
Apna Microfinance Bank

Information Technology Department

I. T. Policy
Operational Procedures

_____________________________________________________________
Information Technology Division
I.T. Policy – 2012 Page 1 of 50

Table of Contents                                                   Page No.

A) Background
   Use of Information Technology (IT) ................................... 03
   Security ............................................................. 03
   Need for I.T. Policy ................................................. 03
   I.T. Policy Coverage ................................................. 04

B) Procedures
   1. Network & Telecommunication Policy ................................ 06
   2. Intrusion Detection Policy ........................................ 10
   3. Internet & Email Policy ........................................... 15
   4. Website Policy .................................................... 17
   5. Anti Virus Policy ................................................. 21
   6. Server Security Policy ............................................ 23
   7. Dial-In-Access Policy ............................................. 25
   8. Data Security Policy .............................................. 26
   9. Physical & Environmental Security Policy .......................... 29
   10. Logical Security & Access Control Policy ......................... 33
   11. Hardware & Software Acquisition Policy ........................... 35
   12. Software Development, Implementation & Maintenance Policy ........ 38
   13. Software Outsourcing Policy ...................................... 44
   14. Business Continuity Plan & Disaster Recovery Policy .............. 45
   15. Documentation Policy ............................................. 47


A. BACKGROUND:
Use of Information Technology (I.T.):
The increasing use of computers, prompted by AMBL’s automation drive, has
changed the organization’s security considerations. It has become essential to
have a reference framework for the security and control of Information
Technology. Management and users should understand and implement the controls
that assure the security of AMBL’s assets that use Information Technology.

With the induction of the latest technology to do banking, effective
management of I.T. is foremost and critical because of the:
 increasing dependency on information systems
 potential for technology to change business processes, procedures and
practices
 increasing chances of vulnerabilities
 scale and cost of the current and future investments in information
technology

Security:
Security is old, older than computers. Security builds trust amongst customers,
employees and stakeholders. Security procedures are defined to avoid risk. Just
as the bank uses the procedures of double-entry bookkeeping, internal audits
and external audits to secure its financials, the bank needs to use a series
of procedures to protect its I.T. assets, infrastructure and networks.

Nowhere else in society do we put so much faith in technology. Products work
to a certain extent, but organizations need processes in place to leverage
their effectiveness.

Need for I.T. Policy:

Conformity with processes is the key to minimizing risks. Compliance with
effective processes begins with the definition of effective processes. This is
the basis of the need for a documented policy. Without a documented policy,
each person is free to interpret effective practice based on their own
knowledge and experience. With a documented policy, AMBL at least has a
specified minimum acceptable practice; beyond that, people can strive for
continuous improvement.

The I.T. Policy is the first step towards building the security
infrastructure for technology-based operations. It establishes guidelines for
everyone who uses I.T. in one way or another, and it is critical in
circumstances ranging from planning to disaster recovery. The I.T. Policy
establishes rules such as how, where, when and which resources should be used
in a given circumstance. With time, resources become ineffective for one
reason or another (technology becomes obsolete, human resource turnover,
etc.). In that case the I.T. Policy helps a new resource take over the
operation in the same manner established in the Policy. It is required for
business continuity.

I.T. Policy Coverage:

An entity-wide program for process planning and management is the foundation
of an entity's security control structure and a reflection of management's
commitment to addressing security risks. Without a well-designed program,
security controls may be inadequate; responsibilities may be unclear,
misunderstood and improperly implemented; and controls may be inconsistently
applied. Such conditions may lead to insufficient protection of sensitive or
critical resources. Therefore, AMBL’s I.T. policy is designed to cover:

1. Network and Telecommunication Policy
2. Intrusion Detection Policy
3. Internet and E-mail Policy
4. Dial-In Access Policy
5. Data Security Policy
6. Anti-Virus Policy
7. Physical & Environmental Security Policy
8. Logical Security and Access Control Policy
9. Hardware & Software Acquisition Policy
10. Software Development, Implementation and Maintenance Policy
11. Software Outsourcing Policy
12. Internet and E-mail Policy
13. Web Site Policy
14. Backup & Restoration Policy
15. Business Continuity Planning and Disaster Recovery Policy
16. Documentation Policy

B. GENERAL:
These I.T. policies and guidelines are designed to ensure that users of AMBL
are aware of their responsibilities and of the appropriate usage of computer
hardware and software.

These policies will be reviewed regularly to take into account the changing
nature of I.T. and the laws surrounding its use.

This Policy document is a guide, defining ‘what to do’. The Information
Technology Department and the other concerned Departments should apply the
provided information as a foundation to further plan and define the
procedures, explaining ‘how to do it’.


C. SCOPE
Throughout this document, references to I.T. should be taken to include all
computing facilities, including but not limited to computers, computer
accessories, software, online services including Network & Communication,
World Wide Web, e-mail, application servers, other servers, hosts and
Internet-connected devices. The policies and guidelines apply to all users of
AMBL using computers, Local and Wide Area Networks and Internet Services.
These users are defined for the purposes of this document as:
 all employees of AMBL, their contractors and sub-contractors
 any other person using the AMBL computing facilities

D. POLICY OBJECTIVE
The objective of these policies and guidelines is to secure the I.T.
environment and to provide and maintain appropriate access to the computing
facilities to further the business goals and objectives of AMBL.

E. BREACH OF POLICIES AND GUIDELINES

Any breach of these policies and guidelines will be investigated and dealt
with. Any user found to be in breach of these policies may be subject to
termination of network access (network login, printing, access to AMBL
software/hardware, Internet resources including email, etc.), disciplinary
review, suspension, expulsion, termination of employment, legal action or
other disciplinary action.


1 - Network & Telecommunication Policy

1) Purpose:

The purpose of this document is to establish procedures to ensure the
continuous operation of AMBL’s data network. The network must be designed and
configured to deliver high performance and reliability to meet the needs of
the business whilst providing a high degree of access control and a range of
privilege restrictions.

2) General:

a) Network equipment such as switches, routers and DNS servers can allow
further access into the network, and are therefore either medium or high risk
devices. It is also possible that corruption of this equipment could cause
the network itself to collapse. Such a failure can be extremely disruptive to
the business. It is therefore important to assign a risk level to this
equipment and to identify the types of users of that system. The most common
types of users are:

 Administrators: Internal users responsible for network resources.
 Privileged: Internal users with a need for greater access.
 Users: Internal users with general access.
 Others: External users or customers.

b) The identification of the risk level and the types of access required of
each network system forms the basis of the following security matrix. The
security matrix provides a quick reference for each system and a starting
point for further security measures, such as creating an appropriate strategy
for restricting access to network resources.


System | Description | Risk Level | Types of Users
-------------------------------------------------------------------------------
ATM Switches | Core network device | High | Administrators for device configuration (support staff only); all others for use as a transport
Network Routers | Distribution network device | High | Administrators for device configuration (support staff only); all others for use as a transport
Dial-up servers | Access network device | Medium | Administrators for device configuration (support staff only); partners and privileged users for special access
Firewall | Access network device | High | Administrators for device configuration (support staff only); all others for use as a transport
DNS Servers (Domain Controller) | Network applications | Medium | Administrators for configuration; general and privileged users for use
External E-Mail Server | Network application | Low | Administrators for configuration; all others for mail transport between the Internet and the internal mail server
Internal E-Mail Server | Network application | Medium | Administrators for configuration; all other internal users for use
Databases | Network application | Medium or High | Administrators for system administration; privileged users for data updates; general users for data access; all others for partial data access

c) Additional steps have to be defined for the installation, configuration,
maintenance and intrusion detection of the above equipment.


3) Guidelines:

a) All network devices, including switches, routers, hubs and access points,
must be set up, configured and administered by the I.T. Department.
b) All devices which will be attached to the network or use network services
must first have their hardware addresses (MAC address: Media Access Control)
registered with the I.T. Department, along with up-to-date demographic
information about the party responsible for the device. Devices that are not
so registered are subject to disconnection from the network without notice.
c) Hostnames and Domain Name Services for AMBL will be administered by the
I.T. Department.
d) The private IP addressing scheme as defined internationally will be used
for equipment attached to the network. Devices found to be using an IP
address other than the one they were assigned are subject to disconnection
from the network without notice.
e) All firewalls on the AMBL network will be configured, administered and
managed by the I.T. Department.
f) Procedures will have to be defined for all areas of networking, including
but not limited to firewalls, VPN services, etc.
g) Scheduled downtime is necessary for all areas of the network in order to
perform maintenance and upgrades on the network electronic devices. The I.T.
Department shall notify and work with affected users to create reasonable
scheduling of the downtimes that will mitigate the effect of these necessary
downtimes on users’ operations.
h) Cabling vendors must conform to all AMBL cable labeling and documentation
procedures.
i) Bandwidth Utilization: Procedures have to be in place for bandwidth
utilization.
j) Quarantine Networks:

(i) New servers and other networked equipment shall be set up and configured
while connected to quarantine networks. These networks are not public, and
devices connected to them cannot exchange data packets with most other
devices on the main AMBL network or the Internet.


(ii) Responsibilities:

The I.T. Department shall administer the quarantine networks at AMBL.

(iii) Procedure:

 Vendors and server administrators or custodians may only assemble and set
up new servers either standing alone or connected to a network. IP addresses
will be in the pre-defined form, and the specific address appropriate for the
location where the server is being set up physically should be obtained. When
its administrator believes that the server is ready to go into production,
the server will be scanned and tested for known network security
vulnerabilities.

(iv) Exceptions

AMBL acknowledges that under rare circumstances certain workers will need to
employ systems that are not compliant with this policy. All such instances
must be approved in writing and in advance by the Information Security
Officer.
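As an added example (not part of the AMBL policy), the following Python script shows how guidelines b) and d) above can be checked mechanically: it compares a constructed MAC-address registry against constructed observations of MAC/IP pairs, as a switch ARP table or DHCP lease list would supply, and reports unregistered devices and devices not using their assigned private address. The registry fields, the observation format and all sample addresses are assumptions.

```python
"""Check observed devices against the I.T. Department's MAC-address registry.

Added example, not part of the AMBL policy. Guideline b) requires every
device's MAC address to be registered with the responsible party recorded;
guideline d) requires private addressing and use of the assigned address only.
The registry layout, the observation format (as from an ARP or DHCP lease
table) and all sample values below are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# RFC 1918 private ranges: the "private IP addressing scheme as defined internationally".
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Registration:
    mac: str
    assigned_ip: str
    owner: str       # responsible party recorded with the I.T. Department
    location: str


def normalise_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff forms."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(registry, observed):
    """Return (mac, ip, finding) for each observation that breaches b) or d)."""
    by_mac = {normalise_mac(r.mac): r for r in registry}
    findings = []
    for raw_mac, ip in observed:
        mac = normalise_mac(raw_mac)
        addr = ipaddress.ip_address(ip)
        reg = by_mac.get(mac)
        if reg is None:
            findings.append((mac, ip, "unregistered device (guideline b)"))
        elif not any(addr in net for net in PRIVATE_RANGES):
            findings.append((mac, ip, "non-private address on the internal network (guideline d)"))
        elif addr != ipaddress.ip_address(reg.assigned_ip):
            findings.append((mac, ip, f"address differs from assigned {reg.assigned_ip}; "
                                      f"owner {reg.owner} (guideline d)"))
    return findings


# Constructed registry and constructed observations (e.g. from a switch ARP table).
REGISTRY = [
    Registration("00:1A:2B:3C:4D:5E", "10.10.1.20", "Branch Ops (constructed)", "Head office, floor 2"),
    Registration("00-1A-2B-3C-4D-5F", "10.10.1.21", "Finance (constructed)", "Head office, floor 3"),
    Registration("001a.2b3c.4d60", "10.10.1.22", "I.T. Department (constructed)", "Server room"),
]
OBSERVED = [
    ("00:1a:2b:3c:4d:5e", "10.10.1.20"),   # registered, using its assigned address
    ("00:1a:2b:3c:4d:5f", "10.10.1.99"),   # registered, but not on its assigned address
    ("00:1a:2b:3c:4d:60", "203.0.113.7"),  # registered, but using a public (non-RFC 1918) address
    ("de:ad:be:ef:00:01", "10.10.1.50"),   # never registered
]


def main():
    for mac, ip, why in audit(REGISTRY, OBSERVED):
        print(f"{mac}  {ip:<15}  {why}")


if __name__ == "__main__":
    main()
```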


2 - Intrusion Detection Policy

1) Purpose:

To have procedures in place to detect signs of intrusion and to manage them
in a controlled way that eliminates potential errors or omissions in advance
of an attack.

With advance planning, documentation and education, trained staff members are
able to coordinate their activities more effectively when detecting
suspicious activity, an intrusion or an intrusion attempt. Without the proper
knowledge and skills, users may inadvertently expose parts of the
organization to security threats.

2) Initial Steps:

a) Document the important and critical information assets and the level of
protection (confidentiality, availability, integrity) required for each.
Designations for the level may range from “cannot be compromised under any
circumstances” (maximum protection) to “contains no sensitive information and
can be easily restored” (minimal protection).
b) Document the types of threats or events that indicate possible signs of
intrusion, and also document how to respond to them if they are detected.
Types of threats may include:

 Attempts (either failed or successful) to gain unauthorized access to a
system or its data
 Unintended and unauthorized disclosure of information
 Unwanted disruption or denial of service
 The unauthorized use of a system to process, store or transmit data
 Changes to system hardware, firmware or software characteristics without
the knowledge or consent of I.T. management or of the asset’s owner

c) Document the requirement to establish and maintain secure, reliable
configuration information for all assets that represents the known, expected
state. Periodically compare this information with the current state to
determine if anything has been altered in an unexpected way.

d) Document the roles, responsibilities and authority of system
administrators, security personnel and users regarding the use and
administration of all assets when they participate in detecting signs of
suspicious behavior, including intrusions.

e) Document what data to collect, why to collect it, and where and when to
collect it. Document how to conduct the review of all collected data. Because
there is a large volume of system and network data that can be collected, and
because there are increasing demands on an administrator’s time, the
following need to be carefully determined:

 The order in which specific data will be reviewed
 The frequency of data review
 Tools and other mechanisms, such as alerts, that can aid in better
identifying suspicious and unexpected behaviors
 The types of events that warrant further investigation and in-depth
analysis
 Administrator authority, actions to be taken, and what circumstances
warrant what actions

3) Training:

Train the users who have authorized accounts on systems. During the training
process, users should learn:

 What is expected of them
 How to identify suspicious behavior and whom to notify
 What behaviors can reduce the exposure of systems to possible compromise
 What information is being gathered as part of routine security procedures,
and the degree to which this information gathering may affect them

4) Determine & Identify the data to be collected.

A table of data categories and possible types of data to collect is shown
below:

Data Category | Types of data to collect

Network performance:
 Total traffic load in and out over time (packet, byte and connection
counts) and by event
 Traffic load (percentage of packets, bytes, connections) in and out over
time, sorted by protocol, source address, destination address and other
packet header data
 Error counts on all network interfaces

Other network data:
 Service initiation requests
 Name of the user/host requesting the service
 Network traffic (packet headers)
 Successful connections and connection attempts (protocol, port, source,
destination, time)
 Connection duration
 Connection flow (sequence of packets from initiation to termination)
 States associated with network interfaces (up, down)
 Network sockets currently open
 Whether or not a network interface card is in promiscuous mode
 Network probes and scans
 Results of administrator probes

System performance:
 Total resource use over time (CPU, memory, disk)
 Status and errors reported by systems and hardware
 Changes in system status, including shutdowns and restarts
 File system status (where mounted, free space by partition, open files,
biggest files) over time and at specific times
 File system warnings (low free space, too many open files, files exceeding
allocated size)
 Disk counters (input/output, queue lengths) over time and at specific times
 Hardware availability (modems, network cards, memory)

Other system data:
 Actions requiring special privileges
 Successful and failed logins
 Modem activities
 Presence of new services and devices
 Configuration of resources and devices

Process performance:
 Amount of resources used (CPU, memory, disk, time) by specific processes
over time; top ‘x’ resource-consuming processes
 System and user processes and services executing at any given time

Other process data:
 User executing the process
 Process start-up time, arguments, file names
 Process exit status, time, duration, resources consumed
 The means by which each process is normally initiated (administrator,
other users, other programs or processes), with what authorization and
privileges
 Devices used by specific processes
 Files currently open by specific processes

Files and directories:
 Lists of files, directories, attributes
 Cryptographic checksums for all files and directories
 Access (open, create, modify, execute, delete), time and date
 Changes to sizes, contents, protections, types, locations
 Changes to access control lists on system tools
 Additions and deletions of files and directories
 Results of virus scanners

Users:
 Login/logout information (location, time): successful attempts, failed
attempts, attempted logins to privileged accounts
 Login/logout information on remote access servers that appears in modem
logs
 Changes in user identity
 Changes in authentication status, e.g. enabling privileges
 Failed attempts to access restricted information (such as password files)
 Keystroke monitoring logs
 Violations of user quotas

Applications:
 Application- and service-specific information such as network traffic
(packet content), mail logs, FTP logs, web server logs, modem logs, firewall
logs, SNMP logs, DNS logs, intrusion detection system logs and database
management system logs. Service-specific information could be:
 For FTP requests: files transferred and connection statistics
 For web requests: pages accessed, credentials of the requestor, connection
statistics, user requests over time, which pages are most requested, and who
is requesting them
 For mail requests: sender, receiver, size and tracing information; for a
mail server, number of messages over time, number of queued messages
 For DNS requests: questions, answers and zone transfers
 For a file system server: file transfers over time
 For a database server: transactions over time

Log files:
 Results of scanning, filtering and reducing log file contents
 Checks for log file consistency (increasing file size over time;
consecutive, increasing time stamps with no gaps)

Vulnerabilities:
 Results of vulnerability scanners (presence of known vulnerabilities)
 Vulnerability patch logging
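The log-file consistency checks in the table (increasing file size over time; consecutive, increasing time stamps with no gaps) can be automated. The following Python example is added here and is not part of the AMBL policy; the syslog-like line format, the five-minute gap threshold and the sample entries are constructed assumptions.

```python
"""Log-file consistency checks from the 'Log files' data category above.

Added example, not part of the AMBL policy. It implements the two checks
the table lists: consecutive, increasing time stamps with no gaps, and a
file size that only grows between samples. The syslog-like line format, the
five-minute gap threshold and the sample data are constructed assumptions.
"""
from datetime import datetime, timedelta

TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%S"   # assumed: ISO-8601 stamp first on each line


def parse_timestamp(line: str) -> datetime:
    return datetime.strptime(line.split(" ", 1)[0], TIMESTAMP_FORMAT)


def check_timestamps(lines, max_gap=timedelta(minutes=5)):
    """Return (line_number, finding) for stamps that go backwards (possible
    tampering or clock change), silent periods longer than max_gap (possible
    deleted entries or a stopped logging service), and unparseable lines."""
    findings = []
    previous = None
    for number, line in enumerate(lines, start=1):
        try:
            current = parse_timestamp(line)
        except ValueError:
            findings.append((number, "unparseable time stamp"))
            continue
        if previous is not None:
            if current < previous:
                findings.append((number, f"time stamp goes backwards ({previous} -> {current})"))
            elif current - previous > max_gap:
                findings.append((number, f"gap of {current - previous} with no entries"))
        previous = current
    return findings


def check_sizes(size_history):
    """size_history: (sample_label, size_in_bytes) pairs taken at intervals.
    A size that shrinks means the file was truncated or replaced; rotation
    should show up as a new file, not as this file getting smaller."""
    findings = []
    for (_, prev_size), (label, size) in zip(size_history, size_history[1:]):
        if size < prev_size:
            findings.append((label, f"size fell from {prev_size} to {size} bytes"))
    return findings


# Constructed sample: a normal start, an 11-minute silence, an out-of-order
# entry and a line that is not in the expected format.
SAMPLE_LOG = [
    "2012-03-05T09:00:01 sshd[1201]: Accepted password for ops from 10.10.1.20",
    "2012-03-05T09:00:45 sshd[1201]: session opened for user ops",
    "2012-03-05T09:12:10 cron[300]: (root) CMD (run-backup)",
    "2012-03-05T09:10:00 sshd[1250]: Failed password for root from 10.10.1.99",
    "2012-03-05T09:13:30 sudo: ops : TTY=pts/0 ; COMMAND=/usr/sbin/useradd test",
    "not a log line",
]
# Constructed size samples of the same file taken every five minutes.
SIZE_HISTORY = [("09:00", 4096), ("09:05", 5120), ("09:10", 5632),
                ("09:15", 1024), ("09:20", 1500)]


def main():
    for number, finding in check_timestamps(SAMPLE_LOG):
        print(f"line {number}: {finding}")
    for label, finding in check_sizes(SIZE_HISTORY):
        print(f"sample {label}: {finding}")


if __name__ == "__main__":
    main()
```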

5) Determine which events should produce an alert.

Events that require immediate administrator attention and that need to be
given the highest priority should be designated as alerts. Alerts can be in
the form of a message displayed on a workstation, a phone call or voice mail,
email, or pager messages.

6) Characterize expected system behavior and performance.

Document the procedure by which it is verified that systems are performing as
expected.

7) Characterize expected process and user behavior.

Document the procedure by which it is verified that the processes executing
on systems are operating only as expected and are attributable only to
authorized activities of users, administrators and system functions.

8) Characterize expected file and directory information.

Document the procedure to verify that the files and directories on systems
are as expected and that they were created, modified, accessed and deleted as
expected.

9) Generate an inventory of system hardware.

Create an inventory of all computing hardware assets. Ensure that procedures
are in place to update the hardware inventory when the physical location of
equipment changes, when its hardware configuration is upgraded (e.g., memory
is added), and when equipment is added to or removed from systems.

10) Network infrastructure information

Produce and maintain complete, up-to-date network infrastructure information
that captures the architecture, connectivity and identity of all network
devices.

11) Monitoring:

Identify network monitoring and management mechanisms to keep this
information up-to-date and to alert relevant personnel to anomalies.

a) Monitor and inspect network activities for unexpected behavior.
b) Monitor and inspect system activities for unexpected behavior.
c) Review system performance statistics and investigate anything that appears
anomalous.
d) Identify any unexpected, unusual or suspicious process behavior and the
possible implications.
e) Identify any unexpected, unusual or suspicious user behavior and the
possible implications.
f) Identify other unexpected, unusual or suspicious behavior and the possible
implications.
g) Periodically execute network mapping and scanning tools to understand what
intruders who use such tools can learn about the networks and systems.
h) Inspect files and directories for unexpected changes.
i) Verify the integrity of directories and files according to an established
schedule.
j) Identify any unexpected, unusual or suspicious changes to files and
directories and their possible implications.
k) Investigate unauthorized hardware attached to your organization’s network.
l) Inspect physical resources for signs of unauthorized access.
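Steps 2c), 8) and 11h) to j) all rely on a recorded known, expected state for files and directories. The following Python example, added here and not part of the AMBL policy, builds such a checksum baseline and reports additions, deletions and modifications against it; the JSON baseline layout and the demonstration directory tree are constructed assumptions.

```python
"""File and directory integrity baseline for steps 2c), 8) and 11h) to j).

Added example, not part of the AMBL policy. build_baseline() records a
SHA-256 checksum, size and permission bits for every regular file under a
root (the "known, expected state"); compare_to_baseline() reports the files
added, removed and modified since. The JSON baseline layout and the
demonstration directory are constructed assumptions. Keep the baseline where
the monitored host cannot write to it, otherwise whoever changes a file can
also update its recorded checksum.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of the file contents, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its checksum, size and mode bits."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # record real files only; a symlink's content belongs to its target
            st = path.stat()
            baseline[str(path.relative_to(root))] = {
                "sha256": file_digest(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Return the additions, deletions and modifications steps 11h) to j) ask for."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in ("sha256", "size", "mode") if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then change it in the ways
    the policy wants detected. The baseline is written to a separate directory,
    standing in for off-host storage."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root, baseline_file = Path(tmp), Path(store) / "baseline.json"
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed binary")
        save_baseline(build_baseline(root), baseline_file)
        # Changes a fault or an intruder might produce: an extra account line,
        # a same-size replacement of a binary, a deleted file and a new file.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0::/root:/bin/sh\nextra:x:1001:1001::/home/extra:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed change")
        (root / "etc" / "hosts").unlink()
        (root / "tmp.sh").write_text("#!/bin/sh\n")
        return compare_to_baseline(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same-size replacement of bin/ls is caught by the checksum alone, which is why size and modification time are not sufficient on their own.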


3 - Internet & Email Policy

1) Internet Usage Guidelines:

a) Accuracy of Information. Users should be aware that information on the
Internet may be inaccurate or untimely and that there is a danger that
opinions may be presented as facts.

b) Authenticity and Security of Information. Unless you take steps to encrypt
your messages, do not use the Internet to communicate anything that you
wouldn’t put on a postcard.

c) Appropriate Activities: Users of the Internet must ensure that the use
they make of it is ‘appropriate’. Examples of appropriate use include:

 Conducting research and investigation in support of AMBL’s business
objectives;
 Communication and information exchange with Government agencies and other
organizations as required by business;
 Retrieving news stories or other information of interest to AMBL;
 Professional development activity, such as maintaining currency with,
and/or debating issues in, a field of knowledge related to AMBL business
effectiveness.

d) Prohibited Activities:

Users must not use the Internet for inappropriate purposes. Inappropriate use
includes but is not limited to:

 Visiting sites or receiving communications that contain material that is
obscene, objectionable or likely to be offensive.
 Gambling.
 Soliciting for personal gain or profit.
 Making or posting indecent remarks and proposals.
 Uploading or downloading commercial software in violation of its copyright.
 Downloading any software or electronic files without reasonable virus
protection measures in place.
 Passing off personal views as representing those of AMBL.
 Any activity that violates national or international law.
 Extensive private usage.

It is not the role of this Policy or its guidelines to define “extensive”;
this is a matter to be addressed between the manager and their staff member.
Use is likely to be extensive when it interferes with the production of
outputs, costs an unacceptable amount of money or reduces the ability of
users to engage in normal authorized activities. When considering impairment
of authorized activities, these include all use of computer facilities, not
just the Internet.

2) E-Mail Usage Guidelines:

The email facility available to AMBL employees is subject to the following
guidelines to ensure the efficient use of the service:

a) Broadcast Emails: Spam (unsolicited ‘junk’ email), creating or forwarding
“chain letters” or other “pyramid” schemes of any type, and sending out large
numbers of messages are not allowed.

b) Large emails: Large emails are discouraged (greater than attachments. They
should also be aware of the impact of the size of the email on the
recipient’s mail account; many have restrictions on the size of incoming
mail.

c) Virus Alerts: Users should be aware that many email virus alerts are
hoaxes, designed to tie up system resources by intentionally encouraging
users to forward such alerts on. If you receive such a notification, DO NOT
immediately email it to all your colleagues. Send it to the I.T. Department
Help Desk, who will assess its veracity and take appropriate action,
including, if necessary, alerting the AMBL community.


d) Attachments: Consider whether you really need to attach a file to your
email. If the attachment is short and requires no special formatting,
consider including it in the body of the email. Attachments on emails that
are forwarded to mailing lists can create a large additional amount of
traffic. It is your responsibility to ensure that all attachments are scanned
for viruses before being sent and when received.

e) Harassment: Users should not use the email facility to carry out any form
of harassment.


4 - Web-Site Policy

1) Purpose:

The purpose of this policy is to:

a) provide guidelines for quality assurance in preparing information for the
AMBL website and its associated pages; and
b) provide a framework for the administration of the AMBL website in
accordance with guidelines set up by the SECP.

2) General

a) Establish the AMBL website as the entry point for accessing the maximum
information related to AMBL.
b) Make the AMBL website and those with official links from it appear as
consistent in format, inter-linkages and functionality as possible.
c) Ensure that information available through the AMBL website is structured
in such a way that users can logically and quickly access specific
information.

3) AMBL Website Goals:

The AMBL website is provided as a public service. The Bank’s goals for the
development of this site are:

a) To advance AMBL activity on the World Wide Web and improve public access
to information, programs and services.
b) To help make AMBL more efficient, effective and responsive to the public
through the use of online forms and response tools.

4) Assessment and Public Information:

AMBL is a broad organization, producing volumes of data and information with
many owners and maintainers. In order to ensure a managed transition to the
online environment for much of this information, it is necessary to have a
team that will be responsible for updating and maintaining the AMBL website.
The team will:

a) Be responsible for the oversight in developing the format, content and
organization of the AMBL website.

b) Facilitate a shared responsibility for presenting the best representation
of AMBL through the use of the AMBL website.
c) Strive to build on what is already in place and to provide a forum for
continuous improvement of the AMBL website.

5) AMBL Website Guidelines:

The following guidelines are intended to assist in the development and
preparation of information for the AMBL website and those pages linked to
the AMBL website:

1) DESIGN GUIDELINES:

a) Uniform Design. Throughout the AMBL website, all pages will have a
consistent design application, at the top and bottom of the page, which
easily establishes the site as the AMBL website in the user’s mind,
regardless of the entry point.

b) Signature on each page. A signature will be required for placement on
each page of the AMBL website. The page signature should include an e-mail
address for a “Webmaster” or “responsible point of contact” (phone or fax
optional), the URL address of the page and/or the date of the last page
update. If this information is not on each page, a link should be available
that contains this information.

c) Link back to the AMBL website. All official AMBL subsidiary web pages that
have a link from the AMBL website shall incorporate, at appropriate points,
easy links back to the AMBL homepage. This is designed to facilitate easy
return by a user to the AMBL website so that he or she may continue exploring
the information accessible through the AMBL website.

d) Webmaster Contact. All web pages with links from the AMBL website will
provide a single point of contact for communication purposes. A “Webmaster or
responsible point of contact” will be identified on each
division/branch/regional office’s home page for questions or follow-up on the
part of users of the information. A method of contact (telephone, mail,
e-mail) will be made available.


e) Browser Independent. The AMBL website is to be browser independent. In addition, the AMBL website should be designed to accommodate non-graphical browsers.

6) Content Guidelines:

a) Private Organizations and Associations. Normally, the AMBL website is not intended to display information from private organizations and associations of either non-profit or for-profit nature. However, where such an organization or association has a clear and beneficial relationship to AMBL’s activities, an assessment should be made on an individual basis.

b) Third Party Data. If AMBL uses information acquired from third parties on its website, it should be ensured that such providers have approved the use of the information and that adequate update and maintenance of such information is provided.

c) Information Maintenance. The AMBL website is expected to maintain the most current publicly available data and information. A statement about the accuracy of information present on the website must be properly displayed on the AMBL website, stating that ‘In the event of a significant difference between the information on this website and official information available at AMBL offices, the official information should prevail.’

d) Partisan Political Information. The AMBL website is not intended as a forum for partisan political activity. No links to such websites can be provided.

e) Commercial Advertising. The AMBL website is not intended as a means of promoting an individual firm’s commercial activities.

f) Disclaimer. The AMBL website will incorporate an appropriate disclaimer.

g) Copyright. The AMBL website intends to present information that is in the public domain. Information that is not in the public domain should not be displayed without the written permission of the copyright holder.


7) Website Hosting:

a) A proper agreement for hosting of AMBL’s website must be signed with the hosting company, mentioning details of the services available.

8) Domain Name Registration:

Domain name registration must be in the name of ‘Apna Microfinance Bank Limited’. The I.T. Department should be listed as the administrative and technical contact authority with PKNIC.

9) Hyperlink Procedures:

Generally, no hyperlink from the AMBL website should be established. If a need is felt, the requested website must at least fulfill the following criteria:

a) Website must be from the financial sector.

b) Website must be reviewed and/or updated with current and accurate information as needed and on a regular basis.

c) Website must be available 24 hours/day, 7 days/week, and be hosted on a server with adequate capacity to reasonably meet visitor demands (e.g., download times of the home page must be consistent with competitive sites).

d) Website must NOT include offensive, obscene and/or libelous material or any other material that may lead to civil or criminal liability, and cannot be directly linked to any other sites that may include offensive, obscene and/or libelous material or any other material that may lead to civil or criminal liability.

e) Website must commit to hyperlink back to the AMBL website.

f) Website must not be a personal homepage. Links from AMBL’s website will not link directly to any personal web pages.

g) In order to establish a hyperlink from the AMBL website on request, the applicant must submit an application (written or via e-mail) to the webmaster (webmaster@apnabank.com.pk) of AMBL providing the following information:


• The name of website(s) and date of commencement;

• The name and address of the producer and registered administrative contact of website(s);

• A profile of the company;

• And acknowledge the following terms and conditions:

- AMBL’s trademarks and name, and their contents are and shall remain the sole property of AMBL;

- Nothing in this Agreement shall give them any right of ownership in the AMBL’s Website;

- They shall not now or in the future contest the validity of the Marks; and

- They shall not take any action that would impair the value or goodwill associated with the Marks or AMBL’s image or reputation and in particular they shall not use the Marks in any way that might be misleading or seek to promote any goods or services not certified by the AMBL.


5 - Anti Virus Policy

1) Purpose:

To protect information assets of the AMBL against virus attacks.

2) Recommended processes to prevent virus problems:

a) Always run the approved and supported anti-virus software available from the I.T. Department, or download and run the recommended version; download and install the recommended anti-virus software updates as they become available.

b) NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then “double delete” them by emptying your Trash.

c) Delete spam, chain, and other junk email without forwarding.

d) Never download files from unknown or suspicious sources.

e) Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.

f) Always scan a floppy diskette for viruses before using it.

g) Back up critical data and system configurations on a regular basis and store the data in a safe place.

h) New viruses are discovered almost every day. Periodically check with the I.T. Department for the list of updates.

i) I.T. Services will have available up-to-date virus scanning software for the scanning and removal of suspected viruses.

j) Corporate file servers will be protected with virus scanning software.

k) All workstations used by users will be protected by virus scanning software.

l) All systems will be built from original, clean master copies whose write protection has always been in place. Only original master copies will be used until virus scanning has taken place.

m) All demonstrations by vendors will be run on their machines and not on AMBL’s.

n) Shareware is not to be used, as shareware on USB downloaded from a bulletin board is one of the most common infection sources. If it is necessary to use shareware, it must be thoroughly scanned before use.

o) New commercial software will be scanned before it is installed, as it occasionally contains viruses.

p) To enable data to be recovered in the event of a virus outbreak, regular backups must be taken.

q) Users will be notified of virus incidents by the I.T. Department.

r) In the event of an uncontrolled virus infection the user must inform the I.T. Department immediately. The I.T. Department will then scan the infected machine and any disks or other workstations to which the virus may have spread and eradicate it.


6 - Server Security Policy

1) Purpose:

The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by the AMBL. Effective implementation of this policy will minimize unauthorized access to AMBL proprietary information and technology. This policy applies to server equipment owned and/or operated by the AMBL, and to servers registered under any AMBL owned internal network domain.

2) Ownership and Responsibilities:

a) All servers deployed at AMBL must be owned by the operational team of the I.T. Department responsible for system administration. Approved server configuration guides must be established and maintained by this team, based on business needs. It must be noted that data owners are the business users who are using these servers. Therefore, any access or change to these servers should be approved by the respective users’ management.

b) Configuration changes for production servers must follow the appropriate change management procedures.

c) Application development or maintenance teams will not have access to the servers.

3) General Configuration Guidelines

a. Operating system and software application configuration should be in accordance with approved guidelines.

b. Services and applications that will not be used must be disabled where practical.

c. The most recent security patches must be installed on the system as soon as practical.

d. Always use the standard security principle of least required access to perform a function.

e. Do not use root when a non-privileged account will do the job.


f. Servers should be physically located in an access-controlled environment.

4) Monitoring:

All security related events on critical or sensitive systems must be logged and audit trails saved as follows:

a. All security related logs will be kept online for a minimum of 1 week.

b. Daily incremental tape / external HD backups will be retained for at least 1 month.

c. Weekly full backups of logs will be retained for at least 1 month.

d. Monthly full backups will be retained for a minimum of 2 years.

e. All root logins will be kept documented.

5) Compliance

a. Authorized personnel within AMBL will perform audits on a regular basis.

b. The Audit & Inspection Division will manage audits in accordance with the Audit Policy.

c. Every effort will be made to prevent audits from causing operational failures or disruptions.


7 - Dial-In Access Policy

1) Purpose

The purpose of this policy is to protect AMBL’s electronic information from being inadvertently compromised by authorized personnel using a dial-in connection.

2) Guidelines:

a) AMBL employees and authorized third parties (customers, vendors, etc.) can use dial-in connections to gain access to the corporate network. Dial-in access should be strictly controlled.

b) It is the responsibility of employees with dial-in access privileges to ensure a dial-in connection to the AMBL network is not used by non-employees to gain access to the bank’s information system resources. An employee who is granted dial-in access privileges must remain constantly aware that dial-in connections between their location and AMBL are literal extensions of AMBL’s corporate network, and that they provide a potential path to AMBL’s most sensitive information. The employee and/or authorized third party individual must take every reasonable measure to protect AMBL’s assets.

c) Where dial-in modems are used, the modem will be unplugged from the telephone network and the access software disabled when not in use.

d) All dial-in accesses made must be documented and approved by the user’s management.


8 - Data Security Policy

1) Purpose:

The Data Security Policy is intended to help employees determine who is the owner of what data, as well as the relative sensitivity of information that should not be disclosed without proper authorization.

2) Scope:

The information covered in this policy includes, but is not limited to, information and data that is stored on servers or PCs. Included is information that should be protected very closely, such as development programs, customer and business data of branches/offices, and other information integral to the success of AMBL.

3) Guidelines:

The guidelines below provide details on how to protect information at varying sensitivity levels.

a) Data & applications:

All data and applications must be categorized as Most Sensitive, Sensitive, Less Sensitive, etc. Further, for the categorized data and applications the following information must be provided:

• Owner: Users are considered the owners of the application and data. Once an application is handed over to the respective users, it cannot be modified or updated without proper approval and information to the users and/or related management. The users collect the information stored in the form of data; therefore they are responsible for its correctness and validity.

• Access: Only those individuals (AMBL employees and non-employees) designated with approved access and signed non-disclosure agreements. Data processing personnel should be restricted from initiating data changes except when formally authorized by user management. All such data changes must be adequately documented and reviewed, and unauthorized change attempts should be reviewed by the I.T. Department on a timely basis.

• Distribution within AMBL: Delivered direct, signature required, envelopes stamped confidential, or approved electronic file transmission methods.

• Distribution outside of AMBL internal mail: Delivered direct; signature required; approved private carriers.

• Electronic distribution: No restriction to approved recipients within AMBL, but it is highly recommended that all information be strongly encrypted.

• Storage: Individual access controls are highly recommended for electronic information. Information should be stored in a physically secured computer.

• Disposal/Destruction: Electronic data should be deleted reliably: completely erase or physically destroy the media.

• Penalty for deliberate or inadvertent disclosure: Up to and including termination, and possible civil and/or criminal prosecution to the full extent of the law.

4) Access of AMBL Systems to other business concerns:

Connections shall be set up to allow other businesses to see only what they need to see. This involves setting up both applications and network configurations to allow access to only what is necessary.

5) AMBL Information System Resources:

Information System Resources include, but are not limited to, all computers, their data and programs, as well as all paper information and any information at the ‘Internal Use Only’ level and above.


6) Expunge:

Reliably erase or expunge data on a PC or server. Otherwise, the PC’s normal erasure routine keeps the data intact until overwritten.
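The Expunge item above and the Disposal/Destruction bullet in the guidelines make the same point: a normal delete leaves the file's bytes on the media. The Python below is an added example, not an AMBL procedure or tool: it overwrites a file with random data and syncs it to the device before unlinking, and its docstring records the cases (SSDs, journaling or copy-on-write filesystems, existing backups) where overwriting is not dependable and the policy's physical-destruction option applies. The file name and sample content are constructed.

```python
"""Overwrite-then-delete for a single file (added example, not AMBL's procedure)."""
import os
import secrets
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB pieces so large files need not fit in memory


def expunge_file(path: str, passes: int = 1) -> int:
    """Overwrite the file's bytes with random data, force them to disk, then unlink.

    Returns the number of bytes overwritten in each pass.  A plain delete only
    removes the directory entry, which is the behaviour the policy warns about.
    Caveat: this is only reliable where the filesystem overwrites blocks in
    place (magnetic disks, no journaling or snapshots).  On SSDs (wear
    levelling), on copy-on-write or journaling filesystems, and for data that is
    already in backups, old copies can survive, so the policy's alternative of
    physically destroying the media remains the dependable option.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # do not trust the page cache; push the overwrite to the device
    os.remove(path)
    return size


# Constructed sample content, standing in for a customer data export.
SAMPLE_RECORD = b"acct,balance\n0001,500\n"


def demo() -> tuple:
    """Write a sample file, expunge it, and report (bytes overwritten, file still exists)."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "customer_export.csv")  # constructed file name
    with open(path, "wb") as fh:
        fh.write(SAMPLE_RECORD * 100)
    overwritten = expunge_file(path, passes=2)
    still_there = os.path.exists(path)
    os.rmdir(directory)
    return overwritten, still_there


if __name__ == "__main__":
    print(demo())  # (2200, False)
```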

7) Individual Access Controls:

Steps to protect files from being accessed by people other than those specifically designated by the owner. On stand-alone PCs, and on PCs in a domain-controller LAN, user access should be password protected.

8) Physical Security:

Physical security means having actual possession of a computer at all times. Methods of accomplishing this include having a special key or password to unlock the computer so it can be used, thereby ensuring that the computer cannot be simply rebooted to get around the protection.


9 - Physical & Environmental Security Policy

1) Purpose:

To protect against possible damage, theft, or misuse of computers and accessories.

2) General Guidelines:

a) All computer hardware should be prominently security marked by branding or etching with the name of the establishment and branch code. Advisory signs informing that all property has been security marked should be prominently displayed externally. The following are considered inferior methods of security marking: text comprised solely of initials or abbreviations, marking by paint or ultra-violet ink (indelible or otherwise), or adhesive labels that do not include an etching facility.

b) The server should be housed in a purpose-built room. Secure doors should give access to the room. The server room should contain an adequate air-handling system to provide a stable operating environment and reduce the risk of system crashes due to component failure.

c) No water, rainwater or drainage pipes should run within or above the server room, to reduce the risk of flooding.

d) Where possible, UPS/generator power should be provided to help protect the computer systems in the case of a mains power failure.

e) Access to the server room is restricted to authorized staff only.

f) All contractors / service providers working on computers are to be supervised at all times and the I.T. Department is to be notified of their presence.

g) LAN equipment (hubs, switches, routers) will be kept in secure rooms. Hub racks will be kept locked at all times. Access to racks will be restricted to authorized staff only. Contractors / service providers requiring access to racks will notify the I.T. Department in advance so that the necessary supervision can be arranged.


3) Server Room Access

Proper measures must be taken to control physical access to the Domain server.

4) Environment Controls:

The following computer environmental controls must be installed:

a) Fire suppression equipment (e.g., extinguishers)

b) Uninterruptible power supply (UPS)

c) Emergency Power System (e.g., generators)

d) Make sure the above are regularly tested and that maintenance
contracts are signed.

5) Workstations:

a) Users must log out of their workstations when they leave their workstation for any length of time.

b) All unused workstations must be switched off outside working hours.

6) Wiring:

a) All network wiring will be fully documented.

b) All unused network points will be de-activated when not in use.

c) Users must not place or store any item on top of network cabling.

7) Servers:

a) All servers will be password protected.

b) Access to the system console and server disk/CD/USB devices will be restricted to authorized staff only.

8) Electrical Security:


a) All servers will be fitted with UPSs that also condition the power supply.

b) All hubs, switches, routers and other critical network equipment will also be fitted with UPSs.

c) In the event of a mains power failure, the UPSs will have sufficient power to keep the network running until the generator takes over.

d) All UPSs will be tested periodically.

9) Inventory Management:

a) The I.T. Department will keep a full up-to-date inventory of all computer equipment and software in use throughout the AMBL.

b) Computer hardware and software audits will be carried out periodically. These audits will be used to track unauthorized copies of software and unauthorized changes to hardware and software configurations.

10) Smoke & Dust Free Zone:

All computers and related equipment must be protected from smoke and dust.

a) Smoking is not allowed in areas where computers and related equipment are placed.

b) “No smoking” signs must be clearly displayed.

c) The vicinity of computers and equipment must be well protected from dust.

d) All windows and other openings must be securely closed to keep the dust away.

e) Procedures must be in place to regularly clean computers and equipment.


10 – Logical Security & Access Control Policy

1) Purpose:

The purpose of this policy is to minimize the risk of data and information loss to AMBL by restricting users’ access as per job assignment only.

2) Guidelines:

a) Users’ access to data and applications will be limited by the access control features.

b) Users will change their passwords every week.

c) An approved TCP/IP naming scheme will be used to identify the computers, routers, printers, etc. on the network.

d) Users will only be given sufficient rights to all systems to enable them to perform their job function. User rights will be kept to a minimum at all times.

e) Access to the network/servers and systems will be by individual username and password.

f) Usernames and passwords must not be shared by users.

g) Usernames and passwords should not be written down.

h) Usernames will consist of initials and name up to 8 characters in length.

i) All users will have an alphanumeric password of at least 8 characters.

j) Users will be given a username and password to login to the network/servers and another password to login to individual systems.

k) All system access must be removed as and when an employee gets transferred or leaves the AMBL.

l) Network/server supervisor passwords and system supervisor passwords will be stored in the fire safe in the I.T. Department in case of an emergency.

m) Auditing will be implemented on all systems to record login attempts/failures, successful logins and changes made to all systems.

n) Default passwords on systems will be changed after installation.

o) Access to the network/servers will be restricted to normal working hours.
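The username, password, weekly change, working-hours and auditing rules above, together with the Server Security Policy's requirement that every root login be documented, can be checked mechanically. The Python below is an added example, not part of the AMBL policy or any AMBL system: it validates usernames and passwords against the stated rules, checks password age against the weekly change rule, and scans constructed login-audit records for root logins, logins outside working hours, repeated failures and non-conforming usernames. The audit-record format, the 09:00 to 18:00 Monday to Friday working hours and the three-failure threshold are assumptions, since the policy does not define them.

```python
"""Policy checks for the Logical Security & Access Control rules (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_USERNAME_LEN = 8                  # "initials and name up to 8 characters"
MIN_PASSWORD_LEN = 8                  # "alphanumeric password of at least 8 characters"
PASSWORD_MAX_AGE = timedelta(days=7)  # "change their passwords every week"
WORKING_HOURS = (9, 18)               # assumed 09:00 to 18:00; the policy leaves "normal working hours" undefined
WORKING_DAYS = {0, 1, 2, 3, 4}        # assumed Monday to Friday


def _as_dt(value):
    """Accept either a datetime or an ISO 8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def username_ok(name: str) -> bool:
    """Initials plus name, letters only, at most 8 characters."""
    return 0 < len(name) <= MAX_USERNAME_LEN and name.isalpha()


def password_ok(password: str) -> bool:
    """Alphanumeric (letters and digits, at least one of each), at least 8 characters."""
    return (len(password) >= MIN_PASSWORD_LEN
            and password.isalnum()
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def password_expired(last_changed, now) -> bool:
    """True once a password is older than the weekly change interval."""
    return _as_dt(now) - _as_dt(last_changed) > PASSWORD_MAX_AGE


def within_working_hours(ts) -> bool:
    ts = _as_dt(ts)
    return ts.weekday() in WORKING_DAYS and WORKING_HOURS[0] <= ts.hour < WORKING_HOURS[1]


# Assumed audit-record format, one login event per line; not a real AMBL log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAILURE) src=(?P<src>\S+)$")

# Constructed sample records for demonstration only (5 March 2012 is a Monday).
SAMPLE_LOG = [
    "2012-03-05T10:15:02 host=srv01 user=akhan result=SUCCESS src=10.0.1.12",
    "2012-03-05T10:16:40 host=srv01 user=akhan result=FAILURE src=10.0.1.12",
    "2012-03-05T22:03:11 host=srv01 user=bmalik result=SUCCESS src=10.0.1.20",
    "2012-03-05T11:00:00 host=srv02 user=root result=SUCCESS src=10.0.1.5",
    "2012-03-06T09:01:00 host=srv02 user=cshah result=FAILURE src=10.0.2.7",
    "2012-03-06T09:01:05 host=srv02 user=cshah result=FAILURE src=10.0.2.7",
    "2012-03-06T09:01:09 host=srv02 user=cshah result=FAILURE src=10.0.2.7",
    "2012-03-06T09:02:00 host=srv02 user=cshah result=SUCCESS src=10.0.2.7",
    "2012-03-10T10:00:00 host=srv01 user=muhammadali result=SUCCESS src=10.0.1.30",
]


@dataclass
class Finding:
    rule: str
    user: str
    detail: str


def parse_event(line: str) -> dict:
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable audit record: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def audit_logins(lines, failure_threshold: int = 3) -> list:
    """Return policy findings for a sequence of login audit records."""
    findings = []
    failures = {}  # consecutive failures per user, reset on a successful login
    for line in lines:
        ev = parse_event(line)
        user, ts = ev["user"], ev["ts"]
        where = f"{ev['host']} from {ev['src']} at {ts.isoformat()}"
        if user == "root" and ev["result"] == "SUCCESS":
            # Server Security Policy, Monitoring (e): every root login must be documented.
            findings.append(Finding("ROOT_LOGIN", user, f"document root login on {where}"))
        if ev["result"] == "SUCCESS" and not within_working_hours(ts):
            findings.append(Finding("OUTSIDE_HOURS", user, f"login outside working hours on {where}"))
        if not username_ok(user):
            findings.append(Finding("BAD_USERNAME", user, "username breaks the initials-plus-name, 8-character rule"))
        if ev["result"] == "FAILURE":
            failures[user] = failures.get(user, 0) + 1
            if failures[user] == failure_threshold:
                findings.append(Finding("REPEATED_FAILURES", user,
                                        f"{failure_threshold} consecutive failed logins on {where}"))
        else:
            failures.pop(user, None)
    return findings


if __name__ == "__main__":
    for f in audit_logins(SAMPLE_LOG):
        print(f"{f.rule:18} {f.user:12} {f.detail}")
```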


11 – Hardware & Software Acquisition Policy

1) Objective

The purpose of this document is to establish a standardized procurement policy for the acquisition of computer software, hardware, and related equipment.

2) Competitive Evaluation Process:

The competitive evaluation process will be used for procurements during the course of a fiscal year. It involves two stages:

a) Request for Qualification (RFQ)

The AMBL will issue an RFQ to pre-qualify hardware & software suppliers. The RFQ will contain descriptions of the following:

• The mandatory and desirable requirements to be used throughout the process;

• The evaluation process and criteria as well as the testing that will be conducted on evaluation copies of the proposed software product, if any.

• The notice of intent to procure is advertised in the newspapers. Potential suppliers will be provided with at least 15 calendar days to develop and submit proposals.

• Suppliers must provide dealership/license rights for the hardware and software products they propose in their submissions.

• The RFQ process should result in a list of qualified vendor(s).

• Each step of the RFQ process is documented thoroughly.

b) Request for Tender (RFT)

AMBL will issue an RFT to select and acquire the hardware/software products from the vendors.

• The IT Department will forward the RFT to the reputed vendors for quotations.


• The RFT will provide a clear, concise description of the materials or equipment being purchased, and of the evaluation process and criteria, to ensure a minimum amount of interpretation by the bidder.

• Clearly define delivery terms and conditions.

• The method or formula for determining the lowest bidder meeting specifications.

• In case of bids invited, the closing date and exact time and location of opening sealed bids.

• Notification that bids received after the closing date and time will not be considered.

• If needed, organize briefing sessions to provide answers to vendors’ questions.

• Select the highest ranked proposal that meets all the mandatory requirements.

• Select the vendor or product with the lowest evaluated cost and enter into an agreement with the successful supplier of the selected hardware/software product.

• In case of software procurement, the I.T. Department may request to test the proposed software to determine its functionality as described in the proposal and its effectiveness in the business environment in which it will be used.

• If the lowest price quoted is unacceptable, an explanation of why it cannot be considered must be noted in the file.

• Inform unsuccessful bidders of the results of the selection, upon request.

• Any deviation from this procedure must be approved in advance by the management in writing.

3) Price Quotation Procedure for items not over Rs.5,000/-:

A price or cost analysis should be made in connection with every procurement action. Quotations will be solicited from a minimum of three pre-qualified vendors. Quotations must be obtained in writing, using the following criteria (petty computer items such as keyboards, mice, modems and routers may be excluded):

a) Off-the-shelf item.

b) No special modifications or alterations.

c) Delivery will be made within a short but reasonable time span.

4) Sole-Source/Sole-Brand Exceptions:

a) Limiting the bidding to one bidder and/or one brand or trade name is prohibited, except in cases where an article of a specified brand or trade name is the only article which will properly meet the needs of the AMBL.

b) Requests that limit the bidding to one source and/or brand or trade name must include a written justification, approved by the AMBL management, explaining why the product specified is necessary for the successful accomplishment of the requesting department’s functions. The justification should include the following:

• The unique performance factors of the product specified.

• Why these factors are required.

• What other products have been evaluated and rejected, and why.

c) A copy of the management’s approved justification for a sole-source/sole-brand purchase should be filed with the purchase order or contract for audit purposes.


12 – In-House Software Development, Implementation & Maintenance Policy

1) Objective:

The objectives of this policy are:

a) To establish a standardized and coherent process for the development of software;

b) To provide reference for common terminology and vocabulary for software development;

c) To establish clear expectations between acquirer and developer. This standard shall establish common expectations about the process and documentation to be prepared.

d) The requirements of this policy shall be applicable to all phases of the software development life cycle. It shall be applicable for software to be developed, modified, reused, and procured.

2) Application Development:

Application development has a complete life cycle that must be properly followed. These steps not only ensure the development of a robust application but are also a great help to the individuals who join the organization later on, when the persons who developed the system are no longer available (developers usually leave organizations for better prospects).

Application development is done using a customized development methodology. In this methodology, the following stages are included:

• Study & Analysis stage

• Design stage

• Development stage

• Deployment stage.

a) Study & Analysis Stage:

• A software system exists for one reason: to provide value to its users. All decisions should be made with this in mind.


• This step is concerned with gaining a good understanding of the business and information needs of the business area under consideration. It highlights unsatisfactory services within the current environment and additional functions and data required in the new environment. The purpose is to investigate to a level of detail that allows the key requirements, which determine the feasibility options, to be defined.

• The study results in defining feasibility options that are possible logical solutions to the requirements described in the user requirements. This step aims to develop several options that meet the defined requirements, from which users can select.

b) At study and analysis stage, the following activities are carried


out:

 Business requirements are gathered from the end-users.

 Functionality of the current system (usually manual system) is


evaluated.

 Definition & prioritization of the business requirements.

 Thorough study of the existing business rules.

 If converting from an existing application, its in-depth analysis


of the database, I/O and interface of the system.

 Identify the problems associated with the current environment


that are to be resolved by the new system.

 Preparing and defining business solution options.

 Feedback from the end-users to approve the analysis and


select a business solution option.

c) After successful completion of this stage, following


documents should be generated and kept in record.

 Current Environment Description

 Proposed Environment Description

 User Catalogue

 User Requirements

 List of business/system processes which will change. The changes must be approved by the competent authorities before proceeding further.

 A decision about in-house development or buying an off-the-shelf package.

3) Design Stage:

Software design is not a haphazard process. There are many factors to consider in any design effort. All design should be as simple as possible. This facilitates a more easily understood, and more easily maintained, system. This is not to say that features, even internal features, should be discarded in the name of simplicity. Indeed, the more elegant designs are usually the simpler ones. Simple also does not mean “quick and dirty.” In fact, it often takes a lot of thought and work over multiple iterations to simplify. The payoff is software that is more maintainable and less error-prone.

a) At this stage, the following modules are designed:

 The input/output, database, and interface for the target application.

 Functional specification of the system.

 Prototype of the target system.

 Feedback from the users to approve the design.

b) After successful completion of this stage, the following documents should be generated and kept on record.

 Technical system details

 Database structure/dictionary

 Entity relationship (ER) diagram

 Functional Specifications (FS)

 Approved FS.


If the design of an application is changed after implementation, a proper record of all design changes, duly supported by the reasons behind each change, should be kept. These design changes must be identified by version numbers.

4) Development Stage:

In one way or another, someone else will use, maintain, document, or otherwise depend on being able to understand a system. So, always specify, design, and implement knowing that someone else will have to understand what is being done now. The audience for any product of software development is potentially large. Specify with an eye to the users. Design with the implementers in mind. Code with concern for those who must maintain and extend the system. Someone else may have to debug the code an individual writes now, and that makes them a user of that individual’s code. Making their job easier adds value to the system.

a) The following activities will be carried out at this stage:

 Review of functional specifications for the target application.

 Identification of inputs/outputs of the designed application.

 Development/Coding of the target application.

 Application testing:

 Application/database/file structure is checked to comply with quality standards.

 Development of unit and integration test plans for the new system.

 Testing of the target system’s units/modules.

 Further testing of the system as a whole.

 Documents to be prepared after testing:

 Source Code listings

 Unit Test Report

 Software Test procedure


 Code walkthrough Report.

 The testing usually involves Quality Assurance (QA) staff. QA staff should not report to, or be part of, the development team in the I.T. Department’s hierarchy. They will ensure that the developed application has followed the proper procedures and works properly on the intended operating system and hardware; that concurrent users will not face any problem accessing data and using the application; and that any data/information changes are properly kept by the system, so that they can be tracked and reported on demand.

b) After completion of the development stage, the following will be the outcomes:

 Developed Application

 System/Technical Manual: the ‘System/Technical Manual’ contains the database/data-file structure, the purpose of each program/module in the application, its dependencies/relationship to other programs/modules, and its effect on the data and on the system as a whole.

 User Manual: the ‘User Manual’ is a guide for users about using the new system.

 These manuals should be detailed enough that a new developer/user may easily learn/understand the application and its usage.

 These manuals keep on changing depending upon user and/or system requirements. All the changes must be incorporated in these manuals and properly identified by version numbers.

c) Deployment Stage:

The final stage of this methodology will contain the following activities:

 Data entry testing by users to ensure that all fields accept valid input.

 Data entry/modification is done at one place only, and it should be reflected wherever applicable.

 Proper reports, as approved, are being generated by the system.



 All possible data entry scenarios and combinations must be tried by the users to ensure the reliability/flexibility of the new system.

 The respective users and their in charge must sign off all input
screens, and reports generated by the system during UAT.

d) Deployment of the target application in the production environment.

 Data Conversion:

It is important to ensure that the conversion of data from the existing system (manual or automated) to the new system is done accurately and completely, with correct removal of redundant data. The data conversion process must follow the steps below.

 Conversion Plan: Make sure that a conversion plan is produced which details the tasks required to convert data from the existing systems to the new system in a controlled manner.

 Source Data Integrity: The existing systems’ source data must be reviewed and processed for validity, accuracy and completeness prior to conversion to the new system.

 Data Inconsistencies: It must be ensured that data inconsistencies in the existing systems are resolved prior to conversion to the new systems.

 Legacy Systems Records: A complete copy of the existing system’s data is retained in a permanent format, which should be made available whenever required.

 Conversion Records: Records of the converted data files and of the results of the conversion process are retained for a reasonable time period. Records should show who made what entry at what time.

 Conversion Reconciliation: After conversion, the existing and new systems must be reconciled.

 Monitor: After deployment, the application needs to be monitored to confirm that it conforms to user requirements and management’s objectives.

3) Change Control Procedures:


Frequent maintenance of applications is needed because of changes in management policies, government regulations, or user requirements. All such changes should follow the proper change procedure, and proper version numbers of applications should be maintained.

a) I.T. management should ensure that all requests for changes, system maintenance, and supplier maintenance are standardized and are subject to formal change management procedures.

b) Changes should be categorized and prioritized, and a specific procedure should be in place to handle urgent matters. Change requestors should be kept informed about the status of their request.

c) Change procedures are clear and known, and they are rigorously and systematically implemented.

d) Change management is strongly integrated with release management and is an integral part of configuration management.

e) Methods and comprehensive acceptance test procedures are in place for tracking and following individual changes, as well as for hand-over from the development to the operations team.

f) There is segregation of duties between development and operations.
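
The controls in a), b), e) and f) above (standardized requests, categorization and prioritization, acceptance-test hand-over from development to operations, versioned releases, and segregation of duties) can be enforced in a small workflow rather than left to convention. The Python below is an added example, not part of this policy or of any AMBL system; the staff directory, team names, change states and version numbers are constructed for illustration. Each step checks the actor's team and the change's state, so a requester cannot approve their own change, development staff cannot sign off acceptance testing or release to production, and nothing is released before QA sign-off.

```python
"""Change-control workflow with categorization, priority and segregation of duties.

Added example; the staff directory, roles, states and version numbers are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    STANDARD = "standard"
    EMERGENCY = "emergency"   # urgent path: handled first, but approval is not skipped


class State(Enum):
    REQUESTED = "requested"
    APPROVED = "approved"
    TESTED = "tested"
    RELEASED = "released"


# Constructed staff directory: user id -> team in the I.T. Department hierarchy.
ROLES = {
    "dev.ahmed": "development",
    "dev.sara": "development",
    "qa.bilal": "qa",
    "ops.nadia": "operations",
    "mgr.tariq": "it_management",
}


class ControlViolation(Exception):
    """Raised when a step would breach the change-control procedure."""


@dataclass
class ChangeRequest:
    cr_id: str
    application: str
    description: str
    requester: str
    category: Category = Category.STANDARD
    priority: int = 3                      # 1 = highest
    state: State = State.REQUESTED
    history: list = field(default_factory=list)   # (actor, action, resulting state)

    def log(self, actor, action):
        self.history.append((actor, action, self.state.value))


def _role(user):
    if user not in ROLES:
        raise ControlViolation(f"unknown user {user}")
    return ROLES[user]


def _require_state(cr, expected):
    if cr.state is not expected:
        raise ControlViolation(f"{cr.cr_id}: expected state {expected.value}, is {cr.state.value}")


def approve(cr, approver):
    """Formal approval by I.T. management; a requester may never approve their own change."""
    _require_state(cr, State.REQUESTED)
    if approver == cr.requester:
        raise ControlViolation(f"{cr.cr_id}: requester may not approve own change")
    if _role(approver) != "it_management":
        raise ControlViolation(f"{cr.cr_id}: {approver} is not an authorised approver")
    cr.state = State.APPROVED
    cr.log(approver, "approved")


def qa_signoff(cr, tester):
    """Acceptance-test sign-off must come from QA, which sits outside the development team."""
    _require_state(cr, State.APPROVED)
    if _role(tester) != "qa":
        raise ControlViolation(f"{cr.cr_id}: acceptance test must be signed off by QA staff")
    cr.state = State.TESTED
    cr.log(tester, "acceptance test passed")


def release(cr, releaser, versions):
    """Hand-over to operations: only operations staff release, only after QA sign-off,
    and every release assigns a new version number to the application."""
    _require_state(cr, State.TESTED)
    if _role(releaser) != "operations":
        raise ControlViolation(f"{cr.cr_id}: only operations may release to production")
    versions[cr.application] = bump_version(versions.get(cr.application, "1.0.0"))
    cr.state = State.RELEASED
    cr.log(releaser, f"released as {versions[cr.application]}")
    return versions[cr.application]


def bump_version(version):
    """Increment the patch component of a MAJOR.MINOR.PATCH string."""
    major, minor, patch = (int(p) for p in version.split("."))
    return f"{major}.{minor}.{patch + 1}"


def work_queue(requests):
    """Categorize and prioritize: emergency changes first, then by priority, then by id."""
    return sorted(requests, key=lambda c: (c.category is not Category.EMERGENCY, c.priority, c.cr_id))
```

The history list on each request is the audit trail the requestor can be kept informed from (b) and that an auditor can use to confirm that approval, testing and release were performed by three different teams. The version dictionary stands in for the configuration-management record that d) requires change management to be integrated with.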


13 – Software Outsourcing Policy

1) Purpose:

There could be instances when the I.T. Department lacks the resources or time to develop and implement certain applications. In such situations, outsourcing of software development may be done.

2) Guidelines:

a) The I.T. Department should prepare a proper case to obtain approval of the management for outsourcing.

b) Awarding of the contract should follow the procedures defined in the ‘Hardware & Software Procurement Policy’.

c) The selected software house/vendor must be asked to follow the software development methodology defined in the ‘Software Development & Maintenance Policy’.

d) A proper support and maintenance agreement should be made with the vendor.

e) A clear clause should be included in the signed agreement about custody of the source code and of the system and user documentation.

f) Escrow arrangements should be made, if necessary.


14 – Business Continuity Plan & Disaster Recovery Policy

1) Purpose:

Maximize the effectiveness of contingency operations through an established plan that consists of the following phases:

 Notification / Activation Phase: to detect and assess damage and to activate the plan.

 Recovery Phase: to restore temporary IT operations and recover from damage done to the original system.

 Reconstitution Phase: to restore I.T. system processing capabilities to normal operations.

2) Background:

I.T. systems are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power outage, disk drive failure) to severe (e.g., equipment destruction, fire), from sources ranging from natural disasters to terrorist actions. While many vulnerabilities may be minimized or eliminated through technical, management, or operational solutions as part of the organization’s risk management effort, it is virtually impossible to completely eliminate all risks. In many cases, critical resources may reside outside the organization’s control (such as electric power or telecommunications), and the organization may be unable to ensure their availability. Thus effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability.

3) Guidelines:

a) Identify the activities, resources, and procedures needed to carry out the respective systems’ processing requirements during a prolonged interruption to normal operations.

b) Assign responsibilities to designated personnel and provide guidance for recovering systems during a prolonged period of interruption to normal operations.

c) Ensure coordination with other AMBL staff who will participate in the contingency planning strategies.


4) Information Regarding Critical Activities in the I.T. Department:

The I.T. Department will identify the applications and systems that support critical business processes; for each application and system, the following information must be collected and procedures documented, to properly define the BCP & DR plan:

a) Functions and their inter-departmental/office dependencies

b) Identify Disruption Impacts and Allowable Outage Times.

c) Develop Recovery Priorities

d) Backup / alternative processing site

e) Key personnel and their backup

f) Key documents and their backup

g) Alternative processing methods

h) Key resources required to continue operation

i) Who will authorize what

k) Who will do what – who will report to whom

l) Contact list for Server Room Team

m) Who will go where

n) Priority Salvage list.

o) Departmental Client contact list

p) Supplier / Vendor contact list

r) Items for offsite storage

s) Essential items required at alternate location.


15 – Documentation Policy

1) General:

I.T. is a highly dynamic field. Applications and procedures in use at a certain point in time may be considered outdated within a few years, and the I.T. professionals involved may have moved to other organizations. Therefore, it is very important from the organizational perspective that all the work done by the I.T. Department is properly documented. This documentation must be detailed enough that new I.T. personnel may take over the work by following it.

“Document what you do, do what you document, Prove it.”

It is highly recommended that all documentation is put into practice by alternate I.T. personnel, to confirm that it is detailed enough for the equipment or application to be set up and made to work properly by following the steps mentioned therein.

2) Documentation Guidelines:

a) Hardware: Detailed steps describing how to install and configure servers, routers, PCs, printers, etc. need to be kept on record.

b) Network: Procedures to set up a functional network, with all the cable labeling and diagrams.

c) System Software Configuration: An operating system is usually installed with default settings. It is important that unnecessary services are disabled and proper configuration is done as per requirements. A detailed document containing all the steps involved in configuring the system must be kept on record.

d) Application Software Configuration: How, and at what path, to install the application software, including the directory structure and the program and data files, mentioning functions and limitations.

e) Procedures Documentation: All procedures to perform functional tasks must be documented in an easy-to-understand and easy-to-follow way, for example the steps involved in automating a manual branch, or how to troubleshoot certain problems.
