ensure testing of new software is performed in an environment segregated from
both the production and development environments.
2.18.12 Bank shall ensure personnel are given access only to those parts of the system necessary for
their task / activity, so that existing security and control procedures are not compromised.
2.18.13 Bank shall perform a post implementation review with inputs from business users and the
development team.
2.18.14 Bank shall ensure operating system changes for business critical systems are reviewed and tested
to ensure no adverse impact on the functionality and security of all applications hosted on that
operating system.

Restriction to Change Software Package

2.18.15 Bank shall ensure modification to software packages is restricted and limited to authorized
personnel. Access rights to modify software packages shall not be given to end users.
2.18.16 Bank shall maintain a list of approved licensed and freeware software along with corresponding
versions.
2.18.17 Bank shall ensure all requests for software, application installation, troubleshooting and
hardware issues for all devices are managed by an authorized team.
2.18.18 Bank shall employ a software update management process to ensure the most up-to-date
approved patches and application updates are installed for all authorized software.

Secure Development


2.18.19 Bank shall ensure secure development environments are established. Secure development
procedures shall be documented, approved and implemented.
2.18.20 Bank shall have a process to analyze the sensitivity of data to be processed, stored and
transmitted by the system prior to development.
2.18.21 Bank shall ensure regulatory, legal and statutory compliance requirements are considered during
the system development lifecycle.
2.18.22 Bank shall ensure developers do not have write / update access to production systems.
2.18.23 Bank shall ensure transfer of software from development to test and from test to production
follows a controlled procedure, so that only software that has undergone testing can be
released to production.
2.18.24 Bank shall ensure compilers, editors, and other development / testing tools or system utilities are
not accessible from production systems or to production personnel.

Outsourced Development

2.18.25 Bank shall assess the requirement for outsourcing any software development services that
support business processes to third parties.
2.18.26 Bank shall ensure all outsourcing arrangements have a well-defined service level agreement (SLA)
that specifies information security requirements & controls, service levels and the liability of third
parties in case of SLA violations. Third parties shall demonstrate compliance with all SLA
requirements. Important factors such as data protection, forensic capabilities, non-repudiation,
right to audit, intellectual property rights and copyright should be part of the SLA.
2.18.27 Bank shall ensure all outsourcing contracts are reviewed for compliance with legal, regulatory,
statutory and contractual obligations.
2.18.28 Bank shall ensure controls are put in place so that critical data, including customer information,
held by the outsourced third party is used for the intended purpose only and is not lost or
shared.
2.18.29 Bank shall ensure ownership of and responsibilities for software, hardware, personnel or
documents are documented in the contract, and third parties shall have processes to execute
custodial responsibilities.
2.18.30 Bank shall ensure continuity of service from the original third party through a contract signed for
support after transition. It may include technical support on queries, support on process
implementation or, in the case of software, a provision for future upgrades.
2.18.31 Bank shall ensure escrow agreements are in place for critical applications based on the
categories defined by the Bank.


2.18.32 Bank shall ensure engagement of any other entity by the third party has the prior consent of
the Bank, and relevant clauses binding the other entity equally, at par with the third party's
liability to the Bank, shall also be made part of the SLA between the third party and the other
entity.

System Security Testing

2.18.33 Bank shall ensure a testing strategy is defined based on the system and type of development to
ensure confidentiality and integrity of the information (end to end).
2.18.34 Bank shall ensure system security testing is performed based on test plans developed
considering the security requirements defined in the System Requirement Specification (SRS)
and design documents.
2.18.35 Bank shall ensure test plans for system security testing are reviewed and approved. Testing shall
be carried out before and after deployment of all applications.
2.18.36 Bank shall ensure acceptance testing is undertaken (both for in-house and for outsourced
developments) to ensure that the system works as expected.

System Acceptance Testing

2.18.37 Bank shall ensure system acceptance testing is performed based on test plans considering
the functional and performance requirements of the system.
2.18.38 Bank shall ensure testing is performed in an appropriate test environment to validate that the
system will not introduce vulnerabilities into the Bank’s environment and that the tests are
reliable.
2.18.39 Bank shall ensure system acceptance testing includes testing of information security
requirements and adherence to secure system development practices.

Protection of Test Data

2.18.40 Bank shall ensure access control procedures are applied to development and test systems.
2.18.41 Bank shall ensure test data used for testing is carefully selected, sanitized, protected and
controlled.
2.18.42 Bank shall ensure separate approval is obtained each time operational information is copied to a
test environment.
2.18.43 Bank shall ensure operational information is erased from test environments immediately after
the testing is complete.


2.19 Third Party Security

Purpose: The purpose of the policy is to ensure that information security risks related to outsourcing of
services to third parties are assessed and managed at an acceptable level.

Scope: The scope of the policy applies to:


 All users (including but not limited to employees, contractors, and vendors) at all locations
of SIB and having access to SIB digital information and office premises;
 All SIB owned or managed information assets;
 Any non-SIB information assets that are connected to a SIB owned or managed network; and
 Any type of contractual or other arrangement (agreement/s) between SIB and third party
vendors.

Addressing security within third party agreements

2.19.1 Bank shall ensure the requirement for third parties to comply with Bank's Information Security
Policy and relevant procedures is included in the third party contract and agreed with each third
party that may access, process, store, communicate, or provide IT for Bank's information
assets. For guidelines on managing outsourcing in general, the IT outsourcing procedure may be
referred to.
2.19.2 Bank shall ensure the agreement addresses the third party's responsibility for security and
confidentiality of Bank's information assets.
2.19.3 Bank shall ensure background verification requirements for the employees of the third party are
included and mandated as a requirement in the third-party contract.
2.19.4 Bank shall ensure handling of incidents and contingencies associated with third party access is
included in the responsibilities of both the Bank and the third party.
2.19.5 Bank shall ensure legal and regulatory requirements, including data protection, intellectual
property rights and copyright, are included in the third party agreements.


2.19.6 Bank shall ensure the entire data relating to payment systems operated by third party providers is
stored in systems only in India as per regulatory requirements. This data shall include the full end-
to-end transaction details / information collected / carried / processed as part of the message /
payment instruction.
2.19.7 Bank shall ensure that processing or data sharing with third parties complies with the applicable
laws.
2.19.8 Bank shall ensure the service description and acceptable and non-acceptable levels of service are
captured in the agreement with third party service providers.
2.19.9 Bank shall ensure all the relevant regulations for sub-contracting, including the controls that need
to be implemented, are included in the third-party agreements.
2.19.10 Bank shall ensure the right to audit the third party's facilities, processes and controls related to
the engagement is mentioned in the third-party agreement.
2.19.11 Bank shall ensure third party agreements include confidentiality clauses or NDAs (non-disclosure
agreements), where applicable, and the same shall be vetted by the Legal Department.
2.19.12 Bank shall maintain a list of third parties along with the services performed by each outsourced
vendor.
2.19.13 Bank shall ensure the agreement includes clauses for indemnification against any liabilities
arising on account of a breach of the information security requirements.
2.19.14 Bank shall ensure that the agreement with the third party is binding upon the third party not to
enter into any business relationships with entities blacklisted by the Bank for services related to
the Bank.
2.19.15 Bank shall ensure that applications and tools from the third party are subject to security review
before they are installed in Bank's production environment.

Security Training

2.19.16 Bank shall provide security awareness to onsite third-party personnel involved in third party
relationship management.
2.19.17 Bank shall keep track of third-party training records and confirmation of adherence to Bank’s
Information Systems Acceptable Use Policy.
2.19.18 Bank shall define metrics for periodically measuring the performance and effectiveness of the
information security awareness level of onsite third-party personnel.


Third Party Access

2.19.19 Bank shall ensure access to Bank’s systems for a third party is granted after the necessary
documentation (NDA, contracts) is signed and acknowledged by both the Bank and the third party.
2.19.20 Bank shall ensure a unique user ID is created for each user if multiple users from the same third
party need access.
2.19.21 Bank shall ensure a user registration and revocation process is established for third parties
wherever a user ID is required.
2.19.22 Bank shall ensure third party personnel are supervised by Bank staff at branches / offices if they
have been provided physical access to the server room for any troubleshooting.
2.19.23 Bank shall ensure third party personnel are escorted into the data center and other areas within
Bank premises only after proper authorization formalities have been completed.
2.19.24 Bank shall ensure third party access to premises is restricted to the respective departments.
2.19.25 Bank shall ensure physical and logical access requests for third party personnel are approved
by the designated authority. The access approval shall contain the duration of access and the
necessary privileges.
2.19.26 Bank shall ensure third party devices (e.g. laptops / tablets / cell phones) or any other end points
are not allowed to connect to Bank’s network without explicit and individual device permissions.
2.19.27 Bank shall ensure external networks that are required to be permanently connected to the Bank's
network are separated by a firewall.
2.19.28 Bank shall ensure that, for third parties connecting remotely for privileged activities, the entire
session is recorded and periodically reviewed by authorized personnel.
2.19.29 Bank shall ensure that remote access is provided to vendors in the Bank’s Dev/UAT environments
using a secure VPN or other solutions provided by the Bank, with a recording option using an
appropriate security solution to facilitate activity logging.
2.19.30 Bank shall provide access to production environments only in emergency situations, using secure
Webex or other solutions with the recording / activity logging feature utilizing an appropriate
security solution, and with the session controlled and monitored by Bank staff.

Monitoring and Review of Third-Party Services

2.19.31 Bank shall regularly monitor and review third party service delivery and conduct audits of third
parties from a security perspective, at least annually.
2.19.32 Bank shall review and update third party agreements on a periodic basis, at least annually.

Transition of Activities

2.19.33 Bank shall ensure transition of activities from the Bank to a third party is controlled and monitored.


2.19.34 Bank shall make fall-back arrangements / contingency plans commensurate with the criticality of
the outsourced activity and the risk of its failure. Fall-back arrangements including but not limited
to the following should be considered:
 Maintain documentation of all processes, and maintain backups of critical data and
applications with itself
 Split critical activities across third parties
 Maintain scaled-down facilities in-house
 Reciprocal arrangements with other Banks / third parties for sharing of hardware, software
or services in contingencies
 Ensure critical data including customer information is not lost or shared.
2.19.35 Bank shall ensure that when a third party or a third party’s employee(s) leaves the Bank’s project,
no confidential / sensitive information is taken away. All sensitive information such as system
architecture, process documents, and credentials should be taken into custody by the Bank.

IT Service Outsourcing

2.19.36 Bank shall approve outsourcing based on the nature of risks in, and ‘materiality’ of, outsourcing in
accordance with Bank’s IT Purchase Policy.
2.19.37 Bank shall ensure that a risk evaluation is performed prior to entering into an outsourcing
agreement. The risk evaluation shall include, but not be limited to, the below aspects:
 Identification of the role of outsourcing in the overall business strategy and objectives, and
inter-linkages with corporate strategic goals
 Due diligence on the nature, scope and complexity of the outsourcing arrangement to
identify the key risks and risk mitigation strategies
 Analysis of the impact of the outsourcing arrangement on the overall risk profile of the bank,
and whether adequate internal expertise and resources exist to mitigate the identified risks
2.19.38 The bank shall ensure that all outsourced information systems and operations are subject to
information security and privacy policies.
2.19.39 Bank shall undertake periodic review of its outsourced processes to identify new outsourcing
risks as they arise (such as when the service provider has further subcontracted work to other
service providers or has undergone a significant change in processes, infrastructure, or
management).


2.19.40 Bank shall ensure that, during negotiation / renewal of an outsourcing arrangement, due diligence
is performed by the Bank to assess the capability of the technology service provider to comply
with obligations in the outsourcing agreement.
2.19.41 Bank shall consider obtaining independent reviews and market feedback (such as caution lists
and scoring information) about the service providers to supplement the internal findings, and
ensure that the information used for due diligence is current and not more than 12 months old.
2.19.42 Bank shall report to RBI regarding outsourcing arrangements if they meet the laid-down criteria.
2.19.43 Bank shall ensure contracts contain clauses for contingency plans and testing thereof, to maintain
business continuity.
2.19.44 Bank shall ensure contracts have termination clauses and minimum periods to execute a
termination provision, as deemed necessary.
2.19.45 Bank shall ensure agreements specify the dispute resolution process, the events of default, the
indemnities involved and the remedies and recourse of the respective parties to the agreement.
2.19.46 Bank shall include SLAs in the outsourcing contracts to agree and establish accountability for
performance expectations.

2.20 Vulnerability Management

Purpose: The purpose of this policy is to define the rules by which SIB shall address threats and
vulnerabilities towards its technology resources.

Scope: The scope of this policy covers the identification, monitoring and mitigation of vulnerabilities and
security misconfigurations for all information assets within the Bank.

General Requirements

2.20.1 Bank shall ensure that both internal and external facing servers undergo independent security
vulnerability and penetration testing prior to go-live, to provide assurance that data or services
will not be exposed to any security threats.
2.20.2 Bank shall ensure that all information infrastructure, including applications, databases, operating
systems, network devices, end to end processes and architecture / design, is reviewed for
security vulnerabilities.
2.20.3 Bank shall ensure that the schedule for various security testing exercises, such as application
security testing, vulnerability assessment, penetration testing, code review, configuration review,
network review, process review, etc., is defined.
2.20.4 Bank shall periodically and actively participate in cyber drills conducted under the aegis of
CERT-In, IDRBT etc.


2.20.5 Bank shall undertake red team exercises to identify vulnerabilities and the business risk, assess
the efficacy of the defenses and check the mitigating controls already in place by simulating the
objectives and actions of an attacker.
2.20.6 Bank shall ensure that Vulnerability Assessment-Penetration Testing (VA-PT) is conducted for all
applications and systems on a periodic basis. Periodicity shall be decided based on criticality. All
open issues shall be tracked and closed expeditiously.
2.20.7 Bank shall ensure that, for critical applications, a separate security test region / environment is
created during penetration testing.
2.20.8 Bank shall perform configuration review of critical assets in accordance with the Bank's approved
baseline document.
2.20.9 Bank shall ensure that source code review is completed prior to go-live and, wherever not
possible, within 3 months from go-live. In the case of outsourced software development, Bank
should ensure that the vendor has documented coding standards. An assurance / source code
report from the OEM should be collected within 3 months from go-live.
2.20.10 Bank shall ensure that security reviews are conducted periodically throughout the lifecycle of the
engagement (transition / changes to services and during continuance of services).
2.20.11 Bank shall define and implement an application security assessment / testing calendar based
upon the application’s / system's risk classification.
2.20.12 Bank shall ensure that circulation of the security review report is controlled and that it is shared
with the concerned departments / teams for analysis and implementation of recommended
mitigation controls.
2.20.13 Bank shall proactively develop preventive mechanisms for various security incident scenarios.
2.20.14 Bank shall ensure that the status of closure of VAPT findings is put up to the respective
committees as defined in the inspection policy.

2.21 Customer Security and Awareness

Purpose: The purpose of this policy is to establish a safe and secure environment for customer records
within and outside the Bank and make the customers aware of the prevention of fraudulent activities.

Scope: The scope of this policy covers security and awareness for the Bank’s customers.

General Requirements

2.21.1 Bank shall ensure mechanisms are put in place to make customers aware of online threats / frauds
and that the program is overseen by senior management.


2.21.2 Bank shall provide customer awareness to ensure that Bank’s objectives are achieved. It shall
include the need for customers to protect their PINs, security tokens, personal details and other
sensitive information, in order to increase security awareness.
2.21.3 Bank shall impart periodic education, training and awareness including, but not limited to,
security mailers, newsletters, DOs and DON'Ts, screensavers, web banners etc.
2.21.4 Bank shall ensure that customers have enough instruction and information to properly utilize
new operating features, particularly those relating to security, integrity and authentication,
when they are introduced.
2.21.5 Bank shall help customers identify areas vulnerable to fraud attempts and make them aware of
their fraud prevention obligations.
2.21.6 Bank shall convey information related to various frauds in general, concentrating specifically on
social engineering fraud, fake websites, phishing, vishing, skimming, etc., through various
communication channels.


3 Abbreviations

Abbreviation Term

ACLs Access Control Lists

APT Advanced Persistent Threats

BCP Business Continuity Planning

BIA Business Impact Analysis

BYOD Bring Your Own Device

CCMP Cyber Crisis Management Plan

CCO Chief Compliance Officer

CERT-In Indian Computer Emergency Response Team

CFO Chief Finance Officer

CIA Confidentiality Availability Integrity

CIO Chief Information Officer

CISO Chief Information Security Officer

CRO Chief Risk Officer

CSIRT Cyber Security Incident Response Team

CSO Chief Security Officer

CSP Customer Security Programme

DATs Digital Audio Transmission Service

DBD Digital Banking Department

DLP Data Loss Prevention


DMARC Domain-based Message Authentication, Reporting and Conformance

DMZ Demilitarized Zone

DR Disaster Recovery

ED Enforcement Directorate

HOD Head of Departments

HVAC Heating, Ventilation and Air-Conditioning

IDRBT Institute for Development and Research in Banking Technology

IERC Incident and Event Review Committee

ISC Information Security Committee

ISMS Information Security Management System

ISTC Information Security Technical Committee

ITOD IT Operations Department

ITSCB IT Strategy Committee of Board

KPIs Key Performance Indicators

KRIs Key Risk Indicators

LAN Local Area Network

MDM Mobile Device Management

NAC Network Access Control

NAS Network Attached Storage

NC Non-Conformities

NDA Non-Disclosure Agreements


NIC Network Interface Card

NIPS Network based Intrusion Prevention System

NTP Network Time Protocol

OEM Original Equipment Manufacturer

OS Operating System

OWASP Open Web Application Security project

PCI DSS Payment card Industry Data Security Standard

PII Personally Identifiable Information

PT Penetration Testing

RBAC Role-based Access Controls

RPO Recovery Point Objective

RTO Recovery Time Objective

SAN Storage Area Network

SIEM Security Information and Event Management

SLA Service Level Agreement

SOC Security Operations Center

SOC 2 Service Organization Control 2

SPDI Sensitive Personal Data or Information

SRS System Requirement Specification

UAT User Acceptance Testing

VA Vulnerability Assessment

VLAN Virtual Local Area Network


VM Virtual Machine

VPN Virtual Private Network

WIDS Wireless Intrusion Detection System

WIPS Wireless Intrusion Prevention System
