
BANGLADESH KRISHI BANK

INFORMATION AND COMMUNICATION TECHNOLOGY


SECURITY POLICY

Computer Department
Head Office, Dhaka-1000

Published by:
Computer Department
Bangladesh Krishi Bank
Head Office
83-85, Motijheel Commercial Area
Dhaka - 1000

For Official use only.

Information And Communication Technology Security Policy


Version: 1.0

December 2007

PREFACE
The Information and Communication Technology (ICT) opens the door of globalization and has become the backbone of modern banking operations. It is also a critical component of the infrastructure for a competitive market economy. The survival and success of a business organization mainly depends on the effective use of ICT.
In view of the above, Bangladesh Krishi Bank has already set up an Information Technology platform for its branches and offices. The bank has a vision to expand and to modernize the IT platform and information systems gradually. Notwithstanding the level of computerization, the security requirements of information systems are universal and significant to the sustainability of the IT platforms. Accordingly, the bank requires policies to secure the IT setup as well as information and to set standards for IT operations.
It is indeed a great pleasure that the Computer Department of the bank has prepared a book titled Information and Communication Technology Security Policy in accordance with the guideline given by Bangladesh Bank and the existing rules and regulations. The book contains the policies applicable to IT Management, IT Operation Management, Information System Physical Security, Information Security Standard, Business Continuity and Disaster Recovery Plan, and Procurement & Service Management. The organization chart along with the job description of IT personnel is also incorporated in the Appendix.
The Computer Department (Information Technology Department) and the members of the Technical Committee on Computerization headed by Professor Dr. Muhammad Masroor Ali of BUET deserve thanks for their intellectual and laborious efforts in accomplishing such a tedious job. I also express my thanks and gratitude to the Board of Directors of the bank for providing their kind approval of the policy.
However, implementation of the Policy is rather more important than its existence. Henceforth all concerned are requested to accomplish their business in accordance with the guidelines contained herein. The designated officers must examine and adhere to strict compliance with the policy.

(M. Fazlul Hoque)
Managing Director
Dated: December 2007
Dhaka

INDEX OF CONTENTS

Chapter-1  Information and Communication Technology  (Pages 7-9)
  1.1  Information and Communication Technology in Bangladesh Krishi Bank
  1.2  Automation of Branch Banking operations
  1.3  Long term ICT vision of the bank

Chapter-2  Information and Communication Technology Security Policy  (Pages 10-11)
  2.1  Scope  10
  2.2  Objective  10
  2.3  Basic Principles  11

Chapter-3  Information and Communication Technology Management  (Pages 12-14)
  3.1  IT Management Area  12
  3.2  Implementation of Information and Communication Technology Policy  12
  3.3  IT Related Documentation  12
  3.4  Internal IT Audit  13
  3.5  Training of IT Personnel  13
  3.6  Insurance and Depreciation  13
  3.7  Problem Management  13
  3.8  Job Description of IT Related Personnel  14
  3.9  Compliance of Government / Bangladesh Bank Guidance  14

Chapter-4  IT Operation Management  (Pages 15-16)
  4.1  Change Management  15
  4.2  Asset Management  15
  4.3  Operating Procedure Management  15
  4.4  Request Management  16

Chapter-5  Information System Physical Security  (Pages 17-22)
  5.1  Physical Security Standard Level-1  17
  5.2  Physical Security Standard Level-2  19
  5.3  Physical Security Standard Level-3  20
  5.4  General Security Guidelines  21

Chapter-6  Information Security Standard  (Pages 23-26)
  6.1  Access control for information Systems  23
  6.2  Audit trail and follow up  25
  6.3  Network Security  25
  6.4  Data Encryption  26
  6.5  Virus Protection  26
  6.6  Internet and e-mail  26

Chapter-7  Business Continuity and Disaster Recovery Plan  (Pages 27-28)
  7.1  Business Continuity Plan (BCP)  27
  7.2  Disaster Recovery Plan (DRP)  27
  7.3  Backup/Restore Plan (BRP)  28

Chapter-8  Procurement and Service Management  (Pages 29-30)
  8.1  Computer Hardware and Software procurement  29
  8.2  Service Level Agreement (SLA)  29
  8.3  Outsourcing  30

IT Forms and Appendix

IT Forms  (Pages 31-40)
  ITF-1   Change Request Form  33
  ITF-2   User Acceptance Test (UAT)  34
  ITF-3   Stock Register of Hardware and Software  35
  ITF-4   Request Form  36
  ITF-5   Access Authorization List  37
  ITF-6   Access Log Book  37
  ITF-7   Visitors Log Book  37
  ITF-8   User Creation Form  38
  ITF-9   Password Handover Form  39
  ITF-10  Backup Log Book  40

Appendix  (Pages 41-48)
  Appendix-1  Organization Chart of Computer Department  41
  Appendix-2  Job Description of IT Related Personnel  42

GLOSSARY OF TERMS  (Pages 49-52)

CHAPTER 1
1.0: Information and Communication Technology
Information and Communication Technology (ICT) plays a vital role in the present world. The advancement of Communication and Information Technology is one of the major contributing factors to the globalization of financial markets. In recent years the banking industry has changed the way it provides service to customers and processes information, and Information Technology has brought about this momentous transformation. Security of IT systems for a financial institution has therefore gained much greater importance, and it is vital to ensure that such risks are properly identified and managed. Moreover, information and information technology systems are essential assets of the bank as well as of its customers. Protection and maintenance of these assets are important for the sustainability of any organization. Banks must take responsibility for protecting this information from unauthorized access, modification, disclosure and destruction in order to protect customers' interests.
This document provides the policy for Information and Communication Technology and ensures its secure use in Bangladesh Krishi Bank (BKB). It establishes general requirements and responsibilities for protecting ICT systems. The policy covers common technologies such as computers and peripherals, data and networks, web systems and other IT resources. The bank's delivery of services depends on the availability, reliability and integrity of its information technology systems.
The policy will require regular updates to cope with the evolving changes in the IT environment, both within the bank and across the industry. The senior management of the bank must express its commitment to IT security by continuously raising awareness and ensuring training of the bank's officials. Compliance plans for noncompliance issues should also be formulated from time to time.
1.1: Information and Communication Technology in Bangladesh Krishi Bank:
In spite of all limitations, Bangladesh Krishi Bank has entered the arena of Information and Communication Technology to meet the demand of the time and is endeavoring to turn its traditional banking operations into a modern banking system. Initially a computer section was started with two microcomputers under the Loan Recovery Division in 1987. Subsequently the Computer Section turned into a Computer Cell on a very limited scale. It began to expand with more microcomputers and the necessary system software from time to time. In 1993, the span of the Computer Cell was further extended by the procurement of a multi-user, multitasking machine, i.e. a Mini Computer System. As the scope and working area of computer operations expanded further, the Computer Cell of the Bank turned into a full-fledged department with the approval of the Ministry of Finance. The Computer Department of the Bank started functioning in January 2004.

1.2: Automation of Branch Banking Operations:
Introduction of an automated modern banking system, instead of traditional manual banking, is the prime need of the time. To meet this need, Bangladesh Krishi Bank prepared a 5-year plan during the financial year 1998-99. The plan was duly approved by the Board of Directors of the Bank and subsequently by the Ministry of Finance of the Government of the People's Republic of Bangladesh. The plan is to be implemented in five phases as under:
1.2.1: First Phase: The implementation of the first phase of the computerization
plan was started in the year 1999 and it has been completed as under:
a. Branches: One-stop service facilities have been introduced under individual
local area network system in 28 branches of the bank including four corporate
branches in Dhaka, Chittagong, Khulna and Sylhet cities.
b. Head Office: The secretariat of the managing director, office of the deputy
managing directors and general managers along with most of the departments
in head office have been brought under computerization through standalone
personal computer or local area network system with necessary equipments.
c. Divisional Offices: Personal computers with related accessories have also
been supplied to all Divisional offices at field level to work on the basis of
standalone system.
1.2.2: Second and Third Phase: The implementation of the second and third phases
of the computerization program is under process. The automation processes are
described below:
a. Branches: One stop service will be introduced in 55 branches located at
different cities, district headquarters and in places having business
potentialities over the country.
b. Head Office: The computerization process comprises upgrading the existing
systems based on standalone personal computer into local area network and
expansion of the existing system with necessary equipments to the remaining
departments in Head Office.
c. Other Controlling Offices: The process comprises expansion of
computerized system to all Chief Regional Offices and Regional Offices
including Divisional Audit Offices of the Bank.
1.2.3: Fourth and Fifth Phase: On completion of the second and third phase of
computerization the implementation of fourth and fifth phase will start.
a. Branches: One Stop Service will also be introduced in 44 branches located
at different cities, urban areas and in places having business potentialities over
the country.
b. Head Office and Other Controlling Offices: The computerization process includes upgrading the existing systems in Head Office. The bank also desires to establish a centralized banking operation system through setting up appropriate servers for the data center and disaster recovery sites, and intends to procure the necessary hardware, software and equipment essential for connecting business potential branches and field level controlling offices with the Head Office. The process also includes expansion of the computerized system to all Chief Regional Offices and Regional Offices, including Divisional Offices of the Bank.

1.3: Long term ICT vision of the Bank:
In continuation of the five-year computerization program, the bank intends to provide modern business facilities at the doorsteps of its valued customers through computerization of almost all branches gradually. Besides this, to face the challenges of the millennium under stiff competition in the banking sector, the bank also has a vision to introduce On-line banking facilities within its computerized corporate branches and important urban and district level branches. In the near future the bank would provide better services to its valued clients by implementing modern banking products and services like ATM transactions and other packages, including utility service operations.
The business operations in the banking and financial sector have been increasingly
dependent on the computerized information systems over the years. It has now
become impossible to separate information technology from the business of the banks
and financial institutions. There is increasing need for focusing highest attention on
the issues of the corporate governance of the information systems and security
controls to safeguard information.


CHAPTER 2
2.0 Information and Communication Technology Security Policy
This chapter describes the Information and Communication Technology Security
Policy of Bangladesh Krishi Bank.
This Information and Communication Technology Security Policy complies with the guideline supplied by Bangladesh Bank. The Board of Directors of Bangladesh Krishi Bank has approved this policy. It provides the policy for Information and Communication Technology and ensures its secure use by the bank. Information security means protection of data, applications, networks and computer systems from unauthorized access, alteration or destruction.
2.1 Scope
This Policy sets out a systematic approach to ICT and to the security of information and information systems. It covers all information that is electronically generated, received, stored, printed, scanned or typed. The provisions of this policy shall be applicable to:
a. Bangladesh Krishi Bank, for all of its information technology systems;
b. All activities and operations required to ensure data security, including facility design, physical security, network security, disaster recovery and business continuity planning, use of hardware and software, data disposal, and protection of copyrights and other intellectual property rights;
c. All users, customers, agents and employees concerned with information and information technology systems.
2.2 Objective
The objectives of the Information and communication technology security policy of
Bangladesh Krishi Bank are as follows:
01. To establish standard information technology management;
02. To help the bank achieve a secure and stable setup of its IT platform;
03. To establish a secure environment for data processing;
04. To identify information security risks and their management;
05. To communicate the responsibilities for the protection of information and provide training regarding information system security;
06. To prioritize the information and information systems to be protected;
07. To review the policy periodically and to formulate procedures and security measures from time to time;
08. To provide automated banking facilities to the customer;
09. To develop human resources conversant with the current electronic banking system;
10. To prescribe mechanisms that help to identify and prevent the compromise of information security and the misuse of Bank data, applications, networks and computer systems.


2.3: Basic Principles
The following are the generally accepted principles that underpin this policy on the security of information:
2.3.1 Accountability: The responsibility and accountability of information/data custodians, information/data providers, users and other parties concerned with the security of information should be explicit.
2.3.2 Awareness: To foster confidence in information systems, custodians, providers and users shall have access to all documentation about information security policies and procedures.
2.3.3 Ethics: In the provision of information systems and the establishment of information security, the rights and legitimate interests of the organisation's personnel, its customers and business partners should be respected.
2.3.4 Business Perspective: Security processes shall take account of and address the relevant business considerations and viewpoints; these include commercial, technical, administrative, organisational, operational, behavioral, ethical and legal/statutory aspects.
2.3.5 Proportionality: The level and cost of security processes should be appropriate and proportionate to the value of and degree of reliance on information systems, and to the severity, probability and extent of potential or actual harm to the organisation.
2.3.6 Integration: Security processes should be coordinated and integrated with each other and with other measures, procedures and practices of the bank to create a coherent system of information security.
2.3.7 Timeliness: Action to respond to an information security breach should be timely and coordinated, to prevent and overcome the breach of security.
2.3.8 Reassessment: The security of information systems should be reassessed periodically, recognising that information systems and the requirements for their security vary over time.
2.3.9 Freedom of Information: Freedom of information should be compatible with the legitimate use and flow of data and information as stipulated in the e-governance policy(s) of the government.
2.3.10 Risk Mitigation: Risk analysis is to be carried out based on the value, need and type of the different IT entities. Accordingly, a risk mitigation plan is to be framed for the secure use of those IT entities.


CHAPTER- 3
3.0 Information and Communication Technology Management
The Management must ensure that the functions relating to Information and Communication Technology are efficiently and effectively managed. They should be aware of the capabilities of IT and be able to appreciate and recognize opportunities and the risk of possible abuses. The management of the bank should have a commitment to information technology security by continuously raising awareness and ensuring training of the bank staff. IT Management deals with IT policy formulation, system documentation and assistance to the internal IT audit, training and insurance activities.
3.1 IT Management Area:
3.1.1 The IT Management should ensure maintenance of appropriate system documentation, particularly for systems which support financial reporting.
3.1.2 The IT Management should participate in planning relating to Information and Communication Technology to ensure that allocated resources are consistent with business objectives.
3.1.3 The IT Management should ensure that sufficient properly qualified technical staff are employed so that continuity of the IT operation area is not put at risk at any time.
3.2 Implementation of Information and Communication Technology Policy
3.2.1 The IT Management will ensure the implementation of the Information and Communication Technology policy in the Bank. The policy covers common technologies like computers and peripherals, data and network, web system and other IT resources.
3.2.2 The policy will require regular updates to cope with the evolving changes in the Information and Communication Technology environment.
3.3 IT related Documentation:
3.3.1 There shall be an Organization chart for the Information Technology Department. This shall be a part of the bank's overall organization chart duly approved by the Government (Ref. Organization chart, Appendix-1).
3.3.2 There shall be a documented job description for each IT personnel of the different Offices/Branches (Appendix-2).
3.3.3 A roster for IT activities should be documented properly and be reviewed from time to time by the head of the department or office.
3.3.4 Segregation of duties for IT tasks shall be maintained and reviewed from time to time by the head of the department or office.
3.3.5 Fallback plans for various levels of system support personnel shall be formulated, maintained and reviewed from time to time by the head of the department or office.

3.4 Internal IT Audit:
3.4.1 Internal Audit shall have sufficient IT expertise/resources capable of conducting an IT Audit. At least one IT expert/resource person shall be included in the audit team while auditing IT related branches and offices.
3.4.2 Internal IT audit shall be done on a periodical basis according to the bank's internal audit policy.
3.4.3 The IT audit report should be treated as confidential and must be preserved for the respective Audit and Inspection officials, including Bangladesh Bank officials, as and when required.
3.4.4 The bank/branch shall take appropriate measures to implement the recommendations made in the last Audit Report. This must be documented and kept along with the Audit Report as mentioned above.
3.5 Training of IT Personnel:
3.5.1 IT personnel should be given adequate training on relevant IT tasks.
3.5.2 The employees should be trained on the importance of, and awareness of, Information and Communication Technology.
3.5.3 IT personnel should be trained for the purpose of any contingency or health/security hazard in the IT area.
3.5.4 All network users should be trained in its operating and security procedures.
3.6 Insurance and Depreciation:
3.6.1 Due to the rapid fall in the market value of computer hardware, the bank generally should consider obtaining insurance coverage only in the case of costly and/or specialized computer hardware and software. This decision will be taken on an individual basis, based on the opinion of the management.
3.6.2 All insurance matters for computer hardware should be conducted by the Department assigned by the management of the Bank.
3.6.3 Depreciation at the rate of 20% per annum shall be charged on Computer Hardware on the straight-line method.
3.7 Problem Management:
3.7.1 Problems relating to Information Technology should be resolved quickly. Resolving steps should be taken according to the nature of the troubles or problems (level-1, level-2 and level-3 problems).
3.7.2 Level-1 problems are those that can be resolved by the user with or without telephonic assistance from the respective supplier. Level-2 problems are those that can only be resolved by the local supplier or the vendor of the product. Level-3 problems are those that can be resolved only by the manufacturer or principal of the product. For level-1, stress should be given to solving the problem by the user himself/herself. For level-2 and level-3 problems, the bank should enter into a service level agreement with the supplier/vendor of the respective IT asset.
3.7.3 Problems that directly hamper the bank's operational activities should be logged on a daily basis. Other problems should be logged on a weekly basis.
3.7.4 Responsibility for problem resolution should be accepted and assigned to a team for internal action.
3.7.5 The problem log should be examined/investigated immediately.
3.7.6 The necessary corrective action should be performed within the time frame dictated by the problem's severity.
3.7.7 Findings and action steps taken during the problem resolution process should be documented.
3.7.8 Problem information from remote systems should be referred to the specific support unit and the Regional Help Desk and Support Teams.
3.7.9 Help-line support should be provided to remote units.

3.8 Job Description of IT Related Personnel
The job descriptions of the individuals posted in services related to Information Technology are shown in Appendix-2.
3.9 Compliance of Government / Bangladesh Bank Guidance
3.9.1 The Bank shall implement any instruction or recommendation given, or to be given, by the Government / Bangladesh Bank from time to time in connection with the management of Information and Communication Technology.
3.9.2 The DGM (Information Technology) shall confirm compliance with the instructions or recommendations given by the Government / Bangladesh Bank within the stipulated time, or within the shortest possible time.


CHAPTER- 4
4.0 IT Operation Management
IT Operation Management covers the dynamics of technology operation management, including change management, asset management, operating procedure management and request management. The objective of IT operation management is to achieve the highest level of technology service quality with minimum operational risk.
4.1 Change Management:
4.1.1 All changes implemented in the production environment must be governed/supported by a formal documented process, including forms with the necessary change details. A sample form has been provided in ITF-1.
4.1.2 Audit logs of changes should be maintained and kept available for ready reference.
4.1.3 A signed-off declaration from the vendor should be obtained before implementation of changes in production.
4.1.4 User Acceptance Test (UAT) should be completed before implementation of any application-related change. A sample form for UAT has been given in ITF-2. This document should be preserved for ready reference.
4.2 Asset Management:
4.2.1 A register of inventory for hardware and software must be kept with all significant details and will be reviewed on 30th June every year. A sample form has been provided in ITF-3. A record of this review must be maintained.
4.2.2 All data on equipment and associated storage devices/media must be destroyed or erased/overwritten before sale, disposal or reissue.
4.2.3 The Bank must comply with the terms of all software licenses and must not use any software that has not been legally purchased or otherwise legitimately obtained.
4.2.4 Software used in production environments must be subject to a support agreement.
4.2.5 No software shall be used on any computer without the approval of the competent authority. Use of unauthorized or pirated software is strictly prohibited throughout the bank. Random checks should be carried out to ensure compliance.
4.3 Operating Procedure Management:
4.3.1 Operating procedures must exist for all ICT (Information and Communication Technology) related functions.
4.3.2 Changes to operating procedures must be authorized by the competent authority and documented properly.
4.3.3 Operating procedures cover the following where appropriate:
a. Documentation on handling of different processes.
b. Scheduling of processes, including target start and finish times.
c. Documentation on handling of error and exception conditions.
d. Documentation for secure disposal of output from failed processing runs.
e. Documentation on system start-up, closedown, re-start and recovery.
f. System maintenance schedule.
4.4 Request Management:
4.4.1 IT Services means any services relating to the installation, maintenance or replacement of computer hardware and peripherals, communication hardware and media, and operating and application software, including efforts for development of human resources.
4.4.2 Before any IT service is provided, a formal request process must be followed. A sample Request Form has been provided in ITF-4.


CHAPTER- 5
5.0 Information System Physical Security
Sound business and management practices should be implemented in the Bank to protect information and technology resources. It is the responsibility of each branch and office/department to protect technology resources from unauthorized access, in terms of both physical hardware and data. Physical security involves environmental safeguards as well as controlling physical access to equipment and data.
The Policy is applicable to all units having information and communication technology infrastructure. The infrastructure and operational environment of all production units are not equally important. Therefore, depending on the information and communication technology setup and operational environment, the security standard is categorized into three Levels as under:
5.1 Physical Security Standards Level-1
Security standards for centralized operation, under which the Data Center, Disaster Recovery Site and Branches/Offices are connected through a WAN and operate on a 24x7x365 basis.
5.1.1 Data Center Access Control:
5.1.1.1 The Data Center must be a restricted area and unauthorized access shall be prohibited.
5.1.1.2 The number of entrances into the Data Center shall be limited, locked and secured.
5.1.1.3 Access authorization procedures based on biometric features should exist and apply to all persons, e.g. employees and vendors. An employee must escort vendors and cleaning crews during their stay in the Data Center.
5.1.1.4 The Bank shall maintain an Access Authorization list, as provided in ITF-5, documenting the individuals who are authorized to access the data center, reviewed and updated periodically.
5.1.1.5 An access log book with date and time shall be maintained in the form of ITF-6.
5.1.1.6 A Visitor Log must exist and be maintained in ITF-7. Visitors to the data center must be escorted to and from the entry point by an employee. (Visitor: a person whose name does not appear on the active access authorization list.)
5.1.1.7 A security guard must be available in the data center for 24 hours.
5.1.1.8 An emergency exit door should be available in the data center.
5.1.1.9 Carrying briefcases, handbags and other packages into the data center must be prohibited.
5.1.2 Environmental Control:
5.1.2.1 Documents regarding the physical layout of the data centre should be prepared and maintained.
5.1.2.2 The layout of the power supplies of the data centers and of the network connectivity should be prepared.

5.1.2.3 Floors should be raised, and all data cables and power cables should be concealed in channels alongside the wall to keep them in a neat and safe position. Electrical cables and data cables must not cross each other, to avoid possible interference.
5.1.2.4 Water detection devices shall be positioned below the raised floor, if it is
raised.
5.1.2.5 Accessories not related to data center should not be allowed to be stored
therein.
5.1.2.6 Closed Circuit Television (CCTVs) camera should be installed at suitable
places and be monitored by authorized officials.
5.1.2.7 Eating, drinking and smoking must be prohibited in the data center. A
signboard mentioning "No eating, drinking or smoking." must be placed at
a conspicuous/visible point.
5.1.2.8 Vehicles for any emergency purpose should always be available on site.
5.1.2.9 There should be a separate telephone/cell phone. Address and phone
numbers of all contact persons of fire service, police station, service
providers, vendor and all concerned IT organizations should be kept to
cope with any emergency situation.
5.1.2.10 Loading capacity of electrical outlets should be reviewed annually.
5.1.2.11 The following environmental control measures/equipments should be
installed in data centre and disaster recovery site:
a) Uninterruptible power supply(UPS) having sufficient loading capacity
with backup units;
b) Backup Power Supply i.e. Generator/Instant Power Supply (IPS);
c) Temperature and humidity measuring devices;
d) Air conditioners with backup units;
e) Water leakage precautions and water drainage system from Air
conditioner;
f) Emergency power cut-off switches;
g) Emergency lighting arrangement;
h) Dehumidifier.
5.1.2.12 The above environmental control measures/equipment should be tested regularly.
5.1.2.13 There shall be an appropriate maintenance agreement/contract for the above equipment on a 24x7x365 basis.
5.1.3 Fire Prevention:
5.1.3.1 The Data Center walls, ceiling, doors and windows shall be fire resistant.
5.1.3.2 A waterless fire extinguishing system (e.g. FM 200), which does not leave any trace and does not cause any physical harm to sensitive equipment, is to be installed. There shall also be sensors for automatic activation of the system, along with a facility for extracting polluted air in case of fire.

5.1.3.3 Employees must be aware of the fire extinguishing system and its method of use. All equipment must be sealed and tagged indicating type and serviceability. Workability of the system shall be tested/examined periodically.
5.1.3.4 An emergency alarm should be installed to give an immediate alarm/signal of fire, and any fire incident must be reported immediately to the fire service. Workability of the alarm shall be tested/examined periodically.
5.1.3.5 Fire detectors should be placed in the ceiling and below the raised floor, if it is raised.
5.1.3.6 There shall be a separate dedicated electrical line. Electrical cables/wires in the data center must be of good quality and be concealed.
5.1.3.7 Flammable items shall not be kept in the Data Center.
5.1.3.8 All concerned should be aware of the steps to be taken in case of a fire. The authority must ensure display of proper directions in conspicuous places.

5.2 Physical security standards Level-2
Security standards for Branches and offices having a server to which all or a part of the computers of that location are connected through a LAN.
5.2.1 Server Room Access Control:
5.2.1.1 The server room should have a glass enclosure with lock and key. If it is not possible at branch level to provide a separate enclosure, the Server shall be kept in the chamber of the branch manager. Keys of the server room must be kept with the Branch Manager or with the person authorized by the Branch Manager/Head of the Department in the Head Office/Controlling office.
5.2.1.2 Physical access to the server room shall be restricted. A visitors log book must be maintained as provided in ITF-7.
5.2.1.3 An access authorization list in the form of ITF-5 must be maintained and reviewed on a regular basis.
5.2.2 Environmental Control:
5.2.2.1 The desktop screen must be locked when unattended, and the screen saver must be password protected and activated after 5 minutes of inactivity.
5.2.2.2 The administrative passwords of the Operating System, Database and Banking Application Software shall be written down, placed in a sealed envelope and kept in the personal custody of the Branch Manager/Head of the Department or Office.
5.2.2.3 Users should be created only with the prior permission of the Branch Manager/Head of the Department or office. A user creation request form should be maintained as per ITF-8. The System Administrator will keep a list of Users with their assigned rights/permissions, with a copy to the Branch Manager/Head of the Department or office.
5.2.2.4 There should be provision for replacement of the server within the quickest possible time in case of any disaster.
5.2.2.5 The server room should be air-conditioned and clean.
5.2.2.6 A Power Generator/IPS should be in place to continue banking operations in case of power failure.
5.2.2.7 A UPS should be in place to provide uninterrupted power supply to the server during power failure.
5.2.2.8 Proper attention must be given to not overloading electrical outlets with too many devices.

5.2.3.4

Fire Protection:
Appropriate channels alongside the wall must be placed to keep all the
cabling to be in neat and safe position. A layout of power supply cable and
data cables must be maintained.
Power supply must be switched off before leaving the Server room. System
Administrator must ensure this.
Fire extinguisher of suitable type, with expiry date mentioned, needs to
be placed outdoor of the server room. This must be maintained and
reviewed on an annual basis. All employees should be aware of the use of
the fire extinguisher.
Proper earthing of electricity to be ensured.

5.3

Physical security standards Level-3

5.2.3.2
5.2.3.3

Security standards for Branches and offices having standalone computer(s) or
ATMs.
5.3.1 Computer Room Access Control:
5.3.1.1 The PC running the Branch Banking Application Software must be placed in
a clear glass enclosure with lock and key. In other offices PCs should be
placed in a separate enclosure or room. A responsible person should keep
the keys of such enclosure.
5.3.1.2 An access authorization list in the form of ITF-5 must be maintained and
reviewed on a regular basis.
5.3.2 Environmental Control:
5.3.2.1 The user must have a desktop password known only to him and kept written
in a sealed envelope in the personal custody of the Branch Manager/Head of
Department or office.
5.3.2.2 The PC must have a password-protected screen saver which should activate
after 5 minutes of inactivity.
5.3.3 Fire Protection:
5.3.3.1 The power distribution board for the PC, with a circuit breaker, should be
placed outside the enclosure and covered with a box under lock and key
held by the senior-most operator.
5.3.3.2 All power and other connecting cables for PCs must be kept secured from
physical damage.
5.3.3.3 A UPS for backup power supply is to be placed in the enclosure.
5.3.3.4 The power supply of the PC must be switched off before leaving the branch.
5.3.3.5 Fire extinguishers, of suitable type, with expiry date mentioned, are to be
placed beside the power distribution board. These must be maintained and
reviewed on an annual basis.
5.3.3.6 Proper earthing of electricity is to be ensured.

5.4 General Security Guidelines
5.4.1 Desktop and laptop computers should be connected to a UPS to prevent
damage to hardware and data.
5.4.2 When leaving a desktop or laptop computer unattended, users should
apply the Lock Workstation feature.
5.4.3 A password-protected screen saver must be used to protect desktops and
laptops from unauthorized access.
5.4.4 The automatic screen saver should be activated after a period of inactivity.
This period should not be more than 5 (five) minutes.
5.4.5 Laptop computers that store confidential or sensitive information must
have encryption technology.
5.4.6 Desktop and laptop computers and monitors must be turned off at the end
of each workday.
5.4.7 Laptop computers actively connected to the network or information
systems must not be left unattended.
5.4.8 Laptop computers, computer media and any other forms of removable
storage (e.g. diskettes, CD-ROMs, zip disks, PDAs, flash drives, etc.) must
be stored in a secure location or locked cabinet when not in use.
5.4.9 Other information storage media containing confidential data, such as
paper, files, tapes etc., must be stored in a secure location or locked
cabinet when not in use.
5.4.10 Individual users must not install or download software applications and/or
executable files to any desktop or laptop computer without prior
authorization.
5.4.11 Desktop and laptop computer users shall not write, compile, copy,
knowingly propagate, execute, or attempt to introduce any computer code
designed to self-replicate, damage, or otherwise hinder the performance
of any computer system (e.g. virus, worm, Trojan etc.).
5.4.12 Any kind of virus must be reported immediately.
5.4.13 Viruses must not be deleted without expert assistance unless instructed by
the Information Technology Department.
5.4.14 User identification (name) and authentication (password) must be required
to access all desktops and laptops whenever they are turned on or restarted.
5.4.15 Standard virus detection software must be installed on all desktop and
laptop computers, mobile and remote devices, and should be configured to
check files when read and to routinely scan the system for viruses.
5.4.16 Desktop and laptop computers must be configured to log all significant
computer security relevant events, e.g. password guessing, unauthorized
access attempts or modifications to applications or system software, etc.
5.4.17 On holiday occasions computers should be removed from floors, if any, and
should be kept away from windows.
5.4.18 If any package, briefcase or similar object found in a common place within the
bank premises is noticeably unusual enough to be suspicious, the police should
be called immediately. The office must take all possible safety and security
precautions. In no case should such an object be touched or moved by
non-police personnel.
5.4.19 The computer room should be away from the basement, water/drainage
system and above the flood level.


CHAPTER- 6
6.0 Information Security Standard
This chapter specifies the Information Security Policies and Standards to be adopted by
the bank for service delivery and data processing. This also covers the basic and
general information security controls applicable to all functional groups to ensure
that information and data are protected against risk.
6.1 Access control for information systems
Access control refers to the functions that limit access to information systems or
information processing resources. These functions are:
6.1.1 Password Policy and Control:
6.1.1.1 A password is a security method that identifies a specific authorized user
of a computer system or network by a unique string of alphanumeric
characters that the user types as an identification code.
6.1.1.2 To make a strong password the following principles should be followed:
a) The password length shall be at least 6 characters, with a combination of
uppercase, lowercase, numbers and special characters.
b) All users shall keep their passwords confidential and will not share/
disclose them to anybody else.
c) Passwords should never be written down on unsecured paper and must
not be inserted into e-mail messages or other forms of electronic
communication.
d) The maximum validity period of a password will not be more than 90
days.
e) The maximum number of invalid logon attempts should be 3
consecutive times.
f) One should not make a password using names of family, pets, friends,
co-workers, fantasy characters, computer terms and names, commands,
sites, hardware, software, or personal information like birthdays, addresses,
phone numbers, etc.
g) Password entries must be masked.
6.1.1.3 All system-level passwords (i.e. root, enable, network administration,
application administration, database administration, etc.) must be held
by the officer authorized by the branch manager or head of the
department/office where applicable (ITF-9).
6.1.1.4 All user-level passwords shall be kept with the individual users.
6.1.1.5 All the system-level and user-level passwords shall be written in
separate sealed envelopes and be kept in the personal custody of the
branch manager/head of the department/office, with movement
records, for usage in case of emergency.
6.1.1.6 The Password Handover Form (ITF-9) shall be used when users are
changed.
6.1.1.7 In the absence of the authorized password-holding officer, if it becomes
necessary to use the above password(s), the branch manager/head of
the department or office will open the sealed envelope and use the
password(s), observing the formal documentary process.
6.1.1.8 All users shall sign a document stating that the password will be kept
confidential.
6.1.1.9 The password given during registration of a new user must be changed by the
user during first access.
6.1.1.10 Nobody will use the "Remember Password" feature of applications,
where applicable.
6.1.1.11 Password history maintenance has to be enabled in the system so that the
same password can be used again only after at least 4 other passwords have
been used.
6.1.2 User registration and maintenance:
6.1.2.1 There should be a formal user registration and de-registration procedure
for granting access to all multi-user information systems and services.
Access to the multi-user information systems and services should be
controlled through the following process:
6.1.2.2 The user registration with access privileges, duly approved by the
Branch Manager/Head of the Department/Office, should be maintained
in the form of ITF-8.
6.1.2.3 Each user must have a unique User ID and a valid password, so that
users can be linked to and be made responsible for their actions.
6.1.2.4 All users have to ensure that user ID and password are not the same.
6.1.2.5 The terminal inactive time for users should be set at a maximum of 30
minutes.
6.1.2.6 The respective branch manager/head of the department/office should
fix an operating time schedule for the users where necessary.
6.1.2.7 Access privileges have to be changed/locked within 24 hours when a
user's status changes or the user leaves the bank.
6.1.2.8 A written statement of the user's access rights has to be given to the
user by the System Administrator.
6.1.2.9 An acknowledgement has to be obtained from the user signifying that
he/she understands the conditions and obligations of the access.
6.1.2.10 Use of Group IDs is to be permitted where they are suitable for the work
to be carried out.
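As an added illustration, not part of the bank's policy or its systems, the following Python script encodes the password and registration rules of paras 6.1.1 and 6.1.2: minimum length and character mix, lock-out after 3 consecutive invalid attempts, 90-day validity, a history of 4, the forced change at first access and the rule that user ID and password must differ. The account record, the salted hashing and the demo() scenario are assumptions made for the example.

```python
"""Account-policy checker for the password rules in paras 6.1.1 and 6.1.2.
Added example, not the bank's own code: the Account layout, the salted hashing
and the demo() scenario are assumptions; the thresholds come from the policy."""
import hashlib
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 6                          # 6.1.1.2 (a)
MAX_PASSWORD_AGE = timedelta(days=90)   # 6.1.1.2 (d)
MAX_INVALID_ATTEMPTS = 3                # 6.1.1.2 (e): lock after 3 consecutive failures
HISTORY_DEPTH = 4                       # 6.1.1.11: the last 4 passwords cannot be reused


def _digest(salt, password):
    # Only a salted hash is stored, so the history rule can be enforced without
    # keeping passwords in clear (an assumed design choice, not from the policy).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    set_at: datetime
    must_change: bool = True          # 6.1.1.9: the initial password must be changed
    failed_attempts: int = 0
    locked: bool = False
    history: list = field(default_factory=list)  # hashes, newest last, incl. current


def create_account(user_id, initial_password, now):
    salt = os.urandom(16)
    h = _digest(salt, initial_password)
    return Account(user_id, salt, h, now, history=[h])


def password_problems(user_id, candidate, personal_terms=()):
    """Rule violations for a candidate password; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 6 characters")
    classes = (any(c.isupper() for c in candidate), any(c.islower() for c in candidate),
               any(c.isdigit() for c in candidate), any(c in string.punctuation for c in candidate))
    if not all(classes):
        problems.append("must combine uppercase, lowercase, numbers and special characters")
    if candidate.lower() == user_id.lower():
        problems.append("user ID and password must not be the same")   # 6.1.2.4
    for term in personal_terms:                                        # 6.1.1.2 (f)
        if term and term.lower() in candidate.lower():
            problems.append(f"contains easily guessed term {term!r}")
    return problems


def change_password(acct, new_password, now, personal_terms=()):
    """Apply a password change; returns the list of violations (empty on success)."""
    problems = password_problems(acct.user_id, new_password, personal_terms)
    new_hash = _digest(acct.salt, new_password)
    if new_hash in acct.history:
        problems.append("reuses one of the last 4 passwords")
    if problems:
        return problems
    acct.pw_hash, acct.set_at, acct.must_change = new_hash, now, False
    acct.history = (acct.history + [new_hash])[-HISTORY_DEPTH:]
    return []


def login(acct, attempt, now):
    """Returns 'locked', 'invalid', 'must_change', 'expired' or 'ok'."""
    if acct.locked:
        return "locked"
    if _digest(acct.salt, attempt) != acct.pw_hash:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_INVALID_ATTEMPTS:
            acct.locked = True            # 3 consecutive invalid attempts: lock out
            return "locked"
        return "invalid"
    acct.failed_attempts = 0              # a valid logon resets the counter
    if acct.must_change:
        return "must_change"
    if now - acct.set_at > MAX_PASSWORD_AGE:
        return "expired"
    return "ok"


def demo():
    """Walks one constructed account through the policy; returns the outcomes in order."""
    t0 = datetime(2007, 12, 1, 9, 0)                      # constructed timestamp
    acct = create_account("rahim", "Temp#2007", t0)
    out = [login(acct, "Temp#2007", t0)]                    # must_change
    out.append("rejected" if change_password(acct, "rahim", t0) else "changed")
    out.append("rejected" if change_password(acct, "Krishi#07", t0) else "changed")
    out.append(login(acct, "Krishi#07", t0 + timedelta(days=91)))     # expired
    out.append("rejected" if change_password(acct, "Krishi#07", t0) else "changed")
    for _ in range(3):
        out.append(login(acct, "guess", t0))                # invalid, invalid, locked
    out.append(login(acct, "Krishi#07", t0))                # still locked
    return out
```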
6.1.3 Input Control and Data Processing:
6.1.3.1 Data input should be done by the persons authorized by the competent
authority.
6.1.3.2 All financial transaction input must be supported with proper vouchers,
documents or formal procedures according to their business power.
6.1.3.3 Non-financial data inputs should be done on the basis of proper
records, statements, reports or returns.
6.1.3.4 The software should not allow the same person to be both the maker
and the checker of the same transaction.
6.1.3.5 Access to the system, and especially to sensitive data or fields, should be
restricted.
6.1.3.6 Start-of-Day and End-of-Day operations of the banking application software
should be performed by authorized officers. The day-end process should
be completed with the generation of all prescribed reports.
6.1.3.7 Proper records with appropriate authentication should be maintained if
any corrective operations are made in the database.
6.2 Audit trail and follow up:
6.2.1 Audit trails are records of activity used to provide a means for
reconstructing events and establishing accountability.
6.2.2 The audit trail should record operations in which sensitive information
is accessed, network services are accessed, and special privileges or
authorities, such as security administration commands, emergency
User ID, supervisory functions etc., override the normal processing
flow.
6.2.3 The audit trail should include user identification, functions, resources
and information used or changed, date and time stamp, work-station
address and network connectivity path.
6.2.4 Management should review the audit trail information regularly,
usually daily for financial operations, and investigate and report
suspicious activity immediately.
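Added here as an illustration, not taken from the bank's policy or systems, this Python script parses a trail carrying the fields required by para 6.2.3 and performs the daily review of para 6.2.4: it flags privileged functions, emergency user IDs and sensitive-data access (para 6.2.2), activity outside the operating schedule of para 6.1.2.6, and maker/checker breaches under para 6.1.3.4. The record layout, the function and resource names, the operating hours and the sample lines are constructed assumptions.

```python
"""Daily audit-trail review for paras 6.1.3.4 and 6.2.
Added example, not the bank's own code: the record layout, function names,
operating hours and the sample lines below are constructed for illustration."""
from datetime import datetime, time

# Constructed sample trail with the fields para 6.2.3 requires:
# timestamp|user id|function|resource|workstation address|network path
SAMPLE_TRAIL = """\
2007-12-03T09:12:05|op101|LOGIN|core-banking|10.10.5.21|branch-lan
2007-12-03T09:30:41|op101|TXN_MAKE|TXN-0001|10.10.5.21|branch-lan
2007-12-03T09:31:02|op101|TXN_CHECK|TXN-0001|10.10.5.21|branch-lan
2007-12-03T09:40:17|op102|TXN_MAKE|TXN-0002|10.10.5.22|branch-lan
2007-12-03T09:41:55|sup201|TXN_CHECK|TXN-0002|10.10.5.30|branch-lan
2007-12-03T13:05:00|sup201|SUPERVISORY_OVERRIDE|TXN-0003|10.10.5.30|branch-lan
2007-12-03T20:15:33|op102|READ|customer-master|10.10.5.22|wan-vpn
2007-12-03T21:02:10|emergency01|SECADMIN_CMD|user-table|10.10.9.9|wan-vpn
"""

FIELDS = ("timestamp", "user", "function", "resource", "workstation", "path")
PRIVILEGED_FUNCTIONS = {"SECADMIN_CMD", "SUPERVISORY_OVERRIDE"}   # 6.2.2 (assumed names)
EMERGENCY_USER_IDS = {"emergency01"}                               # 6.2.2 (assumed name)
SENSITIVE_RESOURCES = {"customer-master", "user-table"}            # 6.2.2 (assumed names)
OPERATING_HOURS = (time(9, 0), time(18, 0))                        # 6.1.2.6 schedule (assumed)


def parse_trail(text):
    """Parse pipe-delimited records into dicts; malformed line numbers are returned, not dropped silently."""
    records, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split("|")
        if len(parts) != len(FIELDS):
            bad.append(lineno)
            continue
        rec = dict(zip(FIELDS, parts))
        rec["when"] = datetime.fromisoformat(rec["timestamp"])
        records.append(rec)
    return records, bad


def review_trail(records, hours=OPERATING_HOURS):
    """Return (timestamp, user, reason) findings for the daily management review."""
    findings = []
    makers = {}                                   # transaction -> user who entered it
    for r in records:
        reasons = []
        if r["function"] in PRIVILEGED_FUNCTIONS:
            reasons.append(f"privileged function {r['function']} on {r['resource']}")
        if r["user"] in EMERGENCY_USER_IDS:
            reasons.append("emergency user ID used")
        if r["resource"] in SENSITIVE_RESOURCES:
            reasons.append(f"sensitive data {r['resource']} accessed via {r['path']}")
        if not hours[0] <= r["when"].time() <= hours[1]:
            reasons.append("activity outside operating schedule")
        if r["function"] == "TXN_MAKE":
            makers[r["resource"]] = r["user"]
        elif r["function"] == "TXN_CHECK" and makers.get(r["resource"]) == r["user"]:
            reasons.append(f"same user made and checked {r['resource']}")  # 6.1.3.4 breached
        findings.extend((r["timestamp"], r["user"], why) for why in reasons)
    return findings


def run_review(text=SAMPLE_TRAIL):
    """Parse and review a trail; returns (findings, malformed line numbers)."""
    records, bad = parse_trail(text)
    return review_trail(records), bad


if __name__ == "__main__":
    for ts, user, reason in run_review()[0]:
        print(ts, user, reason)
```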
6.3 Network Security
6.3.1 The network and its security shall be implemented under a documented
design plan.
6.3.2 Network equipment must be housed in a physically secured
environment, and access therein must be restricted and controlled.
6.3.3 Sensitive information should be kept in a restricted area of the
networking environment.
6.3.4 Unauthorized access and electronic tampering must be strictly controlled.
6.3.5 Security of the network should be under dual administrative control.
6.3.6 Firewalls should be placed on the network for any external connectivity if
and when necessary.
6.3.7 There shall be a system to detect unauthorized intruders on the network.
6.4 Data Encryption
6.4.1 There should be a mechanism in place to encrypt and decrypt highly
sensitive data traveling through LAN/WAN or public networks.
6.5 Virus Protection
6.5.1 Whenever possible a system which is not susceptible to virus attack is to
be used. Examples of such systems are Unix- and Linux-based environments.
6.5.2 Anti-virus software should be installed on each server and computer,
whether it is connected to the LAN or not.
6.5.3 Virus auto-protection mode should be enabled.
6.5.4 The anti-virus software should always be updated with the latest virus
definition file.
6.5.5 All users should be informed and trained about computer viruses and their
prevention mechanisms.
6.5.6 All incoming e-mail messages must be scanned for viruses to prevent
infection of the bank's network.
6.6 Internet and e-mail
6.6.1 Redundant communication links have to be used for WAN/Internet.
6.6.2 All Internet connections should be routed through a firewall for PCs
connected to the network.

CHAPTER- 7
7. Business Continuity and Disaster Recovery Plan
The Business Continuity Plan (BCP) is required to cover operational risks and should
take into account the potential for wide area disasters, data centre disasters and
the recovery plan. The BCP should take into account the backup and recovery
process. Keeping this in consideration, this chapter covers the BCP, Disaster
Recovery Plan and Backup/Restore plan.
7.1 Business Continuity Plan (BCP):
7.1.1 There must be a Business Continuity Plan, in line with business, for IT in
place.
7.1.2 All the documents related to the business continuity and disaster recovery plan
must be kept in a safe and secured location. One copy can be stored in the
office for ready reference.
7.1.3 The Business Continuity Plan (BCP) must contain the following:
a) Action plan for:
i. Disaster during office hours,
ii. Disaster outside office hours, and
iii. Immediate and long-term action plan in line with business.
b) Emergency contact addresses and phone numbers, including vendors.
c) Grab list of items such as backup tapes, laptops etc. in case of an
immediate evacuation.
d) Disaster recovery site map.
7.1.4 The Business Continuity Plan (BCP) must be reviewed at least once a year.
7.2 Disaster Recovery Plan (DRP):
7.2.1 A Disaster Recovery Site (DRS) must be in place replicating the Data Center/
Production Site.
7.2.2 The Disaster Recovery Site should be at a minimum of 30 (thirty) kilometers
radial distance from the central data center.
7.2.3 The Disaster Recovery Site should not be placed under the same utility services as
the data center.
7.2.4 The Disaster Recovery Site should be equipped with compatible hardware and
telecommunications equipment to support the live systems in the event of a
disaster.
7.2.5 Appropriate physical and environmental security should be provided at the
Disaster Recovery Site.
7.2.6 Information security should be properly maintained throughout the fallback
and DR recovery process.
7.2.7 An up-to-date and tested copy of the DR plan is to be securely held off-site.
DR plans shall exist for all the critical services where the DR requirement is agreed
with the business.
7.2.8 A DR test is to be successfully carried out at least once a year.
7.2.9 DR test documentation should include at a minimum:
a) Scope - defines the scope of planned tests and the expected success criteria.
b) Plan - detailed actions with timetable.
c) Test Results.
7.3 Backup/Restore Plan (BRP):
7.3.1 Backup means saving of data or information to assure business continuity
in case of a loss of resources at the production site.
7.3.2 There should be a documented backup procedure. The Information Technology
Department/Computer Department of the bank should formulate the backup
procedure, and it will be reviewed annually.
7.3.3 Backup copies of information should be stored off-site in a geographically
separate and safe environment.
7.3.4 At least one backup copy should be kept on-site at the office for time-critical
delivery.
7.3.5 The backup cycle is based on the following:
Backup for branch-banking operations should be taken daily on appropriate
media/devices. Provision for both incremental and full backup should be
kept to avoid corruption of data as well as to save time and money.
In other cases, backup should be taken on a daily/weekly/monthly/quarterly
or half-yearly basis depending on the nature of the database and/or
operations, as the DGM (IT) decides fit.
The DGM (IT) will formulate the action plan and implementation procedure for
backup and restore.
7.3.6 The backup media should be sent off-site immediately after the backup
has been taken.
7.3.7 The backup log book in the form of ITF-10 should be maintained, checked and
signed by the Branch Manager/Head of the Department/Office.
7.3.8 The backup inventory is to be maintained, checked and signed by the supervisor.
7.3.9 The ability to restore from backup media is to be tested at least quarterly.
7.3.10 Backup media must be labeled properly indicating contents, date etc.
7.3.11 Hardcopy backup, in applicable cases, should also be taken.


CHAPTER- 8
8.0 Procurement and Service Management
The purchase of computer hardware, software and peripherals requires careful
consideration of the bank's business needs, because subsequent changes are usually
expensive to make. The system must have adequate capacity or else it may not be
able to function properly. There shall be adequate arrangements for proper
maintenance of the system. Moreover, the service of vendors is of utmost
importance for smooth operation of the business in modern business organizations.
This chapter specifies the policies and procedures to be followed by the bank for
procuring and hiring the different services to be rendered by each and every service
provider. This also covers the basic principles applicable to all service providers to
ensure prompt service so that the bank's operations are not hampered.
8.1 Computer Hardware and Software Procurement:
8.1.1 All purchases of new systems, computer hardware and software or new
components for existing systems must be made in accordance with the
applicable Government/Bank's procurement policies and procedures as well
as technical standards.
8.1.2 Except for minor purchases (as mandated by the delegation of financial
power), hardware and software must be purchased through a
structured/formal evaluation process.
8.1.3 Purchases must be made on the basis of business needs and requirements
as assessed by the competent authority.
8.1.4 All new hardware and software installations are to be planned formally and
notified to all interested parties ahead of the proposed installation date.
8.1.5 All hardware and software must be tested fully and comprehensively and
formally accepted by the user before being transferred to live operations.
8.1.6 All hardware and software under procurement shall have a comprehensive
warranty to cover operational risk.
8.1.7 The period of warranty coverage should be determined by the procuring
entity depending on the nature of the components, but the period should not
be less than twelve (12) months.
8.1.8 The description of the warranty must clearly mention warranty coverage (parts,
labor and service), type of warranty (comprehensive), duration and any
provision for penalty when the said warranty is not complied with at an
acceptable level.
8.2 Service Level Agreement (SLA):
8.2.1 There should be a maintenance service arrangement for all hardware and
software for the post-warranty period.
8.2.2 There should be a service level agreement between the vendor and the bank for
all sensitive hardware and software.
8.2.3 The Annual Maintenance Contract (AMC) with the vendor shall exist only for
usable hardware and software.
8.2.4 For sensitive hardware and software items, the concerned authority shall
exercise utmost care in having a contract without an interruption due to
delay in renewal of the contract.
8.2.5 The user site should ensure that the equipment does not contain sensitive
live data when hardware is taken by the vendors for servicing/repair.
8.2.6 Service contracts with all service providers, including third-party vendors,
should include:
a) Parties to the contract with address,
b) Definitions of terms, if necessary,
c) Measurable services/deliverables,
d) Timing/schedules, i.e. service levels,
e) Roles and responsibilities of the contracting parties, including an escalation
matrix clearly mentioning response time and resolution time,
f) Pricing of the contract,
g) Penalty clause,
h) Confidentiality clause,
i) Contact person names (on daily operations and relationship levels),
j) Renewal period,
k) Modification clause,
l) Frequency of service reporting,
m) Termination clause,
n) Warranties, including the service supplier's employee liabilities, third-party
liabilities and the related remedies,
o) Geographical locations covered,
p) Ownership of hardware and software,
q) Documentation to be maintained (e.g. logs of changes, records of
reviewing event logs),
r) Audit rights of access (internal audit, external audit, other audit as may
be appropriate),
s) Any other clause considered fit for the contract.
8.3 Outsourcing:
8.3.1 Outsourcing shall be done for activities not usually performable using the
normal capacity of manpower, materials and resources of the Bank.
8.3.2 The economic validity shall be studied before considering any sort of
outsourcing.
8.3.3 The risks and security concerns associated with outsourcing shall be considered
carefully.
8.3.4 The legal implications of outsourcing shall be carefully examined.
8.3.5 The technical aspects of any activity should be examined by the technical
committee or by the technical consultant according to the nature of the
activity concerned.
8.3.6 The outsourcing proposal or working paper shall be prepared by the user
department/office.
8.3.7 Arrangements shall be made for possible acquisition of the source code, in the
case of software, if necessary through an escrow account.
8.3.8 The outsourcing service contract shall include the terms and conditions mentioned
in para 8.2.6.


IT Forms and Appendix

IT FORMS (30 - 40)
And
APPENDIX (41 - 48)

ITF- 1

BANGLADESH KRISHI BANK
.............................Office

CHANGE REQUEST FORM
Reference No:
Date:

Section I : Requester Information
Branch/Division Name :
Submitted by :
Change Description :
Change Purpose :
Request Date :
Signature and Seal (Requester)
Signature and Seal (Head of the Office)

Section II : Approvals
The undersigned agrees and accepts the change documented on this form.
Name :
Designation :
Comments :
Date :
Signature and Seal :

Section III : Implementer Details
The undersigned has implemented the requested change on this form.
Change reference No. :
Date of change Implementation :
Change Implementation Details :
Was change successful? Yes / No
Name :
Designation :
Signature and Seal :
Signature and Seal (Head of Branch/Division)

(Ref: Para-4.1.1)

ITF- 2

BANGLADESH KRISHI BANK
.............................Office

USER ACCEPTANCE TEST (UAT)
Reference No:
Date:

Application/System Name :
Change Request Reference :
Date :
Test Scope (Detail plan of test) :
Hardware / Software
Performance Test / Security Test
Black box / White box
Expected Result :
Actual Result :
User Acceptance Test : Success / Failure
Comments :
Signature and Seal :

(Ref: Para-4.1.4)


ITF- 3

BANGLADESH KRISHI BANK
.............................Office

STOCK REGISTER OF HARDWARE AND SOFTWARE
Name of the item:
Columns:
1. SL #
2. Brand & Model
3. Description with Specification / Version
4. Quantity
5. Identification No
6. Machine Location
7. Supplier/Vendor
8. Date of Supply
9. Price
10. Signature
11. Remarks

(Ref: Para- 4.2.1)

ITF- 4

BANGLADESH KRISHI BANK
.............................Office

REQUEST FORM
Reference No.:
Date:

Section I : Requester Information
Branch/Division Name :
Submitted by :
Contact No. :
Request Details :
Justification :
Request Date :
Signature and Seal (Requester)
Signature and Seal (Head of the Office)

Section II : Approvals
The undersigned agrees and accepts the change documented on this form.
Name :
Designation :
Comments :
Date :
Signature and Seal :

Section III : Implementer Details
The undersigned has implemented the requested change on this form.
Request reference No. :
Date of Request Implementation :
Request Implementation Details :
Was Request done successfully? Yes / No (put details below)
Short description in case of failure :
Name :
Designation :
Signature and Seal :

(Ref: Para-4.4.2)


ITF- 5

BANGLADESH KRISHI BANK
.............................Office

ACCESS AUTHORIZATION LIST
Columns:
01. Serial No.
02. Name and Designation of the authorized persons
03. Address
04. Authorization Validity: From
05. Authorization Validity: To
06. Authorization Card No.
07. Authorized by
08. Remarks

(Ref: Para-5.1.1.4, 5.2.1.3 and 5.3.1.2)

ITF- 6

BANGLADESH KRISHI BANK
.............................Office

ACCESS LOG BOOK
(for the use in the Data Center, Server Room, Computer Room)
Columns:
01. Date of Access
02. Name and Designation of the Authorized Persons
03. Address
04. Authorization Card No.
05. Time of Access
06. Signature of the person
07. Purpose of Access / Work done
08. Time of Departure
09. Signature of the person
10. Remarks

(Ref: Para-5.1.1.5)

ITF- 7

BANGLADESH KRISHI BANK
.............................Office

VISITORS LOG BOOK
(For the use in the Data Center, Server Room, and Computer Room)
Columns:
01. Date of Visit
02. Name of the visitor
03. Address of the visitor
04. Purpose of Visit
05. Time of Access
06. Signature of the visitor
07. Work done / Activities during stay
08. Time of Departure
09. Signature of the visitor
10. Remarks

(Ref: Para-5.1.1.6 and 5.2.1.2)

ITF- 8

BANGLADESH KRISHI BANK
.............................Office

USER CREATION FORM
(For the use of the user section of branch/department)
01. I. Name of the User :
    II. Designation :
    III. Address :
    IV. Date of Joining :
    V. Transfer from :
02. Name of the System/Software :
03. User Status :
04. User Rights Proposed : Administrator / Data Controller / Data Processor / Data Operator / Teller
    Module Name(s) :
    (Read, Write, Delete, Copy, Change, Print)

Recommended/Proposed by:
Signature :
Designation :

Approved By :
Signature :
(Manager/Head of Department or Office)

User's Signature :

(For use of computer section of the branch/computer department/system owner department)
Accepted for implementation for the following rights:
1.
2.
3.
4.
5.
User Created :
a) On : ..........
b) User ID : ..........
c) User Password Envelop No : ..........

Signature with seal
(In charge of System Administrator)

Signature :
Designation :
(Branch Manager/Head of Department or Office/system owner)

(Ref: Para-5.2.2.3 and 6.1.2.2)


ITF- 9

BANGLADESH KRISHI BANK
.............................Office

PASSWORD HANDOVER FORM
We, the undersigned, handing over and receiving respectively today, the
...............(date) at ........ am/pm, the sealed cover in respect of the following:
(1).
(2).
(3).
in terms of the order no...................... dated.............. of (name of the order
issuing office) .................... in presence of the following witness (officer/staff).

Signature:
(Handing over Officer)
Name :
Designation:
Address :

Signature:
(Receiving Officer)
Name :
Designation:
Address :

Counter Signature:
Name of the counter signing officer:
Designation:
Address :

NB: After receiving the passwords, the receiving officer will open the sealed envelope alone and
confirm the passwords by applying them in the system/database. S/he will change the passwords just
after checking and again hand over the same in a sealed envelope to the Head of the Computer
Department/branch manager with documentary record.

(Ref: Para-6.1.1.3 and 6.1.1.6)

ITF- 10

BANGLADESH KRISHI BANK
.............................Office

BACK UP LOG BOOK
Name of the System: ..........
Columns:
01. Serial no.
02. Backup Period/Date
03. Backup Media
04. Backup Type (full / incremental)
05. Backup taken by: Name
06. Backup taken by: Designation
07. Backup taken by: Signature
08. Backup sent to
09. Reference/code no.
10. Signature of the recipient
11. Remarks

(Ref: Para-7.3.7)


Appendix-1

ORGANIZATION CHART OF COMPUTER DEPARTMENT
(Ref: Para-3.3.1)

Positions shown in the chart (post, grade and number):
Deputy General Manager (Information Technology) -1
Peon -1
Senior Operation Manager (AGM) -1
Operation Manager (SPO) -2 (DC-1 & DRS-1)
Computer Operation Supervisor (PO) -4
Senior Computer Operator (SO) -6
Computer Operator (Officer) -6
Senior System Analyst/ System Administrator/ Database Administrator (AGM) -3
System Analyst (SPO) -2
Senior Programmer (SPO) -2
Assistant System Analyst (PO) -4
Programmer (PO) -4
Principal Maintenance Engineer (AGM) -1
Senior Maintenance Engineer (SPO) -2
Asst System Administrator/ Asst DBA (SPO) -2
Assistant Programmer (SO) -12
Maintenance Engineer (PO) -4
Data Entry Control Supervisor (Officer) -2
Assistant Maintenance Engineer (SO) -8
Data Entry/ Control Operator (Jr Assistant) -2
Peon -1
Senior Data Entry/ Control Operator (Supervisor) -2
Peon -2
Peon -1

Synopsis
1 Deputy General Manager
1 Senior Operation Manager (AGM)
1 Senior System Analyst (AGM)
1 System Administrator (AGM)
1 Database Administrator (AGM)
1 Principal Maintenance Engineer (AGM)
2 Operation Manager (SPO)
2 System Analyst (SPO)
2 Senior Programmer (SPO)
1 Assistant System Administrator (SPO)
1 Assistant Database Administrator (SPO)
2 Senior Maintenance Engineer (SPO)
4 Computer Operation Supervisor (PO)
4 Assistant System Analyst (PO)
4 Programmer (PO)
4 Maintenance Engineer (PO)
6 Senior Computer Operator (SO)
12 Assistant Programmer (SO)
8 Assistant Maintenance Engineer (SO)
6 Computer Operator (Officer)
2 Data Entry Control Supervisor (Officer)
2 Senior Data Entry/Control Operator (Supervisor)
2 Data Entry/Control Operator (Jr Assistant)
5 Peon
TOTAL = 75


Job Description of IT Related Personnel


Appendix-2

1. Deputy General Manager of Information Technology (IT) Department

DGM (IT) is responsible for:
Planning, organizing, directing, coordinating, controlling and implementing the policies and procedures contained in the Information Technology Security Policy of the bank;
Formulating plans and programs for organizing, developing and managing the computerization and information technology system infrastructure;
Taking appropriate steps and measures needed for implementation of the computerization plan;
Coordinating the procurement committee and the bank's technical committee on computerization;
Presenting working papers on computerization to the management;
Approving changes in the production site, data center and communication media in respect of asset management, operating procedure management and request management;
Managing procurement of computer hardware, software, peripherals and other accessories as required by the bank.
Also responsible for performing any job assigned by the competent authority.
2. System Analysis, Design and Programming:
A. Senior System Analyst/ System Analyst/ Assistant System Analyst.
They are responsible for:
Evaluating business procedures and problems reasonably;
Understanding the capabilities of the bank's equipment and software and providing recommendations on the selection of new equipment or software packages;
Analyzing systems for the bank's own use;
Collecting data by interview, conducting surveys and observing employees' performance;
Preparing charts and diagrams that represent the new system in a form the bank's executives can understand;
Analyzing the cost and benefit of implementing the proposed system;
Preparing specifications for programmers to follow;
Coordinating the test problems used to debug the system and participating in trial runs;
Determining the computer hardware and software needed to set up the system and designing application software;
Preparing system documentation and instructional/user manuals.
Also responsible for performing any job assigned by the competent authority.

B. Senior Programmer/ Programmer/ Assistant Programmer.

They are responsible for:
Writing programs, creating a logical series of instructions the computer can follow, applying knowledge of computer capabilities, subject matter and symbolic logic;
Coding instructions in programming languages and testing and debugging programs to get the intended results;
Analyzing, reviewing and rewriting programs using workflow charts and diagrams, converting detailed logical flow charts into language that computers can process;
Preparing flow charts and block diagrams and encoding the resultant equations for processing, developing programs from workflow charts or diagrams, considering computer storage capacity, speed and intended use of output data;
Preparing detailed workflow charts and diagrams from programs to illustrate the sequence of steps and describe input, output and logical operation, and writing documentation of program development and subsequent revisions;
Revising existing programs to increase operating efficiency or to adapt to new requirements;
Consulting managerial and technical personnel to clarify program intent, identify problems and suggest changes;
Writing instructions to guide operating personnel during production runs;
Preparing records and reports as required;
Collaborating with vendors and users in developing new programming methods;
Assisting system analysts or computer operators to resolve problems in running computer programs;
Imparting training to subordinates in programming and program coding.
Also responsible for performing any job assigned by the competent authority.

3. Computer Operation and Management:
A. Senior Operation Manager/Operation Manager/Computer Operation Supervisor.
They are responsible for:
Managing all sorts of operations using computer hardware, software and peripherals;
Understanding management's need for information and the bank's obligations for providing or presenting information to the government, central bank and other bodies;
Coordinating information sources and destinations within and outside the bank, and coordinating system development groups and vendors for improving computer system operations;
Defining and structuring appropriate operation procedures for information gathering, data capture, data validation and processing using computer systems;
Supervising implementation of the structured operational systems and procedures according to the requirements of the bank;
Recommending information system needs and requirements to the management.
Also responsible for performing any job assigned by the competent authority.
B. Senior Computer Operator/Computer Operator/ Data Entry/ Control Supervisor.
They are responsible for:
Implementing all sorts of operations using computer hardware, software and peripherals;
Understanding management's need for information and the bank's obligations for providing or presenting information to the government, central bank and other bodies;
Coordinating information sources and destinations within and outside the bank;
Coordinating system development groups for improving computer operations;
Implementing the operation procedures designed for information gathering.
Also responsible for performing any job assigned by the competent authority.

C. Senior Data Entry/Control Operator, Data Entry/Control Operator
They are responsible for:
Maintaining the physical aspects of the computer system, including personal computers, peripherals, operating systems and application software media kits;
Performing all sorts of operations, including desktop work, using the computer system;
Maintaining the inventory of all sorts of hardware, software and peripherals, including software media kits;
Understanding information needs and coordinating information sources and destinations within the bank;
Coordinating system development groups for improving computer operations;
Following the operational procedures designed for information gathering.
Also responsible for performing any job assigned by the competent authority.
4. Hardware Maintenance and Control:
Principal Maintenance Engineer/ Senior Maintenance Engineer/ Maintenance Engineer/ Assistant Maintenance Engineer.
They are responsible for:
Installation, configuration, maintenance, management and control of the computer systems;
Examining and analyzing technical reports, manuals and brochures and recommending purchases of servers, personal computers, hardware, software and peripherals;
Testing and evaluating hardware and software to determine efficiency, reliability and compatibility with the system, and upgrading components;
Ensuring system security, installing system applications, distributing software upgrades and monitoring related activities;
Enabling and enforcing software licensing agreements;
Developing storage management systems and providing for routine backups;
Processing procurement of computer hardware, software, peripherals and other accessories as required by the bank;
Managing vendors and directing the work of system technicians and computer support staff.
Also responsible for performing any job assigned by the competent authority.

5. System Administration and Control
A. System Administrator/ Assistant System Administrator.
They are responsible for:
Managing the bank's information technology setup, including computers, peripherals and operating systems;
Testing and evaluating hardware and software to determine efficiency, reliability and compatibility with the system, and upgrading components;
Ensuring network security, installing new applications and distributing software upgrades;
Maintaining the given multi-user system and exercising control over the information on the system;
Administering access control, creating and maintaining system users, controlling users' powers/rights and managing system controls;
Monitoring daily activity, and enabling and enforcing licensing agreements;
Designing and developing the storage management program and providing routine backups;
Managing vendors and directing the work of network technicians and computer support staff;
Managing and maintaining the servers and computers at the following levels:
o Data Center and DRS level: Operating System for the Core Banking Database Server and Switching Server, Application Server, Host Security Module (HSM), Network Access Controller (NAC), Web Server, Mail Server, Internet Banking Application Server, Internet Banking DB Server;
o Head Office level: SWIFT Server, Application Servers including the Backup Server;
o ATM and POS level: ATM and POS Terminal Control Software.
Also responsible for performing any job assigned by the competent authority.
B. Database Administrator/ Assistant Database Administrator.
They are responsible for:
System performance tuning as well as structuring the tables within the database, the number of instances to run, and other parameters;
The physical aspects of the data warehouse, which include physical design, performance and maintenance activities including backup and recovery;
Administering access control, creating and maintaining database users, controlling users' powers/rights and managing database controls;
Ensuring that usernames and passwords are encrypted properly;
Administering and managing standby servers;
Managing the configuration of application clustering.
Also responsible for performing any job assigned by the authority.


6. Branch Banking Operations and Management.

A. IT Operation Manager.
They are responsible for:
Managing and maintaining the physical aspects of the information technology setup, including servers, personal computers and other peripherals;
Managing and maintaining the physical aspects of the computer Local Area Network (LAN), including the physical design of the LAN, the power supply system, performance and maintenance activities;
Managing and maintaining media kits for system software, application software and utility software, including the banking application software;
Maintaining the multi-user system and exercising control over the information on the system;
Administering access control, creating and maintaining system users, controlling users' powers/rights and managing system controls;
Ensuring timely backup of data and managing backup media for onsite and offsite preservation;
Ensuring that usernames and passwords are encrypted properly;
Maintaining the inventory of computer hardware and software, including licenses, ancillary documents, reports and registers.
Also responsible for performing any job assigned by the competent authority.
B. Second Passing Officer/ Verification Officer.
They are responsible for:
Ensuring customer service over the counter for banking purposes;
Ensuring verification of the customer's digital specimen signature online, or otherwise if online verification fails, before payment;
Ensuring that cash payments made by the teller over the counter are within their business power/limit and observe the rules and regulations;
Ensuring authentication of fund transfers from and to accounts within the bank;
Ensuring transaction entry into the respective modules of the banking application software for processing;
Managing the generation of statements and reports relating to customers' accounts for use by the customers or for the purposes of the bank.
Also responsible for performing any job assigned by the competent authority.

C. Senior Teller/ Teller.
They are responsible for:
Serving customers over the counter for banking purposes;
Receiving cash from customers over the counter against proper authentication and observing the rules and regulations;
Ensuring verification of the customer's digital specimen signature online, or otherwise if online verification fails, before payment;
Making cash payments to customers over the counter within their business power limit after observing the rules and regulations;
Transferring funds from and to accounts within the bank;
Ensuring transaction entry into the respective modules of the banking application software for processing;
Holding keys of the safe vault with appropriate formalities;
Holding cash in hand, cash in counter and cash in vault overnight.
Also responsible for performing any job assigned by the competent authority.


GLOSSARY OF TERMS
A term is listed in this Glossary only if it is used in this document with a connotation
different from normal usage.
Access Control: Functions that limit access to information or information processing
resources to persons or applications.
Physical access controls are those which are based on placing physical barriers
between unauthorized persons and the information resource being protected.
Logical access controls are those which employ other means.
Alarm: Indication of an unusual or dangerous condition or security violation, which
may require immediate attention.
Application: Task or set of tasks to be accomplished by the information processing
system.
Audit: Function that seeks to validate that controls are in place, adequate for their
purposes and report inadequacies to the appropriate levels of management.
Audit Trail: Collection of records from an information processing facility indicating
the occurrence of certain actions, used to determine if unauthorized use or
attempted use of the facilities has taken place.
Authentication: Process that seeks to validate identity or to prove the integrity of
the information.
Authentication Token: Device that performs dynamic authentication.
Backup: The saving of business information in appropriate media to assure business
continuity in case of loss of resources at the production site.
Classification: Scheme that separates information into categories so that appropriate
controls may be applied. Separation may be by type of information, criticality, fraud
potential or sensitivity.
Code: Software instructions such as object code (the instructions the computer
executes) or source code (the instructions the programmer writes). System of principles
or rules such as fire codes or building codes. Result of a cryptographic process such as
a message authentication code.
Competent Authority: A designated official to perform specific job given by the
authority.
Contingency Plan: Procedure which, when followed, allows an organization to
resume operations after natural or other disasters.
Control: Measure taken to assure the integrity and quality of process.

Criticality: Requirements that certain information or information processing
resources be available to conduct business.
Customer Agreement: Contract with a customer that sets forth the customer's
responsibilities and governs which security process will be used in the conduct of
business between the organization and the customer.
Destruction (of information): Any condition that renders information unusable,
regardless of the cause.
Digital Signature: Value that can serve in place of a handwritten signature. Normally,
a digital signature is the function of the contents of the message, the identity of the
sender and some cryptographic information.
Disclosure of Information: Unauthorized viewing or potential viewing of information.
Dual Control: Method of preserving the integrity of a process by requiring that two
individuals independently take some action before certain transactions are completed.
Encryption: Process of converting information so as to render it into a form
unintelligible to all except the holders of a specific cryptographic key. Use of
encryption protects information between the encryption process and the decryption
process (the inverse of encryption) against unauthorized disclosure.
Firewall: A Firewall is a collection of components placed between two networks that
collectively have the following properties:
1. All traffic from inside to outside and vice-versa must pass through the firewall.
2. Only authorized traffic, as defined by local security policy, will be allowed to pass.
3. The firewall is itself immune to penetration.
Guideline: Recommendation for information security controls to be implemented
against given threats. Guidelines should not be ignored unless sound business and
security reasons exist for doing so.
Image: Representation of a document for manipulation or storage within an
information processing system. Digital representations are implied.
Information: Any data, whether in an electronic form, written on paper, spoken at a
meeting or on any other medium, which is used by a financial organization to make
decisions, move funds, set rates, advance loans, process transactions and the like.
This definition includes software components of the processing system.
Information Asset: Information or information processing resources of an
organization.
Information Resources: Equipment that is used to manipulate, communicate or store
information, whether inside or outside the organization. Telephones,
facsimiles and computers are examples of information processing resources.

Integrity: Quality of information or a process that is free from error, whether
induced accidentally or intentionally.
Key: Cryptographic key, as discussed in this document.
Know Your Customer: Phrase used to indicate a desired attitude by the financial
organizations with respect to knowledge of customer activities.
Know Your Employee: Attitude of an organization which demonstrates a concern
for employees' attitudes toward their duties and possible problems such as substance
abuse, gambling, financial difficulties etc., which may lead to security concerns.
Letter of Assurance: Document setting forth the information security controls that
are in place for the protection of information, held on behalf of the recipient of the
letter.
Modification of Information: The unauthorized or accidental change in information,
whether detected or undetected.
Need-to-Know: Security concept that limits access to such information and
information processing resources as are required to perform one's duties.
Owner (of information): Person or function responsible for the collection and
maintenance of a given set of information.
Network: Collection of communication and information processing systems, which
may be shared among several users.
Password: String of characters that serves as an authenticator of the user.
Risk: Possibility of loss due to occurrence of one or more threats to information. This
is not to be confused with financial or business risk.
Risk Acceptance: Identification and acceptance of risk associated with an exception
to the information security policy.
Server: Computer that acts as a provider of some service to other computers, such as
processing of communications, interfacing with file storage or printing facility.
Shareware: Software which is generally available and which carries a moral, though
not a legal, obligation for payment.
Sign-on: Completion of identification and authentication of a user.
Software Integrity: Confidence that the software being used performs only the
functions for which it was purchased or developed.

Standard: Definition of accepted practices to meet a particular defined policy, or a
document published by a standards-setting body that provides industry-wide methods
of performing certain functions.

Stored Value Card: A token, which is capable of storing and transferring electronic
money.
Tamper Evident Packaging: Protective packaging which will preserve an indication of
attempts to access its contents.
Threat: Condition that may cause information or information processing resources to
be intentionally or accidentally lost, modified, exposed, made inaccessible or
otherwise affected to the detriment of the organization.
Trusted Computer System: Computer system that employs hardware and software
integrity measures to allow it to be used for simultaneous processing of information
having a wide range of sensitivities or classification levels.
Unavailability of Service: Inability to access information or information processing
resources for any reason, e.g. disaster, power failure or malicious action.
User Id: A character string that is used to uniquely identify each user of a system.
