
Cyber Security Policy

ABC Bank

Information Technology Department, Central Audit & Vigilance Department, Head Office.

[CYBER SECURITY FRAMEWORK]


This document is confidential in nature, and any reproduction, copying or rewriting of its contents will be treated under the jurisdiction of the General Copyright Act. The document is the sole property of ABC Bank.

DOCUMENT CONTROL INFORMATION

SL No Particulars Details
1 Document Reference ITCSP/HO/2018
2 Document Date
3 Prepared By
4 Reviewing Authority & Date of Review
5 Board Approval Date & Reference
6 Published on Date

VERSION CONTROL

SL No Particulars Details
1 Cyber Security Policy Version 1.0
2

Cyber Security Policy


ABC Bank Page 1
TABLE OF CONTENTS

1. Introduction 3
2. Cyber Security Framework and its significance 4
3. General Cyber Security Policy : Acceptable Use (AU) 10
4. Organization Roles and Responsibilities 18
5. Preventing Access to Unauthorized Software 25
6. Environmental Controls & Physical Security 28
7. Network Management and Security 31
8. Secure Configuration Management 38
9. Operating System and Patch Management 41
10. End Point Security 43
11. User Access Right - Control / Management 46
12. Secure email and Messaging System 50
13. Delivery Channels, Digital Products 53
14. User/Employee/Management Awareness 56
15. Customer Education and Awareness 60
16. Disaster Recovery Site Establishments 63
17. Vendor / Outsourcing Risk Management 66
18. Incident Management and Reporting 71
19. Incident Reporting to Regulatory Authority 75
20. Cyber Crisis Management Plan 78

1. Introduction

The Banking Industry is witnessing a shift in customer preference towards digital platforms, and customers now expect Banks to provide round-the-clock services. Among several other sectors, Banks are seen to be more proactive in investing in and improving security practices; such measures may still be inadequate considering the challenges the industry faces today. A paradigm shift in cyber-attack vectors has made Banks realize that their current security establishments are inadequate and that they need to put in place a robust Cyber Security Mechanism with continual improvement practices to combat or reduce the impact of unforeseen incidents which may severely affect the overall reputation of the Bank.

Reserve Bank of India has taken a step in the appropriate direction by recognizing the inherent need for Banks to strengthen their cyber security posture in the wake of increasingly sophisticated Cyber Attacks. The guidelines issued by RBI in this regard have comprehensive coverage and clearly indicate the necessity of adopting cyber security practices, as distinct from a focus purely on information security and the related compliance to be furnished by the Banks in the stipulated time. Further, the guideline insists on the establishment of a cyber security operations centre for continual improvement and for remaining vigilant in this fast-changing environment.

Banks are in a race to provide various digital experiences to their customers, which has become a necessity to remain competitive and to retain the customer base. At the same time, the challenge of maintaining the underlying IT infrastructure for non-disruptive services has also increased, and Banks need to ensure the related arrangements within their operational mechanism.

Banks are on the verge of creating cyber security programs: reviewing and formulating governance practices, awareness initiatives, policies, devices and solutions for alerting on covert attempts made by cybercriminals, and working intensively on reducing the organization’s reputational risk, which has a destructive impact on business operations. Formulating a Cyber Security Policy and its related eco-system framework has become the need of the hour, and this document emphasizes various aspects of its implementation by the Bank.

2. Cyber Security Framework and its Significance

Banks are dependent on the availability of Critical Infrastructure for providing customer
service. Cyber Security threats exploit the increased complexity and connectivity of
critical infrastructure systems, placing the Nation’s security, economy, and public safety
and health at risk. Similar to financial and reputational risks, cyber security risk affects
an organization’s bottom line. It can drive up costs and affect revenue. It can harm an
organization’s ability to innovate and to gain and maintain customers. Cyber security
can be an important and amplifying component of an organization’s overall risk
management.

The cyber security framework focuses on using business drivers to guide cyber security activities and on considering cyber security risks as part of the organization’s risk management process. It offers a flexible way to address cyber security, including cyber security’s effect on the physical, cyber and people dimensions. It is applicable to all organizations that rely on Technology, and Banking is no exception: all Banking operations now rely on Technology through cyberspace, i.e., the Communication Technology Network, integrated web-facing applications, independent applications responsible for internal process automation, Servers, Desktops and other systems such as infrastructure management systems.

The framework and the eco-system around it are not one-size-fits-all for managing cyber security risks to critical infrastructure. Organizations will continue to have unique risks, different cyber threats and vulnerabilities, and different risk tolerances. These also vary from Bank to Bank, depending on how each Bank customizes its practices, monitors adherence to its cyber security policies, the digital platforms operational at the Bank and the risks associated with them.

Due to the increasing pressures from external and internal threats, organizations
responsible for critical infrastructure need to have a consistent and iterative approach
to identifying, assessing, and managing Cyber Security risks.

Cyber Security Framework Architecture and its Components:

The above architecture of the Cyber Security Framework is conceptualized and supported by the Banking regulator, i.e., the Reserve Bank of India. Moreover, the framework is also architected based on the Cyber Security Best Practices proposed by IDRBT.

The above framework describes a cyber security maturity model and has four key segments, i.e., Scope, Risks, Assessment and Effectiveness. Core Domain areas broadly classify the various control areas into logical groups. The model defines five Core Areas, i.e., Security Management, Infrastructure Management, Cyber Security Engineering, Delivery Channels and Situational Awareness. Each of the domain areas has multiple control areas based on its thematic categorization, used for assessing maturity in a particular area and for tracking process and operational effectiveness. The control areas are further sub-divided into Control Principles for maturity assessment.

The inherent risk of the organization depends upon the products and services that it
operates, the assets that are needed to provide financial services to its customers, the
delivery channels it uses and its track record on cyber incidents. The maturity
assessment enables a financial institution to assess its process and control maturity. The
operational effectiveness measures the effectiveness of the firm in implementation of
the controls in the various control areas.

The first step in self-assessment is to evaluate the ‘Inherent Risk’ of the Bank. The inherent risk relates to the business risk a Bank is exposed to based on its size and area of operation, irrespective of controls, policies and its own security posture. The inherent risk assessment is important because it gives an indication of what level of maturity is adequate for the organization: the higher the inherent risk, the higher the required maturity level. There are a few recognized categories for identifying inherent risks, such as Technology, Delivery Channels, Products and technology-enabled services, and Track record on cyber threats. The levels of inherent risk are rated by impact, i.e., Low, Medium, High or Not Applicable. The next step in self-assessment is evaluation of the Bank’s maturity in the Core Domain areas and their related control areas. It is measured in the ratings Missing Control Strategy, Initializing, Developing, Operating, Managing and Optimizing, of which the last three categories show the preparedness of the organization towards cyber security.

The following are the areas taken into consideration while formulating the Cyber Security Policies, which together frame the Cyber Security Maturity Framework of the Bank.

Cyber Security Governance in the Bank comprises the responsibilities and engagement of the Board of Directors and senior management, organizational structures, and processes that protect information and mitigate growing cyber security threats. Cyber security governance ensures alignment of cyber security with business strategy to support organizational objectives.

Policy Framework elucidates the strategy, containing an appropriate approach to combat cyber threats given the level of complexity of the business and the acceptable levels of risk, duly approved by the Board.

People and Awareness is the only effective way of embedding cyber security technology and processes within the organization. It is the responsibility of the Bank’s Management to ensure proper training in this area at all levels, and that staff have the necessary knowledge of the risk management process.

Cyber risk comprises the various business and strategic risks that arise out of cyber security concerns. The overall Risk Management shall consist of Assessment, a Cyber Security Crisis Management Plan (CCMP), Business Continuity & Risk Management, and a mitigation plan.

A Centralized Asset Management and inventory process is required to effectively manage system patches and to prevent misuse and data leakage. The asset management domain considers whether the regulated entity is maintaining an up-to-date inventory of the tangible and intangible assets associated with any or all kinds of information-enabled services, containing parameters such as, but not limited to, ownership and classification of the assets.

3rd Party Risk Management covers centralized vendor management, vendor training, and SLA Agreements that comprise the rules of engagement in a cyber crisis.

Regulatory Compliance enumerates all the regulatory compliance requirements related to cyber security. Regulatory compliance requires that the Bank has recognized the applicable legislation and regulatory requirements it needs to adhere to and has implemented the necessary controls.

IT Infrastructure Management consists of environmental and physical security. A good access control strategy involves physical and environmental security. Premises management maintains in detail the safety of personnel and organizational assets, which is critical to ensuring that steps are taken against threats which may arise out of sabotage and other intrusions. This also covers resilience and redundancy through DR capabilities.

End Point Security control area comprises all end point devices connected across the Bank’s network, such as, but not limited to, Laptops, Desktops, Mobile Devices, IoT devices, Telephones, Printers and similar IT-enabled devices.

Network Security area comprises all network devices and communication service providers’ arrangements: routers, firewalls, switches, modems etc.

Server Security area comprises all the servers responsible for providing Banking Services to customers, non-production servers, servers providing internal control services to Bank Employees, test servers etc.

Database Security area comprises all Database Servers. Database security concerns the use of a broad range of information security controls to protect the databases (potentially including the data, the database applications, stored procedures, the database systems, the database servers and associated network links) against compromise of their confidentiality, integrity and availability. It involves various categories of controls, such as technical, procedural/administrative and physical.
Platform Security is also considered a significant component, since security best practices need to be applied to the hardware and the operating system on which the application runs. Many devices ship with default credentials, and the system may require additional steps to make it more secure. Platform security covers areas such as the Operating System, device hardening mechanisms, regulatory platforms and their related applications management.

Cyber Security Engineering Areas –

Security Architecture covers areas that Bank shall take into consideration to strengthen
the security of the enterprise systems as a whole. DNS Governance, Anti-phishing
controls, enterprise security designs, API and Interface management are some of the
areas.

Data Protection relates to securing the data at rest, data in motion and access to the
data. This is an important control area that includes data classification, DLP mechanism,
Data Life Cycle Management, data retention policies and tokenization.

Identity and Access Management covers the mechanism that enables the right individuals to access the right resources at the right times and for the right reasons.

Security Configuration covers platform-related configurations, device and environment hardening etc.

Application Security Life Cycle – The majority of incidents happen because of poor application design or inadequate security consideration, either in the design or in the configuration of the system. This domain covers the application security life cycle, which includes secure software coding, threat modeling, use of standard development practices, and security testing and stress testing of the Application. Banks shall not use an Application which does not follow the above-mentioned criteria.

Delivery Channels -

ATM/POS/ECOMM – The security of the delivery channels has specific significance, since the mechanism associated with them has to be integrated with third-party / regulated entities’ infrastructure. Any loophole identified increases the risk of cyber-attack.

Mobile Banking & Internet Banking, since they provide access to various applications and information to customers through websites or handheld devices for availing Banking Services, have become the most error-prone area and the most vulnerable from the view of cyber risk. The use of a standard mobile application with its related management and reconciliation, and an Internet Banking Application with web security controls such as SSL Certificates and multi-factor authentication, have become a necessity, and the Bank shall have complete visible control over the related operations management.

Bill Payment Systems such as Bharat Bill Payment, UPI, third-party utility bill payment interfaces etc. also have the same significance towards cyber security, since the products and services are technically associated with third-party / regulatory infrastructure.

Situational Awareness covers Security Monitoring and Incident Management. The domain covers SOC operations and advanced analytics that may use network or user anomaly detection. Incident analysis, Incident Management, Crisis Management, Incident response and regulatory reporting are some of the important considerations that come under the situational awareness domain area.

Management Reporting consists of appraising and educating management, at regular intervals, about the security mechanism operational at the Bank, the need for improvement, Incident Root Cause Analysis and Crisis Management Standard Practices.

3. General Cyber Security Policy : Acceptable Use (AU)

SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1001
2 Name of the Policy Acceptable Use Policy
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All employees, Management of the Bank, Board of
Directors, Stakeholders, Vendors, Associates
6 Revision History

1. Overview

The IT Department’s intention in publishing the “Acceptable Use Policy” is not to impose restrictions that are contrary to <ABC Bank>’s culture of openness, trust and integrity. The IT Department is committed to protecting <ABC Bank> employees, partners, and the Bank from illegal or damaging actions by individuals, whether committed knowingly or unknowingly.

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, WWW browsing, and FTP, are the property of <ABC Bank>. These systems are to be used for business purposes in serving the interests of the Bank, and of our clients and customers in the course of normal operations. Please review Human Resources policies for further details.

Effective security is a team effort involving the participation and support of every <ABC
Bank> employee and affiliate who deals with information and/or information systems. It
is the responsibility of every computer user to know these guidelines, and to conduct
their activities accordingly.

2. Purpose

The purpose of this policy is to outline the acceptable use of computer equipment at
<ABC Bank>. These rules are in place to protect the employee and <ABC Bank>.
Inappropriate use exposes <ABC Bank> to risks including virus attacks, compromise of
network systems and services, and legal issues.

3. Scope

This policy applies to the use of information, electronic and computing devices, and
network resources to conduct <ABC Bank> business or interact with internal networks
and business systems, whether owned or leased by <ABC Bank>, the employee, or a
third party. All employees, contractors, consultants, temporary, and other workers at
<ABC Bank> and its subsidiaries are responsible for exercising good judgment regarding
appropriate use of information, electronic devices, and network resources in accordance
with <ABC Bank> policies and standards, and local laws and regulation.

This policy applies to employees, contractors, consultants, temporaries, and other workers at <ABC Bank>, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by <ABC Bank>.

4. Policy
4.1 General Use and Ownership

4.1.1 <ABC Bank> proprietary information stored on electronic and computing devices, whether owned or leased by <ABC Bank>, the employee or a third party, remains the sole property of <ABC Bank>. You must ensure through legal or technical means that proprietary information is protected in accordance with the Data Protection Standard.
4.1.2 You have a responsibility to promptly report the theft, loss or
unauthorized disclosure of <ABC Bank> proprietary information.
4.1.3 You may access, use or share <ABC Bank> proprietary information only to
the extent it is authorized and necessary to fulfill your assigned job duties.

4.1.4 Employees are responsible for exercising good judgment regarding the
reasonableness of personal use. Individual departments are responsible for
creating guidelines concerning personal use of Internet/Intranet/Extranet systems.
In the absence of such policies, employees should be guided by departmental
policies on personal use, and if there is any uncertainty, employees should consult
their supervisor or manager.

4.1.5 For security and network maintenance purposes, authorized individuals within <ABC Bank> may monitor equipment, systems and network traffic at any time, per the Information Security Audit Policy.

4.1.6 <ABC Bank> reserves the right to audit networks and systems on a periodic
basis to ensure compliance with this policy.

4.2 Security and Proprietary Concerns

4.2.1 All mobile and computing devices that connect to the internal network must
comply with the Minimum Access Policy.
4.2.2 System level and user level passwords must comply with the Password Policy.
Providing access to another individual, either deliberately or through failure
to secure its access, is prohibited.
4.2.3 All computing devices must be secured with a password-protected
screensaver with the automatic activation feature set to 10 minutes or less.
You must lock the screen or log off when the device is unattended.
4.2.4 Postings by employees from a <ABC Bank> email address to newsgroups
should contain a disclaimer stating that the opinions expressed are strictly
their own and not necessarily those of <ABC Bank>, unless posting is in the
course of business duties.

4.2.5 Employees must use extreme caution when opening e-mail attachments
received from unknown senders, which may contain malware.

4.3 Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).

Under no circumstances is an employee of <ABC Bank> authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing <ABC Bank>-owned resources.

The lists below are by no means exhaustive, but attempt to provide a framework
for activities which fall into the category of unacceptable use.

4.3.1 System and Network Activities

The following activities are strictly prohibited, with no exceptions:

1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by <ABC Bank>.

2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which <ABC Bank> or the end user does not have an active license is strictly prohibited.
3. Accessing data, a server or an account for any purpose other than conducting
<ABC Bank> business, even if you have authorized access, is prohibited.
4. Exporting software, technical information, encryption software or technology, in
violation of international or regional export control laws, is illegal. The
appropriate management should be consulted prior to export of any material
that is in question.

5. Introduction of malicious programs into the network or server (e.g., viruses,
worms, Trojan horses, e-mail bombs, etc.).

6. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.

7. Using a <ABC Bank> computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.

8. Making fraudulent offers of products, items, or services originating from any <ABC Bank> account.

9. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
10. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
11. Port scanning or security scanning is expressly prohibited unless prior notification
to IT Department is made.
12. Executing any form of network monitoring which will intercept data not intended
for the employee's host, unless this activity is a part of the employee's normal
job/duty.
13. Circumventing user authentication or security of any host, network or account.
14. Introducing honeypots, honeynets, or similar technology on the <ABC Bank>
network.

15. Interfering with or denying service to any user other than the employee's host
(for example, denial of service attack).

16. Using any program/script/command, or sending messages of any kind, with the
intent to interfere with, or disable, a user's terminal session, via any means,
locally or via the Internet/Intranet/Extranet.

17. Providing information about, or lists of, <ABC Bank> employees to parties outside
<ABC Bank>.

4.3.2 Email and Communication Activities

When using <ABC Bank> resources to access and use the Internet, users must realize they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that "the opinions expressed are my own and not necessarily those of the company". Questions may be addressed to the IT Department.

1. Sending unsolicited email messages, including the sending of "junk mail" or other
advertising material to individuals who did not specifically request such material
(email spam).

2. Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.

3. Unauthorized use, or forging, of email header information.

4. Solicitation of email for any other email address, other than that of the poster's
account, with the intent to harass or to collect replies.

5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
6. Use of unsolicited email originating from within <ABC Bank>'s networks of other
Internet/Intranet/Extranet service providers on behalf of, or to advertise, any
service hosted by <ABC Bank> or connected via <ABC Bank>'s network.

7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).

4.3.3 Blogging and Social Media

1. Blogging by employees, whether using <ABC Bank>’s property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this Policy. Limited and occasional use of <ABC Bank>’s systems to engage in blogging is acceptable, provided that it is done in a professional and responsible manner, does not otherwise violate <ABC Bank>’s policy, is not detrimental to <ABC Bank>’s best interests, and does not interfere with an employee's regular work duties. Blogging from <ABC Bank>’s systems is also subject to monitoring.

2. <ABC Bank>’s Confidential Information policy also applies to blogging. As such, employees are prohibited from revealing any <ABC Bank> confidential or proprietary information, trade secrets or any other material covered by <ABC Bank>’s Confidential Information policy when engaged in blogging.

3. Employees shall not engage in any blogging that may harm or tarnish the image,
reputation and/or goodwill of <ABC Bank> and/or any of its employees.
Employees are also prohibited from making any discriminatory, disparaging,
defamatory or harassing comments when blogging or otherwise engaging in any
conduct prohibited by <ABC Bank>’s Non-Discrimination and Anti-Harassment
policy.

4. Employees may also not attribute personal statements, opinions or beliefs to <ABC Bank> when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of <ABC Bank>. Employees assume any and all risk associated with blogging.

Apart from following all laws pertaining to the handling and disclosure of
copyrighted or export controlled materials, <ABC Bank>’s trademarks, logos and
any other <ABC Bank> intellectual property may also not be used in connection
with any blogging activity.

5. Policy Compliance

5.1 Compliance Measurement

The IT Department team will verify compliance to this policy through various methods,
including but not limited to, business tool reports, internal and external audits, and
feedback to the policy owner.

5.2 Exceptions
Any exception to the policy must be approved by the DGM, IT Department in advance.

5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.
6 Related Standards, Policies, Processes

• Data Classification Policy
• Data Protection Standard
• Social Media Policy
• Minimum Access Policy
• Password Policy

4. Organization Roles and Responsibilities

SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1002
2 Name of the Policy Cyber Security - Roles and Responsibilities
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All employees, Management of the Bank, Board of
Directors, Stakeholders, Vendors, Associates
6 Revision History

Overview

The management officials & Board of Directors of the Bank shall understand the
cyber risks to which the Bank can be exposed. Robust oversight and engagement
on cyber risk matters at the Board Level promotes a security risk conscious
culture within the Bank.

Purpose

The Bank Management Team, which consists of Managers, Department Heads, Assistant General Managers, Dy. General Managers, Joint General Managers, General Managers, CEO & Managing Directors, the Board of Directors and the various Committees responsible for management of the Bank, shall be aware of their roles and responsibilities in view of Cyber Security. This does not mean that other officials of the Bank do not have any responsibility in terms of Cyber Security; they are all considered part of the Bank Management Team. The specific intention of documenting the roles of senior management officials towards awareness is a top-down penetration of the concept of Cyber Security and the associated risks to the Bank, so that whenever necessary they are in a position to guide the rest of the Bank’s team.

Scope

The policy applies to all management officials of the Bank as described above. The
roles and responsibilities are confined to the concept of Cyber Security Program
of the Bank and the Cyber Risks associated with the tools, technologies, products,
services, cyberspace operational at the Bank.

Policy

Cyber Security: Roles and Responsibilities of Board of Directors

• The Board must ensure that it understands the legal implications of Cyber Security Risks.
• The Board must undertake a thorough analysis of the Bank’s most valuable IT assets and assess the Bank’s preparedness with regard to the Cyber risks associated with each component.
• Understand and review the Bank’s exercise on Cyber Security and its related compliances once in a quarter; if management of Cyber Risk is allocated to a committee, the full Board should also review the Bank’s preparedness at least semiannually.
• The Board may decide to hire outside expertise / engage a company’s services to assess the Bank’s preparedness on Cyber Security and its related compliance as prepared by the officials of the Bank.
• Ensure that the IS Security Audit & VAPT exercise is being carried out by the Bank officials along with the Cyber Security Audit once a year. Compliance with such observations also has to be reviewed by the Board once a year.
• Review the Bank’s management response plan to potential cyber security breaches. The plan shall identify who will be responsible for making decisions when a breach occurs and what action Bank officials will take in the event of a breach / cyber-attack.
• Ensure the Bank is entrusting the audit exercise to an expert in the Cyber Security Domain, and verify the proposals in detail accordingly before approving the Audit Process.

 The Board shall review and ensure that the Bank has developed a Crisis
Management Plan with regard to Cyber Security.
 In case a breach / attempt to hack / cyber-attack occurs, the Board shall decide
under what circumstances and in what format the incident report is to be
approved before announcement to the customers or informing the regulatory
authorities.
 It is the Board’s responsibility to involve law enforcement in case a cyber-attack
/ breach of information by cyber criminals occurs in the Bank.
 The decision to inform the customers of the Bank shall also lie with the Board
of Directors.
 Allocation and approval of the budget required for ensuring cyber security
preparedness, procurement of devices/applications, and procurement /
subscription of such continual improvement practices shall be the responsibility
of the Board of Directors.
 Assessment and approval of recruitment of the required manpower within the
organization / outsourcing to a company shall be the responsibility of the Board
of Directors. In case the HR Committee is authorized to recruit such manpower,
the Board shall review the progress on a quarterly basis in this regard.

Cyber Security: Roles and Responsibilities of Senior Management of the Bank
(Chief Executive Officer / Managing Director / General Manager / Dy. General
Manager)

 Review the IT Asset Inventory for critical production components, i.e.,
hardware, software and services, once in a month.
 Review the Information Security Policy and Cyber Security Policy once in a year
or as and when there is a change in the policy.
 Review the exercises / preparedness of the IT Department with regard to Cyber
Security, the threat landscape, and mitigation tools and technologies.
 Ensure the Bank implements a Cyber Security Framework and its related
components.

 Engage / entrust a third-party assessment exercise once in a quarter in case
the internal resources are not adequately aware of the Cyber Security domain
and the risks associated with it.
 Ensure that the Bank carries out the IS Security Audit at a periodic interval, i.e.,
once in a year, and also assess the need to engage services in this regard for
continual improvement.
 Apprise the Board of the Bank’s Cyber Security preparedness exercise at
quarterly intervals.
 Ensure that compliances with the observations of the IS Audit, VAPT exercise
and Cyber Security Audit are prepared by the respective stakeholders / IT
Department, and review once in a quarter that the major and minor
non-conformities mentioned in the report have been mitigated.
 Re-visit the compliance before submission to the regulatory authority, both
before and after approval by the Board.

Cyber Security: Roles and Responsibilities of CIO / CTO / AGM IT / Senior Manager
IT / Manager IT

 Prepare the Cyber Security Policy as per the guidelines issued by the Reserve
Bank of India / IDRBT / NIST and apprise senior management for onward
approval by the Board.
 Prepare a detailed IT Asset Inventory document for all critical and non-critical
business IT assets operational at the Bank, consisting of details of the IT assets
(hardware, software, network devices, key personnel, services, vendors,
software licenses, details of systems responsible for storing customer
information, transaction data, business applications, etc.). Also document and
periodically review the service-wise / application-wise dependency of each
component.
 Ensure the security of the Bank’s network devices and their configuration,
security mechanisms/systems, anti-virus, updates, and configuration files.
 Classify data/information based on the sensitivity of the information.

 Appropriately manage and protect data/information within and outside the
Bank’s network, keeping in mind how it is stored, transmitted, processed,
accessed and put to use within/outside the Bank’s network, and the level of
risk it is exposed to depending on its sensitivity.
 Maintain a centralized inventory of authorized software, approved applications,
libraries, backup tapes, etc.
 Put in place a mechanism to control installation of software / applications on
end-user systems and to identify the use of unauthorized software.
 Ensure the UAT environment is not at all connected to the production
environment.
 Ensure the web-facing application settings are set to the highest security level
and review them at a periodic interval, i.e., once in a month.
 Put in place an alert mechanism for the case that any user knowingly or
unknowingly modifies / changes / deletes / updates the settings of a production
application, network device, server or database application.
 Ensure environmental controls are adequate for the critical IT setup operational
at the Bank.
 Ensure secure configuration of all IT devices operational at the Bank.
 Ensure anti-virus patches / signatures are updated automatically from the OEM
source.
 Report Cyber Security incidents in the required format to senior management
and the Board of Directors.
 Conduct periodic awareness programs / exercises on Cyber Security, threats and
vulnerabilities for the rest of the staff / officials / managers within the Bank.
 Develop and implement a Cyber Crisis Management Plan, apprise senior
management & the Board, and update it as and when there are changes in the
environment, IT infrastructure, policies, etc.

 Regularly assess anomalies with regard to Cyber Security and evaluate capacity
planning to safeguard the critical IT assets operational at the Bank.
 Put up to senior management for approval any requirements in terms of
software, hardware or services required to strengthen the Cyber Security
landscape within the Bank. Implement and ensure continual monitoring of the
same on approval from the Board / competent authority within the Bank.

Cyber Security: Roles and Responsibilities of all Officers, Clerks, Non-working Staff

 Responsibility for adherence to the Information Security and Cyber Security
policies in all respects as stipulated in the various policies.
 Apprise changes required, if any, as per the applicability and dependency of
information security practices and the interoperability of applications and
services.
 Follow the practices laid down in the policies while operating the critical /
non-critical IT infrastructure.
 Always follow standard practices while operating the IT infrastructure.
 Support cyber security incident handling as per the duties and responsibilities
allocated by senior management from time to time.

Policy Compliance

Compliance Measurement

The IT Department team will verify compliance to this policy through various methods,
including but not limited to, business tool reports, internal and external audits, and
feedback to the policy owner.

Exceptions
Any exception to the policy must be approved by the DGM, IT Department in advance.

Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.

5. Preventing Access to Unauthorized Software

SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1004
2 Name of the Policy Preventing Access to Unauthorized Software
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All system users of the Bank irrespective of their profile.
6 Revision History

Overview

This policy sets forth the guidelines for the use of software, interfaces and API
programs that are authorized for use in banking operations. Any unauthorized use
of such software / programs may lead to fraudulent activities and malpractices,
since the vigilance controls of such software do not integrate seamlessly with the
other software programs in use for production banking business functions.

Purpose

The purpose of the policy is to guide users in the use of secure and authorized
software within the Bank for banking operations. In order to establish the security
practices, it is essential to use only software / pieces of software / interfaces that
are authorized / recommended by the OEM / supplier of the host application
software used for the banking business. In case third-party software is used to
carry out such banking transactions, written consent has to be obtained from the
supplier for its use.

Scope

This policy is applicable to all systems and cyberspace used for production /
non-production activities within the Bank premises irrespective of their use / user
in the Bank. The applicability of this policy includes, but is not limited to:

a. All servers, desktops and laptop systems operational for production activities in
the Bank.

b. All network devices, firewalls, IDP sensors, other related security appliances,
routers, switches, SAN/NAS/storage systems / sub-systems operational within
the Bank.

Policy

Unauthorized / non-recommended software or pieces of software / applications
shall not be used on production systems that host banking applications. A
competent authority of the IT Department / CISO is authorized to remove such
unauthorized applications / software / pieces of software with prior approval
from the escalation authority of the IT Department.

 Unauthorized Application Software
Unauthorized software comprises any piece of software / application / interface
to a host system that is installed on any workstation / server or stored in a
library without the prior consent / knowledge of the authority of the supplier(s).
This includes, but is not limited to, rogue software, Trojans, protocol analyzers,
shareware, freeware, communication software, monitoring software, and any
other software that permits or promotes hacking, system intrusion or system
performance degradation.

 Standard / Authorized Applications / Software
The standard application is one which is contractually agreed by the authority /
OEM of the application/software and recommended / consented to by the
supplier of the application/software for the purpose of carrying out business
operations.
 Non-Standard Application Software
The non-standard / unauthorized application/software or piece of software
program is one which is not supplied / recommended by the OEM / authorized
application service provider and does not have any legal / contractual
agreement / consent for use from the OEM / authorized application service
provider.

Cyber Risk Associated

 Use of unauthorized software/application software/pieces of software may be
susceptible to intrusion by an unauthorized user / software program.
 Unauthorized / non-standard software can produce erroneous results if
tampered with by an intruder, which may result in financial losses / reputational
losses to the Bank.
 Vigilance validations may not apply to programs that operate in isolation /
without consent from the OEM / supplier of the host systems responsible for
business operations. There is every possibility of misuse / change in the code
of such programs by an intruder with the intention to harm / hack the business
operations of the Bank.
 Customer information / account transactions may be susceptible to modification
by malware / an intruder / a cybercriminal, which may attract cyber threats /
hacking / attempts to hack / create gaps in the integrity of the application’s use
with the host systems and their related security mechanisms.

Policy Compliance

 It is the responsibility of the competent authority of the IT Department of the
Bank to address compliance issues in this regard in case they are noticed by the
regulatory auditors / IS auditors / OEM’s audit compliance team, etc.
 A report once in a quarter has to be placed before the management authority
of the Bank, which shall consist of the status of such usage, either “NIL” or with
the details of the usage including system details, purpose, dependency, etc., in
the form of the stipulated document in practice at the IT Department, approved
by the competent authority of the Bank.
 A report from automated software can also be submitted to the management
in this regard wherein the information with all relevant details is available for
verification by the competent authority.
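The "automated software" report the compliance section refers to can be produced by comparing an endpoint inventory export against the Bank's authorized-software list. The following Python script is an added example, not part of this policy or of any tool the Bank uses: the allowlist, the inventory entries and the host names are constructed sample data, and the rule that an entry is authorized only when its name, publisher and version are all approved is this example's own interpretation of the "standard / authorized" definition above.

```python
"""Allowlist check of installed software against the Bank's authorized list.

Added example with constructed data: the allowlist and the inventory export
below are samples, not an actual export from the Bank's systems.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Installed:
    host: str        # system the software was found on
    name: str        # package / product name as reported by the inventory tool
    version: str
    publisher: str


# Constructed allowlist: product name -> (approved publisher, approved versions).
# An empty version set means any version from the approved publisher is allowed.
AUTHORIZED = {
    "core-banking-client": ("ABC Bank IT", {"4.2.1", "4.2.3"}),
    "endpoint-av": ("Example AV Vendor", set()),
    "pdf-reader": ("Example Docs Inc.", {"11.0"}),
}

# Constructed inventory export, as a tool might report it for three branch PCs.
INVENTORY = [
    Installed("BR01-PC01", "core-banking-client", "4.2.3", "ABC Bank IT"),
    Installed("BR01-PC01", "endpoint-av", "9.8", "Example AV Vendor"),
    Installed("BR01-PC02", "core-banking-client", "4.1.0", "ABC Bank IT"),  # unapproved version
    Installed("BR01-PC02", "remote-viewer", "2.0", "unknown"),              # not on the list
    Installed("BR01-PC03", "pdf-reader", "11.0", "Other Publisher Ltd."),   # wrong publisher
]


def classify(item):
    """Return None if the entry is authorized, otherwise the reason it is not."""
    entry = AUTHORIZED.get(item.name.lower())
    if entry is None:
        return "software not on authorized list"
    publisher, versions = entry
    if item.publisher != publisher:
        return f"publisher {item.publisher!r} is not the approved {publisher!r}"
    if versions and item.version not in versions:
        return f"version {item.version} not approved (approved: {sorted(versions)})"
    return None


def find_unauthorized(inventory):
    """List (host, name, version, reason) for every non-compliant entry."""
    findings = []
    for item in inventory:
        reason = classify(item)
        if reason is not None:
            findings.append((item.host, item.name, item.version, reason))
    return findings


def quarterly_report(inventory):
    """Render the status the policy asks for: 'NIL' or per-system detail."""
    findings = find_unauthorized(inventory)
    if not findings:
        return "Unauthorized software status: NIL"
    lines = [f"Unauthorized software status: {len(findings)} finding(s)"]
    for host, name, version, reason in findings:
        lines.append(f"  {host}: {name} {version} - {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(quarterly_report(INVENTORY))
```

Publisher is checked as well as name because an unauthorized program can carry the name of an approved one; in a real deployment the publisher field would come from the package signature or code-signing certificate reported by the inventory tool.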

6. Environmental Controls & Physical Security

SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1005
2 Name of the Policy Environmental Controls & Physical Security
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All system users, Employees of the Bank, Management
Officials, Premises Department, Vigilance Department,
Infrastructure Management Department officials.
6 Revision History

Overview

Environmental controls are of distinct significance to cyber security practices and
are equally important from the point of view of information security. Good
environmental controls and physical security may reduce the risk of cyber threats
and help the business to continue its operations.

Purpose

This policy supports the implementation of best practices by guiding the relevant
measures to be taken to ensure good environmental and physical controls, which
restrict / reduce the opportunities for an intruder intent on harming the
Information Technology infrastructure of the Bank with the intention of creating
possibilities for a cyber threat/attack thereon.

Scope

This policy applies to all employees, seconded staff, agency workers, associates,
contracted companies and consultants of the Bank, and to every asset or premises
of the IT / non-IT infrastructure of the Bank that supports production or
non-production activities of the business operations of the Bank.

Policy

 All the environmental & physical controls in practice have to be assessed on
a periodic basis, i.e., once in a quarter.
 High-tension electricity arrangements of the premises, circuit breakers, power
generation & protection systems, access control systems, fire extinguishers,
HVAC systems, VESDA systems, smoke detectors, NOVAC / FM200 gas
suppression systems, physical security mechanisms, alert / alarm systems,
network communication mux rooms, battery rooms, UPS rooms, etc., and all
other systems that provide physical security / environmental security to the IT /
non-IT infrastructure of the Bank shall be periodically assessed, and a report on
the status of such control systems shall be submitted to the Management at
quarterly intervals.
 A list of persons authorized to gain access to the Data Center, computer rooms
or other areas supporting critical activities, where computer equipment and
data are located, shall be kept up to date and reviewed periodically.
 All access keys, cards, passwords, etc. for entry to any of the information
systems and the network shall be physically secured or subject to well-defined
and strictly enforced security procedures.
 All visitors to the data center or computer rooms shall be monitored at all
times, in a 24x7x365 environment, by the authorized staff. Records shall be
maintained properly for audit purposes.
 All staff shall ensure the security of their offices, particularly offices that are
directly accessible from a public area and contain information systems
connected to the central site.
 Regular inspection of equipment and communication facilities shall be
performed to ensure continuous availability and failure detection.

Cyber Risk Associated

 An intruder can attempt to study and tamper with the environmental controls /
physical security systems responsible for providing access to the IT / non-IT
infrastructure by installing a mechanism / appliance / system that provides
regular information to the intruder.
 The access control mechanism can be compromised by an intruder to restrict
the access of authorized officials so as to comfortably carry out a cyber-attack.
The monitoring / surveillance recording mechanism may get disabled as a result
of the compromise.

Policy Compliance

 A competent authority of the Information Technology Department shall review
the status/health reports of the physical security equipment, appliances,
applications, monitoring systems and manual observation records on a
quarterly basis.
 In case the Bank has entrusted / outsourced the monitoring and maintenance
service, the records of the monitoring / maintenance service provider have to
be verified on a weekly basis by the competent authority of the IT Department
and Premises Department officials.
 A quarterly review of such information systems has to be placed before the IT
Committee / Computer Committee for information.

7. Network Management and Security

SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1006
2 Name of the Policy Network Management and Security
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All system users, Employees of the Bank, Information
Technology Department, Communication Service
Management Officials, Infrastructure Management
officials.
6 Revision History

Overview

Network management and its related security is the most critical aspect of
protecting the most valuable asset, i.e., customer information, from unauthorized
access. Banks in general establish a layered security approach to network security
management. However, considering the present cyber threat scenario, layered
security may not be an adequate practice to combat cyber threats. In layered
security, a “Trust but Verify” kind of approach is commonly taken, implemented
through policies / access control and an event log mechanism. Banks are to
implement a Zero Trust Security Model, which takes a “Don’t trust, always verify”
kind of approach. Moreover, no user / event / component is treated as an “insider”
while designing the policies / implementing the security mechanism.

Purpose

This policy guides over and above the present orchestration of the network
mechanism operational in the Bank. It is not adequate only to ensure device
security and policy implementation; the design approach itself shall have to be
corrected and implemented by the Banks.

Scope

This policy is applicable to all system users, network administrators, third-party
network monitoring organizations, the network configuration and maintenance
team, the IT Infrastructure Management team, officers, and all the staff of the Bank.

Policy

There are some sub-policies under this master policy and are applicable as per
the scope and purpose defined in this policy.

a. Routers and Switch Security Policy

Purpose
This section of the policy describes a required minimal security configuration for
all routers and switches connecting to a production network or used in a
production capacity at or on behalf of the Bank.
Scope
All employees, contractors, consultants, temporary and other staff at the Bank
must adhere to this policy. It covers all routers and switches connected to
production networks or to the Test / UAT environment.
Policy
 No local user accounts shall be configured on the router.
 IP directed broadcast, TCP small services, all source routing and switching,
UDP small services, all web services running on the router, incoming packets
sourced from invalid addresses, discovery protocol, auto configuration, Telnet,
FTP and HTTPS must be disabled on the router.
 Dynamic trunking, scripting environments and TCL shell services must be
disabled.
 Password encryption must be enabled and NTP configured to a corporate
standard.
 Use corporate standardized SNMP community strings. Default strings, such as
public or private, must be removed. SNMP must be configured to use the most
secure version of the protocol allowed for by the combination of the device and
management systems.
 Access control lists must be used to limit the source and type of traffic that can
terminate on the device itself.
 Access control lists for transiting the device are to be added as business needs
arise.

 Telnet may never be used across any network to manage a router, unless there is
a secure tunnel protecting the entire communication path. SSH version 2 is the
preferred management protocol.
 Dynamic routing protocols must use authentication in routing updates sent to
neighbors. Password hashing for the authentication string must be enabled
when supported.
 The corporate router configuration standard will define the category of sensitive
routing and switching devices, and require additional services or configuration
on sensitive devices including:
 IP access list accounting
 Device logging
 Incoming packets at the router sourced with invalid addresses, such as RFC 1918
addresses, or those that could be used to spoof network traffic shall be dropped.
 Router console and modem access must be restricted by additional security
controls.
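The minimal configuration above can be checked mechanically against an exported running configuration. The following Python linter is an added example, not a tool from this policy or from the Bank: the two sample configurations are constructed, and the mapping from each policy item to a Cisco IOS-style statement (for instance "discovery protocol" to `cdp run`, "auto configuration" to `service config`) is this example's assumption, which the corporate router configuration standard would fix authoritatively.

```python
"""Lint a router running-configuration against the router/switch baseline.

Added example with constructed data. The policy-to-command mapping below is an
assumption of this example; a production audit should follow the corporate
router configuration standard for the exact statements required.
"""
import re

# (pattern on a stripped config line, finding). Lines beginning with "no " are
# disabling statements and are never matched against these.
FORBIDDEN = [
    (r"^username\s", "local user account configured on device"),
    (r"^service (tcp|udp)-small-servers", "TCP/UDP small services enabled"),
    (r"^ip http (secure-)?server", "web service enabled on device"),
    (r"^ip source-route", "IP source routing enabled"),
    (r"^cdp run", "discovery protocol (CDP) enabled"),
    (r"^service config", "auto configuration (network config load) enabled"),
    (r"^snmp-server community (public|private)\b", "default SNMP community string present"),
    (r"^ip directed-broadcast", "IP directed broadcast enabled on an interface"),
    (r"^transport input\b.*\b(telnet|all)\b", "Telnet management access allowed on line"),
]

# Statements that must be present somewhere in the configuration.
REQUIRED = [
    (r"^service password-encryption", "password encryption not enabled"),
    (r"^ntp server\s", "NTP not configured"),
    (r"^ip ssh version 2", "SSH version 2 not enforced"),
]


def audit_config(config_text):
    """Return a list of (line_number, finding); an empty list means compliant.
    Missing required statements are reported with line number 0."""
    findings = []
    seen_required = [False] * len(REQUIRED)
    for num, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # blank or comment line
        for i, (pat, _) in enumerate(REQUIRED):
            if re.match(pat, line):
                seen_required[i] = True
        if line.startswith("no "):
            continue                      # a disabling statement is what we want
        for pat, msg in FORBIDDEN:
            if re.match(pat, line):
                findings.append((num, msg))
    for present, (_, msg) in zip(seen_required, REQUIRED):
        if not present:
            findings.append((0, msg))
    return findings


# Constructed sample: a branch router as it should never be configured.
WEAK_CONFIG = """hostname BR-RTR-01
username admin privilege 15 password 0 Welcome123
service tcp-small-servers
ip http server
cdp run
ip source-route
snmp-server community public RO
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
line vty 0 4
 transport input telnet ssh
"""

# Constructed sample: the same router brought in line with the policy.
HARDENED_CONFIG = """hostname BR-RTR-01
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no ip http server
no ip http secure-server
no cdp run
no ip source-route
ntp server 192.0.2.10
ip ssh version 2
snmp-server community Br4nch-R0-str1ng RO
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for num, msg in result:
            print(f"  line {num}: {msg}")
```

The check is pattern-based on the exported text, so it only sees what the running configuration prints: a feature that is disabled by default and therefore absent from the export is treated as compliant, which is why the required list (password encryption, NTP, SSH v2) is checked for presence rather than absence. A non-default SNMPv2c community string passes this lint, but the policy's "most secure version allowed" clause points at SNMPv3 where the device and the management system support it.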

b. Remote access tools Policy

Overview
Remote desktop software, also known as remote access tools, provides a way for
computer users and support staff alike to share screens, access work computer
systems from home, and vice versa. Examples of such software include LogMeIn,
GoToMyPC, TeamViewer, Ammyy Admin, VNC (Virtual Network Computing), and
Windows Remote Desktop (RDP).

While these tools can save significant time and money by eliminating travel and
enabling collaboration, they also provide a back door into the Bank’s network
that can be used for theft of, unauthorized access to, or destruction of assets. As
a result, only approved, monitored, and properly controlled remote access tools
may be used on Bank’s computer systems with prior approval from the
competent authority of IT Department.

Purpose
This policy defines the requirements for remote access tools used at the Bank.
Scope
This policy applies to all remote access where either end of the communication
terminates at a Bank’s computer asset.

Policy
All remote access tools used to communicate between Bank’s assets and other
systems must comply with the following policy requirements.

a) All remote access tools or systems that allow communication to Bank resources
from the Internet or external partner systems must require multi-factor
authentication. Examples include authentication tokens and smart cards that
require an additional PIN or password.
b) The authentication database source must be Active Directory or LDAP, and the
authentication protocol must involve a challenge-response protocol that is not
susceptible to replay attacks. The remote access tool must mutually
authenticate both ends of the session.
c) Remote access tools must support the Bank’s application layer proxy rather than
direct connections through the perimeter firewall(s).
d) Remote access tools must support strong, end-to-end encryption of the remote
access communication channels as specified in the Bank’s network encryption
protocols policy.

All of the Bank’s antivirus, data loss prevention, and other security systems must
not be disabled, interfered with, or circumvented in any way.
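Requirement (b) above asks for a challenge-response exchange that is not susceptible to replay and that authenticates both ends of the session. The following Python sketch is an added example of such an exchange, not code from this policy or from any remote access product the Bank uses: the shared per-user secret, the nonces and the user identity are constructed sample data, and the `AUTH_DB` dictionary stands in for the Active Directory / LDAP lookup the policy requires. The second factor required by item (a) is outside this example.

```python
"""Mutual, replay-resistant challenge-response between a remote access client
and the Bank's remote access gateway.

Added example with constructed data: AUTH_DB stands in for a directory lookup
and holds a sample per-user secret; a real deployment would derive the key from
the directory-backed credential and add the second authentication factor.
"""
import hashlib
import hmac
import secrets

# Constructed directory stand-in: user id -> per-user secret key.
AUTH_DB = {
    "alice": bytes.fromhex("00112233445566778899aabbccddeeff"
                           "00112233445566778899aabbccddeeff"),
}


def _tag(key, *parts):
    """HMAC-SHA256 over length-prefixed parts, so parts cannot be re-split."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(4, "big"))
        mac.update(p)
    return mac.digest()


class Gateway:
    """Server side: issues single-use challenges and verifies client proofs."""

    def __init__(self, auth_db):
        self.auth_db = auth_db
        self.pending = {}          # user -> outstanding server nonce (consumed on use)

    def challenge(self, user):
        nonce = secrets.token_bytes(32)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, client_nonce, client_proof):
        """Return the server proof on success, None on failure.
        The server nonce is popped, so a replayed proof has nothing to match."""
        server_nonce = self.pending.pop(user, None)
        key = self.auth_db.get(user)
        if server_nonce is None or key is None:
            return None
        expected = _tag(key, b"client", user.encode(), server_nonce, client_nonce)
        if not hmac.compare_digest(expected, client_proof):
            return None
        # Mutual authentication: prove knowledge of the key over the client's nonce.
        return _tag(key, b"server", user.encode(), client_nonce, server_nonce)


class Client:
    def __init__(self, user, key):
        self.user, self.key = user, key
        self.nonce = self.server_nonce = None

    def respond(self, server_nonce):
        self.server_nonce = server_nonce
        self.nonce = secrets.token_bytes(32)        # fresh per session
        proof = _tag(self.key, b"client", self.user.encode(), server_nonce, self.nonce)
        return self.nonce, proof

    def check_server(self, server_proof):
        if server_proof is None:
            return False
        expected = _tag(self.key, b"server", self.user.encode(), self.nonce, self.server_nonce)
        return hmac.compare_digest(expected, server_proof)


def run_handshake(gateway, client):
    """Full exchange; returns (server_accepted, client_accepted, transcript)."""
    n_s = gateway.challenge(client.user)             # gateway -> client
    n_c, proof_c = client.respond(n_s)               # client -> gateway
    proof_s = gateway.verify(client.user, n_c, proof_c)  # gateway -> client
    return proof_s is not None, client.check_server(proof_s), (n_s, n_c, proof_c)


def replay_rejected(gateway, client):
    """Capture one transcript, open a new session and replay the old proof."""
    _, _, (_n_s, n_c, proof_c) = run_handshake(gateway, client)
    gateway.challenge(client.user)                   # new session, new server nonce
    return gateway.verify(client.user, n_c, proof_c) is None
```

The server nonce makes a captured client proof useless in any later session, the client nonce stops the gateway's proof from being replayed to a client, and both proofs are keyed on the same secret, so each side learns that the other holds it without the secret crossing the network.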

c. Wireless Communication Policy

With the mass explosion of Smart Phones and Tablets, pervasive wireless
connectivity is almost a given at any organization. Insecure wireless
configuration can provide an easy open door for malicious threat actors.

Purpose

The purpose of this policy is to secure and protect the information assets owned
by the Bank. Bank provides computer devices, networks, and other electronic
information systems to meet missions, goals, and initiatives. Bank grants access
to these resources as a privilege and must manage them responsibly to maintain
the confidentiality, integrity, and availability of all information assets.

Scope

All employees, contractors, consultants, temporary and other staff at the Bank,
including all personnel affiliated with third parties that maintain a wireless
infrastructure device on behalf of the Bank, must adhere to this policy. This policy
applies to all wireless infrastructure devices that connect to a Bank’s network or
reside on a Bank’s site and provide wireless connectivity to endpoint devices
including, but not limited to, laptops, desktops, cellular phones, and tablets. This
includes any form of wireless communication device capable of transmitting
packet data.

Policy
General Requirements:
All wireless infrastructure devices that reside at a Bank’s site and connect to a
Bank’s network, or provide access to information classified as Bank’s
Confidential, or above must:
 Abide by the standards specified in the Wireless Communication Standard.
 Be installed, supported, and maintained by an approved support team.
 Use Bank approved authentication protocols and infrastructure.
 Use Bank approved encryption protocols.
 Maintain a hardware address (MAC address) that can be registered and
tracked.
 Not interfere with wireless access deployments maintained by other support
organizations.

Lab and Isolated Wireless Device Requirements:

All lab wireless infrastructure devices that provide access to Bank’s Confidential
or above must adhere to the section above. Lab and isolated wireless devices
that do not provide general network connectivity to the Bank’s network must:
 Be isolated from the corporate network (that is it must not provide any
corporate connectivity) and comply with the Lab Security Policy.
 Not interfere with wireless access deployments maintained by other support
organizations.

Home Wireless Device Requirements

Wireless infrastructure devices that provide direct access to the Bank’s corporate
network, must conform to the Home Wireless Device Requirements as detailed
in the Wireless Communication Standard.
Wireless infrastructure devices that fail to conform to the Home Wireless Device
Requirements must be installed in a manner that prohibits direct access to the
Bank’s corporate network.

d. DNS Security Policy
Overview:

 The Bank shall adopt DNS security to protect its valuable IT assets rather than
just relying on a layered security approach, i.e., deploying multiple security
solutions like firewalls, secure web gateways, intrusion prevention systems,
end-point anti-virus solutions, etc. Even after such deployments, malicious actors
persist in gaining access to critical systems by exploiting security weaknesses. One
such gap is a vulnerable back-door access path: recursive DNS.
 DNS resolvers perform one function, i.e., they take a human-readable domain
name and find the corresponding IP address of the server where the resource is
located. The resolver either finds the IP address in its cache or uses a recursive
DNS server to reach through a hierarchy of DNS name servers and authoritative
DNS servers. By implementing a DNS-based security solution, the Bank will no
longer resolve these DNS requests blindly.
 The DNS-based security solution will act as the Bank’s enterprise DNS server. It
will check domain names against comprehensive, up-to-date threat intelligence
before resolving the IP address.

Policy

The Bank shall adopt a DNS-based security solution and put in place a mechanism
to continuously verify up-to-date threat intelligence before resolving the IP address
for the requestor. Nothing shall be treated as an “insider” while configuring the
DNS-based security solution.

The threat intelligence of the Bank’s DNS-based security solution shall be able to:

 Deliver intelligence that focuses on threats that are current and relevant.
 Draw from a broad and comprehensive volume of DNS and IP traffic so it
is able to quickly identify global threat trends and detect threats before
they are widely active.
 Differentiate between dedicated domains that have been created
specifically for malicious use and legitimate domains that have been
compromised.
 Provide a very low rate of false-positive security alerts so that the Bank’s
security team isn’t wasting time and effort investigating them.
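The decision an enterprise DNS security layer makes for each query can be shown in a few lines. The following Python code is an added example and not part of this policy or of any DNS security product: the threat feed entries, the upstream answers, the clock value and the sinkhole address are all constructed. It shows two of the properties listed above in working form: expired entries are ignored so that only current intelligence produces alerts, and a "dedicated" malicious domain is blocked together with all of its subdomains while a "compromised" legitimate site is blocked only for the listed host, which keeps false positives on the rest of that organisation's domain down.

```python
"""Protective-DNS decision logic: check a query against threat intelligence
before resolving it.

Added example with constructed data: FEED, UPSTREAM, NOW and SINKHOLE_IP are
samples. A real deployment would consume a vendor feed and forward allowed
queries to real recursive resolvers.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ThreatEntry:
    domain: str          # lower-case, no trailing dot
    kind: str            # "dedicated" (built for abuse) or "compromised" (legitimate site)
    expires: datetime    # ignored after this, so stale intelligence does not alert


SINKHOLE_IP = "192.0.2.53"                        # constructed; documentation range
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)   # constructed clock for the sample

# Constructed feed entries.
FEED = [
    ThreatEntry("bad-updates.example", "dedicated", NOW + timedelta(days=7)),
    ThreatEntry("cdn.legit-shop.example", "compromised", NOW + timedelta(days=2)),
    ThreatEntry("old-threat.example", "dedicated", NOW - timedelta(days=1)),   # expired
]

# Constructed upstream answers standing in for the recursive resolver.
UPSTREAM = {
    "www.abcbank.example": "198.51.100.10",
    "bad-updates.example": "203.0.113.5",
    "dl.bad-updates.example": "203.0.113.6",
    "cdn.legit-shop.example": "203.0.113.7",
    "www.legit-shop.example": "198.51.100.20",
    "old-threat.example": "203.0.113.9",
}


def normalize(name):
    return name.rstrip(".").lower()


def match(name, feed, now):
    """Return the ThreatEntry that blocks `name`, or None."""
    name = normalize(name)
    for entry in feed:
        if entry.expires <= now:
            continue                      # stale intelligence must not generate alerts
        if entry.kind == "dedicated":
            # Purpose-built malicious domain: block it and every subdomain.
            if name == entry.domain or name.endswith("." + entry.domain):
                return entry
        elif name == entry.domain:
            # Compromised legitimate site: block only the listed host so the rest
            # of that organisation's domain keeps resolving.
            return entry
    return None


def resolve(name, feed=FEED, upstream=UPSTREAM, now=NOW):
    """Return (ip, verdict, reason). Blocked names get the sinkhole address so
    the client connects nowhere useful and the event can be logged."""
    hit = match(name, feed, now)
    if hit is not None:
        return SINKHOLE_IP, "blocked", f"{hit.kind}:{hit.domain}"
    ip = upstream.get(normalize(name))
    if ip is None:
        return None, "nxdomain", "no upstream answer"
    return ip, "allowed", "not in threat intelligence"


if __name__ == "__main__":
    for q in ("www.abcbank.example", "dl.bad-updates.example",
              "www.legit-shop.example", "old-threat.example"):
        print(q, resolve(q))
```

Returning a sinkhole address rather than a refusal is a deliberate choice: the client gets an answer, and the connection attempt to the sinkhole gives the security team a clean record of which host tried to reach which blocked domain.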

Cyber Risk Associated

 The biggest cyber security risk is associated with poor management of the
network architecture and its related orchestration. Any back-door gap is
vulnerable to a major cyber-attack on the organization, and the Bank’s
reputational risk will be very high.
 Network communication channels, their related devices/appliances, routers,
switches, firewalls, perimeter security mechanisms and layered security
mechanisms shall be under continuous surveillance and monitoring by a team
with expertise in the network domain.

Policy Compliance

 Compliance Measurement
The IT Department team will verify compliance to this policy through
various methods, including but not limited to, business tool reports,
internal and external audits, and feedback to the policy owner.

 Exceptions
Any exception to the policy must be approved by the DGM, IT Department
in advance.

 Non-Compliance
An employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.

8. Secure Configuration Management

SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1007
2 Name of the Policy Secure Configuration Management
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders Information Technology Department Officials, Network
Administrator, Communication Service Management
Officials, Infrastructure Management officials.
6 Revision History

Overview

Cyber security is risk management; yes it is, but this risk management ends up
with the answers to the questions regarding Configuration Management.
Configuration Management is the detailed recording and updating of information
that describes hardware and software. It consists of an inventory of authorized
and unauthorized devices, secure configuration of hardware and software, and
controlled use of administrative privileges.

Purpose

This policy sets forth the guidelines for ensuring secure configuration
management practices within the Bank. The Bank shall ensure these practices are
in place to reduce the risk of cyber threats due to malicious changes in the
configuration of the devices operational for the business. Moreover, good
configuration management practices reduce the downtime in case of a
compromise by an intruder.

Scope

The policy specifically mandates Security Professionals, Network and System
Administrators, the CIO, CTO and Head of the IT Department, and officials of the
IT Department of the Bank, and covers the IT assets and devices responsible for
the critical and non-critical IT infrastructure of the Bank.

Policy

Configuration management practices shall be put in place for all hardware and
software components, all of the Bank’s cyber space, and all critical and
non-critical IT infrastructure operational at the Bank. The practices shall be
reviewed at periodic intervals for correctness.

The Bank shall adopt standard secure configuration management practices and
create a repository for all the components described in this policy. User
privileges on that repository shall be assigned carefully so that only
authorized officials, specifically the Head of the IT Department / CIO / CTO,
can access it, and the mechanism put in place shall be under complete control,
with every access and change recorded by event management log practices.

The Bank may use standard applications authorized by the OEM companies to
ensure secure configuration management.
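As an added example (not the Bank’s own tooling and not part of the original policy text), the following Python script shows what the repository and the periodic correctness review above amount to in practice: a baseline of approved configuration digests, a check that reports every deployed configuration that differs from the baseline without a matching approved change record, and a step that rolls approved changes into the next baseline. The artefact names, digests and change records are constructed sample data; the collector that gathers live configurations from the devices is assumed.

```python
"""Configuration baseline and drift check.

Added example, not the Bank's own tooling. The repository the policy calls for
is modelled as a dictionary of artefact name -> SHA-256 digest recorded when the
configuration was approved. A collector job (assumed) gathers the current
artefacts; anything that differs from the baseline and is not explained by an
approved change record is reported as drift. All data below is constructed."""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List


def digest(content: bytes) -> str:
    """SHA-256 of a configuration artefact; the repository stores only these."""
    return hashlib.sha256(content).hexdigest()


# Constructed baseline approved by the Head of IT / CIO (example data).
BASELINE: Dict[str, str] = {
    "fw-edge-01/running-config": digest(b"hostname fw-edge-01\ndeny ip any any\n"),
    "web-01/sshd_config": digest(b"PermitRootLogin no\nPasswordAuthentication no\n"),
    "db-01/my.cnf": digest(b"[mysqld]\nbind-address=10.0.5.10\n"),
}

# Constructed approved change records: artefact -> digest the change was approved to produce.
APPROVED_CHANGES: Dict[str, str] = {
    "fw-edge-01/running-config": digest(
        b"hostname fw-edge-01\npermit tcp 10.0.0.0/8 any eq 443\ndeny ip any any\n"
    ),
}

# Constructed current state as gathered from the devices by the (assumed) collector.
CURRENT: Dict[str, str] = {
    "fw-edge-01/running-config": digest(b"hostname fw-edge-01\npermit ip any any\n"),  # unapproved change
    "web-01/sshd_config": digest(b"PermitRootLogin no\nPasswordAuthentication no\n"),  # unchanged
    "app-02/nginx.conf": digest(b"server { listen 80; }\n"),  # never baselined
    # "db-01/my.cnf" is absent: the collector could not read it
}


@dataclass(frozen=True)
class Finding:
    artefact: str
    kind: str      # "modified", "missing" or "unbaselined"
    detail: str


def check_drift(baseline: Dict[str, str], current: Dict[str, str],
                approved: Dict[str, str]) -> List[Finding]:
    """Compare the deployed state with the approved baseline.

    A changed artefact is accepted only if its digest is exactly the one an
    approved change record says it should have; any other difference is drift."""
    findings: List[Finding] = []
    for name, expected in sorted(baseline.items()):
        if name not in current:
            findings.append(Finding(name, "missing",
                                    "artefact not collected; verify the device and its reachability"))
            continue
        actual = current[name]
        if actual == expected or approved.get(name) == actual:
            continue
        findings.append(Finding(name, "modified",
                                f"digest {actual[:12]} differs from baseline {expected[:12]} "
                                "and matches no approved change"))
    for name in sorted(set(current) - set(baseline)):
        findings.append(Finding(name, "unbaselined",
                                "no approved baseline exists for this artefact"))
    return findings


def promote_approved(baseline: Dict[str, str], current: Dict[str, str],
                     approved: Dict[str, str]) -> Dict[str, str]:
    """Return a new baseline in which approved changes that are now deployed replace the old digest."""
    updated = dict(baseline)
    for name, wanted in approved.items():
        if current.get(name) == wanted:
            updated[name] = wanted
    return updated


if __name__ == "__main__":
    for f in check_drift(BASELINE, CURRENT, APPROVED_CHANGES):
        print(json.dumps(asdict(f)))
```

Only digests are kept in the repository, so the repository itself never holds firewall rules or credentials; the reviewer still fetches the artefact from the device to see what changed. An artefact that matches an approved change record is accepted once and then promoted into the next baseline, so the same change is not re-approved on every run.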

Cyber Risks Associated

 Poor configuration management practices will lead to compromise of critical
and non-critical IT infrastructure and open space for cyber threats to the
Bank.
 It will be easy for an intruder to access and change the configuration of
production systems, resulting in erroneous results or behavior of those
systems.
 Recovery time / downtime of the production system will increase while the
required configuration is restored to its original state, resulting in
financial loss and lost business opportunity for the Bank.
 The reputation of the Bank will be at stake.

Policy Compliance

 Compliance Measurement
The IT Department team will verify compliance to this policy through
various methods, including but not limited to, business tool reports,
internal and external audits, and feedback to the policy owner.

 Exceptions
Any exception to the policy must be approved by the DGM, IT Department
in advance.

 Non-Compliance
An employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.

9. Operating System and Patch Management

SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1008
2 Name of the Policy Operating System and Patch Management
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders Information Technology Department Officials, Network
Administrator, System Administrator, IT Infrastructure
Management officials.
6 Revision History

Overview

Operating system and patch management practices ensure uninterrupted service on
the critical production systems responsible for the business operations of the
Bank. Patch management is not an event; it is a process for identifying,
acquiring, installing, and verifying patches for the operating system and the
other software that resides on it. Patches correct security and functionality
bugs in the software and firmware of a server and its operating system. From a
security perspective, patches are most often of interest because they mitigate
software flaw vulnerabilities. Proper application of the relevant patches
removes the known vulnerabilities they address and reduces the risk of
exploitation.

Purpose

This policy sets forth the procedure to be adopted for technical vulnerability
and patch management.

Scope

All critical and non-critical systems operational for production and
non-production activities in the Bank.

Policy

All systems, i.e., production and non-production systems, shall be regularly
scanned for vulnerabilities, and the patches released by the OEM company shall
be identified for the operating system running on servers, desktop systems,
laptops, SAN/NAS/storage systems, network devices, security
devices/appliances, firewalls, load balancers, web application servers, core
application servers and all other software and hardware components deployed in
the IT infrastructure of the Bank.

All vendor updates shall be assessed for criticality and applied at least
monthly. Critical updates shall be applied as quickly as possible.
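The assessment step above can be made measurable. The following Python script, an added example rather than the Bank’s own procedure, takes vendor advisories with a severity and release date plus each host’s install record, and classifies every host/advisory pair against the windows in this policy. "As quickly as possible" for critical updates is modelled as 7 days, which is an assumption; the monthly cycle is 30 days. The advisories and host records are constructed.

```python
"""Patch SLA evaluation.

Added example, not the Bank's own tooling. Vendor advisories carry a severity
and release date; each host records when (if ever) it installed the fix. The
policy's windows are modelled as: critical "as quickly as possible", taken here
as 7 days (an assumption), everything else within the monthly cycle (30 days).
All advisories and host records below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumption: days allowed from vendor release to installation, by severity.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 30, "low": 30}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    severity: str
    released: date


@dataclass(frozen=True)
class HostPatchState:
    host: str
    advisory_id: str
    installed: Optional[date]   # None means the fix is still missing


@dataclass(frozen=True)
class PatchFinding:
    host: str
    advisory_id: str
    status: str        # "compliant", "pending", "installed-late", "missing-overdue"
    days_over: int


def deadline(adv: Advisory) -> date:
    return adv.released + timedelta(days=SLA_DAYS[adv.severity.lower()])


def evaluate(advisories: List[Advisory], states: List[HostPatchState],
             today: date) -> List[PatchFinding]:
    """Classify each host/advisory record against its deadline as of `today`."""
    by_id = {a.advisory_id: a for a in advisories}
    out: List[PatchFinding] = []
    for s in states:
        due = deadline(by_id[s.advisory_id])
        if s.installed is not None:
            late = (s.installed - due).days
            status = "compliant" if late <= 0 else "installed-late"
            out.append(PatchFinding(s.host, s.advisory_id, status, max(late, 0)))
        elif today > due:
            out.append(PatchFinding(s.host, s.advisory_id, "missing-overdue", (today - due).days))
        else:
            out.append(PatchFinding(s.host, s.advisory_id, "pending", 0))
    return out


def overdue_hosts(findings: List[PatchFinding]) -> List[Tuple[str, str, int]]:
    """Hosts that need escalation: fixes still missing past their deadline, worst first."""
    hits = [(f.host, f.advisory_id, f.days_over) for f in findings if f.status == "missing-overdue"]
    return sorted(hits, key=lambda h: -h[2])


# Constructed sample data.
ADVISORIES = [
    Advisory("ADV-2018-001", "critical", date(2018, 9, 10)),   # due 2018-09-17
    Advisory("ADV-2018-002", "medium", date(2018, 8, 20)),     # due 2018-09-19
    Advisory("ADV-2018-003", "high", date(2018, 9, 25)),       # due 2018-10-25
]
STATES = [
    HostPatchState("core-app-01", "ADV-2018-001", date(2018, 9, 15)),
    HostPatchState("core-app-02", "ADV-2018-001", None),
    HostPatchState("web-01", "ADV-2018-002", date(2018, 9, 25)),
    HostPatchState("web-01", "ADV-2018-003", None),
]
REPORT_DATE = date(2018, 9, 30)

if __name__ == "__main__":
    for f in evaluate(ADVISORIES, STATES, REPORT_DATE):
        print(f)
```

"Installed-late" findings matter as much as missing ones for compliance measurement: they show the process ran, but outside its window, and they feed the trend the DGM, IT Department should see before granting an exception.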

Cyber Risks Associated

 Without effective vulnerability and patch management there is a risk of
system unavailability. This can be caused by viruses or malware exploiting the
systems, or by out-of-date operating system patches and drivers making systems
unstable and susceptible to cyber threats.
 Without regular vulnerability scanning and patching, the information
technology infrastructure could fall foul of problems that can be fixed by
regularly updating operating system patches, firmware patches, drivers etc.
across the cyber space (all the systems) operational at the Bank.
 The Bank shall take immediate steps to apply the security-related patches
released by the OEM company before exploitation affects the systems
operational at the Bank.

Policy Compliance

 Compliance Measurement
The IT Department team will verify compliance to this policy through
various methods, including but not limited to, business tool reports,
internal and external audits, and feedback to the policy owner.

 Exceptions
Any exception to the policy must be approved by the DGM, IT Department
in advance.

 Non-Compliance
An employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
10. End Point Security

SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1009
2 Name of the Policy End Point Security
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All Staff of the Bank, Information Technology
Department Officials, Network Administrator, System
Administrator, IT Infrastructure Management officials,
Management executives those are system users.
6 Revision History

Overview

The objective of this policy is to reduce the cyber security risks associated
with end-points, i.e., the users’ desktop / laptop systems used for business
operations. Unsecured end-points, or end-points without anti-virus protection,
may allow information to leave the organization and be used by intruders /
cyber criminals to plan a cyber-attack on the Bank.

Purpose

The purpose of this policy is to regulate the protection of the Bank’s business
information / production applications when accessed through desktops, laptops,
mobile devices or similar. This policy seeks to limit security threats by:

 Ensuring staff are aware of the requirements and restrictions around
end-point devices.
 Enabling protective measures and controls to manage end-point security and
software compliance risks.

Scope

This policy is applicable to all the end-points connected to the Bank’s network for
accessing the information / being used for business operations.

Policy

All staff members are responsible for ensuring that:

 All care is taken to prevent unintended exposure, modification or removal of
private, copyright or confidential information as a result of leaving the
information on the desktop screen or desk, or exposing it in a way that lets an
unauthorized individual view or access it. This includes information stored on
portable storage media or hard drives.
 Any private or confidential information stored on such an end-point has the
appropriate security controls to restrict and prevent retrieval or interception
by an unauthorized third party.
 End-point software / business applications are updated regularly and the
software vendors are still providing security patches for them.
 Up-to-date anti-virus applications are installed on all end-points, set to
update automatically from the central mechanism / OEM facility, and restarted
where needed to complete the installation.
 Critical security patches provided by the OEM vendors are applied on a weekly
basis.
 End-point systems are restarted after installation / update of security
patches.
 Operating systems that have reached end of support are not connected to the
corporate network of the Bank for business operations.
 End-point management software or anti-virus software is not removed without
prior approval from the competent authority; doing so is treated as a breach of
this policy.
 Unnecessary administrative privileges on the end-point are restricted by
applying an appropriate mechanism.
 All end-points capable of running anti-virus programs run them before being
connected to the corporate network of the Bank.
 Exemptions to this policy are formally requested from the competent
authority, and approval is obtained before the end-point is connected to the
Bank’s network.
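The requirements above are the kind of checks a network access control or end-point management system evaluates before admitting a device. The following Python script is an added example (not the Bank’s tooling) of that decision: it quarantines an end-point that fails any of the policy’s conditions unless a formal exemption is recorded. The end-of-support list, the 3-day signature age limit, the local administrator allow-list and the fleet records are constructed; the weekly critical patch window comes from the policy.

```python
"""End-point pre-connection compliance check.

Added example, not the Bank's own tooling. Models the checks a network access
control or end-point management system would run before a desktop or laptop is
admitted to the corporate network, using the requirements in this policy. The
thresholds marked as assumptions and all end-point records are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

END_OF_SUPPORT = {"Windows XP", "Windows 7", "Windows Server 2003"}   # constructed list
MAX_SIGNATURE_AGE_DAYS = 3          # assumption: anti-virus definitions older than this are stale
CRITICAL_PATCH_WINDOW_DAYS = 7      # policy: critical patches applied weekly
ALLOWED_LOCAL_ADMINS = {"Administrator", "ITSupport"}   # constructed allow-list


@dataclass
class Endpoint:
    hostname: str
    os_name: str
    av_installed: bool
    av_running: bool
    av_signature_date: Optional[date]
    mgmt_agent_present: bool
    oldest_pending_critical: Optional[date]  # release date of the oldest critical patch not yet installed
    reboot_pending: bool
    local_admins: List[str] = field(default_factory=list)
    exemption_approved: bool = False   # formal exemption from the competent authority


def evaluate_endpoint(ep: Endpoint, today: date) -> Tuple[str, List[str]]:
    """Return ("allow" | "allow-with-exemption" | "quarantine", reasons)."""
    reasons: List[str] = []
    if ep.os_name in END_OF_SUPPORT:
        reasons.append(f"operating system out of support: {ep.os_name}")
    if not (ep.av_installed and ep.av_running):
        reasons.append("anti-virus not installed or not running")
    elif ep.av_signature_date is None or (today - ep.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append("anti-virus signatures stale")
    if not ep.mgmt_agent_present:
        reasons.append("end-point management agent missing")
    if ep.oldest_pending_critical is not None and \
            (today - ep.oldest_pending_critical).days > CRITICAL_PATCH_WINDOW_DAYS:
        reasons.append("critical patch pending beyond the weekly window")
    if ep.reboot_pending:
        reasons.append("restart required to complete patch installation")
    extra = sorted(set(ep.local_admins) - ALLOWED_LOCAL_ADMINS)
    if extra:
        reasons.append("unexpected local administrators: " + ", ".join(extra))
    if not reasons:
        return "allow", []
    if ep.exemption_approved:
        return "allow-with-exemption", reasons
    return "quarantine", reasons


def admission_report(endpoints: List[Endpoint], today: date) -> Dict[str, Tuple[str, List[str]]]:
    """Decision per hostname, as a NAC policy server would log it."""
    return {ep.hostname: evaluate_endpoint(ep, today) for ep in endpoints}


# Constructed fleet records (example data).
FLEET = [
    Endpoint("BR01-PC-001", "Windows 10", True, True, date(2018, 9, 29), True, None, False, ["Administrator"]),
    Endpoint("BR01-PC-002", "Windows XP", False, False, None, False, date(2018, 9, 1), False,
             ["Administrator", "teller2"]),
    Endpoint("HO-LT-017", "Windows 10", True, True, date(2018, 9, 20), True, date(2018, 9, 27), True, []),
    Endpoint("ATM-KIOSK-03", "Windows 7", True, True, date(2018, 9, 30), True, None, False, [],
             exemption_approved=True),
]
TODAY = date(2018, 9, 30)

if __name__ == "__main__":
    for host, (decision, why) in admission_report(FLEET, TODAY).items():
        print(host, decision, "; ".join(why))
```

An approved exemption does not silence the findings: the device is admitted, but every failed condition is still recorded, so the exemption can be reviewed against what it actually covers.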

Cyber Security Risk Associated

 Poor end-point management may expose information to unauthorized individuals
and create scope for theft of information through the installation of
unauthorized software / pieces of code.
 An employee’s unawareness of this policy may result in leakage of information
to an unauthorized individual, and the employee may then claim to be unaware of
the policy. A written acknowledgement signed by every employee is therefore
recommended.

Policy Compliance

 Compliance Measurement
The IT Department team will verify compliance to this policy through
various methods, including but not limited to, business tool reports,
internal and external audits, and feedback to the policy owner.

 Exceptions
Any exception to the policy must be approved by the DGM, IT Department
in advance.

 Non-Compliance
An employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.

11. User Access Right - Control / Management

SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1010
2 Name of the Policy User Access Right - Control / Management
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All Staff of the Bank, Information Technology
Department Officials, Network Administrator, System
Administrator, IT Infrastructure Management officials,
Management executives those are system users.
6 Revision History

Overview

User rights management is a security function that controls which resources (e.g.
assets, applications, data, devices, files, networks, and systems) a user can
access and what actions a user can perform on those resources. It typically
entails creating a rights profile that grants privileges to access specific
resources and perform particular actions; creating groups and/or roles; assigning
groups or roles to a particular rights profile; assigning individual users to one
or more groups; and adding, updating or deleting profiles, groups, roles or users.

Purpose

This policy sets forth the guidelines for user rights management: access to a
particular piece of information, data, file, application suite, application,
software program, operating system program, configuration, document, stored
procedure, repository, critical information, information classification, database
record, business application, business function or profile function available or
operational within the Bank. This policy also applies user management to the
third-party sites connected to the corporate network of the Bank, DR sites,
near-DR locations, and external / internal storage systems.

Scope

This policy is applicable to all users / groups of users / profiles / individuals
accessing information, business information or transaction information, who are
operational / active in the Bank.

Policy

Protecting IT systems and applications is critical to maintaining the integrity
of the Bank’s technology infrastructure and preventing unauthorized access to
such resources.

Access to the Bank’s systems must be restricted to authorized users and
processes only, based on the principles of need to know and least privilege.

The Bank will grant access privileges to the Bank’s technology infrastructure
(desktops, laptops, servers, applications, databases, networks, mobile devices,
IT infrastructure management systems, control systems, surveillance and
vigilance systems, identity and access management systems) based on the
following principles:

Need to Know – users or resources will be granted access only to the systems
that are necessary to fulfill their roles and responsibilities.

Least Privilege – users or resources will be provided the minimum privileges
necessary to fulfill their roles and responsibilities.

 Existing user accounts and access rights will be reviewed at least annually
to detect dormant accounts and accounts with excessive privileges.
 All user accounts and their access rights and granted privileges for usage of
the systems shall be documented and approved by the competent authority of
the Bank.
 Where possible, all default accounts will be disabled or renamed. These
accounts include “Guest”, “Temp”, ”Default Admin” and any other commonly
known users / user groups.
 Test accounts are only created if they are justified by the relevant
business area. Such test accounts will be disabled or suspended once the
relevant test exercise for which the user or group of users was created is
complete.
 Vendor accounts created for a specific access / troubleshooting purpose will
be deleted immediately after completion of the task.
 Access rights shall differ by demilitarized zone: no user / profile in the
Test Zone shall share rights or a user name with one in the Production Zone.
 Shared user accounts are only to be used on an exception basis with proper
approval from the competent authority in the Bank.
 A nominative, individual privileged user account must be created for each
administrator instead of generic administrator account names.
 Privileged user accounts can only be requested by managers or supervisors and
must be appropriately approved.
 Passwords shall be handled according to the password policy.
 All exceptions to this policy shall be formally documented and approved by
the competent authority.
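The checks above can be automated against an export of the user directory. The following Python script is an added example (not the Bank’s own access review tooling) that flags, for each account, dormancy, enabled default accounts, vendor and test accounts that have outlived their task, shared and privileged accounts lacking approval, generic administrator names, and privileges beyond what the holder’s role needs. The 90-day dormancy threshold and the role entitlement map are assumptions; the account records are constructed.

```python
"""User access review.

Added example, not the Bank's own tooling. Runs the checks this policy asks for
over an export of user accounts: dormant accounts, well-known default accounts
left enabled, test and vendor accounts past their purpose, shared accounts and
privileged accounts without approval, generic (non-nominative) administrator
names, and privileges beyond what the holder's role needs. The dormancy
threshold is an assumption; the role entitlement map and all account records
are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

DORMANT_DAYS = 90    # assumption: no login for this long counts as dormant
DEFAULT_ACCOUNTS = {"guest", "temp", "administrator", "admin", "root", "sa", "test"}
GENERIC_ADMIN_NAMES = {"admin", "sysadmin", "dbadmin", "root", "administrator"}

# Constructed need-to-know map: role -> privileges that role may hold.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "teller": {"cbs.teller"},
    "branch-manager": {"cbs.teller", "cbs.authorise"},
    "dba": {"db.read", "db.admin"},
    "sysadmin": {"os.admin"},
}


@dataclass
class Account:
    username: str
    kind: str                    # "user", "privileged", "shared", "vendor", "test"
    role: Optional[str]
    enabled: bool
    last_login: Optional[date]
    expires: Optional[date] = None       # for vendor/test accounts: end of the task
    approved_by: Optional[str] = None
    privileges: List[str] = field(default_factory=list)


def review_account(acc: Account, today: date) -> List[str]:
    """All policy issues found on one account, in a fixed order."""
    issues: List[str] = []
    name = acc.username.lower()
    if acc.enabled and name in DEFAULT_ACCOUNTS:
        issues.append("default account still enabled")
    if acc.enabled and (acc.last_login is None or (today - acc.last_login).days > DORMANT_DAYS):
        issues.append("dormant")
    if acc.kind in ("vendor", "test") and acc.enabled and acc.expires is not None and acc.expires < today:
        issues.append(f"{acc.kind} account not removed after task end")
    if acc.kind == "shared" and not acc.approved_by:
        issues.append("shared account without approval")
    if acc.kind == "privileged":
        if not acc.approved_by:
            issues.append("privileged account without approval")
        if name in GENERIC_ADMIN_NAMES:
            issues.append("generic administrator name; nominative account required")
    allowed = ROLE_ENTITLEMENTS.get(acc.role or "", set())
    excess = sorted(set(acc.privileges) - allowed)
    if excess:
        issues.append("privileges beyond role: " + ", ".join(excess))
    return issues


def review(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map of username -> issues, containing only accounts that need attention."""
    out: Dict[str, List[str]] = {}
    for acc in accounts:
        found = review_account(acc, today)
        if found:
            out[acc.username] = found
    return out


# Constructed directory export (example data).
ACCOUNTS = [
    Account("r.sharma", "user", "teller", True, date(2018, 9, 28), privileges=["cbs.teller"]),
    Account("m.iyer", "user", "teller", True, date(2018, 3, 2), privileges=["cbs.teller", "cbs.authorise"]),
    Account("Guest", "user", None, True, None),
    Account("vendor-cbs-2018-07", "vendor", None, True, date(2018, 7, 20), expires=date(2018, 7, 21)),
    Account("admin", "privileged", "sysadmin", True, date(2018, 9, 29), privileges=["os.admin"]),
    Account("adm-k.nair", "privileged", "sysadmin", True, date(2018, 9, 29), approved_by="DGM-IT",
            privileges=["os.admin"]),
    Account("branch07-counter", "shared", "teller", True, date(2018, 9, 30), privileges=["cbs.teller"]),
    Account("uat-tester-3", "test", None, False, date(2018, 8, 1), expires=date(2018, 8, 15)),
]
TODAY = date(2018, 9, 30)

if __name__ == "__main__":
    for user, issues in review(ACCOUNTS, TODAY).items():
        print(user, "->", "; ".join(issues))
```

A disabled account is deliberately not reported as dormant or expired: disabling is the remediation the policy asks for, and reporting it again would bury the accounts that still need action.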

Cyber Security Risks Associated

 An IT establishment in the Bank where a user rights management and control
mechanism is not operational / put in place is vulnerable to cyber threats.
 If an intruder gains access to the Bank’s IT infrastructure, the first target
is to obtain access rights to all other systems. Poor management of access
rights / privileges will lead to a disastrous scenario, and all users must be
aware of this risk.
 Any granted exception to this policy is susceptible to cyber-attack.
 Violation of this policy may result in leakage of customer information /
transaction information out of the organization, or its access by an intruder /
cyber-criminal.

Policy Compliance

 Compliance Measurement
The IT Department team will verify compliance to this policy through
various methods, including but not limited to, business tool reports,
internal and external audits, and feedback to the policy owner.

 Exceptions
Any exception to the policy must be approved by the DGM, IT Department
in advance.

 Non-Compliance
An employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.

12. Secure email and Messaging System

SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1011
2 Name of the Policy Secure email and Messaging System
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All Staff of the Bank to whom email facility is provided
by the Bank irrespective of his profile in the Bank.
Management officials (Senior Management, Board of
Directors) to whom an email facility is provided by the
Bank
6 Revision History

Overview

Electronic mail is used pervasively in almost all industry verticals and is
often the primary communication and awareness method within an organization. At
the same time, misuse of email can pose many legal, privacy and security risks,
so it is important for users to understand the appropriate use of electronic
communications.

Purpose

The purpose of this email policy is to ensure the proper use of Bank’s email
system and make users aware of what Bank deems as acceptable and
unacceptable use of its email system. This policy outlines the minimum
requirements for use of email within Bank’s Network.

Scope

This policy covers appropriate use of any email sent from a Bank’s email address
and applies to all employees, vendors, and agents operating on behalf of the
Bank.

Policy

 All use of email must be consistent with the Bank’s policies and procedures
on ethical conduct, safety, compliance with applicable laws and proper
business practices.
 The Bank’s email account should be used primarily for the Bank’s
business-related purposes; personal communication is permitted on a limited
basis, but non-Bank-related commercial uses are prohibited.
 All Bank data contained within an email message or an attachment must be
secured according to the Data Protection Standard.
 Email should be retained only if it qualifies as a Bank business record.
Email is a Bank business record if there exists a legitimate and ongoing
business reason to preserve the information contained in it.
 Email that is identified as a Bank business record shall be retained
according to the Bank’s Record Retention Schedule.
 The Bank’s email system shall not be used for the creation or distribution
of any disruptive or offensive messages, including offensive comments about
race, gender, hair color, disabilities, age, sexual orientation, pornography,
religious beliefs and practice, political beliefs, or national origin.
Employees who receive any emails with this content from any Bank employee
should report the matter to their supervisor immediately.
 Users are prohibited from automatically forwarding Bank email to a
third-party email system. Individual messages forwarded by the user must not
contain Bank information classified Confidential or above.
 Users are prohibited from using third-party email systems and storage
servers such as Google, Yahoo, MSN Hotmail etc. to conduct Bank business, to
create or memorialize any binding transactions, or to store or retain email on
behalf of the Bank. Such communications and transactions should be conducted
through proper channels using Bank-approved documentation.
 Using a reasonable amount of the Bank’s resources for personal emails is
acceptable, but non-work-related email shall be saved in a separate folder
from work-related email. Sending chain letters or joke emails from a Bank
email account is prohibited.
 Bank employees shall have no expectation of privacy in anything they store,
send or receive on the Bank’s email system.
 Opening an email that does not match the purpose of the user’s profile or
business, or any other unknown email, is a serious concern under this policy.
Such emails are how phishing attempts by an intruder / cyber-criminal arrive,
and a phishing attack is typically the intruder’s first attempt to gain access
to the Bank’s IT infrastructure.
 The Bank may monitor messages without prior notice. The Bank is not obliged
to monitor email messages.
 Storing credentials in a mail is strictly prohibited.
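Two of the restrictions above, no automatic forwarding to third-party email systems and no forwarding of Confidential-or-above information outside the Bank, can be checked from the mail platform’s rule and message logs. The following Python script is an added example (not the Bank’s mail system or its tooling) that audits both. The Bank’s internal domains and the order of classification labels are assumptions; an unrecognized label is treated as the highest classification so that a mislabelled message fails closed. The rules and messages are constructed.

```python
"""Mail forwarding audit.

Added example, not the Bank's own tooling. Two checks from this policy: mailbox
rules that automatically forward or redirect mail to an address outside the
Bank's domains, and individual forwarded messages that carry Bank information
classified Confidential or above to an external recipient. The Bank's internal
domains and classification labels are assumptions; the rules and messages are
constructed."""
from dataclasses import dataclass, field
from typing import List, Tuple

INTERNAL_DOMAINS = {"abcbank.example", "mail.abcbank.example"}      # assumption
# Assumption about the Bank's classification scheme, lowest to highest.
CLASSIFICATION_ORDER = ["public", "internal", "confidential", "restricted"]
BLOCK_FROM = "confidential"   # policy: "confidential or above" must not leave the Bank


def is_external(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS


def at_least(label: str, threshold: str) -> bool:
    """True if label is at or above threshold; unknown labels rank highest (fail closed)."""
    order = CLASSIFICATION_ORDER
    rank = order.index(label.lower()) if label.lower() in order else len(order)
    return rank >= order.index(threshold)


@dataclass
class MailboxRule:
    mailbox: str
    name: str
    forward_to: List[str] = field(default_factory=list)
    enabled: bool = True


@dataclass
class OutboundMessage:
    sender: str
    recipients: List[str]
    subject: str
    classification: str
    is_forward: bool


def audit_rules(rules: List[MailboxRule]) -> List[Tuple[str, str, str]]:
    """(mailbox, rule name, external address) for every enabled rule that auto-forwards outside the Bank."""
    hits: List[Tuple[str, str, str]] = []
    for r in rules:
        if not r.enabled:
            continue
        for addr in r.forward_to:
            if is_external(addr):
                hits.append((r.mailbox, r.name, addr))
    return hits


def audit_messages(msgs: List[OutboundMessage]) -> List[Tuple[str, str, str]]:
    """(sender, subject, external recipient) for forwarded messages classified Confidential or above."""
    hits: List[Tuple[str, str, str]] = []
    for m in msgs:
        if not m.is_forward or not at_least(m.classification, BLOCK_FROM):
            continue
        for rcpt in m.recipients:
            if is_external(rcpt):
                hits.append((m.sender, m.subject, rcpt))
    return hits


# Constructed rule and message logs (example data).
RULES = [
    MailboxRule("a.patel@abcbank.example", "Copy to phone", ["a.patel.personal@gmail.example"]),
    MailboxRule("s.rao@abcbank.example", "Backup mailbox", ["s.rao@mail.abcbank.example"]),
    MailboxRule("j.dsouza@abcbank.example", "old rule", ["jd@example.net"], enabled=False),
]
MESSAGES = [
    OutboundMessage("s.rao@abcbank.example", ["auditor@regulator.example"],
                    "FW: Q2 card dispute list", "Confidential", True),
    OutboundMessage("s.rao@abcbank.example", ["branch07@abcbank.example"],
                    "FW: Q2 card dispute list", "Confidential", True),
    OutboundMessage("a.patel@abcbank.example", ["press@agency.example"],
                    "FW: Holiday notice", "Public", True),
    OutboundMessage("a.patel@abcbank.example", ["lawyer@firm.example"],
                    "FW: Loan file 4471", "Secret-Unknown", True),   # label not in the scheme
    OutboundMessage("a.patel@abcbank.example", ["friend@example.org"],
                    "Lunch", "Internal", False),
]

if __name__ == "__main__":
    print("forwarding rules:", audit_rules(RULES))
    print("forwarded messages:", audit_messages(MESSAGES))
```

Disabled rules are skipped but not ignored in practice: a rule that an attacker created and later disabled still shows that the mailbox was accessed, so the full rule list belongs in the incident record even though only enabled rules are policy violations.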

Cyber Security Risk Associated

 Phishing attacks are the intruder’s preferred exercise. Restrictions on the
email system, its user accounts and its usage, together with awareness, are the
only way to prevent such invisible malware or advanced persistent threats from
getting in.
 Compromising the email system is the easiest way to obtain information about
the organization: many users with varied privileges participate in the one
system, which has the same significance for all of them, so it is an easy target
for the intruder to focus on, and poor management of the email system may lead
to a disastrous scenario.

Policy Compliance

 Compliance Measurement
The IT Department team will verify compliance to this policy through
various methods, including but not limited to, business tool reports,
internal and external audits, and feedback to the policy owner.

 Exceptions
Any exception to the policy must be approved by the DGM, IT Department
in advance.

 Non-Compliance
An employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.

13. Delivery Channels, Digital Products

SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1012
2 Name of the Policy Delivery Channels, Digital Products
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All Staff of the Bank to whom email facility is provided
by the Bank irrespective of his profile in the Bank.
Management officials (Senior Management, Board of
Directors) to whom an email facility is provided by the
Bank
6 Revision History

Overview

Digital banking has grown considerably in the last few years, specifically using
the internet and mobile as communication channels to provide 24x7 banking
services to customers. Cyber security concerns have evolved over the same period,
and Banks need to be more cautious while establishing and maintaining the
underlying IT infrastructure. The systems providing such applications or services
must be under continuous surveillance from a technology perspective, and
preventing unauthorized access to them is a prime responsibility of the Bank.

Banks are in a race to provide a digital experience to their customers, and
establish various delivery channels, services and products to remain competitive
and acquire more customers. These services primarily include ATM, POS,
e-commerce, Internet Banking, Mobile Banking, UPI, bill payment platforms, Bharat
Bill Payment System, Aadhaar Enabled Payment System etc.

Purpose

This policy describes the cyber security significance of these channels and sets
forth the precautions to be taken by the Bank while providing such delivery
channels and digital services to its customers.

Scope

This policy is applicable to:

 all the related users of systems operational in the Bank for providing digital
services and delivery channels,
 IT Assets, Networks, Systems, Third-Party Technical arrangements, Servers,
Desktop Systems, Devices, Interfaces and applications,
 Switching applications & its related Infrastructure to regulatory and governing
establishments
 Third party network establishments necessary for providing the services
 Digital Products and Services operational at the Bank.
 Production and UAT Setup responsible for such digital products and services,
delivery channels.
 Officials responsible for monitoring and maintenance of delivery channels,
digital products and services
 Associated vendors, Service Providers, Technical Service Providers

Policy

- Where the Bank intends to provide a delivery channel, digital product or
service, it shall have the regulatory approval / permission / license to use
the platform / establish the infrastructure for that service / product.
- The Bank shall adhere to the procedural guidelines issued by regulatory
authorities, i.e., Reserve Bank of India, NPCI, UIDAI.
- Production IT infrastructure and UAT IT infrastructure shall be established
separately and networked / orchestrated in different demilitarized zones.
- Users of the IT infrastructure for delivery channels, digital products and
services shall be authorized users, and their access rights / profiles /
privileges shall be documented and approved by the competent authority of
the Bank.
- Security guidelines / best practices suggested by the regulatory authorities
shall be adhered to in all respects.
- Special monitoring shall be put in place with regard to threshold limits on
the transactions, amounts and records performed through these digital
products, services and delivery channels.
- The Bank shall assign dedicated manpower for reconciliation of the
transactions of all delivery channels, products and services. The Bank may
also adopt automation applications and services for better control and
monitoring of these services.
- Using a third-party application that places transactions directly into the
production database can create security risks and may give erroneous results.
The Bank shall use the inherent / authorized applications or interfaces to the
core systems instead.
- A network security mechanism for identifying legitimate communication shall
be put in place.
- Security of the configuration files has significant relevance from the cyber
security point of view.
- Service level agreements shall be executed with the Service Provider /
Technical Service Provider for each service, product or channel operational at
the Bank.
- Regulatory reporting requirements and compliance forms shall be furnished,
and compliance status shall be reported regularly to the management of the
Bank.
- Utmost care shall be taken when entrusting the operation of such channels
and services to third-party service providers.
- SFTP servers, card management and registration mechanisms, user management,
IT infrastructure availability and DR arrangements shall be kept up to date,
with data and applications in sync, for such delivery channels, products and
services.
- Transaction switching applications shall follow the information security
standards while switching transaction information to regulatory or switching
authorities, i.e., NPCI, UIDAI, or RBI in the case of the NG-RTGS setup.
- No UAT setup shall be technically accessible from the production
environment.
- Network communication for UAT purposes shall pass through the Bank’s
enterprise layered and DNS security architecture.
- The monitoring and alert mechanism shall be resilient in all respects.
- Any deviation from this policy shall require the approval of the Board of
Directors.
Cyber Security Risk Associated

 Any small loophole in the overall IT architecture, orchestration, network
arrangements or security mechanism can lead to a cyber-attack on the Bank’s
IT infrastructure that directly affects customer accounts and the related
transaction information, resulting in large financial losses to the Bank.
 Officials responsible for administration and configuration management shall
be designated, authorized Bank officials only; this shall not be outsourced
to a third party, as the absence of such control may lead to a security risk
at any point in time.

Policy Compliance

 Compliance Measurement
The IT Department team will verify compliance to this policy through
various methods, including but not limited to, business tool reports,
internal and external audits, and feedback to the policy owner.

 Exceptions

Exceptions to this policy are not advisable and shall not be allowed in any
case.

 Non-Compliance
An employee, associate, service provider found to have violated this policy
may be subject to disciplinary / legal action, up to and including
termination of employment / service contracts.

14. User/Employee/Management Awareness

SL Particulars Description
1 Policy No ABC Bank/IT/CSP/2018/ABC1013
2 Name of the Policy User/Employee/Management Awareness
3 Written By IT Department – ABC Bank
4 Written Date
5 Stakeholders All Staff of the Bank irrespective of his profile in the
Bank. Management officials, Board of Directors
6 Revision History

Overview

An organization’s security strategy only works if employees are properly trained
and aware of it. This involves putting practices and policies in place that
promote security, and training employees to identify and avoid risks. A larger
goal should be to change the culture of the organization to focus on the
importance of security and get buy-in from end users, so that they serve as an
added layer of defense against security threats.

A good information security awareness program highlights the importance of
information security and introduces the information security policies and
procedures in a simple yet effective way, so that employees understand the
policies and are aware of the procedures.

Training employees / creating cyber security awareness is a critical element of
security. Employees need to understand the value of protecting customer and
colleague information and their role in keeping it safe. They also need a basic
grounding in other risks and in how to make good judgments online.

Purpose

This policy outlines the significance of information security awareness in
protecting the organization’s information from unauthorized users / individuals.
It also guides the standard practices all employees shall take into
consideration regarding information security while discharging their day-to-day
responsibilities within the organization.

Scope

This policy applies to all the employees of the Bank, Senior Management Officials,
All system users, Board of Directors of the Bank from the awareness point of view
and ensuring successful implementation of the same within the organization.

Policy

 All employees / system users shall adhere to / follow / ensure:

- The information classification practices implemented in the Bank.
- The clear desk policy of the Bank.
- The password policy of the Bank.
- Not opening suspicious links in the mails they receive, or mails from unknown
sources.
- Keeping an eye out and reporting it when they observe strange behavior on
their computer.
- Electronic shredding of information that is no longer required.
- No sharing of user IDs and passwords; staff are made aware of their
responsibility for safeguarding their user account and password.
- Understanding and following the backup practices put in place by the Bank
for files / information on the desktop / laptop.
- Not visiting / attempting to visit inappropriate / unwanted websites where
the Bank provides internet facility to the user / employee.
- Keeping all notebooks under lock and key after business hours.
- Having a password-protected screen saver on the workstation to prevent
unauthorized access in the absence of the employee / user.
- Not releasing confidential information to a third party unless there is a
need to know and a non-disclosure agreement has been signed by the competent
authority of the Bank.
- Adhering to the dos and don’ts checklist circulated by the Bank.

Management officials shall ensure that employee awareness programs on cyber
security / information security are conducted at periodic intervals.

Information on such employee awareness programs shall be reported to the Board
once every half year.

Cyber Security Risks Associated

- Unawareness of cyber security / information security risks may lead to
compromise and leakage of the organization’s critical information.
- Desktops / laptops on which critical information is stored and which are not
under the control of the systems put in place by the Bank give an intruder easy
access / attract cyber-attack.

Policy Compliance

 Compliance Measurement
The IT Department team will verify compliance to this policy through
various methods, including but not limited to, business tool reports,
internal and external audits, and feedback to the policy owner.

 Exceptions
Exceptions to this policy are not advisable and shall not be allowed in any
case.

 Non-Compliance
An employee, associate, service provider found to have violated this policy
may be subject to disciplinary / legal action, up to and including
termination of employment / service contracts.

15. Customer Education and Awareness

SL  Particulars         Description
1   Policy No           ABC Bank/IT/CSP/2018/ABC1014
2   Name of the Policy  Customer Education and Awareness
3   Written By          IT Department – ABC Bank
4   Written Date
5   Stakeholders        All Staff of the Bank, Planning and Development
                        Department, Training Facility Officials, Management
                        officials, Board of Directors
6   Revision History

Overview

With fraudsters constantly creating more diverse and complex fraud scenarios,
using advanced technology and social engineering techniques to access their
victims' accounts, spreading awareness among consumers becomes imperative.
Continual education and timely information provided to customers will help them
understand security requirements and take appropriate steps in reporting
security problems.

The Bank shall also run awareness programs for its employees so that they can act
as resource persons for customer queries, for law enforcement personnel seeking a
better understanding when responding to customer complaints, and for the media in
the dissemination of accurate and timely information.

Purpose

This policy sets forth the standard practices required for customer education on
information security / cyber security, so as to enable customers to avail of the
Bank's services safely and protect their transaction information against cyber
threats.

Scope

The scope of this customer education policy shall cover the following:

- Planning, implementing and organizing a fraud awareness initiative.
- Framework to evaluate the effectiveness of awareness programs.
- Customer communication framework.
- Addressing potential risks associated with the awareness initiative.
- Development of a safe and secure culture by encouraging users to act
responsibly and operate more securely.

Policy

- The Bank shall set up the awareness program to:
  o Provide a focal point and driving force for a range of awareness, training
    and educational activities.
  o Provide generic and basic information on fraud risk trends, types and
    controls to the people who need to know.
  o Help consumers identify the areas vulnerable to fraud attempts and make
    them aware of their responsibilities in relation to fraud prevention.
- The Bank shall ensure that the content of the awareness programs is in the
interest of its users and relevant to their banking needs.
- The Bank shall identify and segment the target users and customize the
awareness program for specific target groups.
- The Bank shall build consensus amongst decision makers and stakeholders and
secure administrative support for conducting such awareness programs. In this
respect, the Bank shall identify fixed and variable costs, which may include
personnel, operations costs, awareness material, technology support cost,
advertisement, promotions and maintenance of the website.
- Effective media of communication shall be considered for conducting such
awareness programs.
- Deliver the right message to the right audience using the most effective
communication channel.
- The message shall state the risks and threats facing the users, why they are
relevant to them, what not to do and what to do, and finally how to be
protected.
- The message shall be compelling and clearly state why security is important.
- The Bank shall establish more than one communication channel and use them to
engage its customers successfully.
- Evaluate the visibility of such awareness communication and its qualitative
use to the customers.

Cyber Risks Associated

- The absence of any initiative in this regard may lead to loss of customer
confidence in the Bank's services from a security point of view.
- Intruders can target unaware customers of the Bank with their intrusion
tactics.
- Leakage of the crucial information of the organization is possible, and the
Bank will have no legal evidence that it has educated its customers about the
associated cyber risks.

Policy Compliance

- Compliance Measurement
The IT Department team will verify compliance with this policy through
various methods, including but not limited to business tool reports,
internal and external audits, and feedback to the policy owner.

- Exceptions
Exceptions to this policy are not advisable and in any case shall not be
allowed.

- Non-Compliance
An employee, associate or service provider found to have violated this policy
may be subject to disciplinary / legal action, up to and including
termination of employment / service contracts.

16. Disaster Recovery Site Establishments

SL  Particulars         Description
1   Policy No           ABC Bank/IT/CSP/2018/ABC1015
2   Name of the Policy  Disaster Recovery Site Establishments
3   Written By          IT Department – ABC Bank
4   Written Date
5   Stakeholders        IT Department Officials, DR Site Officials, Service
                        Providers with whom the Bank has executed a Service
                        Agreement, Management Officials of the Bank
6   Revision History

Overview

The Reserve Bank of India mandates every Bank to maintain a Disaster Recovery
Site for all the services operational at the Bank. It is imperative to ensure
cyber security practices for the Bank's multiple / single DR Site
establishments, including those outsourced to a third-party vendor as a DRaaS
service. This area is often treated as a secondary site, whereas its entire
infrastructure is connected to the corporate network of the Bank's Primary site
to keep data and applications in sync in all respects. Remember the reasons the
Bank originally moved to outsource / collocate the DR setup, such as freeing up
floor space and reducing establishment costs, while correlating them with the
security arrangements required to ensure enterprise security.

Purpose

The purpose of this policy is to protect the organization from intrusion aimed
at stealing critical information of the Primary site by accessing it from the
secondary site establishments, i.e., the Disaster Recovery Site.

Scope

The scope of this policy covers, but is not limited to, the IT Infrastructure,
Assets and Network arrangement of the Primary and DR Site establishments.

It applies to authorized System & Network Users / officials of the Bank,
outsourced vendors, communication channel vendors, and the monitoring and
management officials of the Bank and of the outsourced vendor.
Policy

It is a common misconception that Disaster Recovery and Cyber Security Recovery
are one and the same concept. Although they are similar and overlap to some
extent, disaster recovery's primary objective is to provide business continuity
after disruption from man-made or natural causes; security recovery, on the
other hand, protects data assets after a data breach. The following policy
guidelines are to be ensured by the responsible officials, i.e., CIO / CTO /
Senior Executives of the IT Department of the Bank, from the point of view of
cyber security.

- The Bank shall revisit the DR IT Infrastructure at periodical intervals and
ensure that the security mechanisms operational at the secondary / DR Site
are up to date.
- The network security establishments shall be identical to the Primary site
for business-centric applications, databases and services.
- Consider that a cyber-attack may corrupt the data of the Primary site; in
that case the DR implementation will not protect the information, as the
corrupted data will be replicated to both locations. To avoid this, the Bank
shall use layered defense tools and build relevant controls into the risk
management processes. Integrity and availability monitoring tools can also
help to detect such issues as early as possible.
- Some cyber-attacks simply cannot be stopped, so focusing solely on
prevention is a flawed approach. Instead, plan for all cyber incidents, their
containment and the recovery process.
- Do not assume that the DR establishments are secondary arrangements that
cannot be compromised by an intruder. Proper layered security with a zero
trust mechanism may prevent / reduce the risk of such attacks on the Bank.
- Ensure patch management, authorization and authentication mechanism
controls at the DR Site establishments.
- Document everything, i.e., procedures, roles and responsibilities, vendors
associated, service management metrics, the agreements' location and the
authority to access them in case needed, etc., about the Bank's DR
establishments.
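
The third guideline above, that data corrupted on the Primary site is replicated faithfully to the DR Site, is the one worth seeing in code. The following is an added example, not part of the Bank's policy or of any DR product it names: an integrity gate that a replication job would run before each cycle, holding replication when a protected object changes, when too much of the baseline changes at once, or when content turns high-entropy the way encrypted or bulk-corrupted files do. The file names and contents, the thresholds (25% change ratio, 7.5 bits/byte) and the three scenarios are constructed assumptions.

```python
"""Integrity gate in front of DR replication (added example, see lead-in)."""
from __future__ import annotations

import hashlib
import math
from dataclasses import dataclass, field


def sha256_manifest(snapshot: dict[str, bytes]) -> dict[str, str]:
    """Path -> SHA-256 hex digest for every object in a snapshot."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in snapshot.items()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; about 8.0 means encrypted or random-looking content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class GateVerdict:
    replicate: bool                      # True: safe to push this cycle to the DR Site
    changed: list[str] = field(default_factory=list)
    deleted: list[str] = field(default_factory=list)
    added: list[str] = field(default_factory=list)
    reasons: list[str] = field(default_factory=list)   # why replication is held


def integrity_gate(baseline: dict[str, bytes], current: dict[str, bytes],
                   protected: frozenset[str] = frozenset(),
                   max_change_ratio: float = 0.25,
                   entropy_limit: float = 7.5) -> GateVerdict:
    """Compare the last replicated snapshot with the current Primary-site state.

    Hold replication when (1) a protected object (binary, sealed archive) was
    modified or removed, (2) more of the baseline changed in one cycle than
    max_change_ratio allows, or (3) low-entropy content turned high-entropy.
    """
    base_m, cur_m = sha256_manifest(baseline), sha256_manifest(current)
    changed = sorted(p for p in base_m if p in cur_m and base_m[p] != cur_m[p])
    deleted = sorted(p for p in base_m if p not in cur_m)
    added = sorted(p for p in cur_m if p not in base_m)
    reasons: list[str] = []

    hit = sorted(p for p in changed + deleted if p in protected)
    if hit:
        reasons.append(f"protected objects modified or removed: {hit}")

    ratio = (len(changed) + len(deleted)) / max(len(base_m), 1)
    if ratio > max_change_ratio:
        reasons.append(f"{ratio:.0%} of baseline changed in one cycle (limit {max_change_ratio:.0%})")

    scrambled = [p for p in changed if shannon_entropy(baseline[p]) < entropy_limit
                 and shannon_entropy(current[p]) >= entropy_limit]
    if scrambled:
        reasons.append(f"content became high-entropy (encryption/corruption?): {scrambled}")

    return GateVerdict(not reasons, changed, deleted, added, reasons)


# --- constructed sample data: eight ledger files plus two protected objects ---
PROTECTED = frozenset({"bin/core_banking.so", "archive/statements_2017.tar"})


def sample_baseline() -> dict[str, bytes]:
    snap = {f"ledger/2018-{m:02d}.csv": f"acct,amount\n1001,{m * 100}\n".encode()
            for m in range(1, 9)}
    snap["bin/core_banking.so"] = b"\x7fELF constructed placeholder binary"
    snap["archive/statements_2017.tar"] = b"constructed archived statements"
    return snap


def routine_update() -> GateVerdict:
    """Normal day-end: one ledger appended, a new month opened -> replicate."""
    cur = sample_baseline()
    cur["ledger/2018-08.csv"] += b"1002,250\n"
    cur["ledger/2018-09.csv"] = b"acct,amount\n"
    return integrity_gate(sample_baseline(), cur, PROTECTED)


def mass_corruption() -> GateVerdict:
    """Five ledgers overwritten with high-entropy bytes (stand-in for encrypted content) -> hold."""
    cur = sample_baseline()
    junk = bytes(range(256)) * 16                       # exactly 8.0 bits/byte
    for path in [p for p in sorted(cur) if p.startswith("ledger/")][:5]:
        cur[path] = junk
    return integrity_gate(sample_baseline(), cur, PROTECTED)


def tamper_protected() -> GateVerdict:
    """A single byte of the core banking binary altered: small, but protected -> hold."""
    cur = sample_baseline()
    cur["bin/core_banking.so"] = b"\x7fELF constructed placeholder binarZ"
    return integrity_gate(sample_baseline(), cur, PROTECTED)
```

The gate is deliberately cheap: a digest manifest per cycle plus an entropy pass over changed objects only, so it fits between the Primary snapshot and the replication push without a separate platform. When it returns `replicate=False` the previous DR copy stays as the last known good state, which is exactly what the guideline above wants preserved.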

Cyber Security Risks Associated

- A cyber-attack on the DR Site and subsequently on the Primary site may be
possible in case poor security arrangements are in place at the DR Site.
- The DR Site may not help in case of a cyber-attack on the Primary site,
resulting in complete business loss and difficulty in re-establishing the
services.

Policy Compliance

- Compliance Measurement
The IT Department team will verify compliance with this policy through
various methods, including but not limited to business tool reports,
internal and external audits, and feedback to the policy owner.

- Exceptions
Exceptions to this policy are not advisable and in any case shall not be
allowed.

- Non-Compliance
An employee, associate or service provider found to have violated this policy
may be subject to disciplinary / legal action, up to and including
termination of employment / service contracts.

17. Vendor / Outsourcing Risk Management

SL  Particulars         Description
1   Policy No           ABC Bank/IT/CSP/2018/ABC1016
2   Name of the Policy  Vendor / Outsourcing Risk Management
3   Written By          IT Department – ABC Bank
4   Written Date
5   Stakeholders        Management officials, IT Department Officials,
                        Hardware and Software Vendors / Service Providers,
                        Consultants / Contractors, IT or business process
                        outsourcing firms, Hardware and Software maintenance
                        and support staff, DRaaS / PaaS / IaaS / ASP / Cloud
                        Service providers.
6   Revision History

Overview

Outsourcing involves transferring to a third party the responsibility for
carrying out an activity, executing a function or monitoring the IT
Infrastructure setup on behalf of the Bank, for an agreed charge. The
third-party vendor / outsourcer agrees to provide the required service against
the service charges thereon and executes an agreement with the Bank for the
implementation and maintenance of the same. Mostly, commercial benefit is
ascribed to outsourcing, i.e., reducing the organization's costs, greater focus
on the core business by outsourcing non-core activities, and reducing manpower
cost and its related liability to the organization.

Moreover, it is seen in the Banking environment that the terms and conditions
of service level agreements are being imposed by the service providers, stating
their company standard, so that the Bank misses important aspects of the service
or cannot stand legally in case the agreed services are not provided, or becomes
the victim of a cyber threat when compromised due to poor controls at the
service provider.

Despite the potential benefits, information security incidents such as
inappropriate access to or disclosure of sensitive information, loss of
intellectual property protection or the inability of the outsourcer / service
provider to live up to the agreed service levels would reduce the benefits and
could jeopardize the security posture of the organization.

Purpose

The purpose of this policy is to set forth the standard guidelines / precautions
to be taken into consideration while outsourcing any function / activity of the
Bank.

Scope

This policy applies to management officials, IT Department Officials, Hardware
and Software Vendors / Service Providers, Consultants / Contractors, IT or
business process outsourcing firms, Hardware and Software maintenance and
support staff, and DRaaS / PaaS / IaaS / ASP / Cloud Service providers.

This policy also applies to all activities defined by the Bank as non-core
activities, and to core activities where the Bank cannot execute the service
itself because regulatory guidelines or the available infrastructure do not
support establishing the requirements for providing the service / product.

Policy

- The commercial benefits of outsourcing non-core business activities /
functions must be balanced against the commercial and information security
risks.
- The risk associated with outsourcing must be managed through the imposition
of suitable controls, comprising a combination of legal, physical, logical,
procedural and managerial controls.
- Outsourcing of functions / activities related to business operations shall
be permitted as per the extant guidelines of the regulatory authorities,
i.e., Reserve Bank of India, NPCI, UIDAI, Department of Payment and
Settlement Systems (DPSS)-RBI, UBD-RBI, etc.
- The Bank shall maintain documentation of every single activity which is
outsourced, supported by the agreement executed with the outsourcing agency,
vendor, System Integrator, Service Provider, Technology Service Provider,
Vendor / SI / Service Provider under a Consortium arrangement, Colocation
Service Provider, ASP, DRaaS / IaaS / PaaS or Cloud Service Provider.
- Criteria for selection of the outsourcing agency / service provider:
  o Company reputation and history.
  o Quality of the service provided to other Banks / customers.
  o Number and competency of staff on-boarded by the company.
  o Financial stability of the company.
  o Security standards in practice / currently followed by the company, i.e.,
    ISO/IEC 27001, CMMi Level 3/5, development standards, etc.
- Cyber Security / Information Security criteria specific to the outsourced
function / activity shall be defined and documented as a result of the risk
assessment by the Bank.
- Customer on-boarding authorization shall remain with the Bank.
- Security parameters configured while establishing the outsourced function /
activity / service shall be appraised to the Bank by the respective vendor /
service provider / agency.
- No direct access to the production database shall be provided to the
outsourcing agency / vendor / SI / Service Provider.
- Application log management and storage of the logs / events shall be under
the complete control of the Bank. In case the technical establishment itself
is outside the Bank's network, the vendor / service provider shall provide a
copy of the logs / events / security alert information to the Bank at
periodical intervals.
- The Bank shall have access to audit the outsourced environment / technical
establishments arranged for the Bank, as and when necessary / stipulated by
the regulatory audit officials.
- User management / profile management for the officials of the outsourced
agency / service provider shall be under the control of the Bank's authorized
officials, and monitoring of the same shall be documented in softcopy /
hardcopy format.
- Roles and responsibilities of the outsourced agency / service provider shall
be clearly stated in the service level / master agreement executed with the
vendor / service provider.
- The Bank shall not use any service / function which is not supported by the
service level agreement executed with the vendor / service provider.
- Service charges / fees, i.e., one-time and recurring, shall not be the
criteria for implementation of security tools and technologies by the service
provider / vendor.

Cyber Security Risks Associated

- Poor vendor / outsourcing management, lack of documentation, agreement,
roles and responsibility definition and scope of service deliverables, and
unsecured network management from and to the establishment of the service
provider may lead to a cyber-attack from which the Bank will not be in a
position to recover.
- Possibility of leakage of critical information of the Bank in case these
policy guidelines are not adhered to.
- The vendor may escape from its responsibility and the Bank will be in
trouble, unable to answer to its customers and regulators, resulting in
reputation risk.
- Vendor representatives and officials may be targeted by an intruder to gain
access to the Bank's critical infrastructure.
- Regulators may impose a penalty on the Bank for non-adherence to the
guidelines / operating procedure guidelines with regard to information
security / cyber security of the Bank's IT Infrastructure, including Primary
and Secondary arrangements.

Policy Compliance

- Compliance Measurement
The IT Department team will verify compliance with this policy through
various methods, including but not limited to business tool reports,
internal and external audits, and feedback to the policy owner.

- Exceptions
Exceptions to this policy are not advisable and in any case shall not be
allowed.

- Non-Compliance
An employee, associate or service provider found to have violated this policy
may be subject to disciplinary / legal action, up to and including
termination of employment / service contracts.

18. Incident Management and Reporting

SL  Particulars         Description
1   Policy No           ABC Bank/IT/CSP/2018/ABC1017
2   Name of the Policy  Incident Management and Reporting
3   Written By          IT Department – ABC Bank
4   Written Date
5   Stakeholders        All Employees, Management Officials, Board of
                        Directors, Service Providers, Consultants / Contractors.
6   Revision History

Overview

It is equally important to manage and report an incident whether it affects
critical or non-critical IT Infrastructure of the Bank, so as to reduce the
impact of an adverse event on bank customers and information resources. In most
cases, it is observed that Bank officials put in their best possible effort to
manage the incident but do not prefer to report it to the management, which
further creates complexities in case management support is required to address
the situation.

Security incidents have the potential to occur in an unpredictable manner and
may impact the Bank's physical, electronic and human resources. Such incidents
may adversely affect the confidentiality, integrity and availability of the
assets or information belonging to the Bank and its customers. The Bank has to
adopt this policy and supporting procedures to define the steps that will be
taken in response to an incident.

Purpose

The purpose of this policy is to define the Bank's Incident Response program.
The goal is to establish an approach to manage and report incidents so as to
reduce their adverse impact on the Bank.

Scope

This policy applies to the physical and electronic information systems being
operated at the Bank. The policy also addresses information systems that are
operated by third-party service providers or agencies / agents on behalf of the
Bank. All Bank employees, temporary / contracted employees, contractors and
service providers are covered by this policy.

Policy

- The Bank's responsible officials are to classify the incident on the basis
of its severity and use that information to manage and report the incident
as per the hierarchy structure operational in the Bank.
- The term "incident" is defined as any irregular or adverse event that
affects any asset / information or personally identifiable information, or
that involves the availability, integrity or confidentiality of the Bank's
systems and network. An incident can be physical or electronic in nature.
- An incident has to be reported immediately to the escalation authority on
notice by the employee or individual. Any delay may increase the complexity
of the incident.
- It is the responsibility of the Board of Directors and Management officials
of the Bank to disclose information on the incident to the customers / make
it public / inform the law enforcement agencies.
- Possible incident categories, i.e.:
  o Non-availability of the Information / System / Network for business
    operations / customer service.
  o Denial of system resources, cyber-incident, cyber-attack, malware
    attack, virus attack, erroneous behavior of any of the systems /
    mechanisms operational at the Bank.
  o Change to system hardware, firmware or software characteristics without
    the management's knowledge.
  o Criminals obtaining a large volume of credentials (user names,
    passwords, email addresses) and other forms of identification used by
    customers, employees and third parties to authenticate to systems.
  o Internet fraud / phishing, cyber-attack, identity theft of the customer.
  o Abrupt shutdown of the production IT Infrastructure, non-availability of
    the corporate network / internet facility to the Bank.
  o Bulk messages / SMS released to customers' mobile numbers that were not
    scheduled / executed by the authorized officials of the Bank.
- The Bank's responsible officials are to document the type of incident and
the method used to respond to it in the prescribed format in practice with
the Bank. In case a prescribed format is not available, the Incident Type,
Date, Time, Nature, Affected Areas, Systems affected, Network affected,
details of the official responsible for managing the area of operation where
the incident occurred, etc., are to be documented and reported to the
escalation authorities as early as possible.
- Even in case the incident is managed by providing a stop-gap arrangement,
workable solution, work-around or temporary arrangement in the interest of
reducing downtime, ensuring business continuity or reducing the impact on
business transactions, the details are to be documented and reported in the
stipulated format described above to the escalation authorities and
management officials.
- If the severity of the incident is very high and it impacts the Bank's
reputation / business operations, it has to be managed and reported to the
competent authority immediately.
- Telephonic / electronic email communication can also be used to inform about
an incident that occurs in the wee hours / after business hours. Evidence of
such reporting / management of the incident shall be kept on record by the
respective official discharging the duty at the time of the incident.
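
As an added example, not the Bank's prescribed format or any tool it uses, the following Python models the documentation and reporting rules above: the fields that must be documented when no prescribed format exists, classification by severity, escalation as per a hierarchy, the rule that a work-around does not waive reporting, and evidence on record for after-hours telephone / email reports. The severity tiers, the escalation chain, the business hours and both sample incidents are constructed assumptions.

```python
"""Incident record intake and escalation check (added example, see lead-in)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, time
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


# Constructed default tier per policy incident category; the responsible official
# may override it on the record (the policy leaves classification to them).
DEFAULT_SEVERITY = {
    "non-availability of information/system/network": Severity.MEDIUM,
    "malware / virus attack": Severity.HIGH,
    "unauthorised change to hardware/firmware/software": Severity.HIGH,
    "bulk credential theft": Severity.VERY_HIGH,
    "internet fraud / phishing / identity theft": Severity.HIGH,
    "abrupt shutdown of production infrastructure": Severity.VERY_HIGH,
    "unauthorised bulk SMS to customers": Severity.HIGH,
}
# Constructed chain; the policy only says "as per the hierarchy structure in the Bank".
ESCALATION = {
    Severity.LOW: ["Department Head"],
    Severity.MEDIUM: ["Department Head", "IT Department"],
    Severity.HIGH: ["Department Head", "IT Department", "CIO / CTO"],
    Severity.VERY_HIGH: ["Department Head", "IT Department", "CIO / CTO",
                         "Management", "Board of Directors"],
}
# Fields the policy requires when no prescribed format is available.
REQUIRED = ("incident_type", "detected_at", "nature", "affected_areas",
            "systems_affected", "network_affected", "responsible_official")
BUSINESS_HOURS = (time(9, 0), time(18, 0))          # constructed assumption


@dataclass
class IncidentRecord:
    incident_type: str
    detected_at: datetime | None
    nature: str = ""
    affected_areas: list[str] = field(default_factory=list)
    systems_affected: list[str] = field(default_factory=list)
    network_affected: str = ""
    responsible_official: str = ""
    workaround_applied: bool = False             # a stop-gap fix does not waive reporting
    severity_override: Severity | None = None
    reported_at: datetime | None = None
    reporting_channel: str = ""                  # "incident form", "email", "telephone"
    evidence_reference: str = ""                 # where the email / call record is kept


def severity(rec: IncidentRecord) -> Severity:
    if rec.severity_override is not None:
        return rec.severity_override
    return DEFAULT_SEVERITY.get(rec.incident_type, Severity.HIGH)  # unknown: HIGH until classified


def assess(rec: IncidentRecord, now: datetime) -> dict:
    """Return severity, escalation list, detection-to-report delay and every rule still broken."""
    problems = [f"missing field: {f}" for f in REQUIRED if not getattr(rec, f)]
    if rec.reported_at is None:
        problems.append("not reported to escalation authority"
                        + (" despite workaround applied" if rec.workaround_applied else ""))
    else:
        start, end = BUSINESS_HOURS
        after_hours = not (start <= rec.reported_at.time() < end)
        if after_hours and rec.reporting_channel in ("email", "telephone") and not rec.evidence_reference:
            problems.append("after-hours email/telephone report has no evidence on record")
    stop = rec.reported_at or now
    delay = int((stop - rec.detected_at).total_seconds() // 60) if rec.detected_at else None
    sev = severity(rec)
    return {"severity": sev.name, "escalate_to": ESCALATION[sev],
            "immediate": sev == Severity.VERY_HIGH,   # very high: competent authority at once
            "delay_minutes": delay, "problems": problems, "ready": not problems}


# --- constructed sample incidents -------------------------------------------
def sample_credential_theft() -> dict:
    """Fully documented, phoned in after hours with the call log reference kept."""
    rec = IncidentRecord(
        incident_type="bulk credential theft", detected_at=datetime(2018, 6, 14, 22, 10),
        nature="phishing kit harvested internet banking logins (constructed)",
        affected_areas=["Internet Banking"], systems_affected=["IB-WEB-01"],
        network_affected="DMZ", responsible_official="Branch IT Officer (constructed)",
        reported_at=datetime(2018, 6, 14, 22, 40), reporting_channel="telephone",
        evidence_reference="call log entry CL-0001 (constructed)")
    return assess(rec, now=datetime(2018, 6, 15, 9, 0))


def sample_quiet_workaround() -> dict:
    """Outage fixed with a work-around, never documented or reported."""
    rec = IncidentRecord(
        incident_type="non-availability of information/system/network",
        detected_at=datetime(2018, 6, 14, 11, 0),
        nature="core banking link down, traffic rerouted via backup link (constructed)",
        workaround_applied=True)
    return assess(rec, now=datetime(2018, 6, 14, 12, 30))
```

The second sample is the situation the Overview describes, an official quietly fixing the problem: `assess` lists the undocumented fields and flags the missing report, and the delay keeps growing until `reported_at` is set, which is the metric an escalation authority would track.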

Cyber Security Risks Associated

- Poor incident management / undefined reporting will lengthen the recovery
time, and critical information / customer information will be compromised.
- Cyber criminals may gain access to each and every system in the Bank and
can widen their attack surface for more damage to the infrastructure.
- No escalation / non-reporting will lead to legal issues with regard to the
cyber-attack incident. Law enforcement agencies / forensic agencies will not
have proper information for the investigation of the incident.
- The impact of the incident will be greater and the Bank's reputation will be
at stake.

Policy Compliance

- Compliance Measurement
The IT Department team will verify compliance with this policy through
various methods, including but not limited to business tool reports,
internal and external audits, and feedback to the policy owner.

- Exceptions
Exceptions to this policy are not advisable and in any case shall not be
allowed.

- Non-Compliance
An employee, associate or service provider found to have violated this policy
may be subject to disciplinary / legal action, up to and including
termination of employment / service contracts.

19. Incident Reporting to Regulatory Authority

SL  Particulars         Description
1   Policy No           ABC Bank/IT/CSP/2018/ABC1018
2   Name of the Policy  Incident Reporting to Regulatory Authority
3   Written By          IT Department – ABC Bank
4   Written Date
5   Stakeholders        IT Department Officials, Management Officials, Board of
                        Directors.
6   Revision History

Overview

Cyber incidents have serious consequences for societies, nations, and those who
are victimized by cyber criminals. The theft, exploitation or breach of
information, financial or other sensitive personal and commercial data, and
cyber-attacks which damage computer systems are capable of causing lasting harm.

It is mandatory for the management / Board of Directors of the Bank to report
cyber incidents to the regulatory reporting authority, i.e., the Reserve Bank of
India. It is also required to report the incident to the Computer Emergency
Response Team of India (CERT-IN) in the stipulated format issued by CERT-IN for
Indian organizations.

It is essential for an effective response to cyber incidents that the
authorities have as much knowledge regarding the incident as possible, and have
that knowledge as soon as possible. It is also critical that this information is
communicated to the public. This underlines the importance of reporting cyber
incidents as a tool in making the internet and digital infrastructure secure.
Like any other crime, an Internet-based crime should be reported to the law
enforcement authorities assigned to tackle it at the local, state, national or
international level, depending on the nature and scope of the criminal act.

Purpose

This policy sets forth the guidelines to report incidents to the regulatory
authorities, i.e., Reserve Bank of India / NPCI / UIDAI and CERT-IN, for
analyzing their impact at the national level and supporting the victim
organization in identifying / analyzing the incident scenario.

Scope

This policy applies to all the employees, management officials / Board of
Directors of the Bank.

It is the responsibility of the Bank's Management / Board of Directors to report
the incident with all the relevant details to the regulatory authority and
CERT-IN.

Policy

- All incidents, with full details and depending on their severity level /
business impact, are to be reported to the regulatory authority, i.e., Reserve
Bank of India. The analysis and identification of the severity level is the
responsibility of the Board of Directors / Management Officials of the Bank.
- The incident details in the stipulated format shall also be reported to the
Computer Emergency Response Team of India (CERT-IN).
- The Board of Directors will be held responsible for non-reporting of a cyber
incident / information security breach in case one occurs in the Bank.
- The Bank shall devise / use a suitable Incident Reporting format based on the
guidelines issued by the regulatory authority and CERT-IN in this regard.

Cyber Security Risks Associated

- Non-reporting / non-information about an incident that occurred in the Bank,
along with complete details of the incident and its impact, to the regulatory
authorities is a legal offense, and the entire management of the Bank shall be
held responsible for the further legal consequences of the incident.
- Cyber criminals may take undue advantage where such Incident Management and
reporting programs are not in practice.

Policy Compliance

- Compliance Measurement
The IT Department team will verify compliance with this policy through
various methods, including but not limited to business tool reports,
internal and external audits, and feedback to the policy owner.

- Exceptions
Exceptions to this policy are not advisable and in any case shall not be
allowed.

- Non-Compliance
An employee, associate or service provider found to have violated this policy
may be subject to disciplinary / legal action, up to and including
termination of employment / service contracts.

20. Cyber Crisis Management Plan

SL  Particulars         Description
1   Policy No           ABC Bank/IT/CSP/2018/ABC1019
2   Name of the Policy  Cyber Crisis Management Plan
3   Written By          IT Department – ABC Bank
4   Written Date
5   Stakeholders        All employees of the Bank, IT Department Officials,
                        Management Officials, Board of Directors.
6   Revision History

Overview

Cybercrime / breaches / threats continue to breed an increasingly sophisticated
underworld of criminals who act upon a variety of motives to compromise their
targets. Banks need to remain prepared for such a cyber crisis. This entails not
only creating, and testing, an incident response plan, but also establishing the
capabilities to respond to a significant cyber incident with Cyber Crisis
Management best practices and solutions.

A properly orchestrated, documented and verified Cyber Crisis Management Plan
will give the Bank confidence that, in case a cyber incident occurs, the Bank has
an approved set of activities to be taken up to ensure timely recovery from the
cyber crisis and the continuity of business operations.

The Cyber Crisis Management Plan will provide the strategic action points and
guide the activities to be taken into consideration / executed to prepare for,
respond to, and begin to coordinate recovery from a cyber-incident.

Purpose

The purpose of this policy is to create awareness of the significance of the
Cyber Crisis Management Plan which the Bank ideally needs to develop, implement
and keep effective. The policy also guides on the steps to develop such a Cyber
Crisis Management Plan.

Scope

This policy applies to all the employees, service providers, consultants /
contractors and assets / information of the Bank and its business operations /
functions.

Policy

Cyber incidents often trigger internal or external forensic cyber
investigations, an especially messy undertaking. The details of how the
compromise occurred, the area impacted, the number of records, whether and how
much data was removed / damaged and / or whether the cyber attack is ongoing
cause the entire ordeal to fluctuate. It is necessary for the Bank to develop a
Cyber Crisis Management Plan and have it approved by its Board of Directors.

The Cyber Crisis Management Plan shall depict each and all actions for the
following cyber crisis response life cycle:

  o Information Security Program of the Bank
  o Cyber event detected
  o Incident Response
  o Internal Investigation
  o Third-party Forensic Investigation
  o Contact Law Enforcement Agencies
  o Customer Notification
  o Containment and remediation plan
  o Disclosure / Report to the regulatory authorities
  o Compliance

- Cyber criminals are advanced and more sophisticated nowadays; they are able
to gain deep and prolonged access to systems and networks, where they can
cause sustained damage over time. The Bank shall not consider a cyber
incident, in case one happens, a one-time activity that a technical solution
can solve as a technical problem. The Bank is required to implement the entire
cyber incident response life cycle:
  o React: identify the issue, perform triage to determine severity.
  o Respond: contain the problem to minimize the impact, perform forensic
    analysis to understand the full impact of the incident, engage third-party
    support if needed.
  o Resolve: determine and repair control deficiencies, return to normal
    business operations, conduct lessons learned.

The Cyber Crisis Management Model:

- The Bank shall form a Cyber Crisis Management Team, to be reviewed by a
subject matter expert periodically in case needed.
- The Cyber Crisis Management Team should act as the program management
office, or liaison between the internal incident response team and the
broader environment that includes an array of internal and external groups,
and ensure proper coordination between the team members.

Critical success factors in responding to a cyber crisis:

- Recently, cyber crisis incidents have become increasingly visible events
receiving considerable media attention. The Bank shall expect that the details
of the crisis will be exposed to the public very fast and that the media will
cover the entire incident. The Bank's Cyber Crisis Management Plan shall
reflect the crucial media component in the incident response process.
- Incorporate the public relations strategy and communication plan into the
cyber crisis management solution and integrate the public relations group with
the crisis management team.
- A communication plan is a key element of an effective crisis management
response. Indeed, the absence of an effective plan makes it difficult to have
an effective response.
- Use various media tools to take in information in real time, push out
information at strategic times, and gain a voice in the media space.
- Be decisive; a pure crisis often calls for pure actions. Understand that in a
crisis situation, decisions often must be made based on imprecise information.
This understanding will help you avoid the trap of remaining stagnant while
waiting for precise information amid a crisis.
- Establish a point of contact as a secretary, and ensure the availability of
detailed notes that will assist business leaders in recalling key junctures
when critical decisions are to be made along the way.
- Activate your incident response program immediately after detecting the
incident.
- Don't hurry to notify the customers unless you have the information and
facts, which continue to surface.

Cyber incident or isn't pursuing an investigation, counsel can walk the Bank
through the advantages or disadvantages of reporting the incident to law
enforcement agencies.

Experienced outside counsel can understand the significance of your
organization's burden as a cyber victim. Counsel will be able to review the
legal remedies available to your organization as a cyber victim. The injunctive
provisions of law assist the victim in retrieving stolen data resulting from a
system compromise and preventing its dissemination.

Policy Compliance

- Compliance Measurement
The IT Department team will verify compliance with this policy through various
methods, including but not limited to business tool reports, internal and
external audits, and feedback to the policy owner.

- Exceptions
Exceptions to this policy are not advisable and in any case shall not be
allowed.

- Non-Compliance
An employee, associate or service provider found to have violated this policy
may be subject to disciplinary / legal action, up to and including termination
of employment / service contracts.
