ABC Bank
SL No   Particulars                              Details
1       Document Reference                       ITCSP/HO/2018
2       Document Date
3       Prepared By
4       Reviewing Authority & Date of Review
5       Board Approval Date & Reference
6       Published on Date
VERSION CONTROL
SL No   Particulars                              Details
1       Cyber Security Policy                    Version 1.0
1. Introduction 3
2. Cyber Security Framework and its significance 4
3. General Cyber Security Policy : Acceptable Use (AU) 10
4. Organization Roles and Responsibilities 18
5. Preventing Access to Unauthorized Software 25
6. Environmental Controls & Physical Security 28
7. Network Management and Security 31
8. Secure Configuration Management 38
9. Operating System and Patch Management 41
10. End Point Security 43
11. User Access Right - Control / Management 46
12. Secure email and Messaging System 50
13. Delivery Channels, Digital Products 53
14. User/Employee/Management Awareness 56
15. Customer Education and Awareness 60
16. Disaster Recovery Site Establishments 63
17. Vendor / Outsourcing Risk Management 66
18. Incident Management and Reporting 71
19. Incident Reporting to Regulatory Authority 75
20. Cyber Crisis Management Plan 78
The Reserve Bank of India has taken a step in the right direction by recognising that
Banks need to strengthen their cyber security posture in the wake of increasingly
sophisticated cyber attacks. The guidelines issued by RBI in this regard are
comprehensive and make clear that Banks must move from a focus purely on information
security and its related compliance reporting, to be furnished within the stipulated
time, to the adoption of cyber security practices. Further, the guidelines insist on the
establishment of a cyber security operations centre for continual improvement and for
maintaining vigilance in this fast-changing environment.
Banks are racing to provide digital experiences to their customers, which has become a
necessity for remaining competitive and retaining the customer base. At the same time,
the challenge of maintaining the underlying IT infrastructure for non-disruptive services
has also increased, and Banks need to ensure the related arrangements within their
operational mechanisms.
Banks are on the verge of creating cyber security programmes: reviewing and formulating
governance practices, awareness initiatives, policies, devices and solutions that alert
on the covert techniques used by cybercriminals, and working to reduce the reputational
risk that has a destructive impact on business operations. Formulating a Cyber Security
Policy and the framework around it has become the need of the hour, and this document
addresses the various aspects of its implementation by the Bank.
Banks depend on the availability of Critical Infrastructure to provide customer service.
Cyber security threats exploit the increased complexity and connectivity of critical
infrastructure systems, placing the Nation's security, economy, public safety and health
at risk. Like financial and reputational risks, cyber security risk affects an
organization's bottom line: it can drive up costs and affect revenue, and it can harm an
organization's ability to innovate and to gain and retain customers. Cyber security can
therefore be an important and amplifying component of an organization's overall risk
management.
The cyber security framework focuses on using business drivers to guide cyber security
activities and on treating cyber security risk as part of the organization's risk
management process. It offers a flexible way to address cyber security, including its
effect on the physical, cyber and people dimensions. It applies to every organization
that relies on technology, and Banking is no exception: all Banking operations now rely
on technology and on cyberspace, i.e. the communication technology network, integrated
web-facing applications, independent applications responsible for internal process
automation, servers, desktops and other systems such as infrastructure management
systems.
The framework and the eco-system around it are not a one-size-fits-all solution for
managing cyber security risks to critical infrastructure. Organizations will continue to
have unique risks, different cyber threats and vulnerabilities, and different risk
tolerances. These also vary from Bank to Bank, depending on how each customizes its
practices and monitors adherence to its cyber security policies, and on the digital
platforms operating at the Bank and the risks associated with them.
Due to the increasing pressures from external and internal threats, organizations
responsible for critical infrastructure need to have a consistent and iterative approach
to identifying, assessing, and managing Cyber Security risks.
The framework above describes a cyber security maturity model with four key segments:
Scope, Risks, Assessment and Effectiveness. Core Domain areas group the various control
areas into logical groups. The model defines five Core Areas: Security Management,
Infrastructure Management, Cyber Security Engineering, Delivery Channels and
Situational Awareness. Each domain area has multiple control areas, grouped
thematically, for assessing maturity in a particular area and tracking process and
operational effectiveness. The control areas are further sub-divided into Control
Principles for maturity assessment.
The inherent risk of the organization depends on the products and services it operates,
the assets needed to provide financial services to its customers, the delivery channels
it uses and its track record on cyber incidents. The maturity assessment enables a
financial institution to assess its process and control maturity. Operational
effectiveness measures how effectively the firm has implemented the controls in the
various control areas.
The following are the areas taken into consideration while formulating the Cyber
Security Policies, which together frame the Cyber Security Maturity Framework of the
Bank.
People and Awareness is the only effective way of embedding cyber security technology
and processes within the organization. It is the responsibility of the Bank's
Management to ensure proper training in this area at all levels, and that staff have the
necessary knowledge of the risk management process.
Cyber risk comprises the various business and strategic risks that arise out of cyber
security concerns. Overall Risk Management shall consist of Assessment, a Cyber
Security Crisis Management Plan (CCMP), Business Continuity & Risk Management, and a
mitigation plan.
Third-Party Risk Management covers centralized vendor management, vendor training, and
SLA agreements that include rules of engagement during a cyber crisis.
The End Point Security control area comprises all end-point devices connected across
the Bank's network, such as (but not limited to) laptops, desktops, mobile devices, IoT
devices, telephones, printers and similar IT-enabled devices.
The Server Security area comprises all servers responsible for providing Banking
services to customers, non-production servers, servers providing internal control
services to Bank employees, test servers, etc.
The Database Security area comprises all database servers. Database security concerns
the use of a broad range of information security controls to protect databases
(potentially including the data, the database applications, stored procedures, the
database systems, the database servers and associated network links) against
compromise of their confidentiality, integrity and availability. It involves several
categories of controls: technical, procedural/administrative and physical.
Cyber Security Policy
ABC Bank Page 7
Platform Security is also a significant component, since security best practices need
to be applied to the hardware and the operating system on which the application runs.
Many devices ship with default credentials, and a system may require additional steps to
make it secure. Platform security covers areas such as the operating system, device
hardening mechanisms, regulatory platforms and the management of their related
applications.
Security Architecture covers the areas the Bank shall take into consideration to
strengthen the security of the enterprise systems as a whole. DNS governance,
anti-phishing controls, enterprise security design, and API and interface management
are some of these areas.
Data Protection relates to securing data at rest, data in motion and access to the
data. This important control area includes data classification, DLP mechanisms, data
life cycle management, data retention policies and tokenization.
Identity and Access Management covers the mechanisms that enable the right individuals
to access the right resources at the right times and for the right reasons.
Application Security Life Cycle – The majority of incidents happen because of poor
application design or inadequate security consideration, either in the design or in the
configuration of the system. This domain covers the application security life cycle,
which includes secure software coding, threat modeling, use of standard development
practices, and security testing and stress testing of the application. The Bank shall
not use any application that does not follow the above criteria.
Delivery Channels –
ATM/POS/ECOMM – The security of the delivery channels has specific significance, since
the mechanisms associated with them have to be integrated with the infrastructure of
third parties / regulated entities. Any loophole identified increases the risk of
cyber-attack.
Mobile Banking & Internet Banking, which give customers access to various applications
and information through websites or handheld devices for availing Banking services,
have become the most error-prone area and the most vulnerable from the point of view of
cyber risk. The use of a standard mobile application with its related management and
reconciliation, and of an Internet Banking application with web security controls such
as SSL certificates and multi-factor authentication, has become a necessity, and the
Bank shall have complete, visible control over the management of their related
operations.
Bill Payment Systems such as Bharat Bill Payment, UPI, third-party utility bill payment
interfaces etc. have the same significance for cyber security, since the products and
services are technically associated with third-party / regulatory infrastructure.
SL   Particulars          Description
1    Policy No            ABC Bank/IT/CSP/2018/ABC1001
2    Name of the Policy   Acceptable Use Policy
3    Written By           IT Department – ABC Bank
4    Written Date
5    Stakeholders         All employees, Management of the Bank, Board of Directors,
                          Stakeholders, Vendors, Associates
6    Revision History
1. Overview
The IT Department's intention in publishing this "Acceptable Use Policy" is not to
impose restrictions that are contrary to <ABC Bank>'s culture of openness, trust and
integrity. The IT Department is committed to protecting <ABC Bank> employees, partners
and the Bank from illegal or damaging actions by individuals, whether knowing or
unknowing.
Effective security is a team effort involving the participation and support of every
<ABC Bank> employee and affiliate who deals with information and/or information
systems. It is the responsibility of every computer user to know these guidelines and
to conduct their activities accordingly.
2. Purpose
The purpose of this policy is to outline the acceptable use of computer equipment at
<ABC Bank>. These rules are in place to protect the employee and <ABC Bank>.
Inappropriate use exposes <ABC Bank> to risks including virus attacks, compromise of
network systems and services, and legal issues.
3. Scope
This policy applies to the use of information, electronic and computing devices, and
network resources to conduct <ABC Bank> business or interact with internal networks
and business systems, whether owned or leased by <ABC Bank>, the employee, or a
third party. All employees, contractors, consultants, temporary, and other workers at
<ABC Bank> and its subsidiaries are responsible for exercising good judgment regarding
appropriate use of information, electronic devices, and network resources in accordance
with <ABC Bank> policies and standards, and local laws and regulation.
4. Policy
4.1 General Use and Ownership
4.1.6 <ABC Bank> reserves the right to audit networks and systems on a periodic
basis to ensure compliance with this policy.
4.2.1 All mobile and computing devices that connect to the internal network must
comply with the Minimum Access Policy.
4.2.2 System level and user level passwords must comply with the Password Policy.
Providing access to another individual, either deliberately or through failure
to secure its access, is prohibited.
4.2.3 All computing devices must be secured with a password-protected
screensaver with the automatic activation feature set to 10 minutes or less.
You must lock the screen or log off when the device is unattended.
4.2.4 Postings by employees from an <ABC Bank> email address to newsgroups
should contain a disclaimer stating that the opinions expressed are strictly
their own and not necessarily those of <ABC Bank>, unless the posting is in the
course of business duties.
The lists below are by no means exhaustive, but attempt to provide a framework
for activities which fall into the category of unacceptable use.
15. Interfering with or denying service to any user other than the employee's host
(for example, denial of service attack).
16. Using any program/script/command, or sending messages of any kind, with the
intent to interfere with, or disable, a user's terminal session, via any means,
locally or via the Internet/Intranet/Extranet.
When using <ABC Bank> resources to access and use the Internet, users must realize
that they represent the company. Whenever employees state an affiliation to the
company, they must also clearly indicate that "the opinions expressed are my own and
not necessarily those of the company". Questions may be addressed to the IT Department.
1. Sending unsolicited email messages, including the sending of "junk mail" or other
advertising material to individuals who did not specifically request such material
(email spam).
3. Employees shall not engage in any blogging that may harm or tarnish the image,
reputation and/or goodwill of <ABC Bank> and/or any of its employees.
Employees are also prohibited from making any discriminatory, disparaging,
defamatory or harassing comments when blogging or otherwise engaging in any
conduct prohibited by <ABC Bank>’s Non-Discrimination and Anti-Harassment
policy.
Apart from following all laws pertaining to the handling and disclosure of
copyrighted or export controlled materials, <ABC Bank>’s trademarks, logos and
any other <ABC Bank> intellectual property may also not be used in connection
with any blogging activity.
5. Policy Compliance
5.1 Compliance Measurement
The IT Department team will verify compliance with this policy through various
methods, including but not limited to business tool reports, internal and external
audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the DGM, IT Department in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.
6. Related Standards, Policies and Processes
SL   Particulars          Description
1    Policy No            ABC Bank/IT/CSP/2018/ABC1002
2    Name of the Policy   Cyber Security - Roles and Responsibilities
3    Written By           IT Department – ABC Bank
4    Written Date
5    Stakeholders         All employees, Management of the Bank, Board of Directors,
                          Stakeholders, Vendors, Associates
6    Revision History
Overview
The management officials and Board of Directors of the Bank shall understand the
cyber risks to which the Bank may be exposed. Robust oversight of, and engagement
on, cyber risk matters at Board level promotes a security-risk-conscious culture
within the Bank.
Purpose
The policy applies to all management officials of the Bank as described above. The
roles and responsibilities are confined to the Bank's Cyber Security Program and the
cyber risks associated with the tools, technologies, products, services and
cyberspace operational at the Bank.
Policy
The Board must ensure that it understands the legal implications of cyber security
risks.
The Board must undertake a thorough analysis of the Bank's most valuable IT assets
and assess the Bank's preparedness with regard to the cyber risks associated with
each component.
Understand and review the Bank's cyber security exercises and the related
compliance once a quarter; if management of cyber risk is allocated to a committee,
the full Board should also review the Bank's preparedness at least semi-annually.
The Board may decide to hire outside expertise / engage a company's services to
assess the Bank's cyber security preparedness and the related compliance prepared
by the officials of the Bank.
Ensure that the IS Security Audit and VAPT exercise is carried out by the Bank's
officials, along with the Cyber Security Audit, once a year. Compliance with the
resulting observations also has to be reviewed by the Board once a year.
Review the Bank's management response plan for potential cyber security breaches.
The plan shall identify who will be responsible for making decisions when a breach
occurs and what action Bank officials will take in the event of a breach /
cyber-attack.
Ensure the Bank entrusts the audit exercise to an expert in the cyber security
domain, and verify the proposals in detail before approving the audit process.
Prepare the Cyber Security Policy as per the guidelines issued by the Reserve Bank
of India / IDRBT / NIST and present it to senior management for onward approval by
the Board.
Prepare a detailed IT Asset Inventory document for all critical and non-critical
business IT assets operational at the Bank, consisting of details of IT assets
(hardware, software, network devices, key personnel, services, vendors, software
licenses, and details of systems responsible for storing customer information,
transaction data, business applications etc.). Also document, and periodically
review, the service-wise / application-wise dependencies of each component.
Ensure the security of the Bank's network devices and their configuration, security
mechanisms/systems, anti-virus, updates, and configuration files.
Classify data/information based on the sensitivity of the information.
Policy Compliance
Compliance Measurement
The IT Department team will verify compliance with this policy through various
methods, including but not limited to business tool reports, internal and external
audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the DGM, IT Department in advance.
SL   Particulars          Description
1    Policy No            ABC Bank/IT/CSP/2018/ABC1004
2    Name of the Policy   Preventing Access to Unauthorized Software
3    Written By           IT Department – ABC Bank
4    Written Date
5    Stakeholders         All System Users of the Bank irrespective of their Profile.
6    Revision History
Overview
This policy sets forth the guidelines for the use of software, interfaces and API
programs that are authorized for use in Banking operations. Any unauthorized use of
such software / programs may lead to fraudulent activities and malpractice, where the
vigilance controls of such software have no seamless integration with the other
software programs in use for production banking business functions.
Purpose
The purpose of this policy is to guide users in the use of secured and authorized
software within the Bank for banking operations. In order to establish sound security
practices, it is essential to use only software / components / interfaces that are
authorized or recommended by the OEM / supplier of the host application software used
for Banking business. If third-party software is used to carry out such banking
transactions, written consent for its use has to be obtained from the supplier.
Scope
This policy is applicable to all systems and cyberspace used for production /
non-production activities within the Bank's premises, irrespective of their use / user
in the Bank. This policy applies to, but is not limited to:
a. All servers, desktops and laptop systems operational for production activities in
the Bank.
Policy
Policy Compliance
SL   Particulars          Description
1    Policy No            ABC Bank/IT/CSP/2018/ABC1005
2    Name of the Policy   Environmental Controls & Physical Security
3    Written By           IT Department – ABC Bank
4    Written Date
5    Stakeholders         All system users, Employees of the Bank, Management Officials,
                          Premises Department, Vigilance Department, Infrastructure
                          Management Department officials.
6    Revision History
Overview
Purpose
Scope
This policy applies to all employees, seconded staff, agency workers, associates,
contracted companies and consultants of the Bank, and to every asset or premises of
the Bank's IT / non-IT infrastructure that supports the production or non-production
activities of the Bank's business operations.
Policy Compliance
SL   Particulars          Description
1    Policy No            ABC Bank/IT/CSP/2018/ABC1006
2    Name of the Policy   Network Management and Security
3    Written By           IT Department – ABC Bank
4    Written Date
5    Stakeholders         All system users, Employees of the Bank, Information Technology
                          Department, Communication Service Management Officials,
                          Infrastructure Management officials.
6    Revision History
Overview
Network security management is the most critical aspect of protecting the Bank's
most valuable asset, i.e. customer information, from unauthorized access. Banks
generally establish a layered security approach to network security management.
However, considering the present cyber threat scenario, layered security may no
longer be adequate to combat cyber threats. In layered security, a "Trust but
Verify" approach is commonly taken, implemented through policies / access control
and an event log mechanism. Banks are instead to implement a Zero Trust security
model, which takes a "Don't trust, always verify" approach. Moreover, no user /
event / component is treated as an "insider" while designing the policies /
implementing the security mechanism.
Purpose
This policy applies over and above the network mechanisms currently operating in
the Bank. It is not sufficient to ensure only device security and policy
implementation; the design approach itself shall have to be corrected and
implemented by the Bank.
Policy
There are several sub-policies under this master policy, each applicable as per the
scope and purpose defined in it.
While remote access tools can save significant time and money by eliminating travel
and enabling collaboration, they also provide a back door into the Bank's network
that can be used for theft of, unauthorized access to, or destruction of assets. As
a result, only approved, monitored and properly controlled remote access tools may
be used on the Bank's computer systems, and only with prior approval from the
competent authority of the IT Department.
Purpose
This policy defines the requirements for remote access tools used at Bank.
Scope
This policy applies to all remote access where either end of the communication
terminates at a Bank computer asset.
a) All remote access tools or systems that allow communication to Bank resources
from the Internet or external partner systems must require multi-factor
authentication. Examples include authentication tokens and smart cards that
require an additional PIN or password.
b) The authentication database source must be Active Directory or LDAP, and the
authentication protocol must involve a challenge-response protocol that is not
susceptible to replay attacks. The remote access tool must mutually
authenticate both ends of the session.
c) Remote access tools must support the Bank’s application layer proxy rather than
direct connections through the perimeter firewall(s).
d) Remote access tools must support strong, end-to-end encryption of the remote
access communication channels as specified in the Bank’s network encryption
protocols policy.
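A mutual challenge-response exchange of the kind requirement (b) calls for, written here as an added example rather than taken from the Bank's tooling or any vendor product. It assumes a pre-shared per-account secret on both ends (a stand-in for the AD/LDAP-backed credential the policy requires), HMAC-SHA256 tags and 16-byte random nonces; the gateway keeps a single outstanding challenge per account, so a response observed in an earlier session does not verify against a fresh challenge.

```python
import hashlib
import hmac
import os


def _tag(key: bytes, role: bytes, account: bytes, n1: bytes, n2: bytes) -> bytes:
    """HMAC over length-prefixed fields so no two field layouts collide."""
    fields = (role, account, n1, n2)
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Gateway:
    """Remote-access gateway side. `accounts` maps account id -> pre-shared
    secret; in a real deployment this lookup would go to AD/LDAP (assumed)."""

    def __init__(self, accounts: dict[str, bytes]) -> None:
        self._accounts = accounts
        self._pending: dict[str, bytes] = {}   # account -> outstanding nonce

    def challenge(self, account: str) -> bytes:
        nonce = os.urandom(16)                  # fresh nonce per login attempt
        self._pending[account] = nonce
        return nonce

    def verify(self, account: str, client_nonce: bytes, response: bytes):
        """Check the client's response to the outstanding challenge.
        Returns (accepted, server_proof); server_proof is empty on failure."""
        key = self._accounts.get(account)
        server_nonce = self._pending.pop(account, None)  # one-shot challenge
        if key is None or server_nonce is None:
            return False, b""
        expected = _tag(key, b"client", account.encode(), server_nonce, client_nonce)
        if not hmac.compare_digest(expected, response):
            return False, b""
        # Second leg of mutual authentication: prove the gateway holds the key.
        proof = _tag(key, b"server", account.encode(), client_nonce, server_nonce)
        return True, proof


class Client:
    """Remote user's tool; holds the same pre-shared secret."""

    def __init__(self, account: str, key: bytes) -> None:
        self.account, self._key = account, key
        self._client_nonce = b""
        self._server_nonce = b""

    def respond(self, server_nonce: bytes) -> tuple[bytes, bytes]:
        self._server_nonce = server_nonce
        self._client_nonce = os.urandom(16)     # client-side freshness for the server proof
        tag = _tag(self._key, b"client", self.account.encode(),
                   server_nonce, self._client_nonce)
        return self._client_nonce, tag

    def check_gateway(self, proof: bytes) -> bool:
        expected = _tag(self._key, b"server", self.account.encode(),
                        self._client_nonce, self._server_nonce)
        return hmac.compare_digest(expected, proof)


def run_session(gw: Gateway, client: Client):
    """One full exchange. Returns (gateway_accepted, client_accepted, transcript),
    where transcript is the (client_nonce, response) pair visible on the wire."""
    server_nonce = gw.challenge(client.account)
    client_nonce, response = client.respond(server_nonce)
    accepted, proof = gw.verify(client.account, client_nonce, response)
    client_ok = accepted and client.check_gateway(proof)
    return accepted, client_ok, (client_nonce, response)


def replay_is_rejected(gw: Gateway, account: str, transcript) -> bool:
    """Defensive self-check: present a previously observed (nonce, response)
    pair against a fresh challenge and confirm the gateway refuses it."""
    gw.challenge(account)                        # new session, new server nonce
    client_nonce, response = transcript
    accepted, _ = gw.verify(account, client_nonce, response)
    return not accepted


# Constructed demo values, not real credentials.
SECRET = os.urandom(32)
GATEWAY = Gateway({"remote.user01": SECRET})
CLIENT = Client("remote.user01", SECRET)

if __name__ == "__main__":
    ok_gw, ok_client, captured = run_session(GATEWAY, CLIENT)
    print("gateway accepted client:", ok_gw)
    print("client accepted gateway:", ok_client)
    print("replay rejected:", replay_is_rejected(GATEWAY, "remote.user01", captured))
```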
The Bank's antivirus, data loss prevention and other security systems must not be
disabled, interfered with or circumvented in any way.
Purpose
The purpose of this policy is to secure and protect the information assets owned
by the Bank. The Bank provides computer devices, networks and other electronic
information systems to meet its missions, goals and initiatives. The Bank grants
access to these resources as a privilege and must manage them responsibly to
maintain the confidentiality, integrity and availability of all information assets.
Scope
All employees, contractors, consultants, temporary and other staff at the Bank,
including all personnel affiliated with third parties that maintain a wireless
infrastructure device on behalf of Bank must adhere to this policy. This policy
Policy
General Requirements:
All wireless infrastructure devices that reside at a Bank site and connect to a
Bank network, or provide access to information classified as Bank Confidential
or above, must:
Abide by the standards specified in the Wireless Communication Standard.
Be installed, supported and maintained by an approved support team.
Use Bank-approved authentication protocols and infrastructure.
Use Bank-approved encryption protocols.
Maintain a hardware address (MAC address) that can be registered and tracked.
Not interfere with wireless access deployments maintained by other support
organizations.
All lab wireless infrastructure devices that provide access to Bank Confidential
information or above must adhere to the section above. Lab and isolated wireless
devices that do not provide general connectivity to the Bank's network must:
Be isolated from the corporate network (that is, they must not provide any
corporate connectivity) and comply with the Lab Security Policy.
Not interfere with wireless access deployments maintained by other support
organizations.
The Bank shall adopt DNS security to protect its valuable IT assets rather than
relying solely on a layered security approach, i.e. deploying multiple security
solutions such as firewalls, secure web gateways, intrusion prevention systems,
end-point anti-virus solutions etc. Even after such deployments, malicious actors
persist in gaining access to critical systems by exploiting security weaknesses.
One such gap is recursive DNS, which offers a vulnerable back-door path.
DNS resolvers perform one function: they take a human-readable domain name and
find the corresponding IP address of the server where the resource is located.
The resolver either finds the IP address in its cache or uses a recursive DNS
server to walk the hierarchy of DNS name servers and authoritative DNS servers.
By implementing a DNS-based security solution, the Bank will no longer resolve
these DNS requests blindly.
The DNS-based security solution will act as the Bank's enterprise DNS server. It
will check domain names against comprehensive, up-to-date threat intelligence
before resolving the IP address.
Policy
The Bank shall adopt a DNS-based security solution and put in place a mechanism
that continuously verifies up-to-date threat intelligence before resolving an IP
address to the requestor. Nothing shall be treated as an "insider" while
configuring the DNS-based security solution.
The threat intelligence of the Bank's DNS-based security solution shall be able to:
Deliver intelligence that focuses on threats that are current and relevant.
Draw from a broad and comprehensive volume of DNS and IP traffic so that it can
quickly identify global threat trends and detect threats before they are widely
active.
Differentiate between dedicated domains created specifically for malicious use
and legitimate domains that have been compromised.
Provide a very low rate of false-positive security alerts so that the Bank's
security team does not waste time and effort investigating them.
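A policy-enforcing resolver front-end illustrating the checks above, added here as an example and not the Bank's product or any vendor's implementation. It assumes threat intelligence arrives as a mapping of domain name to verdict, where "malicious" marks a dedicated abuse domain (blocked together with every subdomain) and "compromised" marks a legitimate domain hosting abuse (only the exact listed host is blocked, so the rest of the service keeps working); the upstream resolver is a constructed in-memory table, and the client address is logged for the audit trail but never exempts a query.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

SINKHOLE_IP = "192.0.2.1"   # constructed: TEST-NET address returned for blocked names

# Constructed threat intelligence feed (not real indicators).
THREAT_INTEL = {
    "evil-updates.example": "malicious",        # dedicated to abuse: block whole zone
    "cdn.trusted-news.example": "compromised",  # one host of a legitimate site
}

# Constructed stand-in for the recursive/upstream resolver.
UPSTREAM_TABLE = {
    "www.trusted-news.example": "198.51.100.10",
    "cdn.trusted-news.example": "198.51.100.11",
    "login.evil-updates.example": "203.0.113.5",
    "intranet.abcbank.example": "10.0.0.8",
}


def normalize(name: str) -> str:
    """Canonical form: trim, drop the trailing dot, lower-case."""
    return name.strip().rstrip(".").lower()


def classify(name: str, intel: dict[str, str]) -> tuple[str, Optional[str]]:
    """Walk from the full name up to the apex. Returns (verdict, matched_entry).
    A 'malicious' entry matches the name and every name beneath it; a
    'compromised' entry matches only the exact name listed."""
    name = normalize(name)
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        verdict = intel.get(candidate)
        if verdict == "malicious":
            return "malicious", candidate
        if verdict == "compromised" and candidate == name:
            return "compromised", candidate
    return "clean", None


@dataclass
class PolicyResolver:
    intel: dict[str, str]
    upstream: Callable[[str], Optional[str]]
    events: list = field(default_factory=list)   # audit log of every decision

    def resolve(self, client_ip: str, name: str) -> tuple[str, Optional[str]]:
        """Returns (action, answer); action is 'blocked', 'resolved' or 'nxdomain'.
        The verdict is checked before any upstream lookup, and client_ip is only
        recorded: no source address bypasses the check."""
        qname = normalize(name)
        verdict, hit = classify(qname, self.intel)
        if verdict != "clean":
            self.events.append({"client": client_ip, "qname": qname,
                                "action": "blocked", "reason": verdict, "ioc": hit})
            return "blocked", SINKHOLE_IP
        answer = self.upstream(qname)
        action = "resolved" if answer else "nxdomain"
        self.events.append({"client": client_ip, "qname": qname,
                            "action": action, "reason": None, "ioc": None})
        return action, answer


def build_demo_resolver() -> PolicyResolver:
    return PolicyResolver(intel=THREAT_INTEL, upstream=UPSTREAM_TABLE.get)


if __name__ == "__main__":
    r = build_demo_resolver()
    for client, q in [("10.1.2.3", "login.evil-updates.example."),
                      ("10.1.2.3", "www.trusted-news.example"),
                      ("10.9.9.9", "cdn.trusted-news.example"),
                      ("10.9.9.9", "intranet.abcbank.example")]:
        print(q, "->", r.resolve(client, q))
    for e in r.events:
        print(e)
```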
Policy Compliance
Compliance Measurement
The IT Department team will verify compliance with this policy through
various methods, including but not limited to business tool reports,
internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the DGM, IT Department
in advance.
Non-Compliance
An employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
SL   Particulars          Description
1    Policy No            ABC Bank/IT/CSP/2018/ABC1007
2    Name of the Policy   Secure Configuration Management
3    Written By           IT Department – ABC Bank
4    Written Date
5    Stakeholders         Information Technology Department Officials, Network
                          Administrator, Communication Service Management Officials,
                          Infrastructure Management officials.
6    Revision History
Overview
Cyber security is risk management; yes it is, but that risk management ends up
answering questions of configuration management. Configuration management is the
detailed recording and updating of information that describes hardware and
software. It consists of an inventory of authorized and unauthorized devices,
secure configuration of hardware and software, and controlled use of
administrative privileges.
Purpose
This policy sets forth the guidelines for ensuring secure configuration
management practices within the Bank. The Bank shall ensure these practices are
in place, reducing the risk of cyber threats arising from malicious changes to the
configuration of devices operational for business operations. Moreover, good
configuration management practices reduce downtime in case of compromise by an
intruder.
Scope
Configuration management practices shall be put in place for all hardware and
software components, all cyberspace, and all critical and non-critical IT
infrastructure operational at the Bank. The practices shall be reviewed at periodic
intervals for correctness.
The Bank shall adopt standard secure configuration management practices, create a
repository for all the components described in this policy, and carefully restrict
access to that repository to authorized officials only, specifically the Head of
the IT Department / CIO / CTO. The mechanism put in place shall have complete
control, with event management logging.
Policy Compliance
Compliance Measurement
The IT Department team will verify compliance with this policy through
various methods, including but not limited to business tool reports,
internal and external audits, and feedback to the policy owner.
Non-Compliance
An employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
SL   Particulars          Description
1    Policy No            ABC Bank/IT/CSP/2018/ABC1008
2    Name of the Policy   Operating System and Patch Management
3    Written By           IT Department – ABC Bank
4    Written Date
5    Stakeholders         Information Technology Department Officials, Network
                          Administrator, System Administrator, IT Infrastructure
                          Management officials.
6    Revision History
Overview
Operating system and patch management practices ensure uninterrupted service on
the critical production systems responsible for the Bank's business operations.
Patch management is not an event; it is a process for identifying, acquiring,
installing and verifying patches for the operating system and the other software
programs residing on it. Patches correct security and functionality bugs in the
software and firmware of the server and its operating system. From a security
perspective, patches are most often of interest because they mitigate software
flaw vulnerabilities. Proper application of the relevant patches will eliminate
the vulnerabilities and reduce the risk of exploitation.
Purpose
This policy sets forth the procedure to be adopted for technical vulnerability and
patch management.
Scope
All critical and non-critical systems that are operational for production and
non-production activities in the Bank.
Policy
All systems, i.e., production and non-production systems, shall be scanned regularly
for vulnerabilities, and the patches released by the OEM of the operating system shall
be identified for the servers, desktop systems, laptops, SAN/NAS/storage systems,
network devices, security devices / appliances, firewalls, load balancers, web
application servers, core application servers and all other software and hardware
components deployed in the Bank's IT infrastructure.
Cyber Security Policy
ABC Bank Page 41
All vendor updates shall be assessed for criticality and applied at least monthly.
Critical updates shall be applied as quickly as possible.
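The two windows above (critical "as quickly as possible", everything else "at least monthly") only become enforceable when each scan finding carries a deadline and an overdue flag. The following is an added worked example, not part of the policy and not the Bank's tooling: it takes a constructed set of scan findings, classifies each by criticality, derives the deadline and produces a worklist sorted by urgency. The CVSS threshold of 9.0, the 7-day window chosen to operationalise "as quickly as possible", the reference date and the host names are all assumptions.

```python
"""Patch worklist for the rule above: every vendor update is assessed for
criticality and applied at least monthly, critical updates as quickly as
possible.  Added example, not part of the policy text.  The CVSS threshold,
the 7-day window for critical updates and the sample scan are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

CRITICAL_CVSS = 9.0                   # assumed: CVSS base score at or above this is "critical"
CRITICAL_WINDOW = timedelta(days=7)   # assumed: "as quickly as possible" operationalised as 7 days
ROUTINE_WINDOW = timedelta(days=30)   # policy: "applied at least monthly"
TODAY = date(2018, 6, 15)             # fixed reference date so the example is reproducible


@dataclass(frozen=True)
class Finding:
    host: str
    component: str
    cvss: float
    released: date                   # date the OEM published the fix
    applied: Optional[date] = None   # date the patch was installed, if it has been


def criticality(f: Finding) -> str:
    return "critical" if f.cvss >= CRITICAL_CVSS else "routine"


def deadline(f: Finding) -> date:
    """Latest acceptable install date under the policy windows."""
    window = CRITICAL_WINDOW if criticality(f) == "critical" else ROUTINE_WINDOW
    return f.released + window


def status(f: Finding, today: date) -> str:
    if f.applied is not None:
        return "applied" if f.applied <= deadline(f) else "applied-late"
    return "overdue" if today > deadline(f) else "open"


def triage(findings: List[Finding], today: date) -> List[dict]:
    """Worklist ordered by urgency: overdue first, then open, then history."""
    order = {"overdue": 0, "open": 1, "applied-late": 2, "applied": 3}
    rows = [
        {
            "host": f.host,
            "component": f.component,
            "criticality": criticality(f),
            "deadline": deadline(f).isoformat(),   # ISO strings sort like dates
            "status": status(f, today),
        }
        for f in findings
    ]
    rows.sort(key=lambda r: (order[r["status"]], r["deadline"], r["host"]))
    return rows


# Constructed sample scan output; hosts, components and scores are invented.
SCAN = [
    Finding("core-app-01", "kernel", 9.8, date(2018, 6, 1)),
    Finding("web-01", "openssl", 7.5, date(2018, 5, 10)),
    Finding("fw-edge", "firmware", 9.1, date(2018, 6, 12), applied=date(2018, 6, 14)),
    Finding("desk-117", "office-suite", 5.3, date(2018, 6, 5)),
]

if __name__ == "__main__":
    for row in triage(SCAN, TODAY):
        print(f'{row["status"]:<13}{row["criticality"]:<10}{row["deadline"]}  '
              f'{row["host"]} / {row["component"]}')
```

Run stand-alone it prints the worklist; the "applied-late" status is kept separately from "applied" so that the monthly review can also see where the window was missed even though the patch eventually went in.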
Policy Compliance
Compliance Measurement
The IT Department will verify compliance with this policy through various
methods, including but not limited to business tool reports, internal and
external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the DGM, IT Department
in advance.
Non-Compliance
An employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
10. End Point Security
SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1009
2 Name of the Policy End Point Security
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All Staff of the Bank, Information Technology
Department Officials, Network Administrator, System
Administrator, IT Infrastructure Management officials,
Management executives who are system users.
6 Revision History
Overview
The objective of this policy is to reduce the cyber security risks associated with
end-points, i.e., the users' desktop and laptop systems used for business
operations. Unsecured end-points, or end-points without anti-virus protection, may
allow information to leave the organization and may be used by intruders / cyber
criminals in planning a cyber-attack on the Bank.
Purpose
Ensuring staff are aware of the requirements and restrictions around end-
point devices.
Enabling protective measures and controls to manage End-point security
and software compliance risks.
Scope
This policy applies to all end-points connected to the Bank's network for accessing
information or used for business operations.
Policy Compliance
Compliance Measurement
The IT Department will verify compliance with this policy through various
methods, including but not limited to business tool reports, internal and
external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the DGM, IT Department
in advance.
Non-Compliance
An employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1010
2 Name of the Policy User Access Right - Control / Management
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All Staff of the Bank, Information Technology
Department Officials, Network Administrator, System
Administrator, IT Infrastructure Management officials,
Management executives who are system users.
6 Revision History
Overview
User rights management is a security function controlling which resources (e.g., assets,
applications, data, devices, files, networks and systems) a user can access and what
actions the user can perform on those resources. User rights management typically entails
creating a rights profile granting privileges to access specific resources and perform
particular actions, creating groups and / or roles, assigning groups or roles to a particular
rights profile, assigning individual users to one or more groups, and adding, updating or
deleting profiles, groups, roles or users.
Purpose
This policy sets forth the guidelines for managing user rights to access particular
information, data, files, application suites, applications, software programs, operating
system programs, configurations, documents, stored procedures, repositories, critical or
classified information, database records, business applications, business functions and
profile functions operating or residing within the Bank. The policy also applies to user
management for third-party sites connected to the Bank's corporate network, DR sites,
near-DR locations, and external / internal storage systems.
Scope
This policy applies to all users, groups of users, profiles and individuals accessing
business information or transaction information operational in the Bank.
Policy
Need to Know: users and resources shall be granted access only to the systems that are
necessary to fulfil their roles and responsibilities.
Existing user accounts and access rights shall be reviewed at least annually
to detect dormant accounts and accounts with excessive privileges.
All user accounts, their access rights and the privileges granted for use of
the systems shall be documented and approved by the competent authority of
the Bank.
Where possible, all default accounts shall be disabled or renamed. These
accounts include “Guest”, “Temp”, “Default Admin” and any other commonly
known users / user groups.
Test accounts shall be created only if they are justified by the relevant
business area. Such test accounts will be disabled or suspended once the
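The annual review called for above has three concrete conditions to look for: dormant accounts, accounts holding privileges their role does not justify, and default accounts that are still enabled. The following is an added worked example, not part of the policy and not the Bank's tooling, that runs those three checks over a constructed directory export. The CSV layout, the 90-day dormancy threshold, the group names and the role-to-group entitlement map are assumptions; a real review would read the export from the directory service and the entitlement map from the approved access matrix.

```python
"""Periodic review of user accounts for the three conditions named in the
policy: dormant accounts, accounts with excessive privileges, and enabled
default accounts.  Added example, not part of the policy text.  The export
format, the 90-day dormancy threshold, the group names and the role-to-group
entitlement map are assumptions; the export rows are constructed."""
import csv
import io
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

TODAY = date(2018, 6, 15)               # fixed reference date
DORMANT_AFTER = timedelta(days=90)      # assumed dormancy threshold
# Names the policy lists as default accounts, plus the built-in administrator (assumed).
DEFAULT_ACCOUNTS = {"guest", "temp", "defaultaccount", "administrator"}
# Assumed privileged groups and which role is entitled to each of them.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "sysadmin": {"domain admins"},
    "dba": {"core-banking-dba"},
    "netadmin": {"firewall-admins"},
    "teller": set(),
    "service": set(),
}
PRIVILEGED_GROUPS = set().union(*ENTITLEMENTS.values())

# Constructed directory export (one row per account); names are invented.
EXPORT = """username,role,groups,enabled,last_logon
guest,service,,true,
rkumar,teller,tellers,true,2018-06-10
sadmin01,sysadmin,domain admins;tellers,true,2018-06-14
pmehta,teller,tellers;core-banking-dba,true,2018-06-12
oldvendor,service,vpn-users,true,2017-11-02
temp,service,,false,
"""


def parse_export(text: str) -> List[dict]:
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "username": row["username"],
            "role": row["role"],
            "groups": {g.strip().lower() for g in row["groups"].split(";") if g.strip()},
            "enabled": row["enabled"].lower() == "true",
            "last_logon": date.fromisoformat(row["last_logon"]) if row["last_logon"] else None,
        })
    return accounts


def review(accounts: List[dict], today: date) -> List[Tuple[str, str]]:
    """Return (username, issue) pairs that need a decision from the account owner."""
    issues = []
    for a in accounts:
        name = a["username"]
        # 1. Default accounts the policy says should be disabled or renamed.
        if name.lower() in DEFAULT_ACCOUNTS and a["enabled"]:
            issues.append((name, "default account still enabled"))
        # 2. Dormancy only matters for enabled accounts; disabled ones are already safe.
        if a["enabled"]:
            if a["last_logon"] is None:
                issues.append((name, "dormant: never logged on"))
            elif today - a["last_logon"] > DORMANT_AFTER:
                issues.append((name, f"dormant: last logon {a['last_logon'].isoformat()}"))
        # 3. Privileged groups not covered by the role's entitlements.
        excess = (a["groups"] & PRIVILEGED_GROUPS) - ENTITLEMENTS.get(a["role"], set())
        for g in sorted(excess):
            issues.append((name, f"excessive privilege: member of '{g}'"))
    return issues


if __name__ == "__main__":
    for user, issue in review(parse_export(EXPORT), TODAY):
        print(f"{user:<12}{issue}")
```

Note that the excessive-privilege check compares against an explicit entitlement map rather than against "is in any admin group"; without the map the review cannot distinguish a system administrator who legitimately holds Domain Admins from a teller who acquired a DBA group membership during a project and never lost it.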
Compliance Measurement
The IT Department will verify compliance with this policy through various
methods, including but not limited to business tool reports, internal and
external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the DGM, IT Department
in advance.
Non-Compliance
An employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1011
2 Name of the Policy Secure email and Messaging System
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All Staff of the Bank to whom an email facility is provided
by the Bank, irrespective of their profile in the Bank.
Management officials (Senior Management, Board of
Directors) to whom an email facility is provided by the
Bank
6 Revision History
Overview
Electronic mail is used pervasively in almost all industry verticals and is often the
primary communication and awareness method within an organization. At the
same time, misuse of email can pose many legal, privacy and security risks, so
it is important for users to understand the appropriate use of electronic
communications.
Purpose
The purpose of this email policy is to ensure the proper use of the Bank's email
system and to make users aware of what the Bank deems acceptable and
unacceptable use of its email system. This policy outlines the minimum
requirements for use of email within the Bank's network.
Scope
This policy covers appropriate use of any email sent from a Bank email address
and applies to all employees, vendors and agents operating on behalf of the
Bank.
Policy
All use of email must be consistent with the Bank's policies and procedures on
ethical conduct, safety, compliance with applicable laws and proper
business practices.
The Bank's email account should be used primarily for the Bank's business-related
purposes; personal communication is permitted on a limited basis, but
non-Bank commercial use is prohibited.
All Bank data contained within an email message or attachment must
be secured according to the Data Protection Standard.
Email should be retained only if it qualifies as a Bank business record.
An email is a Bank business record if there is a legitimate and ongoing
business reason to preserve the information it contains.
Email identified as a Bank business record shall be retained
according to the Bank's Record Retention Schedule.
The Bank's email system shall not be used for the creation or
distribution of any disruptive or offensive messages, including offensive
comments about race, gender, hair color, disabilities, age, sexual
orientation, pornography, religious beliefs and practice, political beliefs, or
national origin. Employees who receive any email with such content from
a Bank employee should report the matter to their supervisor
immediately.
Users are prohibited from automatically forwarding Bank email to a third-party
email system. Individual messages forwarded manually by a user
must not contain information classified as Confidential or above.
Users are prohibited from using third-party email systems and storage
servers such as Google, Yahoo and MSN Hotmail to conduct Bank
business, to create or memorialize any binding transactions, or to store or
retain email on behalf of the Bank. Such communications and transactions
should be conducted through proper channels using Bank-approved
documentation.
Using a reasonable amount of the Bank's resources for personal email is
acceptable, but non-work-related email shall be saved in a folder separate
from work-related email. Sending chain letters or joke emails from a
Bank email account is prohibited.
Bank employees shall have no expectation of privacy in anything they
store, send or receive on the Bank's email system.
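The prohibition on automatic forwarding to third-party email systems is one of the few rules in this section that can be checked mechanically, and a forwarding rule to an outside mailbox is also a classic indicator of a compromised account. The following is an added worked example, not part of the policy and not the Bank's tooling: it takes a constructed export of mailbox rules and mailbox-level forwarding settings and lists every automatic forward whose target lies outside the Bank's own domain. The export format, the action names, the domain `abcbank.example` and all addresses are assumptions.

```python
"""Check mailbox forwarding rules against the prohibition on automatic
forwarding of Bank email to third-party email systems.  Added example, not
part of the policy text.  The rule export format, the Bank's domain and the
sample rules are assumptions / constructed."""
import json
from typing import List, Tuple

BANK_DOMAINS = {"abcbank.example"}     # assumed internal domain(s)
# Rule actions that send a copy out of the mailbox automatically (assumed names).
FORWARDING_ACTIONS = {"forward", "forward-as-attachment", "redirect", "mailbox-forwarding"}

# Constructed export, e.g. what a mail-admin script would dump for every mailbox.
RULES_JSON = """
[
  {"mailbox": "a.sharma@abcbank.example", "rule": "copy to personal",
   "action": "forward", "targets": ["asharma1979@gmail.com"]},
  {"mailbox": "b.rao@abcbank.example", "rule": "cover during leave",
   "action": "redirect", "targets": ["deputy.rao@abcbank.example"]},
  {"mailbox": "c.iyer@abcbank.example", "rule": "archive old mail",
   "action": "move", "targets": ["Archive"]},
  {"mailbox": "d.nair@abcbank.example", "rule": "(mailbox setting)",
   "action": "mailbox-forwarding",
   "targets": ["d.nair@abcbank.example", "dnair@yahoo.com"]}
]
"""


def load_rules(text: str = RULES_JSON) -> List[dict]:
    return json.loads(text)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower() if "@" in address else ""


def is_external(address: str) -> bool:
    """True for any address whose domain is not one of the Bank's own."""
    return domain_of(address) not in BANK_DOMAINS


def external_forwards(rules: List[dict]) -> List[Tuple[str, str, str]]:
    """(mailbox, rule name, external target) for every automatic forward
    that leaves the Bank.  Non-forwarding actions such as 'move' are ignored."""
    hits = []
    for r in rules:
        if r["action"].lower() not in FORWARDING_ACTIONS:
            continue
        for target in r["targets"]:
            if is_external(target):
                hits.append((r["mailbox"], r["rule"], target))
    return hits


if __name__ == "__main__":
    for mailbox, rule, target in external_forwards(load_rules()):
        print(f"{mailbox}: rule '{rule}' forwards to external address {target}")
```

The mailbox-level forwarding setting is checked alongside inbox rules because it does not appear in the user's rule list and is the setting an attacker with a stolen password typically changes; the deputy rule for b.rao is correctly left alone since its target stays inside the Bank's domain.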
Opening an email that does not match the purpose of the user's profile or business,
or that comes from an unknown sender, is a serious concern under this policy:
phishing is the intruder's preferred technique. Restrictions on the email system and
its user accounts, together with user awareness, are the primary means of prevention
against such invisible malware and advanced persistent threats.
Compromise of the email system is one of the easiest ways to obtain information about
the organization. Because many users with varied privileges participate in the system,
and the system is equally significant to all business operations, it is an easy target
for an intruder, and poor management of the email system may lead to a disastrous
scenario.
Policy Compliance
Compliance Measurement
The IT Department will verify compliance with this policy through various
methods, including but not limited to business tool reports, internal and
external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the DGM, IT Department
in advance.
Non-Compliance
An employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1012
2 Name of the Policy Delivery Channels, Digital Products
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All Staff of the Bank to whom an email facility is provided
by the Bank, irrespective of their profile in the Bank.
Management officials (Senior Management, Board of
Directors) to whom an email facility is provided by the
Bank
6 Revision History
Overview
Digital banking has grown rapidly in the last few years, using the internet and mobile
devices as the channels for providing 24x7 banking services to customers. At the same
time, cyber security concerns have evolved over the same period, and Banks need to be
more cautious when establishing and maintaining the underlying IT infrastructure. The
systems providing such applications or services must be under continuous technical
surveillance, and preventing unauthorized access to them is a prime responsibility of
the Bank.
Banks are in a race to provide a digital experience to their customers and to establish
various delivery channels, services and products in order to remain competitive and
acquire more customers. These services primarily include ATM, POS, e-commerce,
Internet Banking, Mobile Banking, UPI, bill payment platforms, Bharat Bill Payment
System, Aadhaar Enabled Payment System, etc.
Purpose
This policy describes the cyber security significance of delivery channels and digital
services and sets forth the precautions to be taken by the Bank while providing them to
its customers.
Scope
- All users of the systems operational in the Bank for providing digital services and
delivery channels
- IT assets, networks, systems, third-party technical arrangements, servers, desktop
systems, devices, interfaces and applications
- Switching applications and the related infrastructure connecting to regulatory and
governing establishments
- Third-party network establishments necessary for providing the services
- Digital products and services operational at the Bank
- Production and UAT setups responsible for such digital products, services and
delivery channels
- Officials responsible for monitoring and maintenance of delivery channels, digital
products and services
- Associated vendors, service providers and technical service providers
Policy
- The Bank shall hold the regulatory approval / permission / license required to
use the platform or establish the infrastructure for any delivery channel, digital
product or service it intends to provide.
- The Bank shall adhere to the procedural guidelines issued by the regulatory
authorities, i.e., Reserve Bank of India, NPCI and UIDAI.
- Production IT infrastructure and UAT IT infrastructure shall be established
separately and shall be networked / orchestrated in different demilitarized
zones.
- Users of the IT infrastructure for delivery channels, digital products and
services shall be authorized users, and their access rights / profiles /
privileges shall be documented and approved by the competent authority of
the Bank.
- Security guidelines / best practices suggested by the regulatory authorities
shall be adhered to in all respects.
Policy Compliance
Compliance Measurement
The IT Department will verify compliance with this policy through various
methods, including but not limited to business tool reports, internal and
external audits, and feedback to the policy owner.
Exceptions
Exceptions to this policy are not advisable and shall not be allowed in any
case.
Non-Compliance
An employee, associate, service provider found to have violated this policy
may be subject to disciplinary / legal action, up to and including
termination of employment / service contracts.
SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1013
2 Name of the Policy User/Employee/Management Awareness
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All Staff of the Bank irrespective of their profile in the
Bank. Management officials, Board of Directors
6 Revision History
Review
Purpose
This policy applies to all employees of the Bank, senior management officials,
all system users and the Board of Directors from the point of view of awareness,
and aims to ensure its successful implementation within the organization.
Policy
Management officials shall ensure that employee awareness programs on cyber
security / information security are conducted at periodic intervals.
- Lack of awareness of cyber security / information security risks may lead to the
compromise and leakage of the organization's critical information.
- Desktops / laptops on which critical information is stored and which are not under
the control of the systems put in place by the Bank give an intruder easy access
and attract cyber-attacks.
Policy Compliance
Compliance Measurement
The IT Department will verify compliance with this policy through various
methods, including but not limited to business tool reports, internal and
external audits, and feedback to the policy owner.
Exceptions
Exceptions to this policy are not advisable and shall not be allowed in any
case.
Non-Compliance
An employee, associate, service provider found to have violated this policy
may be subject to disciplinary / legal action, up to and including
termination of employment / service contracts.
SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1014
2 Name of the Policy Customer Education and Awareness
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All Staff of the Bank, Planning and Development
Department, Training Facility Officials, Management
officials, Board of Directors
6 Revision History
Overview
With fraudsters constantly creating more diverse and complex fraud scenarios, using
advanced technology and social engineering techniques to access their victims'
accounts, spreading awareness among consumers has become imperative. Continual
education and timely information will help customers understand security
requirements and take appropriate steps to report security problems.
The Bank shall also run awareness programs for its employees so that they can act as
resource persons for customer queries, for law enforcement personnel seeking a better
understanding when responding to customer complaints, and for the media in
disseminating accurate and timely information.
Purpose
This policy sets forth the standard practices required for customer education on
information security / cyber security, so as to enable customers to avail of the Bank's
services safely and protect their transaction information against cyber threats.
Scope
Policy
- Provide a focal point and driving force for a range of awareness, training and
educational activities.
- Provide generic and basic information on fraud risk trends, types and controls
to the people who need to know.
- Help consumers identify the areas vulnerable to fraud attempts and make
them aware of their responsibilities in relation to fraud prevention.
The Bank shall ensure that the content of the awareness programs is in the interest
of its users and relevant to their banking needs.
The Bank shall identify and segment the target users and customize the
awareness program for specific target groups.
The Bank shall build consensus among decision makers and stakeholders and secure
administrative support for conducting such awareness programs. In this respect, the
Bank shall identify fixed and variable costs, which may include personnel,
operations costs, awareness material, technology support cost, advertisement,
promotions and maintenance of the website.
An effective medium of communication shall be chosen for conducting such
awareness programs.
Deliver the right message to the right audience using the most effective
communication channel.
The message shall state the risks and threats facing the users, why they are relevant
to them, what to do and what not to do, and finally how to be protected.
The message shall be compelling and clearly state why security is important.
The Bank shall establish more than one communication channel and use them to
engage its customers successfully.
Evaluate the visibility of such awareness communication and its qualitative
usefulness to the customers.
Taking no initiative in this regard may lead to loss of customer confidence in the
security of the Bank's services.
Intruders can target unaware customers of the Bank with their intrusion
tactics.
Leakage of the organization's crucial information is possible, and the Bank would
have no legal evidence that it had educated its customers about the associated
cyber risks.
Policy Compliance
Compliance Measurement
The IT Department will verify compliance with this policy through various
methods, including but not limited to business tool reports, internal and
external audits, and feedback to the policy owner.
Exceptions
Exceptions to this policy are not advisable and shall not be allowed in any
case.
Non-Compliance
An employee, associate, service provider found to have violated this policy
may be subject to disciplinary / legal action, up to and including
termination of employment / service contracts.
SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1015
2 Name of the Policy Disaster Recovery Site Establishments
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders IT Department Officials, DR Site Officials, Service
Providers with whom Bank executed the Service
Agreement, Management Officials of the Bank
6 Revision History
Overview
The Reserve Bank of India mandates every Bank to ensure a Disaster Recovery Site for
all services operational at the Bank. It is imperative to ensure cyber security practices
for the Bank's single or multiple DR site establishments, whether in-house or outsourced
to a third-party vendor as a DRaaS service. This area is often treated as a secondary
site, whereas its entire infrastructure is connected to the corporate network of the
Bank's primary site to keep data and applications in sync in all respects. The reasons
the Bank originally outsourced or collocated the DR setup, such as freeing up floor
space and reducing establishment costs, should be weighed against the security
arrangements required to ensure enterprise security.
Purpose
The purpose of this policy is to prevent intruders from stealing critical information of
the primary site by accessing it through the secondary site establishment, i.e., the
Disaster Recovery Site.
Scope
The scope of this policy covers, but is not limited to, the IT infrastructure, assets and
network arrangements of the primary and DR site establishments, together with the
authorized system and network users / officials of the Bank, outsourced vendors,
communication channel vendors, and the monitoring and management officials of the
Bank and of the outsourced vendor.
Policy
It is a common misconception that Disaster Recovery and cyber security recovery are one
and the same concept. Although they are similar and overlap, the primary objective of
disaster recovery is to provide business continuity after disruption from man-made or
natural causes, whereas security recovery protects data assets after a data breach.
The following policy guidelines are to be ensured by the responsible officials, i.e.,
CIO / CTO / senior executives of the IT Department of the Bank, from the point of view
of cyber security.
Policy Compliance
Compliance Measurement
The IT Department will verify compliance with this policy through various
methods, including but not limited to business tool reports, internal and
external audits, and feedback to the policy owner.
Exceptions
Exceptions to this policy are not advisable and shall not be allowed in any
case.
Non-Compliance
An employee, associate, service provider found to have violated this policy
may be subject to disciplinary / legal action, up to and including
termination of employment / service contracts.
SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1016
2 Name of the Policy Vendor / Outsourcing Risk Management
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders Management officials, IT Department Officials,
Hardware and Software Vendors / Service Providers,
Consultants / Contractors, IT or business process
outsourcing firms, Hardware and Software maintenance
and support staff, DRaaS / PaaS/IaaS/ASP/Cloud Service
providers.
6 Revision History
Overview
It is seen in the banking environment that the terms and conditions of service level
agreements are imposed by the service providers according to their own company
standards, so that the Bank misses important aspects of the service, cannot stand
legally if the agreed services are not provided, or becomes the victim of a cyber threat
when compromised due to poor control by the service provider.
Purpose
The purpose of this policy is to set forth the standard guidelines / precautions to
be taken into consideration while outsourcing any function or activity of the
Bank.
Scope
This policy applies to all activities defined by the Bank as non-core, and to core
activities that the Bank cannot execute itself because of regulatory guidelines or
because its infrastructure does not support establishing the requirements for
providing the service / product.
Policy
Policy Compliance
Compliance Measurement
The IT Department will verify compliance with this policy through various
methods, including but not limited to business tool reports, internal and
external audits, and feedback to the policy owner.
Exceptions
Exceptions to this policy are not advisable and shall not be allowed in any
case.
SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1017
2 Name of the Policy Incident Management and Reporting
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All Employees, Management Officials, Board of
Directors, Service Providers, Consultants / Contractors.
6 Revision History
Overview
Purpose
The purpose of this policy is to define the Bank's incident response program. The goal
is to establish an approach to managing and reporting incidents so as to reduce their
adverse impact on the Bank.
Scope
This policy applies to the physical and electronic information systems operated at the
Bank. It also covers information systems operated by third-party service providers or
agencies / agents on behalf of the Bank. All Bank employees, temporary / contract
employees, contractors and service providers are covered by this policy.
Policy
The Bank's responsible officials shall classify each incident on the basis of its
severity and use that classification to manage and report the incident according
to the hierarchy operational in the Bank.
The term “incident” is defined as any irregular or adverse event that affects
any asset, information or personally identifiable information, or that involves
the availability, integrity or confidentiality of the Bank's systems and
network. An incident can be physical or electronic in nature.
An incident shall be reported immediately to the escalation authority by the
employee or individual who notices it. Any delay may increase the complexity
of the incident.
It is the responsibility of the Board of Directors and the management officials
of the Bank to disclose information about an incident to customers, make it
public, or inform law enforcement agencies.
Possible incident categories include:
o Non-availability of information / systems / network for business
operations or customer service.
o Denial of system resources, cyber-incident, cyber-attack, malware attack,
virus attack, or erroneous behaviour of any system / mechanism
operational at the Bank.
o Change to system hardware, firmware or software characteristics
without the management's knowledge.
o Criminals obtaining a large volume of credentials (user names,
passwords, email addresses) and other forms of identification used
by customers, employees and third parties to authenticate to
systems.
Policy Compliance
Compliance Measurement
The IT Department will verify compliance with this policy through various
methods, including but not limited to business tool reports, internal and
external audits, and feedback to the policy owner.
Exceptions
Exceptions to this policy are not advisable and shall not be allowed in any
case.
Non-Compliance
An employee, associate, service provider found to have violated this policy
may be subject to disciplinary / legal action, up to and including
termination of employment / service contracts.
SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1018
2 Name of the Policy Incident Reporting to Regulatory Authority
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders IT Department Officials, Management Officials, Board of
Directors.
6 Revision History
Overview
Cyber incidents have serious consequences for societies, nations and those
victimized by cyber criminals. The theft, exploitation or breach of information,
financial or other sensitive personal and commercial data, and cyber-attacks
that damage computer systems are capable of causing lasting harm.
Purpose
This policy sets forth the guidelines for reporting incidents to the regulatory
authorities, i.e., Reserve Bank of India / NPCI / UIDAI and CERT-IN, for analyzing their impact at
Scope
Policy
All incidents, with full details and depending on their severity level / business
impact, shall be reported to the regulatory authority, i.e., Reserve Bank of
India. The analysis and identification of the severity level is the responsibility
of the Board of Directors / management officials of the Bank.
The incident details shall also be reported, in the stipulated format, to the
Computer Emergency Response Team of India (CERT-IN).
The Board of Directors will be held responsible for non-reporting of any cyber
incident / information security breach that occurs in the Bank.
The Bank shall devise / use a suitable incident reporting format based on the
guidelines issued by the regulatory authority and CERT-IN in this regard.
Compliance Measurement
The IT Department will verify compliance with this policy through various
methods, including but not limited to business tool reports, internal and
external audits, and feedback to the policy owner.
Exceptions
Exceptions to this policy are not advisable and shall not be allowed in any
case.
Non-Compliance
An employee, associate, service provider found to have violated this policy
may be subject to disciplinary / legal action, up to and including
termination of employment / service contracts.
SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1019
2 Name of the Policy Cyber Crisis Management Plan
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All employees of the Bank, IT Department Officials,
Management Officials, Board of Directors.
6 Revision History
Overview
The cyber crisis management plan provides the strategic action points and guides
the activities to be considered / executed to prepare for, respond to, and begin to
coordinate recovery from a cyber-incident.
Purpose
The purpose of this policy is to create awareness of the significance of the Cyber
Crisis Management Plan, which the Bank ideally needs to develop, implement and
keep effective. The policy also guides the steps for developing such a Cyber Crisis
Management Plan.
Policy
The Cyber Crisis Management Plan shall describe each and every action for the
following cyber crisis response life cycle:
The Bank shall form a Cyber Crisis Management Team, which shall be reviewed
periodically by a subject matter expert where needed.
The cyber crisis management team should act as the program management
office, or liaison, between the internal incident response team and the
broader environment, which includes an array of internal and external groups,
and ensure proper coordination between the team members.
Cyber incident or isn't pursuing an investigation, counsel can walk the Bank through the
advantages and disadvantages of reporting the incident to law enforcement agencies.
Policy Compliance
Compliance Measurement
The IT Department will verify compliance with this policy through various methods,
including but not limited to business tool reports, internal and external audits, and
feedback to the policy owner.
Exceptions
Exceptions to this policy are not advisable and shall not be allowed in any
case.