Computer Department
Head Office, Dhaka-1000
Published by:
Computer Department
Bangladesh Krishi Bank
Head Office
83-85, Motijheel Commercial Area
Dhaka - 1000
December' 2007
PREFACE
Information and Communication Technology (ICT) opens the door to globalization and
has become the backbone of modern banking operations. It is also a critical component
of the infrastructure for a competitive market economy. The survival and success of a
business organization depend mainly on the effective use of ICT.
In view of the above, Bangladesh Krishi Bank has already set up an Information
Technology platform for its branches and offices. The bank has a vision to expand and
to modernize the IT platform and information systems gradually. Notwithstanding the
level of computerization, the security requirements of information systems are
universal and significant to the sustainability of the IT platforms. Accordingly, the
bank requires policies to secure IT setup as well as information and to set standards
for IT operations.
It is indeed a great pleasure that computer department of the bank has
prepared a book titled Information and Communication Technology Security Policy
in accordance with the guideline given by Bangladesh Bank, existing rules and
regulations. The book contains the policies applicable to IT Management, IT
Operation Management, Information System Physical Security, Information Security
Standard, Business Continuity and Disaster Recovery plan, Procurement & Service
Management. The organization chart along with the job description of IT personnel is
also incorporated in the Appendix.
The Computer Department (Information Technology Department) and
members of the Technical Committee on Computerization headed by Professor Dr.
Muhammad Masroor Ali of BUET deserve thanks for intellectual and laborious efforts
in accomplishing such a tedious job. I also express my thanks and gratitude to the
Board of Directors of the bank for providing their kind approval of the policy.
However, implementation of the Policy is more important than its existence. Henceforth
all concerned are requested to conduct their business in accordance with the guidelines
contained herein. The designated officers must examine and ensure strict compliance
with the policy.
INDEX OF CONTENTS

Serial      Contents                                                        Page
Chapter-1   Information and Communication Technology                        7-9
1.1         Information and Communication Technology in Bangladesh Krishi Bank
1.2         Automation of Branch Banking Operations
1.3
Chapter-2   Information and Communication Technology Security Policy        10-11
2.1         Scope                                                           10
2.2         Objective                                                       10
2.3         Basic Principles                                                11
Chapter-3                                                                   12-14
3.1         IT Management Area                                              12
3.2                                                                         12
3.3         IT Related Documentation                                        12
3.4         Internal IT Audit                                               13
3.5         Training of IT Personnel                                        13
3.6                                                                         13
3.7         Problem Management                                              13
3.8                                                                         14
3.9                                                                         14
Chapter-4   IT Operation Management                                         15-16
4.1         Change Management                                               15
4.2         Asset Management                                                15
4.3                                                                         15
4.4         Request Management                                              16
Chapter-5                                                                   17-22
5.1                                                                         17
5.2                                                                         19
5.3                                                                         20
5.4                                                                         21
Chapter-6   Information Security Standard                                   23-26
6.1                                                                         23
6.2                                                                         25
6.3         Network Security                                                25
6.4         Data Encryption                                                 26
6.5         Virus Protection                                                26
6.6                                                                         26
Chapter-7   Business Continuity and Disaster Recovery Plan                  27-28
7.1                                                                         27
7.2                                                                         27
7.3                                                                         28
Chapter-8   Procurement and Service Management                              29-30
8.1         Computer Hardware and Software Procurement                      29
8.2         Service Level Agreement (SLA)                                   29
8.3         Outsourcing                                                     30
IT Forms                                                                    31-40
ITF-1                                                                       33
ITF-2                                                                       34
ITF-3                                                                       35
ITF-4       Request Form                                                    36
ITF-5                                                                       37
ITF-6                                                                       37
ITF-7                                                                       37
ITF-8                                                                       38
ITF-9                                                                       39
ITF-10                                                                      40
Appendix                                                                    41-48
Appendix-1                                                                  41
Appendix-2                                                                  42
GLOSSARY OF TERMS                                                           49-52
CHAPTER 1
1.0: Information and Communication Technology
Information and Communication Technology (ICT) plays a vital role in the present world.
The advancement of Communication and Information Technology is one of the major
contributing factors in the emergence of globalization of financial markets. The
banking industry has changed the way it provides service to customers and processes
information in recent years. Information Technology has brought about this momentous
transformation. Security of IT systems for a financial institution has therefore
gained much greater importance, and it is vital to ensure that such risks are properly
identified and managed. Moreover, information and information technology systems are
essential assets of the bank as well as of its customers. Protection and maintenance
of these assets are important for the sustainability of any organization. Banks must
take responsibility for protecting this information from unauthorized access,
modification, disclosure and destruction in order to protect customers' interests.
This document provides the policy for Information and Communication Technology and
ensures its secure use in Bangladesh Krishi Bank (BKB). It establishes general
requirements and responsibilities for protecting ICT systems. The policy covers common
technologies such as computers and peripherals, data and network, web systems and
other IT resources. The bank's delivery of services depends on the availability,
reliability and integrity of its information technology systems.
The policy will require regular updates to cope with evolving changes in the IT
environment, both within the bank and in the industry overall. The senior management of
the bank must express a commitment to IT security by continuously upgrading awareness
and ensuring training of bank officials. Compliance plans for cases of noncompliance
should also be formulated from time to time.
1.1: Information and Communication Technology in Bangladesh Krishi Bank:
In spite of all limitations, Bangladesh Krishi Bank has entered the arena of
Information and Communication Technology to meet the demands of the time and is
endeavoring to turn its traditional banking operations into the most modern banking
system. Initially a computer section was started with two microcomputers under the
Loan Recovery Division in 1987. Subsequently the Computer Section turned into a
Computer Cell on a very limited scale. It began to expand with more microcomputers
and the necessary system software from time to time. In 1993, the span of the Computer
Cell was further extended by procurement of a multi-user, multitasking machine, i.e. a
Mini Computer System. As the scope and working area of computer operations expanded
further, the Computer Cell of the Bank turned into a full-fledged department with the
approval of the Ministry of Finance. The Computer Department of the Bank started
functioning in January 2004.
1.2: Automation of Branch Banking Operations:
Introduction of an automated modern banking system, instead of traditional manual
banking, is the prime need of the time. To meet this need, Bangladesh Krishi Bank
prepared a five-year plan during the financial year 1998-99. The plan was duly
approved by the Board of Directors of the Bank and subsequently by the Ministry of
Finance of the Government of the People's Republic of Bangladesh. The plan is to be
implemented in five phases as under:
1.2.1: First Phase: The implementation of the first phase of the computerization
plan was started in the year 1999 and it has been completed as under:
a. Branches: One-stop service facilities have been introduced under individual
local area network system in 28 branches of the bank including four corporate
branches in Dhaka, Chittagong, Khulna and Sylhet cities.
b. Head Office: The secretariat of the managing director, the offices of the deputy
managing directors and general managers, along with most of the departments in head
office, have been brought under computerization through standalone personal
computers or local area network systems with the necessary equipment.
c. Divisional Offices: Personal computers with related accessories have also
been supplied to all Divisional offices at field level to work on the basis of
standalone system.
1.2.2: Second and Third Phase: The implementation of the second and third phases
of the computerization program is under process. The automation processes are
described below:
a. Branches: One stop service will be introduced in 55 branches located at
different cities, district headquarters and in places having business
potentialities over the country.
b. Head Office: The computerization process comprises upgrading the existing
systems based on standalone personal computers into a local area network and
expansion of the existing system with the necessary equipment to the remaining
departments in Head Office.
c. Other Controlling Offices: The process comprises expansion of
computerized system to all Chief Regional Offices and Regional Offices
including Divisional Audit Offices of the Bank.
1.2.3: Fourth and Fifth Phase: On completion of the second and third phases of
computerization, the implementation of the fourth and fifth phases will start.
a. Branches: One Stop Service will also be introduced in 44 branches located
in different cities, urban areas and places having business potential over
the country.
b. Head Office and Other Controlling Offices: The computerization process
includes upgrading the existing systems in Head Office. The bank also desires
to establish a centralized banking operation system through setting up
appropriate servers for the data center and disaster recovery sites, and intends to
procure the necessary hardware, software and equipment essential for connecting
branches with business potential and also to connect field level controlling offices
with the Head Office. The process also includes expansion of the computerized
system to all Chief Regional Offices and Regional Offices including Divisional
Offices of the Bank.
CHAPTER 2
2.0 Information and Communication Technology Security Policy
This chapter describes the Information and Communication Technology Security
Policy of Bangladesh Krishi Bank.
This Information and Communication Technology Security Policy complies with the
guideline supplied by Bangladesh Bank. The Board of Directors of Bangladesh Krishi
Bank approves this policy. It provides the policy for Information and Communication
Technology and ensures its secure use in the bank. Information security means
protection of data, applications, networks and computer systems from unauthorized
access, alteration or destruction.
2.1 Scope
This policy is a systematic approach required to formulate ICT practice and to ensure
the security of information and information systems. It covers all information that is
electronically generated, received, stored, printed, scanned or typed. The provisions
of this policy shall apply to:
- All activities and operations required to ensure data security, including facility
design, physical security, network security, disaster recovery and business continuity
planning, use of hardware and software, data disposal, and protection of copyrights
and other intellectual property rights.
- All users, customers, agents and employees concerned with information and
information technology systems.
2.2 Objective
The objectives of the Information and communication technology security policy of
Bangladesh Krishi Bank are as follows:
01. To establish standard information technology management;
02. To help the bank achieve a secure and stable setup of its IT platform;
03. To establish a secure environment for data processing;
04. To identify information security risks and their management;
05. To communicate the responsibilities for the protection of information and
provide training regarding information system security;
06. To prioritize the information and information systems to be protected;
07. To review the policy periodically and formulate procedures and security
measures from time to time;
08. To provide automated banking facilities to customers;
09. To develop human resources familiar with current electronic banking systems;
10. To prescribe mechanisms that help to identify and prevent the compromise
of information security and the misuse of Bank data, applications, networks
and computer systems.
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10 Risk Mitigation: Risk analysis is to be carried out based on value, need
and type of different IT entities. Accordingly, risk mitigation plan is to be
framed for secured use of the IT entities.
CHAPTER 3
3.0
Management must ensure that the functions relating to Information and
Communication Technology are efficiently and effectively managed. They should
be aware of the capabilities of IT and be able to appreciate and recognize
opportunities and the risk of possible abuses. The management of the bank should
have a commitment to information technology security by continuously upgrading
awareness and ensuring training of bank staff. IT Management deals with IT policy
formulation, system documentation, assistance to the internal IT audit, training
and insurance activities.
3.1 IT Management Area:
3.2.1
3.2.2
The policy will require regular updates to cope with the evolving changes in
the Information and Communication Technology environment.
3.3 IT Related Documentation:
3.3.1 There shall be an Organization chart for the Information Technology
Department. This shall be a part of the bank's overall organization chart
duly approved by the Government (Ref. Organization chart, Appendix-1).
3.3.2 There shall be a documented job description for each IT personnel of
different Offices/Branches (Appendix-2).
3.3.3 A roster for IT activities should be documented properly and be reviewed
from time to time by the head of the department or office.
3.3.4 Segregation of duties for IT tasks shall be maintained and reviewed from
time to time by the head of the department or office.
3.3.5 Fallback plans for various levels of system support personnel shall be
formulated, maintained and reviewed from time to time by the head of the
department or office.
3.4 Internal IT Audit:
3.4.1
3.4.2
3.4.3
3.4.4
3.5 Training of IT Personnel:
3.5.1
3.5.2
3.5.3
3.5.4
All the network users should be trained about its operating and security
procedures.
3.6
3.6.1
Due to the rapid fall in the market value of computer hardware, the bank
should generally consider obtaining insurance coverage only in the case of
costly and/or specialized computer hardware and software. This decision
will be taken on an individual basis according to the opinion of management.
3.6.2
3.6.3
3.7 Problem Management:
3.7.1
3.7.2
Level-1 problems are those that can be resolved by the user with or
without telephonic assistance from the respective supplier.
Level-2 problems are those that can only be resolved by the local supplier
or the vendor of the product.
Level-3 problems are those that can be resolved only by the manufacturer
or principal of the product.
For level-1, stress should be given to solving the problems by the user
himself/herself. For level-2 and level-3 problems, the bank should enter
into a service level agreement with the supplier/vendor of the respective IT
asset.
3.7.3
3.7.4
3.7.5
3.7.6
The necessary corrective action should be performed within the time frame
bounded by the problem's severity.
3.7.7
Findings and action steps taken during the problem resolution process
should be documented.
3.7.8
3.7.9
3.8
3.9.1
3.9.2
CHAPTER 4
4.0 IT Operation Management
4.1 Change Management:
4.2 Asset Management:
4.2.1 A register of inventory for hardware and software must be kept with all
significant details and will be reviewed on 30th June every year. A sample
form has been provided in ITF-3. A record of this review must be
maintained.
4.2.2 All data on equipment and associated storage device/media must be
destroyed or erased/overwritten before sale, disposal or reissue.
4.2.3 The Bank must comply with the terms of all software licenses and must not use
any software that has not been legally purchased or otherwise legitimately
obtained.
4.2.4 Software used in production environments must be subject to a support
agreement.
4.2.5 No software shall be used in any computer without approval of the
competent authority. Use of unauthorized or pirated software must be
strictly prohibited throughout the bank. Random checks should be carried
out to ensure compliance.
4.3
ICT (Information and
4.3.2 Changes to operating procedures must be authorized by the competent
authority and documented properly.
4.3.3 Operating procedures cover the following where appropriate:
a. Documentation on handling of different processes.
b. Scheduling of processes, including target start and finish times.
c. Documentation on handling of error and exception conditions.
d. Documentation for secure disposal of output from failed processing runs.
e. Documentation on system start-up, closedown, re-start and recovery.
f. System maintenance schedule.
4.4 Request Management:
CHAPTER 5
5.1.1.4
5.1.1.5
5.1.1.6
5.1.1.7
5.1.1.8
5.1.1.9
5.1.2
5.1.2.1
5.1.2.2
5.1.2.3 Floors should be raised and all data cables and power cables should be
concealed in channels alongside the wall to keep them in a neat and safe
position. Electrical cables and data cables must not cross each other, to
avoid possible disturbance.
5.1.2.4 Water detection devices shall be positioned below the raised floor, if it is
raised.
5.1.2.5 Accessories not related to data center should not be allowed to be stored
therein.
5.1.2.6 Closed Circuit Television (CCTVs) camera should be installed at suitable
places and be monitored by authorized officials.
5.1.2.7 Eating, drinking and smoking must be prohibited in the data center. A
signboard mentioning "No eating, drinking or smoking." must be placed at
a conspicuous/visible point.
5.1.2.8 Vehicles for any emergency purpose should always be available on site.
5.1.2.9 There should be a separate telephone/cell phone. Address and phone
numbers of all contact persons of fire service, police station, service
providers, vendor and all concerned IT organizations should be kept to
cope with any emergency situation.
5.1.2.10 Loading capacity of electrical outlets should be reviewed annually.
5.1.2.11 The following environmental control measures/equipment should be
installed in the data centre and disaster recovery site:
a) Uninterruptible power supply (UPS) having sufficient loading capacity,
with backup units;
b) Backup power supply, i.e. generator/Instant Power Supply (IPS);
c) Temperature and humidity measuring devices;
d) Air conditioners with backup units;
e) Water leakage precautions and a water drainage system for the air
conditioners;
f) Emergency power cut-off switches;
g) Emergency lighting arrangement;
h) Dehumidifier.
5.1.2.12 The above environmental control measures/equipment should be tested
regularly.
5.1.2.13 There shall be an appropriate maintenance agreement/contract for the above
equipment on a 24x7x365 basis.
5.1.3 Fire Prevention:
5.1.3.1 The Data Center wall, ceiling, doors and windows shall be fire resistant.
5.1.3.2
5.1.3.3
5.1.3.4
5.1.3.5
5.1.3.6
5.1.3.7
5.1.3.8
5.2.1.2
5.2.1.3
5.2.2 Environmental Control:
5.2.2.1
The desktop screen must be locked and the screen saver must be password
protected and activate after 5 minutes.
Administrative passwords of the Operating System, Database and Banking
Application Software shall be written down, placed in a sealed envelope and kept
in the personal custody of the Branch Manager/Head of the Department or
Office.
Users should be created only with the prior permission of the Branch Manager/
Head of the Department or Office. The user creation request form (ITF-8) should
be maintained. The System Administrator will keep a list of users with their
assigned rights/permissions, with a copy to the Branch Manager/Head of the
Department or Office.
There should be provision for replacement of the server within the quickest
possible time in case of any disaster.
The server room should be air-conditioned and clean.
5.2.2.2
5.2.2.3
5.2.2.4
5.2.2.5
5.2.2.6
5.2.2.7
5.2.2.8
5.2.3 Fire Protection:
5.2.3.1
5.2.3.2
5.2.3.3
5.2.3.4
Appropriate channels alongside the wall must be provided to keep all cabling
in a neat and safe position. A layout of the power supply cables and data
cables must be maintained.
Power supply must be switched off before leaving the server room. The System
Administrator must ensure this.
A fire extinguisher of suitable type, with its expiry date marked, must be
placed outside the server room. It must be maintained and reviewed on an
annual basis. All employees should be aware of how to use the fire
extinguisher.
Proper electrical earthing must be ensured.
5.3
5.3.1
5.3.1.1
5.3.1.2
5.3.2
5.3.2.1
5.3.2.2
5.3.3
5.3.3.1
5.3.3.2
5.3.3.3
5.3.3.4
Power supply of the PC must be switched off before leaving the branch.
5.3.3.5
5.3.3.6
5.4
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
Desktop and laptop computers and monitors must be turned off at the end
of each workday.
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
Desktop and laptop computer users shall not write, compile, copy,
knowingly propagate, execute, or attempt to introduce any computer code
designed to self-replicate, damage, or otherwise hinder the performance
of any computer system (e.g. virus, worm, Trojan etc).
5.4.12
5.4.13
5.4.14
5.4.15
5.4.16
5.4.17
5.4.18
If, on the bank premises, any package such as a briefcase or similar object is
found in a common place and is unusual enough to be suspicious, the police
should be called immediately. The office must take all possible safety and
security precautions. In no case should the object be touched or moved by
non-police personnel.
5.4.19
CHAPTER 6
6.0 Information Security Standard
This chapter specifies Information Security Policies and Standard to be adopted by
the bank for service delivery and data processing. This also covers the basic and
general information security controls applicable to all functional groups to ensure
that information and data are protected against risk.
6.1
Access control refers to the functions that limit access to information system or
information processing resources. These functions are:
6.1.1
6.1.1.1
6.1.1.2
6.1.1.3
6.1.1.4
6.1.1.5
6.1.1.6 The Password Handover Form (ITF-9) shall be used whenever users are
changed.
6.1.1.7 In the absence of the authorized officer holding a password, if it becomes
necessary to use the above password(s), the Branch Manager/Head of the
Department or Office will open the sealed envelope and use the
password(s), observing the formal documentary process.
6.1.1.8 All users shall sign a document stating that their password will be kept
confidential.
6.1.1.9 The password given during registration of a new user must be changed by
the user at first access.
6.1.1.10 Nobody shall use the "Remember Password" feature of applications,
where applicable.
6.1.1.11 Password history maintenance shall be enabled in the system so that the
same password can be reused only after at least 4 password changes.
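The two lifecycle rules above, the forced change at first access (6.1.1.9) and reuse only after at least 4 changes (6.1.1.11), are the kind of control a system administrator verifies by testing the system's behaviour rather than by reading its settings. The following Python is an added illustration of that behaviour and is not code from the bank's policy or its systems; it assumes passwords are stored only as salted PBKDF2-HMAC-SHA256 hashes (the iteration count is an assumed parameter), keeps the user record in memory, and treats create_user as the registration step recorded on ITF-8.

```python
"""Password lifecycle checks modelled on policy items 6.1.1.9 and 6.1.1.11.

Added example, not part of the bank's policy document or its systems.
Assumptions: passwords are kept only as salted PBKDF2-HMAC-SHA256 hashes
(the iteration count is an assumed cost parameter), and a short history of
previous hashes is retained so that reuse can be detected.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# 6.1.1.11: a password may be reused only after at least 4 password changes,
# so the current password plus the 3 before it are remembered.
HISTORY_DEPTH = 4
PBKDF2_ITERATIONS = 50_000  # assumed cost parameter, not from the policy


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class UserAccount:
    user_id: str
    current: tuple[bytes, bytes]                                   # (salt, digest) of the live password
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # previous passwords, newest first
    must_change: bool = True                                       # 6.1.1.9: set at registration


def create_user(user_id: str, initial_password: str) -> UserAccount:
    """Register a user (the ITF-8 step) with a password that must be changed at first access."""
    return UserAccount(user_id=user_id, current=hash_password(initial_password))


def login(account: UserAccount, password: str) -> str:
    """Return 'denied', 'change-required' (6.1.1.9) or 'ok'."""
    if not matches(password, *account.current):
        return "denied"
    if account.must_change:
        return "change-required"
    return "ok"


def change_password(account: UserAccount, old_password: str, new_password: str) -> bool:
    """Apply 6.1.1.11: reject a new password found among the last HISTORY_DEPTH passwords."""
    if not matches(old_password, *account.current):
        return False
    remembered = [account.current] + account.history[: HISTORY_DEPTH - 1]
    if any(matches(new_password, salt, digest) for salt, digest in remembered):
        return False
    account.history.insert(0, account.current)
    account.history = account.history[: HISTORY_DEPTH - 1]  # keep only what the policy needs
    account.current = hash_password(new_password)
    account.must_change = False
    return True


def demo() -> list[tuple[str, object]]:
    """Walk one constructed user through registration, forced change and a reuse attempt."""
    acct = create_user("user01", "Initial#2007")  # constructed sample values
    steps = [("first login", login(acct, "Initial#2007"))]
    steps.append(("change to new password", change_password(acct, "Initial#2007", "Spring#1")))
    steps.append(("login after change", login(acct, "Spring#1")))
    steps.append(("reuse initial too early", change_password(acct, "Spring#1", "Initial#2007")))
    return steps


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label}: {result}")
```

The reuse check compares the candidate against the stored hashes rather than against plaintext, so the history never needs the old passwords themselves; after four successful changes the original password drops out of the remembered set and is accepted again, which is exactly the boundary 6.1.1.11 describes.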
6.1.2
6.1.2.1
6.1.3.2
6.1.3.3
6.1.3.4
6.1.3.5
6.1.3.6
6.1.3.7
6.2
6.2.1
6.2.2
6.2.3
6.2.4
6.3 Network Security
6.3.1
6.3.2
6.3.3
6.3.4
6.3.5
6.3.6
6.3.7
6.4 Data Encryption
6.4.1
6.5 Virus Protection
6.5.1
6.5.2
6.5.3
6.5.4
The Anti-Virus software should always be updated with the latest virus
definition file.
6.5.5
All users should be informed and trained about computer viruses and their
prevention mechanism.
6.5.6
6.6
6.6.1
6.6.2
CHAPTER 7
7. Business Continuity and Disaster Recovery Plan
The Business Continuity Plan (BCP) is required to cover operational risks and should
take into account the potential for wide area disasters, data centre disasters and
the recovery plan. The BCP should take into account the backup and recovery
process. With this in consideration, this chapter covers the BCP, Disaster
Recovery Plan and Backup/Restore plan.
7.1
7.1.1
7.1.2
7.1.3
a)
i.
ii.
iii.
b)
c)
d)
7.1.4
7.2
7.2.1
7.2.2
7.2.3
7.2.4
7.2.5
7.2.6
7.2.7
7.2.8
7.2.9
7.3.1
7.3.2
7.3.3
7.3.4
At least one backup copy should be kept on-site at the office for time-critical
delivery.
7.3.5
7.3.6
The backup media should be sent off-site immediately after the backup
has been taken.
7.3.7
The backup log book in form of ITF-10 should be maintained, checked and
signed by the Branch Manager/ Head of the Department/Office.
7.3.8
7.3.9
7.3.10 Backup media must be labeled properly indicating contents, date etc.
7.3.11 A hardcopy backup should also be taken where applicable.
CHAPTER 8
8.0 Procurement and Service Management
The purchase of computer hardware, software and peripherals requires careful
consideration of the bank's business needs, because subsequent changes are usually
expensive to make. The system must have adequate capacity or else it may not be
able to function properly. There shall be adequate arrangements for proper
maintenance of the system. The service of vendors is of utmost importance for the
smooth operation of modern business organizations.
This chapter specifies the policies and procedures to be followed by the bank for
procuring and hiring the different services to be rendered by each service
provider. It also covers the basic principles applicable to all service providers to
ensure prompt service so that the bank's operations are not hampered.
8.1 Computer Hardware and Software Procurement:
8.1.1 All purchases of new systems, computer hardware and software or new
components for existing systems must be made in accordance with the
applicable Government/Bank procurement policies and procedures as well
as technical standards.
8.1.2 Except for minor purchase (as is mandated by the delegation of financial
power), hardware and software must be purchased through a
structured/formal evaluation process.
8.1.3 Purchase must be done on the basis of the business needs and requirements
to be assessed by the competent authority.
8.1.4 All new hardware and software installations are to be planned formally and
notified to all interested parties ahead of the proposed installation date.
8.1.5 All hardware and software must be tested fully and comprehensively and
formally accepted by user before being transferred to the live operations.
8.1.6 All hardware and software under procurement shall have comprehensive
warranty to cover operational risk.
8.1.7 The period of warranty coverage should be determined by the procuring
entity depending on the nature of the components but the period should not
be less than twelve (12) months.
8.1.8 The description of warranty must clearly mention warranty coverage (parts,
labor and service), type of warranty (comprehensive), duration and any
provision for penalty when the said warranty is not complied with at an
acceptable level.
8.2 Service Level Agreement (SLA):
8.2.1 There should be maintenance service arrangement for all hardware and
software for post warranty period.
8.2.2 There should be service level agreement between the vendor and bank for
all sensitive hardware and software.
8.2.3 The Annual Maintenance Contract (AMC) with the vendor shall exist only for
usable hardware and software.
8.2.4 For sensitive hardware and software items, the concerned authority shall
exercise utmost care in having a contract without an interruption due to
delay in renewal of contract.
8.2.5 The user site should ensure that the equipment does not contain sensitive
live data when hardware is taken by the vendors for servicing/repair.
8.2.6 Service Contracts with all service providers including third-party vendors
should include:
a) Parties to the contract with address,
b) Definitions of terms, if necessary,
c) Measurable service/deliverables,
d) Timing/schedules, i.e. service levels,
e) Roles and responsibilities of contracting parties, including an escalation
matrix clearly mentioning response time and resolution time,
f) Pricing of the contract,
g) Penalty Clause,
h) Confidentiality clause,
i) Contact person names (on daily operations and relationship levels),
j) Renewal period,
k) Modification clause,
l) Frequency of service reporting,
m) Termination clause,
n) Warranties, including service supplier's employee liabilities, 3rd party
liabilities and the related remedies,
o) Geographical locations covered,
p) Ownership of hardware and software,
q) Documentation to be maintained (e.g. logs of changes, records of
reviewing event logs),
r) Audit rights of access (internal audit, external audit, other audit as may
be appropriate),
s) Any other clause considered fit for the contract.
8.3 Outsourcing:
8.3.1 Outsourcing shall be done for activities not usually performable using the
normal capacity of manpower, materials and resources of the Bank.
8.3.2 The economic validity shall be studied before considering any sort of
outsourcing.
8.3.3 The risk and security concerns of outsourcing shall be considered
carefully.
8.3.4 The legal implications of outsourcing shall be carefully examined.
8.3.5 The technical aspects of any activity should be examined by the technical
committee or by the technical consultant according to the nature of the
activity concerned.
8.3.6 The outsourcing proposal or working paper shall be prepared by the user
department/office.
8.3.7 In the case of software, arrangements shall be made for possible acquisition
of the source code, if necessary through an escrow account.
8.3.8 Outsourcing service contracts shall include the terms and conditions mentioned
in 8.2.6.
IT FORMS
(30 - 40)
And
APPENDIX
(41 - 48)
ITF- 1 (Ref: Para-4.1.1)
Date:
Change Description :
Change Purpose :
Request Date :
Section II : Approvals
The undersigned agrees and accepts the change documented on this form.
Name :
Designation :
Comments :
Date :
Signature and Seal :
Change Implementation
Details :
Was change successful?  Yes / No
Name :
Designation :
Signature and Seal :
Signature and Seal
(Head of Branch/Division)
ITF- 2 (Ref: Para-4.1.4)
Reference No:
Date:
Application/System Name :
Date :
Expected Result :
Actual Result :  Success / Failure
ITF- 3
Columns of the register:
Brand & Model | Description with Specification / Version | Quantity | Identification No | Machine Location | Supplier/Vendor | Date of Supply | Price | Signature | Remarks
ITF- 4
REQUEST FORM
Reference No.:
Date:
Section II : Approvals
The undersigned agrees and accepts the change documented on this form.
Name :
Designation :
Comments :
Date :
Signature and Seal :
Section III : Implementer Details
The undersigned has implemented the requested change on this form.
Request reference No. :
Date of Request Implementation :
Request Implementation Details :
Was Request done successfully?
Short description in case of failure :
Name :
Designation :
Signature and Seal :
(Ref: Para-4.4.2)
ITF- 5
Columns (01-08):
Name and Designation of the authorized persons | Address | Authorization Validity From | Authorization Validity To | Authorization Card No. | Authorized by | Remarks

Columns (01-10):
Name and Designation of the Authorized Persons | Address | Authorization Card No. | Time of Access | Signature of the person | Purpose of Access / Work done | Time of Departure | Signature of the person | Remarks
(Ref: Para-5.1.1.5)
ITF- 7
Columns (01-10):
Date of Visit | Name & Address of the visitor | Purpose of Visit | Time of Access | Signature of the visitor | Work done / Activities during stay
ITF- 8
II. Designation :
III. Address :
V. Transfer from :
Administrator/Data Controller/Data processor/Data Operator/Teller.
Module Name(s) :
(Read, Write, Delete, Copy, Change, Print)
Users' Signature:
Signature :
Designation:
Signature :
(Manager/Head of Department or Office).
User Created :
a) On:
b) User ID:
c) User Password Envelope No:
ITF- 9
.............................Office
order
Signature:
(Receiving Officer)
Name :
Designation:
Address :
Counter Signature:
Name of the counter signing officer:
Designation:
Address :
NB: After receiving the passwords the receiving officer will open the sealed envelope alone and
confirm the passwords by applying them in the system/database. S/he will change the passwords
immediately after checking and hand them over again in a sealed envelope to the Head of the Computer
Department/Branch Manager, with documentation.
ITF- 10 (Ref: Para-7.3.7)
Columns (01-11):
Backup Period/Date | Backup Media | Backup Type (full / incremental) | Backup taken by (Name, Designation, Signature) | Backup sent to
Appendix-1 (Ref: Para-3.3.1)
Operation Manager (SPO)-2 (DC-1 & DRS-1)
Computer Operation Supervisor (PO)-4
Senior Computer Operator (SO)-6
Computer Operator (Officer)-6
System Analyst (SPO)-2
Senior Programmer (SPO)-2
Assistant System Analyst (PO)-4
Programmer (PO)-4
Principal Maintenance Engineer (AGM)-1
Senior Maintenance Engineer (SPO)-2
Asst System Administrator/Asst DBA (SPO)-2
Assistant Programmer (SO)-12
Maintenance Engineer (PO)-4
Peon-2
Synopsis
Peon-1
- Coordinating the test problems to debug the system and participating in trial runs;
- Determining the computer hardware and software needed to set up the system, and designing application software;
- Preparing system documentation and instructional/user manuals.
Also responsible for performing any other job assigned by the competent authority.
3. Computer Operation and Management:
A. Senior Operation Manager/Operation Manager/Computer Operation Supervisor.
They are responsible for
- Defining and structuring appropriate operation procedure for
C. Senior Data Entry/Control Operator, Data Entry/Control Operator
They are responsible for
- Maintaining the physical aspects of the computer system, including personal computers, peripherals, operating systems and application software media kits;
- Performing all sorts of operations, including desktop work, using the computer system;
- Maintaining the inventory of all sorts of hardware, software and peripherals, including software media kits;
- Understanding information needs and coordinating information sources and destinations within the bank;
- Coordinating with system development groups to improve computer operations;
- Following the operational procedure designed for information gathering.
Also responsible for performing any other job assigned by the competent authority.
4. Hardware Maintenance and Control:
Principal Maintenance Engineer/ Senior Maintenance Engineer/ Maintenance Engineer/ Assistant Maintenance Engineer.
They are responsible for
- Installation, configuration, maintenance, management and control of the computer systems;
- Examining and analyzing technical reports, manuals and brochures, and recommending purchases of servers, personal computers, hardware, software and peripherals;
- Testing and evaluating the hardware and software to determine efficiency, reliability and compatibility with the system, and upgrading components;
- Ensuring system security, installing system applications, distributing software upgrades, monitoring related activities;
- Enabling and enforcing software licensing agreements;
- Developing storage management systems and providing for routine backups;
- Processing procurement of computer hardware, software, peripherals and other accessories as required by the bank;
- Managing vendors and directing the work of system technicians and computer support staff.
Also responsible for performing any other job assigned by the competent authority.
5. System Administration and Control
A. System Administrator/ Assistant System Administrator.
They are responsible for
- Managing the bank's information technology setup, including computers, peripherals and operating systems;
- Testing and evaluating the hardware and software to determine efficiency, reliability and compatibility with the system, and upgrading components;
- Ensuring network security, installing new applications, distributing software upgrades;
- Maintaining the multi-user systems assigned to them and exercising control over the information on those systems;
- Administering access control, creating and maintaining system users, controlling users' powers/rights and managing system controls;
- Monitoring daily activity, enabling and enforcing licensing agreements;
- Designing and developing storage management programs and providing routine backups;
- Managing vendors and directing the work of network technicians and computer support staff;
- Managing and maintaining the servers and computers at the following levels:
  o Data Center and DRS level: Operating System for Core Banking Database Server and Switching Server, Application Server, Host Security Module (HSM), Network Access Controller (NAC), Web Server, Mail Server, Internet Banking Application server, Internet Banking DB server;
  o Head office level: SWIFT Server, Application Servers including Backup Server;
  o ATM and POS level: ATM and POS Terminal Control Software.
Also responsible for performing any other job assigned by the competent authority.
B. Database Administrator/ Assistant Database Administrator.
They are responsible for
- System performance tuning, including the structuring of tables within the database, the number of instances to run, and other parameters;
- The physical aspects of the data warehouse, which include physical design, performance, and maintenance activities including backup and recovery;
- Administering access control, creating and maintaining database users, controlling users' powers/rights and managing database controls;
- Ensuring the username and password are encrypted properly;
- Administering and managing standby servers;
- Managing the configuration of application clustering.
Also responsible for performing any other job assigned by the authority.
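The ITF-9 hand-over note requires the receiving officer to confirm the sealed initial passwords and then change them at once, and the Database Administrator above is charged with ensuring the username and password are stored properly. The following Python is an added example written for this page, not the bank's code, and it covers both points. It keeps no reversible copy of the password at all: the store holds only a random salt and a PBKDF2-SHA256 hash, so even the administrator cannot recover a user's password from the database, which is what protecting a stored password verifier means in practice. A newly issued user is flagged must_change, so the first successful sign-on with the sealed password is refused unless a new password is supplied at the same time. User IDs, envelope numbers and passwords are constructed, the iteration count is a placeholder to be tuned for the server in use, and the custody log is a simplification of the sealed-envelope record.

```python
"""Credential issue and forced first-sign-on change, as an added example.

Not the bank's code. Pairs the ITF-9 hand-over procedure (check the sealed
password, then change it immediately) with the DBA duty of storing
credentials properly: only a salted one-way PBKDF2 hash is kept. User IDs,
envelope numbers and passwords below are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # placeholder; tune upward for the production server


def make_verifier(password: str, salt: Optional[bytes] = None):
    """Return (salt, hash). A fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class CredentialStore:
    def __init__(self):
        self._records = {}     # user_id -> {"salt", "hash", "must_change"}
        self.custody_log = []  # simplified record of the sealed-envelope hand-over

    def issue(self, user_id, initial_password, envelope_no, issued_by):
        """Create the user with a sealed initial password that must be changed."""
        salt, digest = make_verifier(initial_password)
        self._records[user_id] = {"salt": salt, "hash": digest, "must_change": True}
        self.custody_log.append(("ISSUED", user_id, envelope_no, issued_by))

    def verify(self, user_id, password) -> bool:
        rec = self._records.get(user_id)
        if rec is None:
            # Run the KDF anyway so timing does not reveal whether the ID exists
            make_verifier(password, b"\x00" * 16)
            return False
        _, digest = make_verifier(password, rec["salt"])
        return hmac.compare_digest(digest, rec["hash"])

    def sign_on(self, user_id, password, new_password=None) -> str:
        """DENIED, CHANGE_REQUIRED, CHANGED or OK; the sealed password works once."""
        if not self.verify(user_id, password):
            return "DENIED"
        rec = self._records[user_id]
        if rec["must_change"]:
            if not new_password or new_password == password:
                return "CHANGE_REQUIRED"
            rec["salt"], rec["hash"] = make_verifier(new_password)
            rec["must_change"] = False
            self.custody_log.append(("CHANGED", user_id))
            return "CHANGED"
        return "OK"


def demo():
    """The ITF-9 sequence for a constructed DBA account."""
    store = CredentialStore()
    store.issue("DBA-02", "Initial#2007", envelope_no="ENV-0042",
                issued_by="Head of Computer Department")
    return [store.sign_on("DBA-02", "wrong"),                         # DENIED
            store.sign_on("DBA-02", "Initial#2007"),                  # CHANGE_REQUIRED
            store.sign_on("DBA-02", "Initial#2007", "New!Pass-07"),   # CHANGED
            store.sign_on("DBA-02", "Initial#2007"),                  # DENIED: old password gone
            store.sign_on("DBA-02", "New!Pass-07")]                   # OK


if __name__ == "__main__":
    print(demo())
```

The comparison uses hmac.compare_digest rather than == so that a wrong guess takes the same time regardless of how many leading bytes match, and the unknown-user branch still runs the key derivation for the same reason.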
C. Senior Teller/ Teller.
They are responsible for
- Receiving cash from the customers over the counter against proper authentication and observing rules and regulations;
- Holding cash in hand, cash in counter and cash in vault overnight;
GLOSSARY OF TERMS
A term is listed in this Glossary only if it is used in this document with a connotation
different from normal usage.
Access Control: Functions that limit access to information or information processing
resources to persons or applications.
Physical access controls are those which are based on placing physical barriers
between unauthorized persons and the information resource being protected.
Logical access controls are those which employ other means.
Alarm: Indication of an unusual or dangerous condition or security violation, which
may require immediate attention.
Application: Task or set of tasks to be accomplished by the information processing
system.
Audit: Function that seeks to validate that controls are in place, adequate for their
purposes and report inadequacies to the appropriate levels of management.
Audit Trail: Collection of records from an information processing facility indicating
the occurrence of certain actions, used to determine if unauthorized use or
attempted use of the facilities has taken place.
Authentication: Process that seeks to validate identity or to prove the integrity of
the information.
Authentication Token: Device that performs dynamic authentication.
Backup: The saving of business information in appropriate media to assure business
continuity in case of loss of resources at the production site.
Classification: Scheme that separates information into categories so that appropriate
controls may be applied. Separation may be by type of information, criticality, fraud
potential or sensitivity.
Code: Software instructions such as object code (the instructions the computer
executes) or source code (the instructions the programmer writes). System of principles
or rules such as fire codes or building codes. Result of a cryptographic process such as
a message authentication code.
Competent Authority: A designated official assigned by the authority to perform a
specific job.
Contingency Plan: Procedure which, when followed, allows an organization to
resume operations after natural or other disasters.
Control: Measure taken to assure the integrity and quality of a process.
Criticality: Requirements that certain information or information processing
resources be available to conduct business.
Customer Agreement: Contract with a customer that sets forth the customer's
responsibilities and governs which security processes will be used in the conduct of
business between the organization and the customer.
Destruction (of information): Any condition that renders information unusable,
regardless of the cause.
Digital Signature: Value that can serve in place of a handwritten signature. Normally,
a digital signature is a function of the contents of the message, the identity of the
sender and some cryptographic information.
Disclosure of Information: Unauthorized viewing or potential viewing of information.
Dual Control: Method of preserving the integrity of a process by requiring that two
individuals independently take some action before certain transactions are completed.
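Dual control as defined above, with an audit trail of every attempt, as an added example written for this page and not taken from the document. A transaction completes only after two different user IDs have approved it; the same person approving twice is rejected, and each attempt is recorded whether or not it is accepted. The example additionally assumes that the person who initiated the transaction may not be one of its two approvers, which is a separation-of-duties assumption the glossary does not state; transaction and user identifiers are constructed.

```python
"""Dual control with an audit trail, as an added example (not from the document).

A transaction completes only after two distinct user IDs approve it. The rule
that the initiator cannot approve is an added assumption; identifiers are
constructed.
"""
from datetime import datetime, timezone


class DualControlledTransaction:
    REQUIRED_APPROVALS = 2   # "two individuals independently take some action"

    def __init__(self, txn_id, description, initiator):
        self.txn_id = txn_id
        self.description = description
        self.initiator = initiator
        self.approvers = []      # distinct user IDs that have approved so far
        self.completed = False
        self.audit_trail = []    # (timestamp, txn_id, user_id, action, outcome)

    def _log(self, user_id, action, outcome):
        self.audit_trail.append((datetime.now(timezone.utc).isoformat(),
                                 self.txn_id, user_id, action, outcome))

    def approve(self, user_id) -> bool:
        """Record one approval; return True if it was accepted."""
        if self.completed:
            self._log(user_id, "approve", "REJECTED: already completed")
            return False
        if user_id == self.initiator:
            self._log(user_id, "approve", "REJECTED: initiator cannot approve")
            return False
        if user_id in self.approvers:
            self._log(user_id, "approve", "REJECTED: duplicate approval by same user")
            return False
        self.approvers.append(user_id)
        self._log(user_id, "approve", "ACCEPTED")
        if len(self.approvers) >= self.REQUIRED_APPROVALS:
            self.completed = True
            self._log(user_id, "complete", "COMPLETED")
        return True


def demo():
    """Constructed vault release: initiator OFF-01, approvals by OFF-02 and OFF-03."""
    txn = DualControlledTransaction("TXN-0001", "vault cash release", initiator="OFF-01")
    results = [txn.approve("OFF-01"),   # initiator: rejected
               txn.approve("OFF-02"),   # first approval
               txn.approve("OFF-02"),   # same person again: rejected
               txn.approve("OFF-03")]   # second, distinct approval: completed
    return results, txn.completed, len(txn.audit_trail)


if __name__ == "__main__":
    print(demo())
```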
Encryption: Process of converting information so as to render it into a form
unintelligible to all except the holders of a specific cryptographic key. Use of
encryption protects information between the encryption process and the decryption
process (the inverse of encryption) against unauthorized disclosure.
Firewall: A Firewall is a collection of components placed between two networks that
collectively have the following properties:
1. All traffic from inside to outside and vice-versa must pass through the firewall.
2. Only authorized traffic, as defined by local security policy, will be allowed to pass.
3. The firewall is itself immune to penetration.
Guideline: Recommendation for information security controls to be implemented
against given threats. Guidelines should not be ignored unless sound business and
security reasons exist for doing so.
Image: Representation of a document for manipulation or storage within an
information processing system. Digital representations are implied.
Information: Any data, whether in an electronic form, written on paper, spoken at a
meeting or on any other medium, which is used by a financial organization to make
decisions, move funds, set rates, advance loans, process transactions and the like.
This definition includes software components of the processing system.
Information Asset: Information or information processing resources of an
organization.
Integrity: Quality of information or a process that is free from error, whether
induced accidentally or intentionally.
Key: Cryptographic key, as discussed in this document.
Know Your Customer: Phrase used to indicate a desired attitude by the financial
organizations with respect to knowledge of customer activities.
Know Your Employee: Attitude of an organization which demonstrates a concern
for employees' attitudes toward their duties and possible problems such as substance
abuse, gambling, financial difficulties etc., which may lead to security concerns.
Letter of Assurance: Document setting forth the information security controls that
are in place for the protection of information, held on behalf of the recipient of the
letter.
Modification of Information: The unauthorized or accidental change in information,
whether detected or undetected.
Need-to-Know: Security concept that limits access to such information and
information processing resources as are required to perform one's duties.
Owner (of information): Person or function responsible for the collection and
maintenance of a given set of information.
Network: Collection of communication and information processing systems, which
may be shared among several users.
Password: String of characters that serves as an authenticator of the user.
Risk: Possibility of loss due to occurrence of one or more threats to information. This
is not to be confused with financial or business risk.
Risk Acceptance: Identification and acceptance of risk associated with an exception
to the information security policy.
Server: Computer that acts as a provider of some service to other computers, such as
processing of communications, interfacing with file storage or printing facility.
Shareware: Software which is generally available and which carries a moral, though
not a legal, obligation for payment.
Sign-on: Completion of identification and authentication of a user.
Software Integrity: Confidence that the software being used performs only the
functions for which it was purchased or developed.
Standard: Definition of accepted practices to meet a particular defined policy, or a
document published by a standards-setting body that provides industry-wide methods
of performing certain functions.
Stored Value Card: A token, which is capable of storing and transferring electronic
money.
Tamper Evident Packaging: Protective packaging which will preserve an indication of
attempts to access its contents.
Threat: Condition that may cause information or information processing resources to
be intentionally or accidentally lost, modified, exposed, made inaccessible or
otherwise affected to the detriment of the organization.
Trusted Computer System: Computer system that employs hardware and software
integrity measures to allow it to be used for simultaneous processing of information
having a wide range of sensitivities or classification levels.
Unavailability of Service: Inability to access information or information processing
resources for any reason, e.g. disaster, power failure or malicious actions.
User Id: A character string that is used to uniquely identify each user of a system.