IT Security

Q.All of the following are biometric techniques except

badge
retina
face
palm print*

Q.)A ______ provides privacy for LANs that must communicate through the global Internet.
A)VPP
B)VNP
C)VNN
D)VPN`

Q.) AEShas _____ different confgurations.

A)two
B)three``
C)four
D)five

Q.Security protection for personal computers includes

internal components
locks and cables
software
all of these*

The most devastating loss to a company is

loss of hardware
loss of data
loss of software
loss of printouts*

When a DNS server accepts and uses incorrect information from a host that has no authority giving
that information, then it is called
a) DNS lookup
b) DNS hijacking
d) None of the mentioned

Q. PGP encrypts data by using a block cipher called

a) international data encryption algorithm``
b) private data encryption algorithm
c) intrenet data encryption algorithm
d) none of the mentioned

Q. Pretty good privacy (PGP) is used in

a) browser security
ppb) email security``
c) FTP security
d) none of the mentioned

1. IPSec is designed to provide the security at the

a) transport layer
b) network layer*
c) application layer
d) session layer

1. Why would a hacker use a proxy server?

A. To create a stronger connection with the target.
B. To create a ghost server on the network.
C. To obtain a remote access connection.
D. To hide malicious activity on the network.

Correct Answer – D
Explanation – Proxy servers exist to act as an intermediary between the hacker and
the target and servces to keep the hacker anonymous tot he network.
2. What type of symmetric key algorithm using a streaming cipher to
encrypt information?
A. RC4
B. Blowfish
C. SHA
D. MD5

Correct Answer – A
Explanation – RC$ uses streaming ciphers.
3. Which of the following is not a factor in securing the environment
against an attack on security?
A. The education of the attacker
B. The system configuration
C. The network architecture
D. The business strategy of the company
E. The level of access provided to employees

Correct Answer – D
Explanation – All of the answers are factors supporting the exploitation or prevention
of an attack. The business strategy may provide the motivation for a potential attack,
but by itself will not influence the outcome.
4. What type of attack uses a fraudulent server with a relay address?
A. NTLM
B. MITM
C. NetBIOS
D. SMB

Correct Answer – B
Explanation – MITM (Man in the Middle) attacks create a server with a relay address.
It is used in SMB relay attacks.
5. What port is used to connect to the Active Directory in Windows 2000?
A. 80
B. 445
C. 139
D. 389

Correct Answer – D
Explanation – The Active Directory Administration Tool used for a Windows 2000
LDAP client uses port 389 to connect to the Active Directory service.
6. To hide information inside a picture, what technology is used?
A. Rootkits
B. Bitmapping
C. Steganography
D. Image Rendering

Correct Answer – C
Explanation – Steganography is the right answer and can be used to hide information
in pictures, music, or videos.
7. Which phase of hacking performs actual attack on a network or system?
A. Reconnaissance
B. Maintaining Access
C. Scanning
D. Gaining Access

Correct Answer – D
Explanation – In the process of hacking, actual attacks are performed when gaining
access, or ownership, of the network or system. Reconnaissance and Scanning are
information gathering steps to identify the best possible action for staging the attack.
Maintaining access attempts to prolong the attack.
8. Attempting to gain access to a network using an employee’s credentials
is called the _____________ mode of ethical hacking.
A. Local networking
B. Social engineering
C. Physical entry
D. Remote networking

Correct Answer – A
Explanation – Local networking uses an employee’s credentials, or access rights, to
gain access to the network. Physical entry uses credentials to gain access to the
physical IT infrastructure.
9. Which Federal Code applies the consequences of hacking activities that
disrupt subway transit systems?
A. Electronic Communications Interception of Oral Communications
B. 18 U.S.C. § 1029
C. Cyber Security Enhancement Act 2002
D. 18 U.S.C. § 1030
Correct Answer – C
Explanation – The Cyber Security Enhancement Act 2002 deals with life sentences
for hackers who recklessly endanger the lives of others, specifically transportation
systems.
10. Which of the following is not a typical characteristic of an ethical
hacker?
A. Excellent knowledge of Windows.
B. Understands the process of exploiting network vulnerabilities.
C. Patience, persistence and perseverance.
D. Has the highest level of security for the organization.

Correct Answer – D
Explanation – Each answer has validity as a characteristic of an ethical hacker.
Though having the highest security clearance is ideal, it is not always the case in an
organization.
11. What is the proper command to perform an Nmap XMAS scan every
15seconds?
A. nmap -sX -sneaky
B. nmap -sX -paranoid
C. nmap -sX -aggressive
D. nmap -sX -polite

Correct Answer – A
Explanation – SX is used to identify a xmas scan, while sneaky performs scans 15
seconds apart.
12. What type of rootkit will patch, hook, or replace the version of system
call in order to hide information?
A. Library level rootkits
B. Kernel level rootkits
C. System level rootkits
D. Application level rootkits

Correct Answer – A
Explanation – Library leve rootkits is the correct answer. Kerel level focuses on
replaceing specific code while application level will concentrate on modifying the
behavior of the application or replacing application binaries. The type, system level,
does not exist for rootkits.
13. What is the purpose of a Denial of Service attack?
A. Exploit a weakness in the TCP/IP stack
B. To execute a Trojan on a system
C. To overload a system so it is no longer operational
D. To shutdown services by turning them off

Correct Answer – C
Explanation – DoS attacks force systems to stop responding by overloading the
processing of the system.
14. What are some of the most common vulnerabilities that exist in a
network or system?
A. Changing manufacturer, or recommended, settings of a newly installed
application.
B. Additional unused features on commercial software packages.
C. Utilizing open source application code
D. Balancing security concerns with functionality and ease of use of a system.

Correct Answer – B
Explanation – Linux is an open source code and considered to have greater security
than the commercial Windows environment. Balancing security. Ease of use and
functionality can open vulnerabilities that already exist. Manufacturer settings, or
default settings, may provide basic protection against hacking threats, but need to
change to provide advance support. The unused features of application code provide
an excellent opportunity to attack and cover the attack.
15. What is the sequence of a TCP connection?
A. SYN-ACK-FIN
B. SYN-SYN ACK-ACK
C. SYN-ACK
D. SYN-SYN-ACK

Correct Answer – B
Explanation – A three-handed connection of TCP will start with a SYN packet
followed by a SYN-ACK packet. A final ACK packet will complete the connection.
16. What tool can be used to perform SNMP enumeration?
A. DNSlookup
B. Whois
C. Nslookup
D. IP Network Browser

Correct Answer – D
Explanation – SNMPUtil and IP Network Browser is SNMP enumeration tool
17. Which ports should be blocked to prevent null session enumeration?
A. Ports 120 and 445
B. Ports 135 and 136
C. Ports 110 and 137
D. Ports 135 and 139

Correct Answer – D
Explanation – Port 139 is the NetBIOS Session port typically can provide large
amounts of information using APIs to connect to the system. Other ports that can be
blocked in 135, 137,138, and 445.
18. The first phase of hacking an IT system is compromise of which
foundation of security?
A. Availability
B. Confidentiality
C. Integrity
D. Authentication

Correct Answer – B
Explanation – Reconnaissance is about gathering confidential information, such as
usernames and passwords.
19. How is IP address spoofing detected?
A. Installing and configuring a IDS that can read the IP header
B. Comparing the TTL values of the actual and spoofed addresses
C. Implementing a firewall to the network
D. Identify all TCP sessions that are initiated but does not complete successfully

Correct Answer – B
Explanation – IP address spoofing is detectable by comparing TTL values of the
actual and spoofed IP addresses
20. Why would a ping sweep be used?
A. To identify live systems
B. To locate live systems
C. To identify open ports
D. To locate firewalls

Correct Answer – A
Explanation – A ping sweep is intended to identify live systems. Once an active
system is found on the network, other information may be distinguished, including
location. Open ports and firewalls.
21. What are the port states determined by Nmap?
A. Active, inactive, standby
B. Open, half-open, closed
C. Open, filtered, unfiltered
D. Active, closed, unused

Correct Answer – C
Explanation – Nmap determines that ports are open, filtered, or unfiltered.
22. What port does Telnet use?
A. 22
B. 80
C. 20
D. 23

Correct Answer – D
Explanation – Telnet uses port 23.
23. Which of the following will allow footprinting to be conducted without
detection?
A. PingSweep
B. Traceroute
C. War Dialers
D. ARIN
Correct Answer – D
Explanation – ARIN is a publicly accessible database, which has information that
could be valuable. Because it is public, any attempt to obtain information in the
database would go undetected.
24. Performing hacking activities with the intent on gaining visibility for
an unfair situation is called ________.
A. Cracking
B. Analysis
C. Hacktivism
D. Exploitation

Correct Answer – C
Explanation – Hacktivism is the act of malicious hacking for a cause or purpose.
25. What is the most important activity in system hacking?
A. Information gathering
B. Cracking passwords
C. Escalating privileges
D. Covering tracks

Correct Answer – B
Explanation – Passwords are a key component to access a system, making cracking
the password the most important part of system hacking.
26. A packet with no flags set is which type of scan?
A. TCP
B. XMAS
C. IDLE
D. NULL

Correct Answer – D
Explanation – A NULL scan has no flags set.
27. Sniffing is used to perform ______________ fingerprinting.
A. Passive stack
B. Active stack
C. Passive banner grabbing
D. Scanned

Correct Answer – A
Explanation – Passive stack fingerprinting uses sniffing technologies instead of
scanning.
28. Phishing is a form of ____________________.
A. Spamming
B. Identify Theft
C. Impersonation
D. Scanning

Correct Answer – C
Explanation – Phishing is typically a potential attacker posing, or impersonating, a
financial institution
29. Why would HTTP Tunneling be used?
A. To identify proxy servers
B. Web activity is not scanned
C. To bypass a firewall
D. HTTP is a easy protocol to work with

Correct Answer – C
Explanation – HTTP Tunneling is used to bypass the IDS and firewalls present on a
network.
30. Which Nmap scan is does not completely open a TCP connection?
A. SYN stealth scan
B. TCP connect
C. XMAS tree scan
D. ACK scan

Correct Answer – A
Explanation – Also known as a “half-open scanning,” SYN stealth scan will not
complete a full TCP connection.
31. What protocol is the Active Directory database based on?
A. LDAP
B. TCP
C. SQL
D. HTTP

Correct Answer – A
Explanation – Active4 direction in Windows 200 is based on a Lightweight Directory
Access Protocol (LDAP).
32. Services running on a system are determined by _____________.
A. The system’s IP address.
B. The Active Directory
C. The system’s network name
D. The port assigned

Correct Answer – D
Explanation – Hackers can identify services running on a system by the open ports
that are found.
33. What are the types of scanning?
A. Port, network, and services
B. Network, vulnerability, and port
C. Passive, active, and interactive
D. Server, client, and network

Correct Answer – B
Explanation – The three types of accepted scans are port, network, and vulnerability.
34. Enumeration is part of what phase of ethical hacking?
A. Reconnaissance
B. Maintaining Access
C. Gaining Access
D. Scanning

Correct Answer – C
Explanation – Enumeration is a process of gaining access to the network by
obtaining information on a user or system to be used during an attack.
35. Keyloggers are a form of ______________.
A. Spyware
B. Shoulder surfing
C. Trojan
D. Social engineering

Correct Answer – A
Explanation – Keyloggers are a form of hardware or software spyware installed
between the keyboard and operating system.
36. What are hybrid attacks?
A. An attempt to crack passwords using words that can be found in dictionary.
B. An attempt to crack passwords by replacing characters of a dictionary word with
numbers and symbols.
C. An attempt to crack passwords using a combination of characters, numbers, and
symbols.
D. An attempt to crack passwords by replacing characters with numbers and
symbols.

Correct Answer – B
Explanation – Hybrid attacks do crack passwords that are created with replaced
characters of dictionary type words.
37. Which form of encryption does WPA use?
A. Shared key
B. LEAP
C. TKIP
D. AES

Correct Answer – C
Explanation – TKIP is used by WPA
38. What is the best statement for taking advantage of a weakness in the
security of an IT system?
A. Threat
B. Attack
C. Exploit
D. Vulnerability

Correct Answer – C
Explanation – A weakness in security is exploited. An attack does the exploitation. A
weakness is vulnerability. A threat is a potential vulnerability.
39. Which database is queried by Whois?
A. ICANN
B. ARIN
C. APNIC
D. DNS

Correct Answer – A
Explanation – Who utilizes the Internet Corporation for Assigned Names and
Numbers.
40. Having individuals provide personal information to obtain a free offer
provided through the Internet is considered what type of social
engineering?
A. Web-based
B. Human-based
C. User-based
D. Computer-based

Correct Answer – D
Explanation – Whether using email, a fake website, or popup to entice the used,
obtaining information from an individual over the Internet is a computer-based type of
social engineering

1. What is the default port number for Apache and most web servers?
A) 20
B) 27
C) 80
D) 87
2. What is the maximum character Linux supports in its filenames?
A) 8
B) 128
C) 256
D) Unlimited
3. A DNS translates a domain name into what?
A) Binary
B) Hex
C) IP
D) URL
4. Which of the following is not an example of Operating system?
A) Windows 98
B) BSD Unix
C) Microsoft Office XP
D) Red Hat Linux
5. What do you press to enter the current date in a cell?
A) CTRL + ; (Semicolon)
B) CTRL + Shift + : (Colon)
C) CTRL + F10
D) CTRL + F11
6. An Octal number 237 is equal to the binary number
A) 011 011 111
B) 010 111 011
C) 010 011 111
D) 011 000 001
7. Charles Babbage invented
A) ENIAC
B) Difference Engine
C) Electronic Computer
D) Punched Card
8. Which was the First Web browser?
A) Worldwideweb
B) Netscape Navigator
C) Internet Explorer
D) Safari
9. Which was the first ever web server software?
A) GWS
B) IIS 5.0
C) CERN httpd
D) nginx
10. Who is known as the Father of the Java Programming language?
A) Bill Board
B) James Gosling
C) Jame Smith
D) Sabeer Bhatia
11. Java is a?
A) Compiler
B) Operating System
C) Input Device
D) Programming Language
12. The way of manipulating data into information is called as?
A) Storing
B) Processing
C) Deletion
D) Organizing
13. What is CGI?
A) Computed Gateway Interface
B) Compliant Gateway Interface
C) Case Gateway Interface
D) Common Gateway Interface
14. Surgeons can perform delicate operations by manipulating devices through
computers instead of manually. This technology is known as:
A) Robotics
B) Computer Forensics
C) Simulation
D) Forecasting
15. In the binary language each letter of the alphabet, each number and each special
character is made up of a unique combination of:
A) Eight Bytes
B) Eight Kilobytes
C) Eight Characters
D) Eight Bits
16. What will be the output if you will compile and execute the following code?
#include
int main(){
register int i,x;
scanf(“%d”,&i);
x=++i + ++i + ++i;
printf(“%d”,x);
return 0;
}
A) 17
B) 18
C) 21
D) Compiler Error
17. The ability to recover and read deleted or damaged files from a criminals computer
is an example of a law enforcement specialty called?
A) Robotics
B) Simulation
C) Computer Forensics
D) Animation
18. What is the only function all C++ programs must contain?
A) Start ()
B) system ()
C) main ()
D) program ()
19. Which of the following is the boolean operator for logical-and?
A) &
B) &&
C) |
D) |&
20. What punctuation ends most lines of C++ code?
A) (Dot)
B) (semi-colon)
C) (colon)
D) (single quote)
21. A script is a
A) Program or sequence of instructions that is interpreted or carried out by processor
directly
B) Program or sequence of instruction that is interpreted or carried out by another
program
C) Program or sequence of instruction that is interpreted or carried out by web server
only
D) None of above
22. Examine the following program and determine the output
#include
using namespace std;
int operate (int a, int b)
{
return (a * b);
}
float operate (float a, float b)
{
return (a/b);
}
int main()
{
int x=5, y=2;
float n=5.0, m=2.0;
cout << operate(x,y) <<“\t”;
cout << operate (n,m);
return 0;
}
A) 10.0 5.0
B) 5.0 2.5
C) 10.0 5
D) 10 2.5
23. The following piece of script will output:
<? $email=’[email protected]’; $new=strstr($email, ‘@’ ; print $new; ?>
A) admin
B) admin@yeahhub
C) @yeahhub.com
D) Yeahhub.com
24. The memory address of the first element of an array is called
A) floor address
B) foundation address
C) first address
D) base address
25. Two dimensional arrays are also called
A) tables arrays
B) matrix arrays
C) both of above
D) none of above
26. How many steps are in the systems development life cycle (SDLC)?
A) 4
B) 5
C) 6
D) 10
27. A protocol is a set of rules governing a time sequence of events that must take place
A) between peers
B) between an interface
C) between modems
D) across an interface
28. In OSI network architecture, the dialogue control and token management are
responsibility of
A) session layer
B) network layer
C) transport layer
D) data link layer
E) none of above
29. Which of the following signal is not standard RS-232-C signal?
A) VDR
B) RTS
C) CTS
D) DSR
30. Microprocessor 8085 can address location upto
A) 32K
B) 128K
C) 64K
D) 1M
31. The main purpose of data protection act is to
A) Protect personal privacy
B) Prevent Viruses
C) Increase the security of computer systems
D) Reduce Project Failures
32. Which of the following is false for switch statement in C++?
A) It uses labels instead of blocks
B) We need to put break statement at the end of the group of statement of a
condition
C) We can put range for case such as case 1..3
D) None of above
33. To increase the value of c by one which of the following statement is wrong?
A) c++;
B) c = c + 1;
C) c + 1 => c;
D) c += 1
34. When following piece of code is executed, what happens?
b = 3;
a = b++;
A) a contains 3 and b contains 4
B) a contains 4 and b contains 4
C) a contains 4 and b contains 3
D) a contains 3 and b contains 3
35. Consider the following two pieces of codes and choose the best answer
Code 1:
switch (x) {
case 1:
cout <<”x is 1”;
break;
case 2:
cout <<”x is 2”;
break;
default:
cout <<”value of x unknown”;
}
Code 2:
If (x==1){
Cout <<”x is 1”;
}
Else if (x==2){
Cout << “x is 2”;
}
Else{
Cout <<”value of x unknown”;
}
A) Both of the above code fragments have the same behaviour
B) Both of the above code fragments produce different effects
C) The first code produces more results than second
D) The second code produces more results than first.

IT SECURITY:
Basic Principles of Information Security:
For over twenty years, information security has held confidentiality, integrity and availability (known as
the CIA triad) to be the core principles. There is continuous debate about extending this classic trio.
Other principles such as Authenticity, Non-repudiation and accountability are also now becoming key
considerations for practical security installations.
Confidentiality: Confidentiality is the term used to prevent the disclosure of information to unauthorized
individuals or systems. For example, a credit card transaction on the Internet requires the credit card
number to be transmitted from the buyer to the merchant and from the merchant to a transaction
processing network. The system attempts to enforce confidentiality by encrypting the card number
during transmission, by limiting the places where it might appear (in databases, log files, backups,
printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized
party obtains the card number in any way, a breach of confidentiality has occurred. Breaches of
confidentiality take many forms like Hacking, Phishing, Vishing, Email-spoofing, SMS spoofing, and
sending malicious code through email or Bot Networks, as discussed earlier.
Integrity: In information security, integrity means that data cannot be modified without authorization.
This is not the same thing as referential integrity in databases.
Integrity is violated when an employee accidentally or with malicious intent deletes important data files,
when he/she is able to modify his own salary in a payroll database, when an employee uses
programmes and deducts small amounts of money from all customer accounts and adds it to his/her
own account (also called salami technique), when an unauthorized user vandalizes a web site, and so
on.
On a larger scale, if an automated process is not written and tested correctly, bulk updates to a database
could alter data in an incorrect way, leaving the integrity of the data compromised. Information security
professionals are tasked with finding ways to implement controls that prevent errors of integrity.
Availability: For any information system to serve its purpose, the information must be available when it
is needed. This means that the computing systems used to store and process the information, the
security controls used to protect it, and the communication channels used to access it must be
functioning correctly. High availability systems aim to remain available at all times, preventing service
disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also
involves preventing denial-of-service (DoS) and distributed denial-of service (DDoS) attacks.
Authenticity: In computing, e-business and information security it is necessary to ensure that the data,
transactions, communications or documents (electronic or physical) are genuine. It is also important for
authenticity to validate that both parties involved are who they claim they are.
Non-repudiation: In law, non-repudiation implies one's intention to fulfill one’s obligations under a
contract / transaction. It also implies that a party to a transaction cannot deny having received or having
sent an electronic record. Electronic commerce uses technology such as digital signatures and
encryption to establish authenticity and non-repudiation.
In addition to the above, there are other security-related concepts and principles when designing a
security policy and deploying a security solution. They include identification, authorization,
accountability, and auditing.
Identification: Identification is the process by which a subject professes an identity and accountability is
initiated. A subject must provide an identity to a system to start the process of authentication,
authorization and accountability. Providing an identity can be typing in a username, swiping a smart
card, waving a proximity device, speaking a phrase, or positioning face, hand, or finger for a camera or
scanning device. Proving a process ID number also represents the identification process. Without an
identity, a system has no way to correlate an authentication factor with the subject.
Authorization: Once a subject is authenticated, access must be authorized. The process of authorization
ensures that the requested activity or access to an object is possible given the rights and privileges
assigned to the authenticated identity. In most cases, the system evaluates an access control matrix
that compares the subject, the object, and the intended activity. If the specific action is allowed, the
subject is authorized. Else, the subject is not authorized.
Accountability and auditability: An organization’s security policy can be properly enforced only if
accountability is maintained, i.e., security can be maintained only if subjects are held accountable for
their actions. Effective accountability relies upon the capability to prove a subject’s identity and track
their activities. Accountability is established by linking a human to the activities of an online identity
through the
security services and mechanisms of auditing, authorization, authentication, and identification. Thus,
human accountability is ultimately dependent on the strength of the authentication process. Without a
reasonably strong authentication process, there is doubt that the correct human associated with a
specific user account was the actual entity controlling that user account when an undesired action took
place.

Information and network security very important

Introduction:

Information and the knowledge based on it have increasingly become recognized as ‘information
assets’, which are vital enablers of business operations. Hence, they require organizations to provide
adequate levels of protection. For banks, as purveyors of money in physical form or in bits and bytes,
reliable information is even more critical and hence information security is a vital area of concern.

Robust information is at the heart of risk management processes in a bank. Inadequate data quality is
likely to induce errors in decision making. Data quality requires building processes, procedures and
disciplines for managing information and ensuring its integrity, accuracy, completeness and timeliness.
The fundamental attributes supporting data quality should include accuracy, integrity, consistency,
completeness, validity, timeliness, accessibility, usability and auditability. The data quality provided by
various applications depends on the quality and integrity of the data upon which that information is built.
Entities that treat information as a critical organizational asset are in a better position to manage it
proactively.
 Information security not only deals with information in various channels like spoken, written, printed,
electronic or any other medium but also information handling in terms of creation, viewing,
transportation, storage or destruction .This is in contrast to IT security which is mainly concerned with
security of information within the boundaries of the network infrastructure technology domain. From an
information security perspective, the nature and type of compromise is not as material as the fact that
security has been breached.

To achieve effective information security governance, bank management must establish and maintain
a framework to guide the development and maintenance of a comprehensive information security
programme.

Basic Principles of Information Security:

For over twenty years, information security has held confidentiality, integrity and availability (known as
the CIA triad) to be the core principles. There is continuous debate about extending this classic trio.
Other principles such as Authenticity, Non-repudiation and accountability are also now becoming key
considerations for practical security installations.

Confidentiality: Confidentiality is the term used to prevent the disclosure of information to unauthorized
individuals or systems. For example, a credit card transaction on the Internet requires the credit card
number to be transmitted from the buyer to the merchant and from the merchant to a transaction
processing network. The system attempts to enforce confidentiality by encrypting the card number
during transmission, by limiting the places where it might appear (in databases, log files, backups,
printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized
party obtains the card number in any way, a breach of confidentiality has occurred. Breaches of
confidentiality take many forms like Hacking, Phishing, Vishing, Email-spoofing, SMS spoofing, and
sending malicious code through email or Bot Networks, as discussed earlier.

Integrity: In information security, integrity means that data cannot be modified without authorization. This
is not the same thing as referential integrity in databases.
Integrity is violated when an employee accidentally or with malicious intent deletes important data files,
when he/she is able to modify his own salary in a payroll database, when an employee uses
programmes and deducts small amounts of money from all customer accounts and adds it to his/her
own account (also called salami technique), when an unauthorized user vandalizes a web site, and so
on.

On a larger scale, if an automated process is not written and tested correctly, bulk updates to a database
could alter data in an incorrect way, leaving the integrity of the data compromised. Information security
professionals are tasked with finding ways to implement controls that prevent errors of integrity.

Availability: For any information system to serve its purpose, the information must be available when it is
needed. This means that the computing systems used to store and process the information, the security
controls used to protect it, and the communication channels used to access it must be functioning
correctly. High availability systems aim to remain available at all times, preventing service disruptions
due to power outages, hardware failures, and system upgrades. Ensuring availability also involves
preventing denial-of-service (DoS) and distributed denial-of service (DDoS) attacks.

Authenticity: In computing, e-business and information security it is necessary to ensure that the data,
transactions, communications or documents (electronic or physical) are genuine. It is also important for
authenticity to validate that both parties involved are who they claim they are.

Non-repudiation: In law, non-repudiation implies one's intention to fulfill one’s obligations under a contract
/ transaction. It also implies that a party to a transaction cannot deny having received or having sent an
electronic record. Electronic commerce uses technology such as digital signatures and encryption to
establish authenticity and non-repudiation.

In addition to the above, there are other security-related concepts and principles when designing a
security policy and deploying a security solution. They include identification, authorization,
accountability, and auditing.
Identification: Identification is the process by which a subject professes an identity and accountability is
initiated. A subject must provide an identity to a system to start the process of authentication,
authorization and accountability. Providing an identity can be typing in a username, swiping a smart
card, waving a proximity device, speaking a phrase, or positioning face, hand, or finger for a camera or
scanning device. Proving a process ID number also represents the identification process. Without an
identity, a system has no way to correlate an authentication factor with the subject.

Authorization: Once a subject is authenticated, access must be authorized. The process of authorization
ensures that the requested activity or access to an object is possible given the rights and privileges
assigned to the authenticated identity. In most cases, the system evaluates an access control matrix
that compares the subject, the object, and the intended activity. If the specific action is allowed, the
subject is authorized. Else, the subject is not authorized.

Accountability and auditability: An organization’s security policy can be properly enforced only if
accountability is maintained, i.e., security can be maintained only if subjects are held accountable for
their actions. Effective accountability relies upon the capability to prove a subject’s identity and track
their activities. Accountability is established by linking a human to the activities of an online identity
through the

security services and mechanisms of auditing, authorization, authentication, and identification. Thus,
human accountability is ultimately dependent on the strength of the authentication process. Without a
reasonably strong authentication process, there is doubt that the correct human associated with a
specific user account was the actual entity controlling that user account when an undesired action took
place.

Information Security Governance

Information security governance consists of the leadership, organizational structures and processes
that protect information and mitigation of growing information security threats like the ones detailed
above.

Critical outcomes of information security governance include:

Alignment of information security with business strategy to support organizational objectives

Management and mitigation of risks and reduction of potential impacts on information resources to an
acceptable level

Management of performance of information security by measuring, monitoring and reporting information

security governance metrics to ensure that organizational objectives are achieved
Optimisation of information security investments in support of organizational objectives

It is important to consider the organisational necessity and benefits of information security governance.
They include increased predictability and the reduction of uncertainty in business operations, a level of
assurance that critical decisions are not based on faulty information, enabling efficient and effective risk
management, protection from the increasing potential for legal liability, process improvement, reduced
losses from security-related events and prevention of catastrophic consequences and improved
reputation in the market and among customers.

A comprehensive security programme needs to include the following main activities:

Development and ongoing maintenance of security policies

Assignment of roles, responsibilities and accountability for information security
Development/maintenance of a security and control framework that consists of standards, measures,
practices and procedures
Classification and assignment of ownership of information assets
Periodic risk assessments and ensuring adequate, effective and tested controls for people, processes and
technology to enhance information security
Ensuring security is integral to all organizational processes
Processes to monitor security incidents
Effective identity and access management processes
Generation of meaningful metrics of security performance
Information security related awareness sessions to users/officials including senior officials and board
members

Organizational Structure, Roles and Responsibilities:

Boards of Directors/Senior Management

The Board of Directors is ultimately responsible for information security. Senior Management is
responsible for understanding risks to the bank to ensure that they are adequately addressed from a
governance perspective. To do so effectively requires managing risks, including information security
risks, by integrating information security governance in the
overall enterprise governance framework of the organization. It is reported that the effectiveness of
information security governance is dependent on the involvement of the Board/senior management in
approving policy and appropriate monitoring of the information security function.

The major role of top management involves implementing the Board approved information security
policy, establishing necessary organizational processes for information security and providing
necessary resources for successful information security. It is essential that senior management
establish an expectation for strong cyber security and communicate this to their officials down the line.
It is also essential that the senior organizational leadership establish a structure for implementation of
an information security programme to enable a consistent and effective information security programme
implementation apart from ensuring the accountability of individuals for their performance as it relates
to cyber security.

Given that today’s banking is largely dependent on IT systems and since most of the internal processing
requirements of banks are electronic, it is essential that adequate security systems are fully integrated
into the IT systems of banks. It would be optimal to classify these based on the risk analysis of the
various systems in each bank and specific risk mitigation strategies need to be in place.

Information security team/function

Banks should form a separate information security function/group to focus exclusively on information
security management. There should be segregation of the duties of the Security Officer/Group dealing
exclusively with information systems security and the Information Technology Division which actually
implements the computer systems. The organization of the information security function should be
commensurate with the nature and size of activities of a bank including a variety of e-banking systems
and delivery channels of a bank. The information security function should be adequately resourced in
terms of the number of staff, level of skills and tools or techniques like risk assessment, security
architecture, vulnerability assessment, forensic assessment, etc. While the information security
group/function itself and information security governance related structures should not be outsourced,
specific operational components relating to information security can be outsourced, if required
resources are not available within a bank. However, the ultimate control and responsibility rests with
the bank.

Information Security Committee

Since information security affects all aspects of an organization, in order to consider information security
from a bank -wide perspective a steering committee of executives should be formed with formal terms
of reference. The Chief Information Security Officer would be the member secretary of the Committee.
The committee may include, among others, the Chief Executive Officer (CEO) or designee, chief
financial officer (CFO), business unit executives, Chief Information Officer (CIO)/ IT Head, Heads of
human resources, legal, risk management, audit, operations and public relations.
 A steering committee serves as an effective communication channel for management’s aims and
directions and provides an ongoing basis for ensuring alignment of the security programme with
organizational objectives. It is also instrumental in achieving behavior change toward a culture that
promotes good security practices and compliance with policies.

Major responsibilities of the Information Security Committee, inter-alia, include:

Developing and facilitating the implementation of information security policies, standards and procedures
to ensure that all identified risks are managed within a bank’s risk appetite

Approving and monitoring major information security projects and the status of information security plans
and budgets, establishing priorities, approving standards and procedures

Supporting the development and implementation of a bank-wide information security management

programme
Reviewing the position of security incidents and various information security assessments and monitoring
activities across the bank
Reviewing the status of security awareness programmes
Assessing new developments or issues relating to information security
Reporting to the Board of Directors on information security activities
Minutes of the Steering Committee meetings should be maintained to document the committee’s
activities and decisions and a review on information security needs to be escalated to the Board on a
quarterly basis.

Chief information security officer (CISO)

A sufficiently senior level official, of the rank of GM/DGM/AGM, should be designated as Chief
Information Security Officer, responsible for articulating and enforcing the policies that banks use to
protect their information assets apart from coordinating the security related issues / implementation
within the organization as well as relevant external agencies. The CISO needs to report directly to the
Head of Risk Management and should not have a direct reporting relationship with the CIO. However,
the CISO may have a working relationship with the CIO to develop the required rapport to understand
the IT infrastructure and operations, to build effective security in IT across the bank, in tune with
business requirements and objectives.

Critical components of information security:

Policies and procedures:

Banks need to frame Board approved Information Security Policy and identify and implement appropriate
information security management measures/practices keeping in view their business needs.
The policies need to be supported with relevant standards, guidelines and procedures. A policy framework
would, inter-alia, incorporate/take into consideration the following:

An information security strategy that is aligned with business objectives and the legal requirements
Objectives, scope, ownership and responsibility for the policy
Information security organisational structure
Information security roles and responsibilities that may include information
security-specific roles like IT security manager/officer, administrators, information security specialists
and information asset-specific roles like owners, custodians, end-users

̀⠀⤀ĀᜀĀ Periodic reviews of the policy – at least annually and in the event of significant changes
necessitating revision

̀⠀⤀ĀᜀĀ A periodic compliance review of the policy – about the adherence of users to information security
policies and put up to the information security committee.
̀⠀⤀ĀᜀĀ Exceptions: An exception policy for handling instances of non-compliance with the information
security policy including critical aspects like exception criteria including whether there is genuine need
for exceptions, management of the exception log or register, authority to grant exemptions, expiry of
 exceptions and the periodicity of review of exceptions granted. Where exemptions are granted, banks
need to review and assess the adequacy of compensating controls initially and on an ongoing basis. A
sign -off needs to be obtained from the CISO on the exceptions

Penal measures for violation of policies and the process to be followed in the event of violation

Identification, authorisation and granting of access to IT assets (by individuals and other IT assets)

Addressing the various stages of an IT asset’s life to ensure that information security requirements are
considered at each stage of the lifecycle
An incident monitoring and management process to address the identification and classification of
incidents, reporting, escalation, preservation of evidence, the investigation process

Management of technology solutions for information security like a firewall, anti-virus/anti-malware

software, intrusion detection/prevention systems, cryptographic systems and monitoring/log analysis
tools/techniques
Management and monitoring of service providers that provides for overseeing the management of
information security risks by third parties

Clearly indicating acceptable usage of IT assets including application systems that define the information
security responsibilities of users (staff, service providers and customers) in regard to the use of IT
assets
Requirements relating to recruitment and selection of qualified staff and external contractors that define
the framework for vetting and monitoring of personnel, taking into account the information security risk

Strategy for periodic training and enhancing skills of information security personnel, requirement of
continuous professional education
Specific policies that would be required include, but not limited to, the following:
Logical Access Control
Asset Management
Network Access Control
Password management
E-mail security
Remote access
Mobile computing
Network security
Application security
Backup and archival
Operating system security
Database administration and security
Physical security
Capacity Management
Incident response and management
Malicious software
IT asset/media management
Change Management
Patch Management
Internet security
Desktop
Encryption
Security of electronic delivery channels

Wireless security
Application/data migration

Accountability for security is increased through clear job descriptions, employment agreements and policy
awareness acknowledgements. It is important to communicate the general and specific security roles
and responsibilities for all employees within their job descriptions. The job descriptions for security
personnel should also clearly describe the systems and processes they will protect and their
 responsibility towards control processes. Management should expect all employees, officers and
contractors/consultants to comply with security and acceptable-use policies and protect the institution’s
assets, including information.

Given the critical role of security technologies as part of the information security framework, banks need to
subject them to suitable controls across their lifecycle like guidelines on their usage, standards and
procedures indicating the detailed objectives and requirements of individual information security-
specific technology solutions, authorisation for individuals who would be handling the technology,
addressing segregation of duties issues, appropriate configurations of the devices that provide the best
possible security, regularly assessing their effectiveness and fine-tuning them accordingly, and
identification of any unauthorised changes.

Digital evidence is similar to any other form of legal proof - it needs to withstand challenges to its integrity,
its handling must be carefully tracked and documented, and it must be suitably authenticated by
concerned personnel as per legal requirements. Since the evidence resides on or is generated by a
digital device, a trained information security official or skilled digital forensics examiner may need to be
involved in the handling process to ensure that any material facts is properly preserved and introduced.
A suitable policy needs to be in place in this regard.

Risk Assessment

The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a
vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss
of availability, integrity and confidentiality, and possibly other losses (lost income, loss of life, loss of
property).
Risk assessment is the core competence of information security management. The risk assessment must,
for each asset within its scope, identify the threat/vulnerability combinations that have a likelihood of
impacting the confidentiality, availability or integrity of that asset - from a business, compliance or
contractual perspective. Standards like ISO27001 and ISO 27002 are explicit in requiring a risk
assessment to be carried out before any controls are selected and implemented and are equally explicit
that the selection of every control must be justified by a risk assessment.
In broad terms, the risk management process consists of:
Identification of assets and estimation of their value. Some aspects to be included are people, buildings,
hardware, software, data (electronic, print) and supplies
Conducting a threat assessment which may include aspects like acts of nature, acts of war, accidents,
malicious acts originating from inside or outside the organization

Conducting a vulnerability assessment for each vulnerability and calculating the probability that it will be
exploited. Evaluating policies, procedures, standards, training, physical security, quality control and
technical security in this regard

Calculating the impact that each threat would have on each asset through qualitative or quantitative
analysis
Identifying, selecting and implementing appropriate controls. Providing proportional response including
considerations like productivity, cost effectiveness, and the value of the asset

Evaluating the effectiveness of the control measures. Ensuring the controls provide the required cost-
effective protection.

The process of risk management is an ongoing iterative process. The business environment is constantly
changing and new threats and vulnerabilities emerge every day. The choice of countermeasures or
controls used to manage risks must strike a balance between productivity, cost-effectiveness of the
countermeasure and the value
of the informational asset being protected. The risk assessment should be carried out by a team of
people who have knowledge of specific areas of the business. The assessment may use a subjective
qualitative analysis based on informed opinion, or where reliable figures and historical information is
available, quantitative analysis.
Quantitative methods involve assigning numerical measurements that can be entered into the analysis to
determine total and residual risks. The various aspects that are considered a part of measurements
include costs to safeguard the information and information systems, value of that information and those
systems, threat frequency and probability, and the effectiveness of controls. A shortcoming of
quantitative methods is a lack of reliable and predictive data on threat frequency and probability. This
shortcoming is generally addressed by assigning numeric values based on qualitative judgments.

Qualitative analysis involves the use of scenarios and attempts to determine the seriousness of threats and
the effectiveness of controls. Qualitative analysis is by definition subjective, relying upon judgment,
knowledge, prior experience and industry information. Qualitative techniques may include walk-
throughs, surveys/questionnaires, interviews and specific workgroups to obtain information about the
various scenarios.

Inventory and information/data classification

Effective control requires a detailed inventory of information assets. Such a list is the first step in
classifying the assets and determining the level of protection to be provided to each asset.

The inventory record of each information asset should, at the least, include:

A clear and distinct identification of the asset

Its relative value to the organization

Its location
Its security/risk classification
Its asset group (where the asset forms part of a larger information system)
Its owner
Its designated custodian

Information assets have varying degrees of sensitivity and criticality in meeting business objectives. By
assigning classes or levels of sensitivity and criticality to information resources and establishing specific
security rules/requirements for each class, it is possible to define the level of access controls that should
be applied to each information asset. Classification of information reduces the risk and cost of over- or
under - protecting information resources in aligning security with business objectives since it helps to
build and maintain a consistent and uniform perspective of the security requirements for information
assets throughout the organization. ISO 27001 standards require the inventorying of information assets
and the classification, handling and labelling of information in accordance with preset guidelines.

Defining roles and responsibilities

All defined and documented responsibilities and accountabilities must be established and
communicated to all relevant personnel and management. Some of the major ones include:

Information owner

This is a business executive or business manager who is responsible for a bank’s business information
asset. Responsibilities would include, but not be limited to:
Assigning initial information classification and periodically reviewing the classification to ensure it still meets
business needs
Ensuring security controls are in place commensurate with the classification

Reviewing and ensuring currency of the access rights associated with information assets they own

Determining security requirements, access criteria and backup requirements for the information assets they
own

Information custodian
 The information custodian, usually an information systems official, is the delegate of the information
owner with primary responsibilities for dealing with backup and recovery of the business information.
Responsibilities include, but are not limited to, the following:

Performing backups according to the backup requirements established by the information owner
When necessary, restoring lost or corrupted information from backup media to return the application to
production status

Ensuring record retention requirements are met based on the information owner’s requirements

Application owner

The application owner is the manager of the business line who is fully accountable for the performance
of the business function served by the application. Responsibilities, inter-alia, include:

Establishing user access criteria, availability requirements and audit trails for their applications
Ensuring security controls associated with the application are commensurate with support for the highest
level of information classification used by the application

Performing or delegating the following - day-to-day security administration, approval of exception access
requests, appropriate actions on security violations when notified by the security administration, the
review and approval of all changes to the application prior to being placed in the production
environment, and verification of the currency of user access rights to the application

User manager

The user manager is the immediate manager or supervisor of an employee or HR official of the business
function in which an employee works. He has the ultimate responsibility for all user IDs and information
assets owned by bank employees. In the case of non employee individuals such as contractors,
consultants, etc., this manager is responsible for the activity and for the bank assets used by these
individuals. He/she is usually the manager responsible for hiring the outside contractor. Responsibilities
include the following:
Informing security administration of the termination of any employee so that the user ID owned by that
individual can be revoked, suspended or made inaccessible in a timely manner

Informing security administration of the transfer of any employee if the transfer involves the change of
access rights or privileges

Reporting any security incident or suspected incident to the Information Security function
Ensuring that employees are aware of relevant security policies, procedures and standards to which they
are accountable

Security Administrator

Security administrators have the powers to set system-wide security controls or administer user IDs
and information resource access rights. These security administrators usually report to the Information
Security function. Responsibilities include the following:
Understanding different data environments and the impact of granting access to them

Ensuring access requests are consistent with the information directions and security guidelines
Administering access rights according to criteria established by the Information Owners

Creating and removing user IDs as directed by the user manager

Administering the system within the scope of their job description and functional responsibilities

Distributing and following up on security violation reports

End user
 The end users would be any employees, contractors or vendors of the bank who use information
systems resources as part of their job. Responsibilities include :
Maintaining confidentiality of log-in password(s)
Ensuring security of information entrusted to their care

Using bank business assets and information resources for management approved purposes only

Adhering to all information security policies, procedures, standards and guidelines

Promptly reporting security incidents to management.

Access Control

An effective process for access to information assets is one of the critical requirements of information
security. Internal sabotage, clandestine espionage or furtive attacks by trusted employees, contractors
and vendors are among the most serious potential risks that a bank faces. Current and past employees,
contractors, vendors and those who have an intimate knowledge of the inner workings of the bank’s
systems, operations and internal controls have a significant advantage over external attackers. A
successful attack could jeopardise customer confidence in a bank’s internal control systems and
processes.

Hence, access to information assets needs to be authorised by a bank only where a valid business need
exists and only for the specific time period that the access is required. The various factors that need to
be considered when authorising access to users and information assets, inter-alia, include business
role, physical location, method of connectivity, remote access, time, anti-malware and patch updation
status, nature of device used and software /operating system.
The provision of access involves various stages like identification and authentication which involves
determination of the person or IT asset requesting access and confirmation of the purported identity
and authorisation. This involves an assessment of whether access is allowed to an information asset
by the request or based on the needs of the business and the level of information security required.
These processes are applicable to both users as well as IT assets.
A bank should take appropriate measures to identify and authenticate users or IT assets. The required
strength of authentication needs to be commensurate with risk. Common techniques for increasing the
strength of identification and authentication include the use of strong password techniques (i.e.
increased length, complexity, re-use limitations and frequency of change) and increasing the number
and/or type of authentication factors used.
The examples where increased authentication strength may be required, given the risks involved include :
administration or other privileged access to sensitive or critical IT assets, remote access through public
networks to sensitive assets and activities carrying higher risk like third-party fund transfers, etc. The
period for which authentication is valid would need to be commensurate with the risk.
Among the important controls that banks need to consider are:
A systematic process of applying and authorizing the creation of user ids and the access control matrix

Conducting a risk assessment and granting access rights based on the same. For example, contractors
and temporary staff would have higher inherent risks

Implementation of role-based access control policies designed to ensure effective segregation of duties
Changing default user names and/or passwords of systems and prohibiting sharing of user ids and
passwords including generic accounts

Modification of access rights whenever there is a change in role or responsibility and removal of access
rights on cessation of employment
Processes to notify in a timely manner the information security function regarding user additions, deletions
and role changes
Periodic reconciliation of user ids in a system and actual users required to have access and deletion of
unnecessary ids, if any

Audit of logging and monitoring of access to IT assets by all users

Regular reviews of user access by information asset owners to ensure appropriate access is maintained
 Applying the four-eyes principle to very critical/sensitive IT assets
Considering de-activating user ids of users of critical applications who are on prolonged leave
(vii) Banks may consider using automated solutions to enable effective access control and management of
user ids. Such solutions should also be managed effectively to ensure robust access management.

For accountability purposes, a bank should ensure that users and IT assets are uniquely identified and
their actions are auditable.

Transaction processes and systems should be designed to ensure that no single employee/outsourced
service provider could enter, authorize and complete a transaction.
Segregation should be maintained between those initiating static data (including web page content) and
those responsible for verifying its integrity. Further, segregation should be maintained between those
developing and those administering e-banking systems.

E-banking systems should be tested to ensure that segregation of duties cannot be bypassed.
Mutual authentication system may be considered. Mutual Authentication, also called two-way
authentication, is a security feature in which a client process must prove his identity to a server, and the
server must prove its identity to the client, before any application traffic is sent over the client-to-server
connection. Identity can be proved through a trusted third party and use of shared secrets or through
cryptographic means as with a public key infrastructure. For e.g., with the mutual authentication
implemented, a connection can occur only when the client trusts the server's digital certificate and the
server trusts the client's certificate. The exchange of certificates will happen through special protocols
like the Transport Layer Security (TLS) protocol. This process reduces the risk that an unsuspecting
network user will inadvertently reveal security information to a malicious or insecure web site.

System administrators, security officers, programmers and staff performing critical operations invariably
possess the capability to inflict severe damage on the banking systems they maintain or operate by
virtue of their job functions and privileged access. Personnel with elevated system access entitlements
should be closely supervised with all their systems activities logged, as they have inside knowledge and
the resources to circumvent systems controls and security procedures. Some of the control and security
practices enumerated below needs to be considered:

Implementing two-factor authentication for privileged users

Instituting strong controls over remote access by privileged users
Restricting the number of privileged users

Granting privileged access on a “need-to-have” or “need-to-do” basis

Maintaining audit logging of system activities performed by privileged users
Ensuring that privileged users do not have access to systems logs in which their activities are being captured
Conducting regular audit or management review of the logs
Prohibiting sharing of privileged IDs and their access codes
Disallowing vendors and contractors from gaining privileged access to systems without close supervision
and monitoring

Protecting backup data from unauthorized access.

Information security and information asset life-cycle

Information security needs to be considered at all stages of an information asset’s life-cycle like planning,
design, acquisition and implementation, maintenance and disposal. Banks need to apply systematic
project management oriented techniques to manage material changes during these stages and to
ensure that information security requirements have been adequately addressed.
Planning and design level controls need to be in place to ensure that information security is embodied in
the overall information systems architecture and the implemented solutions are in compliance with the
information security policies and requirements of a bank.

Ongoing support and maintenance controls would be needed to ensure that IT assets continue to meet
business objectives. Major controls in this regard include change management controls to ensure that
the business objectives continue to be met following change; configuration management controls to
ensure that the configuration minimises vulnerabilities and is defined, assessed, maintained and
 managed; deployment and environment controls to ensure that development, test and production
environments are appropriately segregated; and patch management controls to manage the
assessment and application of patches to software that addresses known vulnerabilities in a timely
manner

The other relevant controls include service level management, vendor management, capacity management
and configuration management which are described in later chapters. Decommissioning and
destruction controls need to be used to ensure that information security is not compromised as IT assets
reach the end of their useful life. (for example, through archiving strategies and deletion of sensitive
information prior to the disposal of IT assets.)

Personnel security

Application owners grant legitimate users access to systems that are necessary to perform their duties and
security personnel enforce the access rights in accordance with institution standards. Because of their
internal access levels and intimate knowledge of financial institution processes, authorized users pose
a potential threat to systems and data. Employees, contractors, or third-party employees can also
exploit their legitimate computer access for malicious or fraudulent reasons. Further, the degree of
internal access granted to some users can increase the risk of accidental damage or loss of information
and systems.

Risk exposures from internal users include altering data, deleting production and back-up data,
disrupting/destroying systems, misusing systems for personal gain or to damage the institution, holding
data hostage and stealing strategic or customer data for espionage or fraud schemes.

Banks should have a process to verify job application information on all new employees. Additional
background and credit checks may be warranted based on the sensitivity of a particular job or access
level. Personnel with privileged access like administrators, cyber security personnel, etc. should be
subjected to rigorous
background checks and screening. Institutions should verify that contractors are subject to similar
screening procedures. The verification considerations would include:

Character references – business and personal

Confirmation of prior experience, academic record, and professional qualifications
Confirmation of identity through a government issued identification
There also needs to be a periodic rotation of duties among users or personnel as a prudent risk measure.

Physical security

The confidentiality, integrity, and availability of information can be impaired through physical access and
damage or destruction to physical components. Conceptually, those physical security risks are
mitigated through zone-oriented implementations. Zones are physical areas with differing physical
security requirements. The security requirements of each zone are a function of the sensitivity of the
data contained or accessible through the zone and the information technology components in the zone.

The requirements for each zone should be determined through the risk assessment. The risk assessment
should include, but is not limited to, threats like aircraft crashes, chemical effects, dust, electrical supply
interference, electromagnetic radiation, explosives, fire, smoke, theft/destruction, vibration/earthquake,
water, criminals, terrorism, political issues (e.g. strikes, disruptions) and other threats based on the
entity’s unique geographical location, building configuration, neighboring environment/entities, etc.
A bank needs to deploy the following environmental controls:
Secure location of critical assets providing protection from natural and man-made threats

Restrict access to sensitive areas like data centres, which also includes detailed procedures for
handling access by staff, third party providers and visitors
Suitable preventive mechanisms for various threats indicated above
Monitoring mechanisms for the detection of compromises of environmental controls relating to
temperature, water, smoke, access alarms, service availability alerts (power supply,
telecommunication, servers), access log reviews etc
User Training and Awareness

It is acknowledged that the human link is the weakest link in the information security chain. Hence, there
is a vital need for an initial and ongoing training and information security awareness programme. The
programme may be periodically updated keeping in view changes in information security,
threats/vulnerabilities and/or the bank’s information security framework. There needs to be a
mechanism to track the effectiveness of training programmes through an assessment/testing process
designed on testing the understanding of the relevant information security policies, not only initially but
also on a periodic basis. At any point of time, a bank needs to maintain an updated status on user
training and awareness relating to information security and the matter needs to be an important agenda
item during Information Security Committee meetings.

Some of the areas that could be incorporated as part of the user awareness programme include:

Relevant information security policies/procedures

Acceptable and appropriate usage of IT assets

Access controls including standards relating to passwords and other authentication requirements

Measures relating to proper email usage and internet usage

Physical protection
Remote computing and use of mobile devices
Safe handling of sensitive data/information
Being wary of social engineering attempts to part with confidential details
Prompt reporting of any security incidents and concerns

Incident management

Incident management is defined as the process of developing and maintaining the capability to manage
incidents within a bank so that exposure is contained and recovery achieved within a specified time
objective. Incidents can include the misuse of computing assets, information disclosure or events that
threaten the continuance of business processes.

Major activities that need to be considered as part of the incident management framework include:

Developing and implementing processes for preventing, detecting, analyzing and responding to information
security incidents
Establishing escalation and communication processes and lines of authority
Developing plans to respond to and document information security incidents
Establishing the capability to investigate information security incidents through various modes like
forensics, evidence collection and preservation, log analysis, interviewing, etc.

Developing a process to communicate with internal parties and external organizations (e.g., regulator,
media, law enforcement, customers)
Integrating information security incident response plans with the organization’s disaster recovery and
business continuity plan
Organizing, training and equipping teams to respond to information security incidents

Periodically testing and refining information security incident response plans

Conducting post-mortem analysis and reviews to identify causes of information security incidents,
developing corrective actions and reassessing risk, and adjusting controls suitably to reduce the related
risks in the future

Common incident types include, but not limited to, outages/degradation of services due to hardware,
software or capacity issues, unauthorised access to systems, identity theft, data leakage/loss, malicious
software and hardware, failed backup processes, denial of service attacks and data integrity issues.

A bank needs to have clear accountability and communication strategies to limit the impact of information
security incidents through defined mechanisms for escalation and reporting to the Board and senior
 management and customer communication, where appropriate. Incident management strategies would
also typically assist in compliance with regulatory requirements. Institutions would also need to pro-
actively notify CERT-In/IDRBT/RBI regarding cyber security incidents.

All security incidents or violations of security policies should be brought to the notice of the CISO.

Application Control and Security:

Financial institutions have different types of applications like the core banking system, delivery
channels like ATMs, internet banking, mobile banking, phone banking, network operating systems,
databases, enterprise resource management (ERP) systems, customer relationship management
(CRM) systems, etc., all used for different business purposes. Then these institutions have partners,
contractors, consultants, employees and temporary employees. Users usually access several different
types of systems throughout their daily tasks, which makes controlling access and providing the
necessary level of protection on different data types difficult and full of obstacles. This complexity may
result in unforeseen and unidentified holes in the protection of the entire infrastructure including
overlapping and contradictory controls, and policy and regulatory noncompliance.

There are well-known information systems security issues associated with applications software,
whether the software is developed internally or acquired from an external source .Attackers can
potentially use many different paths through the application to do harm to the business. Each of these
paths represents a risk that may or may not be serious enough to warrant attention. Sometimes, these
paths are easy to find and exploit and sometimes they are extremely difficult. Similarly, the harm that is
caused may range from minor to major. To determine the risk to itself, a bank can evaluate the likelihood
associated with the threat agent, attack vector, and security weakness and combine it with an estimate
of the technical and business impact to the organization. Together, these factors determine the overall
risk.

The following are the important Application control and risk mitigation measures that need to be
implemented by banks:
Each application should have an owner which will typically be the concerned business function that uses
the application
Some of the roles of application owners include:
Prioritizing any changes to be made to the application and authorizing the changes

Deciding on data classification/de-classification and archival/purging procedures for the data pertaining to
an application as per relevant policies/regulatory/statutory requirements
Ensuring that adequate controls are built into the application through active involvement in the application
design, development, testing and change process

Ensuring that the application meets the business/functional needs of the users
Ensuring that the information security function has reviewed the security of the application

Taking decisions on any new applications to be acquired / developed or any old applications to be discarded
Informing the information security team regarding purchase of an application and assessing the application
based on the security policy requirements
Ensuring that the Change Management process is followed for any changes in application

Ensuring that the new applications being purchased/developed follow the Information Security policy
Ensuring that logs or audit trails, as required, are enabled and monitored for the applications
All application systems need to be tested before implementation in a robust manner regarding controls to
ensure that they satisfy business policies/rules of the bank and regulatory and legal
prescriptions/requirements. Robust controls need to be built into the system and reliance on any manual
controls needs to be minimized. Before the system is live, there should be clarity on the audit trails and
the specific fields that are required to be captured as part of audit trails and an audit trail or log
monitoring process including personnel responsible for the same.

A bank needs to incorporate information security at all stages of software development. This would assist
in improving software quality and minimizing exposure to vulnerabilities. Besides business
functionalities, security requirements relating to system access control, authentication, transaction
authorization, data integrity, system activity logging, audit trail, security event tracking and exception
handling are required to be clearly specified at the initial stages of system development/acquisition. A
compliance check against the bank’s security standards and regulatory/statutory requirements would
also be required.

All application systems need to have audit trails along with policy/procedure of log monitoring for such
systems including the clear allocation of responsibility in this regard. Every application affecting
critical/sensitive information, for example, impacting financial, customer, control, regulatory and legal
aspects, must provide for detailed audit trails/ logging capability with details like transaction id, date,
time, originator id, authorizer id, actions undertaken by a given user id, etc. Other details like logging
the IP address of the client machine, terminal identity or location may also be considered.

Applications must also provide for, inter-alia, logging unsuccessful logon attempts, access to sensitive
options in the application, e.g., master record changes, granting of access rights, use of system utilities,
changes in system configuration, etc.
The audit trails need to be stored as per a defined period as per any internal/regulatory/statutory
requirements and it should be ensured that they are not tampered with.

There should be documented standards/procedures for administering the application, which are approved
by the application owner and kept up-to-date.
The development, test and production environments need to be properly segregated.

Access should be based on the principle of least privilege and “need to know” commensurate with the job
responsibilities. Adequate segregation of duties needs to be enforced.
There should be controls on updating key ‘static’ business information like customer master files, parameter
changes, etc.

Any changes to an application system/data need to be justified by genuine business need and approvals
supported by documentation and subjected to a robust change management process. The change
management would involve generating a request, risk assessment, authorization from an appropriate
authority, implementation, testing and verification of the change done.

Potential security weaknesses / breaches (for example, as a result of analyzing user behaviour or patterns
of network traffic) should be identified.

There should be measures to reduce the risk of theft, fraud, error and unauthorized changes to information
through measures like supervision of activities and segregation of duties.
Applications must not allow unauthorized entries to be updated in the database. Similarly, applications
must not allow any modifications to be made after an entry is authorized. Any subsequent changes
must be made only by reversing the original authorized entry and passing a fresh entry.

Direct back-end updates to database should not be allowed except during exigencies, with a clear business
need and after due authorization as per the relevant policy.

Access to the database prompt must be restricted only to the database administrator.
Robust input validation controls, processing and output controls needs to be built in to the application.
There should be a procedure in place to reduce the reliance on a few key individuals.

Alerts regarding use of the same machine for both maker and checker transactions need to be considered.
There should be a proper linkage between a change request and the corresponding action taken. For
example, the specific accounting head or code which was created as a result of a specific request
should be established clearly.

Error / exception reports and logs need to be reviewed and any issues need to be remedied /addressed at
the earliest.
Critical functions or applications dealing with financial, regulatory and legal, MIS and risk
assessment/management, (for example, calculation of capital adequacy, ALM, calculating VaR, risk
weighted assets, NPA classification and provisioning, balance sheet compilation, AML system,
revaluation of foreign currency balances, computation of MTM gains / losses, etc.,) needs to be done
through proper application systems and not manually or in a semi-automated manner through
spreadsheets. These pose risks relating to data integrity and reliability. Use of spreadsheets in this
regard should be restricted and should be replaced by appropriate IT applications within a definite time-
frame in a phased manner.
Banks may obtain application integrity statements in writing from the application system vendors providing
for reasonable level of assurance about the application being free of malware at the time of sale, free
of any obvious bugs, and free of any covert channels in the code (of the version of the application being
delivered as well as any subsequent versions/modifications done).
For all critical applications, either the source code must be received from the vendor or a software escrow
agreement should be in place with a third party to ensure source code availability in the event the vendor
goes out of business. It needs to be ensured that product updates and programme fixes are also
included in the escrow agreement.
Applications should be configured to logout the users after a specific period of inactivity. The application
must ensure rollover of incomplete transactions and otherwise ensure integrity of data in case of a log
out.

There should be suitable interface controls in place. Data transfer from one process to another or from one
application to another, particularly for critical systems, should not have any manual intervention in order
to prevent any unauthorized modification. The process needs to be automated and properly integrated
with due authentication mechanism and audit trails by enabling “Straight Through Processing” between
applications or from data sources to replace any manual intervention/semi-automated processes like
extracting data in text files and uploading to the target system, importing to a spreadsheet, etc. Further,
proper validations and reconciliation of data needs to be carried out between relevant
interfaces/applications across the bank. The bank needs to suitably integrate the systems and
applications, as required, to enhance data integrity and reliability.
Multi-tier application architecture needs to be considered for relevant critical systems like internet banking
systems which differentiate session control,

presentation logic, server side input validation, business logic and database access.

In the event of data pertaining to Indian operations being stored and/or processed abroad, for example, by
foreign banks, there needs to be suitable controls like segregation of data and strict access controls
based on ‘need to know’ and robust change controls. The bank should be in a position to adequately
prove the same to the regulator. Regulator’s access to such data/records and other relevant information
should not be impeded in any manner and RBI would have the right to cause an inspection to be made
of the processing centre/data centre and its books and accounts by one or more of its officers or
employees or other persons.

An application security review/testing, initially and during major changes, needs to be conducted using a
combination of source code review, stress loading, exception testing and compliance review to identify
insecure coding techniques and systems vulnerabilities to a reasonable extent.

Critical application system logs/audit trails also need to be backed up as part of the application backup
policy.
Robust System Security Testing, in respect of critical e-banking systems, needs to incorporate, inter-alia,
specifications relating to information leakage, business logic, authentication, authorization, input data
validation, exception/error handling, session management, cryptography and detailed logging, as
relevant. These need to be carried out atleast on annual basis.

Migration controls:
There needs to be a documented Migration Policy indicating the requirement of road-map / migration plan
/ methodology for data migration (which includes verification of completeness, consistency and integrity
of the migration activity and pre and post migration activities along with responsibilities and timelines
for completion of same). Explicit sign offs from users/application owners need to be obtained after each
stage of migration and after complete migration process. Audit trails need to be available to document
the conversion, including data mappings and transformations.
The key aspects that are required to be considered include:

a. Integrity of data— indicating that the data is not altered manually or electronically by a person,
programme, substitution or overwriting in the new system. Integrity thus, includes error creep due to
factors like transposition, transcription, etc.

Completeness— ensuring that the total number of records from the source database is transferred to the
new database (assuming the number of fields is the same)
Confidentiality of data under conversion—ensuring that data is backed up before migration for future
reference or any emergency that might arise out of the data migration process

Consistency of data— the field/record called for from the new application should be consistent with that of
the original application. This should enable consistency in repeatability of the testing exercise
Continuity—the new application should be able to continue with newer records as addition (or appendage)
and help in ensuring seamless business continuity

It is a good practice that the last copy of the data before conversion from the old platform and the first copy
of the data after conversion to the new platform are maintained separately in the archive for any future
reference.

The error logs pertaining to the pre-migration/ migration/ post migration period along with root cause
analysis and action taken need to be available for review.

Banks may need to migrate the complete transaction data and audit trails from the old system to the new
system. Else, banks should have the capability to access the older transactional data and piece together
the transaction trail between older and newer systems, to satisfy any supervisory/legal requirements
that may arise.

Implementation of new technologies:

Banks need to carry out due diligence with regard to new technologies since they can potentially introduce
additional risk exposures. A bank needs to authorise the large scale use and deployment in production
environment of technologies that have matured to a state where there is a generally agreed set of
industry-accepted controls and robust diligence and testing has been carried out to ascertain the
security issues of the technology or where compensating controls are sufficient to prevent significant
impact and to comply with the institution’s risk appetite and regulatory expectations.

Any new business products introduced along with the underlying information systems need to be assessed
as part of a formal product approval process which incorporates, inter-alia, security related aspects and
fulfilment of relevant legal and regulatory prescriptions. A bank needs to develop an authorisation
process involving a risk assessment balancing the benefits of the new technology with the risk.

Encryption

Encryption Types:

Symmetric encryption is the use of the same key and algorithm by the creator and reader of a file or
message. The creator uses the key and algorithm to encrypt, and the reader uses both to decrypt.
Symmetric encryption relies on the secrecy of the key. If the key is captured by an attacker, either when
it is exchanged between the communicating parties, or while one of the parties uses or stores the key,
the attacker can use the key and the algorithm to decrypt messages or to masquerade as a message
creator.
 Asymmetric encryption lessens the risk of key exposure by using two mathematically related keys, the
private key and the public key. When one key is used to encrypt, only the other key can decrypt.
Therefore, only one key (the private key) must be kept secret. The key that is exchanged (the public
key) poses no risk if it becomes known. For instance, if individual A has a private key and publishes the
public key, individual B can obtain the public key, encrypt a message to individual A, and send it. As
long as an individual keeps his private key secure from disclosure, only individual A will be able to
decrypt the message.

Typical areas or situations requiring deployment of cryptographic techniques, given the risks involved,
include transmission and storage of critical and/or sensitive data/information in an ‘un-trusted’
environment or where a higher degree of security is required, generation of customer PINs which are
typically used for card transactions and online services, detection of any unauthorised alteration of
data/information and verification of the authenticity of transactions or data/information.
Since security is primarily based on the encryption keys, effective key management is crucial. Effective key
management systems are based on an agreed set of standards, procedures, and secure methods that
address

Generating keys for different cryptographic systems and different applications

Generating and obtaining public keys and distributing keys to intended users, including how keys should
be activated when received
Storing keys, including how authorized users obtain access to keys and changing or updating keys,
including rules on when keys should be changed and how this will be done

Dealing with compromised keys, revoking keys and specifying how keys should be withdrawn or
deactivated
Recovering keys that are lost or corrupted as part of business continuity management
Archiving, destroying keys
Logging the auditing of key management-related activities
Instituting defined activation and deactivation dates, limiting the usage period of keys

Secure key management systems are characterized by the following precautions:

Additional physical protection of equipment used to generate, store and archive cryptographic keys
Use of cryptographic techniques to maintain cryptographic key confidentiality
Segregation of duties, with no single individual having knowledge of the entire cryptographic key (i.e. two-
person controls) or having access to all the components making up these keys

Ensuring key management is fully automated (e.g., personnel do not have the opportunity to expose a key
or influence the key creation)
Ensuring no key ever appears unencrypted
Ensuring keys are randomly chosen from the entire key space, preferably by hardware
Ensuring key-encrypting keys are separate from data keys. No data ever appears in clear text that was
encrypted using a key-encrypting key. (A key encrypting key is used to encrypt other keys, securing
them from disclosure.)
Make sure that keys with a long life are sparsely used. The more a key is used, the greater the opportunity
for an attacker to discover the key

Ensuring keys are changed frequently.

Ensuring keys that are transmitted are sent securely to well-authenticated parties.
Ensuring key-generating equipment is physically and logically secure from construction through receipt,
installation, operation, and removal from service.

Normally, a minimum of 128-bit SSL encryption is expected. Constant advances in computer hardware,
cryptanalysis and distributed brute force techniques may induce use of larger key lengths periodically.
It is expected that banks will properly evaluate security requirements associated with their internet
banking systems and other relevant systems and adopt an encryption solution that is commensurate
with the degree of confidentiality and integrity required. Banks should only select encryption algorithms
which are well established international standards and which have been subjected to rigorous scrutiny
 by an international cryptographer community or approved by authoritative professional bodies,
reputable security vendors or government agencies.

Data security

Banks need to define and implement procedures to ensure the integrity and consistency of all data stored
in electronic form, such as databases, data warehouses and data archives.
A data security theory seeks to establish uniform risk-based requirements for the protection of data
elements. To ensure that the protection is uniform within and outside of the institution, tools such as
data classifications and protection profiles can be used, as indicated earlier in the chapter.

Data classification and protection profiles are complex to implement when the network or storage is viewed
as a utility. Because of that complexity, some institutions treat all information at that level as if it were
of the highest sensitivity and implement encryption as a protective measure. The complexity in
implementing data classification in other layers or in other aspects of an institution’s operation may
result in other risk mitigation procedures being used. Adequacy is a function of the extent of risk
mitigation, and not the procedure or tool used to mitigate risk.
Policies regarding media handling, disposal, and transit should be implemented to enable the use of
protection profiles and otherwise mitigate risks to data. If protection profiles are not used, the policies
should accomplish the same goal as protection profiles, which is to deliver the same degree of residual
risk without regard to whether the information is in transit or storage, who is directly controlling the data,
or where the storage may be.
There should be secure storage of media. Controls could include physical and environmental controls such
as fire and flood protection, limiting access by means like physical locks, keypad, passwords,
biometrics, etc., labelling, and logged access. Management should establish access controls to limit
access to media, while ensuring that all employees have authorization to access the minimum data
required to perform their responsibilities. More sensitive information such as system documentation,
application source code, and production transaction data should have more extensive controls to guard
against alteration (e.g., integrity checkers, cryptographic hashes). Furthermore, policies should
minimize the distribution of sensitive information, including printouts that contain the information.
Periodically, the security staff, audit staff, and data owners should review authorization levels and
distribution lists to ensure they remain appropriate and current.

The storage of data in portable devices, such as laptops and PDAs, poses unique problems. Mitigation of
those risks typically involves encryption of sensitive data, host-provided access controls, etc.
Banks need appropriate disposal procedures for both electronic and paper based media. Contracts with
third-party disposal firms should address acceptable disposal procedures. For computer media, data
frequently remains on media after erasure. Since that data can be recovered, additional disposal
techniques should be applied to sensitive data like physical destruction, overwriting data, degaussing
etc.

Banks should maintain the security of media while in transit or when shared with third parties. Policies
should include contractual requirements that incorporate necessary risk-based controls, restrictions on
the carriers used and procedures to verify the identity of couriers.

Banks should encrypt customer account and transaction data which is transmitted, transported, delivered
or couriered to external parties or other locations, taking into account all intermediate junctures and
transit points from source to destination.
A few other aspects that also needs to be considered include appropriate blocking, filtering and monitoring
of electronic mechanisms like e-mail and printing and monitoring for unauthorised software and
hardware like password cracking software, key loggers, wireless access points, etc.

Concerns over the need to better control and protect sensitive information have given rise to a new set of
solutions aimed at increasing an enterprise’s ability to protect its information assets. These solutions
vary in their capabilities and methodologies, but collectively they have been placed in a category known
as data leak prevention (DLP). It provides a comprehensive approach covering people, processes, and
systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g.,
network actions), and data at rest (e.g., data storage) through deep content inspection and with a
centralized management framework.
 Most DLP solutions include a suite of technologies that facilitate three key objectives:
Locate and catalogue sensitive information stored throughout the enterprise

Monitor and control the movement of sensitive information across enterprise networks

Monitor and control the movement of sensitive information on end-user systems Banks may consider
such solutions, if required, after assessing their potential to improve data security.

Vulnerability Assessment

Soon after new vulnerabilities are discovered and reported by security researchers or vendors, attackers
engineer the malicious exploit code and then launch that code against targets of interest. Any significant
delays in finding or fixing software with critical vulnerabilities provides ample opportunity for persistent
attackers to break through, gaining control over the vulnerable machines and getting access to the
sensitive data they contain. Banks that do not scan for vulnerabilities and address discovered flaws
proactively face a significant likelihood of having their computer systems compromised.
The following are some of the measures suggested:
Automated vulnerability scanning tools need to be used against all systems on their networks on a periodic
basis, say monthly or weekly or more frequently.
Banks should ensure that vulnerability scanning is performed in an authenticated mode (i.e., configuring
the scanner with administrator credentials) at least quarterly, either with agents running locally on each
end system to analyze the security configuration or with remote scanners that are given administrative
rights on the system being tested, to overcome limitations of unauthenticated vulnerability scanning.
Banks should compare the results from back-to-back vulnerability scans to verify that vulnerabilities were
addressed either by patching, implementing a compensating control, or by documenting and accepting
a reasonable business risk. Such acceptance of business risks for existing vulnerabilities should be
periodically reviewed to determine if newer compensating controls or subsequent patches can address
vulnerabilities that were previously accepted, or if conditions have changed increasing the risk.

Vulnerability scanning tools should be tuned to compare services that are listening on each machine against
a list of authorized services. The tools should be further tuned to identify changes over time on systems
for both authorized and unauthorized services.
The security function should have updated status regarding numbers of unmitigated, critical vulnerabilities,
for each department/division, plan for mitigation and should share vulnerability reports indicating critical
issues with senior management to provide effective incentives for mitigation.

Establishing on-going security monitoring processes

A bank needs to have robust monitoring processes in place to identify events and unusual activity patterns
that could impact on the security of IT assets. The strength of the monitoring controls needs to be
proportionate to the criticality of an IT asset. Alerts would need to be investigated in a timely manner,
with an appropriate response determined.
Common monitoring processes include activity logging (including exceptions to approved activity), for
example, device, server, network activity, security sensor alerts; monitoring staff or third-party access
to sensitive data/information to ensure it is for a valid business reason, scanning host systems for known
vulnerabilities, checks to determine if information security controls are operating as expected and are
being
complied with, checking whether powerful utilities / commands have been disabled on attached hosts
by using tools like ‘network sniffer’), environment and customer profiling, checking for the existence and
configuration of unauthorised wireless networks by using automated tools, discovering the existence of
unauthorised systems by using network discovery and mapping tools and detecting unauthorised
changes to electronic documents and configuration files by using file integrity monitoring software.

Banks’ networks should be designed to support effective monitoring. Design considerations include
network traffic policies that address the allowed communications between computers or groups of
computers, security domains that implement the policies, sensor placement to identify policy violations
and anomalous traffic, nature and extent of logging, log storage and protection and ability to implement
additional sensors on an ad hoc basis when required.
Banks would need to establish a clear allocation of responsibility for regular monitoring, and the processes
and tools in this regard should be in a position to manage the volume of monitoring required, thereby
reducing the risk of an incident going undetected.

Highly sensitive and/or critical IT assets would need to have logging enabled to record events and
monitored at a level proportional to the level of risk.
Users, like system administrators, with elevated access privileges should be subjected to a greater level of
monitoring in light of the heightened risks involved.

The integrity of the monitoring logs and processes should be safeguarded through appropriate access
controls and segregation of duties.
Banks should frequently review all system accounts and disable any account that cannot be associated
with a business process and business owner. Reports that may be generated from systems and
reviewed frequently may include, among others, a list of locked out accounts, disabled accounts,
accounts with passwords that exceed the maximum password age, and accounts with passwords that
never expire.
Banks should establish and follow a process for revoking system access by disabling accounts immediately
upon termination of an employee or contractor.
Banks should regularly monitor the use of all accounts, automatically logging off users after a standard
period of inactivity.

Banks should monitor account usage to determine dormant accounts that have not been used for a given
period, say 15 days, notifying the user or user’s manager of the dormancy. After a longer period, say
30 days, the account may be disabled.
On a periodic basis, say monthly or quarterly basis, banks should require that managers match active
employees and contractors with each account belonging to their managed staff. Security/system
administrators should then disable accounts that are not assigned to active employees or contractors.

Banks should monitor attempts to access deactivated accounts through audit logging.
Banks should validate audit log settings for each hardware device and the software installed on it, ensuring
that logs include a date, timestamp, source addresses, destination addresses, and various other useful
elements of each packet and/or transaction. Systems should record logs in a standardized format such
as syslog entries. If systems cannot generate logs in a standardized format, banks need to deploy log
normalization tools to convert logs into a standardized format.
System administrators and information security personnel should consider devising profiles of common
events from given systems, so that they can tune detection to focus on unusual activity, reducing false
positives, more rapidly identify anomalies, and prevent overwhelming the analysts with insignificant
alerts.

The following technologies/factors provide capabilities for effective attack detection and analysis:

Security Information and Event Management (SIEM) - SIEM products provide situational awareness
through the collection, aggregation, correlation and analysis of disparate data from various sources.
The information provided by these tools help in understanding the scope of an incident.
Intrusion Detection and Prevention System (IDS and IPS) - IPS products that have detection capabilities
should be fully used during an incident to limit any further impact on the organization. IDS and IPS
products are often the primary source of information leading to the identification of an attack. Once the
attack has been identified, it is essential to enable the appropriate IPS rule sets to block further incident
propagation and to support containment and eradication.
Network Behaviour Analysis (NBA) - Network wide anomaly-detection tools will provide data on traffic
patterns that are indicative of an incident. Once an incident has been identified through the use of these
tools, it is important to capture that information for the purposes of supporting further mitigation
activities, including operational workflow to ensure that the information from these tools is routed to the
appropriate response team.
Managed Security Service Provider (MSSP) - If an organization has outsourced security event
management to an MSSP, the latter should provide notification when an incident requires attention.
Organisation must obtain as much information on the incident as possible from MSSP and implement
remediation steps as recommended by MSSP.
Banks also need to pro-actively monitor various authentic sources like CERT-In, security vendors, etc. for
any security related advisories and take suitable measures accordingly.

Security measures against Malware:

Malicious software is an integral and a dangerous aspect of internet based threats which target end-users
and organizations through modes like web browsing, email attachments, mobile devices, and other
vectors. Malicious code may tamper with a system's contents, and capture sensitive data. It can also
spread to other systems. Modern malware aims to avoid signature-based and behavioral detection, and
may disable anti-virus tools running on the targeted system. Anti-virus and anti-spyware software,
collectively referred to as anti-malware tools, help defend against these threats by attempting to detect
malware and block their execution.

Typical controls to protect against malicious code use layered combinations of technology, policies and
procedures and training. The controls are of the preventive and detective/corrective in nature. Controls
are applied at the host, network, and user levels:
At host level: The various measures at the host level include host hardening(including patch application and
proper security configurations of the

operating system (OS), browsers, and other network-aware software), considering implementing host-
based firewalls on each internal computer and especially laptops assigned to mobile users. Many host-
based firewalls also have application hashing capabilities, which are helpful in identifying applications
that may have been trojanized after initial installation, considering host IPS and integrity checking
software combined with strict change controls and configuration management, periodic auditing of host
configurations, both manual and automated.

At network level: The various measures include limiting the transfer of executable files through the
perimeter, IDS and IPS monitoring of incoming and outgoing network traffic, including anti-virus, anti-
spyware and signature and anomaly-based traffic monitors, routing Access Control Lists(ACLs) that
limit incoming and outgoing connections as well as internal connections to those necessary for business
purposes, proxy servers that inspect incoming and outgoing packets for indicators of malicious code
and block access to known or suspected malware distribution servers, filtering to protect against attacks
such as cross-site scripting and SQL injection.
At user level: User education in awareness, safe computing practices, indicators of malicious code, and
response actions.
Enterprise security administrative features may be used daily to check the number of systems that do not
have the latest anti-malware signatures. All malware detection events should be sent to enterprise anti-
malware administration tools and event log servers.
Banks should employ anti-malware software and signature auto update features to automatically update
signature files and scan engines whenever the vendor publishes updates. After applying an update,
automated systems should verify that each system has received its signature update. The bank should
monitor anti-virus console logs to correct any systems that failed to be updated. The systems deployed
for client security should be delivering simplified administration through central management and
providing critical visibility into threats and vulnerabilities. It should also integrate with existing
infrastructure software, such as Active Directory for enhanced protection and greater control.

Administrators should not rely solely on AV software and email filtering to detect worm infections. Logs from
firewalls, intrusion detection and prevention sensors, DNS servers and proxy server logs should be
monitored on a daily basis for signs of worm infections including but not limited to:

Outbound SMTP connection attempts from anything other than a bank’s SMTP mail gateways

Excessive or unusual scanning on TCP and UDP ports 135-139 and 445
Connection attempts on IRC or any other ports that are unusual for the environment
Excessive attempts from internal systems to access non-business web sites
Excessive traffic from individual or a group of internal systems
Excessive DNS queries from internal systems to the same host name and for known “nonexistent” host
names. Using a centralized means such as a syslog host to collect logs from various devices and
systems can help in the analysis of the information
Banks should configure laptops, workstations, and servers so that they do not auto-run content from USB
tokens, USB hard drives, CDs/DVDs, external SATA devices, mounted network shares, or other
removable media.

Banks should configure systems so that they conduct an automated antimalware scan of removable media
when it is inserted.
Banks can also consider deploying the Network Access Control (NAC) tools to verify security configuration
and patch level compliance of devices before granting access to a network. Network Admission Control
(NAC) restricts access to the network based on the identity or security posture of an organization. When
NAC is implemented, it will force a user or a machine seeking network access for authentication prior
to granting actual access to the network. A typical (non-free) WiFi connection is a form of NAC. The
user must present some sort of credentials (or a credit card) before being granted access to the network.
The network admission control systems allow noncompliant devices to be denied access, placed in a
quarantined area, or given restricted access to computing resources, thus keeping insecure nodes from
infecting the network. The key component of the Network Admission Control program is the Trust Agent,
which resides on an endpoint system and communicates with routers on the network. The information
is then relayed to a Secure Access Control Server (ACS) where access control decisions are made.
The ACS directs the router to perform enforcement against the endpoint.

Email Attachment Filtering - Banks should filter various attachment types at the email gateway, unless
required for specific business use. Some examples include .ade .cmd
.eml .ins .mdb .mst .reg .url .wsf .adp .com .exe .isp .mde .pcd .scr .vb .wsh .bas .cpl
.hlp .js .msc .pif .sct .vbe .bat .crt .hta .jse .msi .pl .scx .vbs .chm .dll .inf.lnk .msp .pot

.shs .wsc… etc. Banks should consider only allowing file extensions with a documented business case
and filtering all others.

Patch Management:

A Patch Management process needs to be in place to address technical system and software vulnerabilities
quickly and effectively in order to reduce the likelihood of a serious business impact arising.

There should be documented standards / procedures for patch management. The standards / procedures
for patch management should include a method of defining roles and responsibilities for patch
management, determining the importance of systems (for e.g., based on the information handled, the
business processes supported and the environments in which they are used) , recording patches that
have been applied (for e.g., using an inventory of computer assets including their patch level).
The patch management process should include aspects like:
Determining methods of obtaining and validating patches for ensuring that the patch is from an authorised
source
Identifying vulnerabilities that are applicable to applications and systems used by the organisation

Assessing the business impact of implementing patches (or not implementing a particular patch)
Ensuring patches are tested
Describing methods of deploying patches, for example, through automated manner

Reporting on the status of patch deployment across the organisation

Including methods of dealing with the failed deployment of a patch (e.g., redeployment of the patch).
Methods should be established to protect information and systems if no patch is available for an identified
vulnerability, for example, disabling services and adding additional access controls.Organizations
should deploy automated patch management tools and software update tools for all systems for which
such tools are available and safe.
Organizations should measure the delay in patching new vulnerabilities and ensure the delay is not beyond
the benchmarks set forth by the organization, which should be less for critical patches, say not more
than a week, unless a mitigating control that blocks exploitation is available.

Critical patches must be evaluated in a test environment before being updated into production on enterprise
systems. If such patches break critical business applications on test machines, the organization must
devise other mitigating controls that block exploitation on systems where the patch is difficult to be
deployed because of its impact on business functionality.
Change Management:

A change management process should be established, which covers all types of change. For example,
upgrades and modifications to application and software, modifications to business information,
emergency ‘fixes’, and changes to the computers / networks that support the application.
The change management process should be documented, and include approving and testing changes to
ensure that they do not compromise security controls, performing changes and signing them off to
ensure they are made correctly and securely, reviewing completed changes to ensure that no
unauthorised changes have been made.

The following steps should be taken prior to changes being applied to the live environment:

Change requests should be documented (e.g., on a change request form) and accepted only from authorised
individuals and changes should be approved by an appropriate authority

The potential business impacts of changes should be assessed (for e.g., in terms of the overall risk and impact
on other components of the application)

Changes should be tested to help determine the expected results (for e.g., deploying the patch into the live
environment)

Changes should be reviewed to ensure that they do not compromise security controls (e.g., by checking software
to ensure it does not contain malicious code, such as a trojan horse or a virus)

Back-out positions should be established so that the application can recover from failed changes or unexpected
results

Changes to the application should be performed by skilled and competent individuals who are capable of making
changes correctly and securely and signed off by an appropriate business official.

Audit trails

Banks needs to ensure that audit trails exist for IT assets satisfying the banks business requirements including
regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in
dispute resolution. This could include, as applicable, various areas like transaction with financial consequences,
the opening, modifications or closing of customer accounts, modifications in sensitive master data, accessing or
copying of sensitive data/information; and granting, modification or revocation of systems access rights or
privileges for accessing sensitive IT assets.

Audit trails should be secured to ensure the integrity of the information captured, including the preservation of
evidence. Retention of audit trails should be in line with business, regulatory and legal requirements.
Some considerations for securing the integrity of log files include :

Encrypting log files that contain sensitive data or that are transmitting over the network

Ensuring adequate storage capacity to avoid gaps in data gathering

Securing back-up and disposal of log files

Logging the data to write-only media like a write-once/read-many (WORM) disk or drive

Setting logging parameters to disallow any modification to previously written data

As indicated earlier, network and host activities typically are recorded on the host and sent across the network
to a central logging facility which may process the logging data into a common format. The process, called
normalization, enables timely and effective log analysis.

Other aspects related to logging to be considered include:

All remote access to an internal network, whether through VPN, dial-up, or other mechanism, should be logged
verbosely

Operating systems should be configured to log access control events associated with a user attempting to access
a resource like a file or directory without the appropriate permissions

Security personnel and/or administrators designated in this regard should identify anomalies in logs and actively
review the anomalies, documenting their findings on an ongoing basis

IT SECURITY::
BUSINESS CONTINUITY PLANNING
Introduction
The pivotal role that banking sector plays in the economic growth and stability, both at national
and individual level, requires continuous and reliable services. Increased contribution of 24x7
electronic banking channels has increased the demand to formulate consolidated Business
Continuity Planning (BCP) guidelines covering critical aspects of people, process and
technology.
BCP forms a part of an organisation's overall Business Continuity Management (BCM) plan,
which is the “preparedness of an organisation”, which includes policies, standards and
procedures to ensure continuity, resumption and recovery of critical business processes, at an
agreed level and limit the impact of the disaster on people, processes and infrastructure
(includes IT); or to minimise the operational, financial, legal, reputational and other material
consequences arising from such a disaster.
Effective business continuity management typically incorporates business impact analyses,
recovery strategies and business continuity plans, as well as a governance programme covering
a testing programme, training and awareness programme, communication and crisis
management programme.
Roles, Responsibilities and Organisational structure Board of Directors and Senior Management
A bank’s Board has the ultimate responsibility and oversight over BCP activity of a bank. The
Board approves the Business Continuity Policy of a bank. Senior Management is responsible for
overseeing the BCP process which includes:
Determining how the institution will manage and control identified risks
Allocating knowledgeable personnel and sufficient financial resources to implement the
BCP
Prioritizing critical business functions
Designating a BCP committee who will be responsible for the Business Continuity Management
The top management should annually review the adequacy of the institution's business recovery,
contingency plans and the test results and put up the same to the Board.
The top management should consider evaluating the adequacy of contingency planning and their
periodic testing by service providers whenever critical operations are outsourced.
Ensuring that the BCP is independently reviewed and approved at least annually;
Ensuring employees are trained and aware of their roles in the implementation of the
BCP
Ensuring the BCP is regularly tested on an enterprise-wide basis
Reviewing the BCP testing programme and test results on a regular basis and
Ensuring the BCP is continually updated to reflect the current operating environment
.1 BCP Head or Business Continuity Coordinator
A senior official needs to be designated as the Head of BCP activity or function.
His or her responsibilities include:
Developing of an enterprise-wide BCP and prioritisation of business objectives and critical
operations that are essential for recovery
Business continuity planning to include the recovery, resumption, and maintenance of all aspects
of the business, not just recovery of the technology components;
Considering the integration of the institution’s role in financial markets;
Regularly updating business continuity plans based on changes in business processes, audit
recommendations, and lessons learned from testing
Following a cyclical, process-oriented approach that includes a business impact analysis (BIA), a
risk assessment, management and monitoring and testing
Considering all factors and deciding upon declaring a “crisis”
1.2 BCP Committee or Crisis Management Team
Since electronic banking has functions spread across more than one department, it is necessary
that each department understands its role in the plan. It is also important that each gives its
support to maintain it. In case of a disaster, each has to be prepared for a recovery process,
aimed at protection of critical functions. To this end, it would be helpful if a set up like the BCP
Committee, charged with the implementation of BCP, in an eventuality and all departments
expected to fulfill their respective roles in a coordinated manner.
Hence, a committee consisting of senior officials from departments like HR, IT, Legal, Business
and Information Security needs to be instituted with the following broad mandate:
To exercise, maintain and to invoke business continuity plan, as needed
Communicate, train and promote awareness
Ensure that the Business Continuity Plan (BCP) fits with other plans and requirement of
concerned authorities
Budgetary issues
Ensure training and awareness on BCP to concerned teams and employees
Co-ordinating the activities of other recovery, continuity, response teams and handling key
decision-making
They determine the activation of the BCP
Other functions entail handling legal matters evolving from the disaster, and handling public
relations and media inquiries
1.3 BCP Teams
There needs to be adequate teams for various aspects of BCP at central office, as well as
individual controlling offices or at a branch level, as required. Among the teams that can be
considered based on need, are the incident response team, emergency action and operations
team, team from particular business functions, damage assessment team, IT teams for
hardware, software, network support, supplies team, team for organizing logistics, relocation
team, administrative support team, coordination team. Illustrative guidelines for committees or
teams for BCP are provided in Annex C.
2. Critical Components of Business Continuity Management Framework
The BCP requirements enunciated in this document should be considered. The onus lies on the
Board and Senior Management for generating detailed components of BCP in the light of an
individual bank's activities, systems and processes.
2.1 BCP Methodology
Banks should consider looking at BCP methodologies and standards–BS 25999 by BSI– which
follows the “Plan-Do-Check-Act Principle”.
BCP methodology should include:
Phase 1: Business Impact Analysis
Identification of critical businesses, owned and shared resources with supporting functions to
come up with the Business Impact Analysis (BIA)
Formulating Recovery Time Objectives (RTO), based on BIA. It may also be periodically fine-
tuned by benchmarking against industry best practices
Critical and tough assumptions in terms of disaster, so that the framework would be exhaustive
enough to address most stressful situations
Identification of the Recovery Point Objective (RPO), for data loss for each of the critical systems
and strategy to deal with such data loss
Alternate procedures during the time systems are not available and estimating resource
requirements
Phase 2: Risk Assessment
Structured risk assessment based on comprehensive business impact analysis. This assessment
considers all business processes and is not limited to the information processing facilities.
Risk management by implementing appropriate strategy/ architecture to attain the bank’s agreed
RTOs and RPOs.
Impact on restoring critical business functions, including customer-facing systems and payment
and settlement systems such as cash disbursements, ATMs, internet banking, or call centres
Dependency and risk involved in use of external resources and support
Phase 3: Determining Choices and Business Continuity Strategy
BCP should evolve beyond the information technology realm and must also cover people,
processes and infrastructure
The methodology should prove for the safety and well-being of people in the branch / outside
location at the time of the disaster.
Define response actions based on identified classes of disaster.
To arrive at the selected process resumption plan, one must consider the risk acceptance for the
bank, industry and applicable regulations
Phase 4: Developing and Implementing BCP
Action plans, i.e.: defined response actions specific to the bank’s processes , practical manuals(
do and don’ts, specific paragraph’s customised to individual business units) and testing
procedures
Establishing management succession and emergency powers
Compatibility and co-ordination of contingency plans at both the bank and its service providers
The recovery procedure should not compromise on the control environment at the recovery
location
Having specific contingency plans for each outsourcing arrangement based on the degree of
materiality of the outsourced activity to the bank's business
Periodic updating to absorb changes in the institution or its service providers. Examples of
situations that might necessitate updating the plans include acquisition of new equipment,
upgradation of the operational systems and changes in:
Personnel
Addresses or telephone numbers
Business strategy
Location, facilities and resources
Legislation
Contractors, suppliers and key customers
Processes–new or withdrawn ones
Risk (operational and financial)
2.3 Key Factors to be considered for BCP Design
Following factors should be considered while designing the BCP:
Probability of unplanned events, including natural or man-made disasters, earthquakes, fire,
hurricanes or bio-chemical disaster
Security threats
Increasing infrastructure and application interdependencies
Regulatory and compliance requirements, which are growing increasingly complex
Failure of key third party arrangements
Globalisation and the challenges of operating in multiple countries.
1.4 BCP Considerations
Banks must consider implementing a BCP process to reduce the impact of disruption, caused by
disasters and security failures to an acceptable level through a combination of preventive and
recovery measures.
BCP should include measures to identify and reduce probability of risk to limit the consequences
of damaging incidents and enable the timely resumption of essential operations. BCP should
amongst others, consider reputation, operational, financial, regulatory risks.
The failure of critical systems or the interruption of vital business processes could prevent timely
recovery of operations. Therefore, financial institution management must fully understand the
vulnerabilities associated with interrelationships between various systems, departments, and
business processes. These vulnerabilities should be incorporated into the BIA, which analyses
the correlation between system components and the services they provide.
Various tools can be used to analyse these critical interdependencies, such as a work flow
analysis, an organisational chart, a network topology, and inventory records. A work flow analysis
can be performed by observing daily operations and
interviewing employees to determine what resources and services are shared among various
departments. This analysis, in conjunction with the other tools, will allow management to
understand various processing priorities, documentation requirements, and the interrelationships
between various systems. The following issues when determining critical interdependencies
within the organisation:
Key personnel;
Vital records;
Shared equipment, hardware, software, data files, and workspace;
Production processes;
Customer services;
Network connectivity; and
Management information systems.
Key Considerations while Formulating A BCP:
Ensuring prompt and accurate processing of securities transactions, including, but not limited to,
order taking, order entry, execution, comparison, allocation, clearance and settlement of
securities transactions, the maintenance of customer accounts, access to customer accounts
and the delivery of funds and securities.
Honouring of all customer payouts (i.e. obligation)
Providing priority to intra-day deal payment
Providing customers prompt access to their funds and securities – measures should be
undertaken to make customer funds and securities available to customers in the event of a
significant business disruption.
Continuing compliance with regulatory reporting requirements etc.
A single framework of BCP should be maintained to ensure that all plans are consistent, and to
identify priorities and dependencies for testing and maintenance.
A BCP framework should consider the following:
Conditions for activating plans, which describe a process to be followed (how to assess the
situation, who is to be involved, etc.) before each plan is activated
Emergency procedures, which describe the actions to be taken following an incident which
jeopardises business operations and/ or human life. This should include arrangements for public
relations management and for effective liaison with appropriate public authorities e.g. police, fire
service, health-care services and local government
Identification of the processing resources and locations, available to replace those supporting
critical activities; fall back procedures which describe the actions to be taken to move essential
business activities or support services to alternative temporary locations and to bring business
processes back into operation in the required time-scales
Identification of information to be backed up and the location for storage, as well as the
requirement for the information to be saved for back-up purpose on a stated schedule and
compliance therewith
Resumption procedures, which describe the actions to be taken to return to normal business
operations
A maintenance schedule which specifies how and when the plan will be tested and the process
for maintaining the plan
Awareness and education activities, which are designed to create understanding of critical
banking operations and functions, business continuity processes and ensure
that the processes continue to be effective
The responsibilities of the individuals, describing who is responsible for executing which
component of the plan. Alternatives should be nominated as required.
(g) Pandemic Planning
Pandemics are defined as epidemics, or outbreaks in humans, of infectious diseases that have
the ability to spread rapidly over large areas, possibly worldwide. Adverse economic effects of a
pandemic could be significant, both nationally and internationally. Due to their crucial financial
and economic role, financial institutions should have plans in place that describe how they will
manage through a pandemic event.
Pandemic planning presents unique challenges to financial institution management. Unlike
natural disasters, technical disasters, malicious acts, or terrorist events, the impact of a
pandemic is much more difficult to determine because of the anticipated difference in scale and
duration. Further, while traditional disasters and disruptions normally have limited time durations,
pandemics generally occur in multiple waves, each lasting two to three months. Consequently,
no individual or organisation is safe from the adverse effects that might result from a pandemic
event.
One of the most significant challenges likely from a severe pandemic event will be staffing
shortages due to absenteeism. These differences and challenges highlight the need for all
financial institutions, no matter their size, to plan for a pandemic event when developing their
BCP.
It is important for institutions to actively keep abreast of international and national developments
and health advisories issued in this regard.
Accordingly, a bank’s BCP needs to provide for the following:
A preventive programme to reduce the likelihood that a bank’s operations will be significantly
affected by a pandemic event, including: monitoring of potential outbreaks, educating employees,
communicating and coordinating with critical service providers and suppliers, in addition to
providing appropriate hygiene training and tools to employees.
A documented strategy that provides for scaling the institution’s pandemic efforts so they are
consistent with the effects of a particular stage of a pandemic outbreak, such as first cases of
humans contracting the disease overseas or in India and first cases within the organisation itself.
The strategy will also need to outline plans that state how to recover from a pandemic wave and
proper preparations for any following wave(s).
A comprehensive framework of facilities, systems, or procedures that provide the organisation
the capability to continue its critical operations in the event that large numbers of the institution’s
staff are unavailable for prolonged periods. Such procedures could include social distancing to
minimise staff contact, telecommuting, redirecting customers from branch to electronic banking
services, or conducting operations from alternative sites.
The framework should consider the impact of customer reactions and the potential demand for,
and increased reliance on, online banking, telephone banking, ATMs, and call support services.
In addition, consideration should be given to possible actions by public health and other
government authorities that may affect critical business functions of a financial institution.
A testing programme to ensure that the institution’s pandemic planning practices and capabilities
are effective and will allow critical operations to continue.
An oversight programme to ensure ongoing review and updates to the pandemic plan so that
policies, standards, and procedures include up-to-date, relevant information provided by
governmental sources or by the institution’s monitoring programme.
Banks may also consider insurance to transfer risk to a third party, however taking due care
regarding certainty of payments in the event of disruptions.
Testing A BCP
– Banks must regularly test BCP to ensure that they are up to date and effective: Testing of BCP
should include all aspects and constituents of a bank i.e. people, processes and resources
(including technology). BCP, after full or partial testing may fail. Reasons are incorrect
assumptions, oversights or changes in equipment or personnel. BCP tests should ensure that all
members of the recovery team and other relevant staff are aware of the plans. The test schedule
for BCPs should indicate how and when each component of a plan is to be tested. It is
recommended to test the individual components of the plans(s) frequently, typically at a minimum
of once a year. A variety of techniques should be used in order to provide assurance that the
plan(s) will operate in real life.
– Banks should involve their Internal Auditors (including IS Auditors) to audit the effectiveness of
BCP: And its periodic testing as part of their Internal Audit work and their findings/
recommendations in this regard should be incorporated in their report to the Board of Directors.
– Banks should consider having a BCP drill planned along with the critical third parties: In order
to provide services and support to continue with pre-identified minimal required processes.
– Banks should also periodically moving their operations: Including people, processes and
resources (IT and non-IT) to the planned fall-over or DR site in order to test the BCP
effectiveness and also gauge the recovery time needed to bring operations to normal functioning.
– Banks should consider performing the above test without movement of bank personnel to the
DR site. This will help in testing the readiness of alternative staff at the DR site.
– Banks should consider having unplanned BCP drill: Wherein only a restricted set of people and
certain identified personnel may be aware of the drill and not the floor or business personnel. In
such cases banks should have a “Lookout Team” deployed at the location to study and
assimilate the responses and needs of different teams. Based on the outcome of this study,
banks should revise their BCP Plan to suit the ground requirements.
3.1 Testing Techniques
The below are few of the illustrative techniques that can be used for BCP testing purposes:
Table-top testing for scenarios (discussing business recovery arrangements using example
interruptions)
Simulations (particularly for training people in their post-incident or crisis
management roles)
Technical recovery testing (ensuring information systems can be restored effectively)
Testing recovery at an alternate site (running business processes in parallel with recovery
operations away from the main site)
Tests of supplier facilities and services (ensuring externally provided services and products will
meet the contracted commitment)
Complete rehearsals (testing that the organisation, personnel, equipment, facilities and
processes can cope with interruptions)
Simulation testing: It is when participants choose a specific scenario and simulate an on-location
BCP situation. It involves testing of all resources: people, IT and others, who are required to
enable the business continuity for a chosen scenario. The focus is on demonstration of
capability, including knowledge, team interaction and decision-making capabilities. It can also
specify role playing with simulated response at alternate locations/facilities to act out critical
steps, recognise difficulties, and resolve problems.
Component testing: This is to validate the functioning of an individual part or a sub-process of a
process, in the event of BCP invocation. It focuses on concentrating on in-depth testing of the
part or sub-process to identify and prepare for any risk that may hamper its smooth running. For
example, testing of ATM switch.
Each organisation must define frequency, schedule and clusters of Business Areas, selected for
test after a through Risk and Business Impact Analysis has been done.
The bank can consider broad guidelines provided below for determining the testing frequency
based on critical of a process:
Impact on Table-top Call tree Simulation Component Complete
processes testing testing testing Rehearsals
High Quarterly Quarterly Quarterly Quarterly Annually
Medium Quarterly Half-yearly Half-yearly Annually Annually
Low Half-yearly Annually NA NA NA

Maintenance and Re-assessment of Plans

BCPs should be maintained by annual reviews and updates to ensure their continued
effectiveness. Procedures should be included within the organisation’s change management
programme to ensure that business continuity matters are appropriately addressed.
Responsibility should be assigned for regular reviews of each business continuity plan. The
identification of changes in business arrangements/processes, not yet reflected in the business
continuity plans, should be followed by an appropriate update of the plan on a periodic basis, say
quarterly. This would require a process of conveying any changes to the institution’s business,
structure, systems, software, hardware, personnel, or facilities to the BCP coordinator/team. If
significant
changes have occurred in the business environment, or if audit findings warrant changes to the
BCP or test programme, the business continuity policy guidelines and programme requirements
should be updated accordingly.
Changes should follow the bank’s formal change management process in place for its policy or
procedure documents. This formal change control process should ensure that the updated plans
are distributed and reinforced by regular reviews of the complete plan.
A copy of the BCP, approved by the Board, should be forwarded for perusal to the RBI on an
annual basis. In addition, the bank should also submit:
– An annual statement at the end of each financial year describing the critical systems, their Rots
and the bank’s strategy to achieve them, and
– A quarterly statement, reporting major failures during the period for critical systems, customer
segment or services impacted due to the failures and steps taken to avoid such failures in future.
Procedural aspects of BCP
An effective BCP should take into account the potential of wide area disasters, which impact an
entire region, and for resulting loss or inaccessibility of staff. It should also consider and address
inter dependencies, both market-based and geographic, among financial system participants as
well as infrastructure service providers.
Further, banks should also consider the need to put in place necessary backup sites for their
critical payment systems which interact with the systems at the Data centres of the Reserve
Bank.
Banks may also consider running some critical processes and business operations from primary
and the secondary sites, wherein each would provide back-up to the other.
Namely prioritising process and alternative location for personnel in the following categories:
• Dealers and traders
• Operations (e.g. teller, loan desk, cash desk etc.)
• Treasury department staff
• Sales staff
• IT staff
• Corporate functions (HR, Admin) staff
• Comprehensive testing would help banks to further fine-tune BCP/DR processes to ensure their
robustness and also enable smooth switch-over to the DR site, as per the priority and scale of
processes identified for each process.
All critical processes should be documented to reduce dependency on personnel for scenarios
where the staff is not able to reach the designated office premises.
Backup/standby personnel should be identified for all critical roles. A call matrix should be
developed to better co-ordinate future emergency calls involving individual financial authorities,
financial sector trade associations, and other banks and stakeholders. In addition the
organisation should have calling tree with branches
across specific region/business processes. Based on the nature of the emergency a particular
branch/the entire calling tree should be activated.
The relevant portion of the BCP adopted should also be disseminated to all concerned, including
the customers, so that the awareness would enable them to react positively and in consonance
with the BCP. This would help maintain the customer’s faith on the banking institution, and the
possibility of a bank-run would be exponentially minimised. The part of the plan kept in the public
domain should normally be confined to information relating to the general readiness of the banks
in this regard without any detailed specifics, to protect the banks from becoming vulnerable to
security threats
Banks should consider formulating a clear ‘Communication Strategy’ with the help of media
management personnel to control the content and form of news being percolated to their
customers in times of panic.
Banks should consider having a detailed BCP plan for encountering natural calamity/ disaster
situation. A formal exception policy should be documented which will guide the affected areas
Personnel to act independently till connection to the outside world is resumed.
The above mentioned guideline should have exceptions documented for critical process which
will ensure continuation of critical process without the regular operational formalities.
After appropriate approvals or permissions are obtained internally and from RBI, banks should
consider having a guideline ready on relaxing certain rules/ requirements for customers affected
by the calamity.
Like:
Extending loan/interest payment timeliness
Issuance of fresh loan with minimal required documents
Waving off late payment fees and penalties in certain cases
Allowing more than normal cash withdrawal from ATM’s
Banks can consider expediting cheque clearing for customers by directing all cheques to a
different region than the one affected by the calamity. In case of severe calamity banks should
consider restricting existing loans to facilitate rebuilding efforts by the Govt. for the calamity
areas. The banks may also be consider ensuring quick processing of loan applications,
preferably within 48 hours of receipt of such applications. It should consider dispatching credit
bill, agreement notes, etc. due to customer by having an arrangement to print the same at an
alternative location and should consider accepting late payments for credit card dues for
customers in the calamity affected area.
Banks may also endeavor for resumption of banking services by setting up satellite offices,
extension counters or mobile banking facilities.
Infrastructure Aspects of BCP
– Banks should consider paying special attention to availability of basic amenities such as
electricity, water and first-aid box in all offices. (e.g. evaluate the need of electricity backup not
just for its systems but also for its people and running the infrastructure like central air-
conditioning.)
– Banks should consider assigning ownership for each area. Emergency procedures, manual
fallback plans and resumption plans should be within the responsibility of the owners of the
appropriate business resources or processes involved.
– In-house telecommunications systems and wireless transmitters on buildings should have
backup power. Redundant systems, such as analogue line phones and satellite phones (where
appropriate), and other simple measures, such as ensuring the availability of extra batteries for
mobile phones, may prove essential to maintaining communications in a wide-scale infrastructure
failure.
– Possible fallback arrangements should be considered and alternative services should be
carried out in co-ordination with the service providers, contractors, suppliers under written
agreement or contract, setting out roles and responsibilities of each party, for meeting
emergencies. Also, imposition of penalties, including legal action, may be initiated by an
organisation against service providers or contractors or suppliers, in the event of noncompliance
or non-co-operation.
– When new requirements are identified, established emergency procedures: e.g. evacuation
plans or any existing fallback arrangements, should be amended as appropriate.
– Banks may consider having backup resources (erg. stationery required for cheque printing,
special printers, stamps) at a secondary operational location.
– The plans may also suitably be aligned with those of the local government authorities
– Banks should consider not storing critical papers, files, servers in the ground floors where there
is possibility of floods or water logging. However, banks should also consider avoiding top floors
in taller building to reduce impact due to probable fire.
– Fire-proof and water-proof storage areas must be considered for critical documents.
– Banks should consider having alternative means of power source (like procurement of more
diesel/ emergency battery backup etc.) for extended period of power cuts.
– Banks should consider having an emergency helpline number or nationalised IVR message to
resolve queries of customers and ensure that panic situation is avoided. For this an alternative
backup area call centre should be identified to take over part load of the calamity affected area.
Designated person/ team must be responsible for enabling line diversion. A similar service can
also be considered for the benefit of employee related communication.
Human Aspects of BCP
People are a vital component of any organisation. They should therefore be an integral part of a
BCP. Generally, plans are often too focused on the technical issues, therefore, it is suggested
that a separate section relating to people should be incorporated, including details on staff
welfare, counseling, relocation considerations, etc. BCP awareness programmer should also be
implemented which serve to strengthen staff involvement in BCP. This can be done through
induction programme newsletters, staff training exercises, etc.
Banks must consider training more than one individual staff for specific critical jobs (ire. in the
absence on one employee the work must not be stalled or delayed). They must consider cross-
training employees for critical functions and document-operating procedures. Banks
should consider possibility of enabling work-from--home capabilities and resources for
employees performing critical functions.
Role of HR in the BCP context
Crisis Management Team: As a core member of the CMT, HR provides guidance to team on
people-related issues, including evacuation, welfare, whether to invoke the HR incident line,
alternative travel arrangements and what to communicate to staff.
HR Incident Line: Operated from within the centralised HR function, the incident helpline is
invoked in those instances, where there are possible casualties or missing staff, as a result of an
incident. Invoked by the CMT, the line is manned by qualified HR officers trained in how to deal
with distressed callers. The staff may be provided with an emergency card, which includes the
incident line number. Information on the hotline is updated on a regular basis. The facility
enables line managers to keep the central crisis team up to speed on the whereabouts and well-
being of staff. Ongoing welfare and support for staff is also provided via an employee assistance
provider.
Exceptional Travel arrangements: Transportation plans should be considered in the event of the
need to relocate. Key staff needs to be identified including details of where they are located, and
vehicles are on standby to transport them if required.
Technology Aspects of BCP
The are many applications and services in banking system that are highly mission critical in
nature and therefore requires high availability, and fault tolerance to be considered while
designing and implementing the solution. This aspect is to be taken into account especially while
designing the data centre solution and the corporate network solution.
Data Recovery Strategies
Prior to selecting a data recovery (DR) strategy, a DR planner should refer to their organisation's
BCP, which should indicate key metrics of recovery point objective and recovery time objective
for business processes:
Recovery Point Objective (RPO)–The acceptable latency of data that will be recovered
Recovery Time Objective (RTO)–The acceptable amount of time to restore the function
Recovery Point Objective must ensure that the Maximum Tolerable Data Loss for each activity is
not exceeded. The Recovery Time Objective must ensure that the Maximum Tolerable Period of
Disruption (MTPD), for each activity, is not exceeded. The metrics specified for the business
processes must then be mapped to the underlying IT systems and infrastructure that support
those processes. Once, RTO and RPO metrics have been mapped to the IT infrastructure, the
DR planner can determine the most suitable recovery strategy for each system. An important
note here, however, is that the business ultimately sets the IT budget. Therefore, RTO and RPO
metrics need to fit with the available budget and the critical of the business process/function.
A List of Common Strategies for Data Protection:
Backups made to tape and sent off-site at regular intervals (preferably daily)
Backups made to disk on-site and automatically copied to off-site disk, or made directly to off-site
disk
Replication of data to an off-site location, which overcomes the need to restore the data (only the
systems then need to be restored or synced). This generally makes
use of storage area network (SAN) technology
High availability systems that keep both data and system replicated, off-site, enabling continuous
access to systems and data
In many cases, an organisation may elect to use an outsourced disaster recovery provider to
provide a stand-by site and systems rather than using their own remote facilities. In addition to
preparing for the need to recover systems, organisations must also implement precautionary
measures with an objective of preventing a disaster in the first place. These may include some of
the following:
Local mirrors of systems or data. Use of disk protection technology such as RAID
Surge protectors—to minimise the effect of power surges on delicate electronic equipment
Uninterrupted power supply (UPS) or backup generator to keep systems going in the event of a
power failure
Fire preventions—alarms, fire extinguishers
Anti-virus software and security measures
A disaster recovery plan is a part of the BCP. It dictates every facet of the recovery process,
including:
What events denote possible disasters;
What people in the organisation have the authority to declare a disaster and thereby put the plan
into effect;
The sequence of events necessary to prepare the backup site once a disaster has been
declared;
The roles and responsibilities of all key personnel with respect to carrying out the plan;
An inventory of the necessary hardware and software required to restore production;
A schedule listing the personnel that will be staffing the backup site, including a rotation schedule
to support ongoing operations without burning out the disaster team members.
A disaster recovery plan must be a living document; as the data centre changes, the plan must
be updated to reflect those changes.
It is to be noted that the technology issues are a derivative of the Business Continuity plan and
Management.
For example, BCP and Management will lead to the Business Impact Analysis, which will lead to
the Performance Impact Analysis (PIA). That will depend on the Technology Performance of the
total IT Solution Architecture.
To amplify business impact analysis is to identify the critical operations and services, key internal
and external dependencies and appropriate resilience levels. It also analysis the risks and
quantify the impact of those risks from the point of view of the business disruptions. For example,
in order to provide state of the art customer services both at the branch level and the delivery
channels we need to take into account the services levels that are committed.
If an ATM transaction has to take place in 10 seconds and cash withdrawal or deposit has to take
place in 60 seconds at the counter, then based on the load one can compute the number of
customers who can be serviced in a day. The above example is to understand the fact that the
business latency introduced by the system is a combination of technology, process and people.
Therefore, the technical latency is a derivative of the committed business latency and the
technology solution architecture has to deliver the same under varying loads.
Technology Solution Architecture to address specific BCM requirements are:
Performance
Availability
Security and Access Control
Conformance to standards to ensure Interoperability
Performance of the technology solution architecture for operations needs to be quantified. It
should be possible to measure, as and when required, the quantified parameters. (For example,
if the latency for a complex transaction initiated at the branch has to be completed in four
seconds under peak load, it should be possible to have adequate measuring environments to
ensure that performance degradations have not taken place due to increasing loads.)
Solution architecture has to be designed with high -availability, and no single point of failure. It is
inevitable that a complex solution architecture with point products from different sources
procured and implemented at different points in time will have some outage once in a while and
the important issue is that with clearly defined SLAs, mean time to restore, it should be possible
to identify the fault and correct the same without any degradation in performance.
Accordingly, with respect to the performance and availability aspects the following architectures
have to be designed and configured to provide high levels of up time round the clock to ensure
uninterrupted functioning.
Summation of the required processes:
–Data centre solution architecture
–DR solution architecture
–Near site solution architecture
–Enterprise network and security architecture
– Branch or delivery channel architecture
– Based on the above observation, banks are required to do the following: Take up the
performance and availability audit of the solutions deployed to ensure that the architecture is
designed and implemented with no single point of failure.
– Audit the deployed architecture for all the mission critical applications and services and resolve
the concerns that arise in a time bound manner.
– Periodically investigate the outages that are experienced from time to time, which are mini
disasters that result in non availability of services for a short span of time, systems not
responding when transactions are initiated at the branch level, delivery channels not functioning
for a brief period of time to ensure that the customer service is not affected.
– Ensure availability of appropriate technology solutions to measure and monitor the functioning
of products. And, have competent and capable technical people within the system to resolve
issues expeditiously.
The issues detailed above have to be borne in mind while finalising the data centre architecture
and the corporate network architecture which are expected to have redundancy built in the
solution with no single point of failure.
With reference to the network architecture it is recommended that the Banks built in
redundancies as under:
Link level redundancy
Path level redundancy
Route level redundancy
Equipment level redundancy
Service provider level redundancy
Issues in choosing a backup site and implementing a DC or DR solution:
Backup site: Is a location where an organisation can easily relocate following a disaster, such as
fire, flood, terrorist threat or other disruptive event. This is an integral part of the disaster recovery
plan and wider business continuity planning of an organisation. A backup site can be another
location operated by the organisation, or contracted via a company that specialises in disaster
recovery services. In some cases, an organisation will have an agreement with a second
organisation to operate a joint backup site.
There are three main types of backup sites:
cold sites
warm sites
hot sites
Differences between them are determined by costs and effort required to implement each.
Another term used to describe a backup site is a work area recovery site.
Cold Sites: A cold site is the most inexpensive type of backup site for an organisation to operate.
It does not include backed up copies of data and information from the original location of the
organisation, nor does it include hardware already set up. The lack of hardware contributes to the
minimal start up costs of the cold site, but requires additional time following the disaster to have
the operation running at a capacity close to that prior to the disaster.
Hot Sites: A hot site is a duplicate of the original site of the organisation, with full computer
systems as well as near-complete backups of user data. Real-time synchronisation between the
two sites may be used to mirror the data environment of the original site, using wide area
network links and specialised software. Following a disruption to the original site, the hot site
exists so that the organisation can relocate with minimal losses to normal operations. Ideally, a
hot site will be up and running within a matter of hours or even less. Personnel may still have to
be moved to the hot site so it is possible that the hot site may be operational from a data
processing perspective before staff has relocated. The capacity of the hot site may or may not
match the capacity of the original site depending on the organisation's requirements. This type of
backup site is the most expensive to
operate. Hot sites are popular with organisations that operate real time processes such as
financial institutions, government agencies and ecommerce providers
Warm Sites: A warm site is, quite logically, a compromise between hot and cold. These sites will
have hardware and connectivity already established, though on a smaller scale than the original
production site or even a hot site. Warm sites will have backups on hand, but they may not be
complete and may be between several days and a week old. An example would be backup tapes
sent to the warm site by courier
8.1 The following issues arise in choosing a back up site and implementing a DC/DR solution:
Solution architectures of DC and DR are not identical for all the applications and services. Critical
applications and services, namely the retail, corporate, trade finance and government business
solutions as well as the delivery channels are having the same DR configurations whereas
surround or interfacing applications do not have the DR support. Banks will have to conduct
periodical review with reference to the above aspect and upgrade the DR solutions from time to
time and ensure that all the critical applications and services have a perfect replica in terms of
performance and availability.
The configurations of servers, network devices and other products at the DC and DR have to be
identical at all times. This includes the patches that are applied at the DC periodically and the
changes made to the software from time to time by customization and parameterization to
account for the regulatory requirements, system changes etc .
Periodic checks with reference to ensuring data and transaction integrity between DC and DR
are mandatory. It could be done over the week end or as a part of the EoD / BoD process.
Solutions have to have a defined Recovery Time Objective (RTO) and Recovery Point Objective
(RPO) parameter. These two parameters have a very clear bearing on the technology aspects as
well as the process defined for cut over to the DR and the competency levels required moving
over in the specified time frame.
Values chosen for the RTO and RPO is more to follow the industry practice and not derived from
first principles. Therefore, the DR drills that are conducted periodically have to ensure that the
above parameters are strictly complied with.
Technology operations processes which support business operations (such as EOD/ BOD) need
to formally included into the IT Continuity Plan.
Banks may also consider Recovery Time Objective and Recovery Point Objectives (RTO/ RPO)
for services being offered and not just a specific application. For example--for internet portal and
not retail banking. This is done to avoid any inconsistency in business users understanding.
DR drills currently conducted periodically come under the category of planned shutdown. Banks
have to evolve a suitable methodology to conduct the drills which are closer to the real disaster
scenario so that the confidence levels of the technical team taking up this exercise is built to
address the requirement in the event of a real disaster.
It is also recommended that the support infrastructure at the DC and DR, namely the electrical
systems, air-conditioning environment and other support systems have no single point of failure
and do have a building management and monitoring system to constantly and continuously
monitor the resources. If it is specified that the solution has a high availability of
95 measured on a monthly basis and a mean time to restore of 2 hrs in the event of any failure, it
has to include the support system also.
Data replication mechanism followed between DC and DR is the asynchronous replication
mechanism and implemented across the industry either using database replication techniques or
the storage based replication techniques. They do have relative merits and demerits. The RTO
and RPO discussed earlier, along with the replication mechanism used and the data transfer
required to be accomplished during the peak load will decide the bandwidth required between the
DC and the DR. The RPO is directly related to the latency permissible for the transaction data
from the DC to update the database at the DR. Therefore, the process implemented for the data
replication requirement has to conform to the above and with no compromise to data and
transaction integrity.
Given the need for drastically minimizing the data loss during exigencies and enable quick
recovery and continuity of critical business operations, banks may need to consider near site DR
architecture. Major banks with significant customer delivery channel usage and significant
participation in financial markets/payment and settlement systems may need to have a plan of
action for creating a near site DR architecture over the medium term (say, within three years).
8.2 Issues/Challenges in DC/DR implementation by the Banks
Despite considerable advances in equipment and telecommunications design and recovery
services, IT disaster recovery is becoming challenging. Continuity and recovery aspects are
impacting IT strategy and cost implications are challenging IT budgets.
The time window for recovery is shrinking in face of the demand for 24 / 365 operations. Some
studies claim that around 30 percent of high-availability applications have to be recovered in less
than three hours. A further 45 percent within 24 hours, before losses become unsustainable;
others claim that 60 percent of Enterprise Resource Planning (ERP) Systems have to be
restored in under 24 hours. This means that traditional off-site backup and restore methods are
often no longer adequate. It simply takes too long to recover incremental and full image backups
of various inter-related applications (backed up at different times), synchronise them and re-
create the position as at disaster. Continuous operation–data mirroring to off-site locations and
standby computing and telecommunications–may be the only solution.
A risk assessment and business impact analysis should establish the justification for continuity
for specific IT and telecommunication services and applications.
Achieving robust security (security assurance) is not a onetime activity. It cannot be obtained just
by purchasing and installing suitable software and hardware. It is a continuous process that
requires regular assessment of the security health of the organisation and proactive steps to
detect and fix any vulnerability. Every bank should have in place quick and reliable access to
expertise for tracking suspicious behavior, monitoring users and performing forensics. Adequate
reporting to the authorities concerned – such as the RBI/ IDRBT/CERT-In and other institutions
should be an automatic sub process whenever such events occur.
Important steps that need to be institutionalised are the following:
Rigorous self-assessment of security measures by banks and comprehensive security audit by
external agencies, as detailed under the “Chapter on Information Security” earlier.
Random Security Preparedness. It is proposed that a sufficiently large ``question bank'' related to
security health of the organization be prepared and given to RBI's inspection teams who go for
inspection of banks. A random subset of these queries could then be given to a bank’s IT team
for which answers need to be
provided in near real time. Sample checks related to user accounts could be the number of new
accounts, terminated accounts, most active accounts. There could also be demonstrations of
data recovery from archives.
Telecommunications issues may also arise: It is important to ensure that relevant links are in
place and that communications capability is compatible. The adequacy of voice and data
capacity needs to be checked. Telephony needs to be switched from the disaster site to the
standby site. A financial institution’s BCP should consider addressing diversity guidelines for its
telecommunications capabilities. This is particularly important for the financial services sector
that provides critical payment, clearing, and settlement processes; however, diversity guidelines
should be considered by all financial institutions and should be commensurate with the
institution’s size, complexity, and overall risk profile. Diversity guidelines may include
arrangements with multiple telecommunications providers. However, diverse routing may be
difficult to achieve since primary telecommunications carriers may have an agreement with the
same sub-carriers to provide local access service, and these sub-carriers may also have a
contract with the same local access service providers. Financial institutions do not have any
control over the number of circuit segments that will be needed, and they typically do not have a
business relationship with any of the sub-carriers. Consequently, it is important for financial
institutions to understand the relationship between their primary telecommunications carrier and
these various sub-carriers and how this complex network connects to their primary and back-up
facilities. To determine whether telecommunications providers use the same sub-carrier or local
access service provider, banks may consider performing an end-to-end trace of all critical or
sensitive circuits to search for single points of failure such as a common switch, router, PBX, or
central telephone office.
Banks may consider the following telecommunications diversity components to enhance BCP:
Alternative media, such as secure wireless systems
Internet protocol networking equipment that provides easily configurable re-routing and traffic
load balancing capabilities
Local services to more than one telecommunications carrier’s central office, or diverse physical
paths to independent central offices
Multiple, geographically diverse cables and separate points of entry
Frame relay circuits that do not require network interconnections, which often causes delays due
to concentration points between frame relay providers
Separate power sources for equipment with generator or uninterrupted power supply back-up
(vii) Separate connections to back-up locations
Regular use of multiple facilities in which traffic is continually split between the connections; and
Separate suppliers for hardware and software infrastructure needs.
Banks need to monitor their service relationship with telecommunications providers: In order to
manage the inherent risks more effectively. In coordination with vendors, management should
ensure that risk management strategies include
the following, at a minimum:
– Establish service level agreements that address contingency measures and change
management for services provided;
– Ensure that primary and back-up telecommunications paths do not share a single point of
failure
– Establish processes to periodically inventory and validate telecommunications circuits and
routing paths through comprehensive testing.
Some vendors offer a drop-ship service as an alternative to occupying the standby site. That is,
in the event of equipment failure, for instance, they will drop off a replacement rather than insist
the client occupy the standby site, with all the inconvenience that may involve. But it is essential
that a site survey is undertaken to ensure they can be parked on the required site. Most
commercial standby sites offering IT and work area recovery facilities do not guarantee a service:
the contract merely provides access to the equipment. Although most reputable vendors will
negotiate a Service Level Agreement that specifies the quality of the service, it is rarely offered.
It is important to ensure that a bank’s service will not suffer from unacceptable downtime or
response. The vendor may have skilled staff available – but this is rarely guaranteed and they
come at a cost. In terms of cost, there may be additional fees to pay for testing, on invocation of
a disaster, and for occupation in a disaster. The vendor charging structure also needs to be
carefully considered.
Outsourcing Risks: In theory a commercial hot or warm standby site is available 24 / 365. It has
staff skilled in assisting recovery. Its equipment is constantly kept up to date, while older
equipment remains supported. It is always available for use and offers testing periods once or
twice a year. The practice may be different. These days, organizations have a wide range of
equipment from different vendors and different models from the same vendor. Not every
commercial standby site is able to support the entire range of equipment that a bank may have.
Instead, vendors form alliances with others – but this may mean that a bank’s recovery effort is
split between more than one standby site. The standby site may not have identical IT equipment:
instead of the use of an identical piece of equipment, it will offer a partition on a compatible large
computer or server. Operating systems and security packages may not be the same version as
the client usually uses. These aspects may cause setbacks when attempting recovery of IT
systems and applications – and weak change control at the recovery site could cause a disaster
on return to the normal site.
It is the responsibility of the IT manager/bank to ensure effective recovery by those vendors, who
apply the highest standards, supporting this by a stringent contract, clearly defining service
specifications and technical requirements, and service-level agreements.

Banking Sector IT guideline

The Reserve Bank of India issued new guidance in April 2011 for banks to mitigate
the risks of use of information technology in banking operations. RBI guidelines are
result of the Working Group's recommendations on information security, electronic
banking, technology risk management and cyber fraud. The Working Group was formed
under the chairmanship of G. Gopalakrishna, the executive director of RBI in April 2010.
The guidance is largely driven by the need for mitigating cyber threats emerging from
increasing adoption of IT by commercial banks in India.
Recommendations are made in nine broad areas, including-
1. IT Governance: emphasizes the IT risk management accountability on a bank's
board of directors and executive management. Focus includes creating an
organizational structure and process to ensure that a bank's IT security sustains
and extends business strategies and objectives.
2. Information Security: maintaining a framework to guide the development of a
comprehensive information security program, which includes forming a separate
information security function to focus exclusively on information security and risk
management, distinct from the activities of an information technology
department. These guidelines specify that the chief information security officer
needs to report directly to the head of risk management and should not have a
direct reporting relationship with the chief information officer.
3. IT Operations: specialized organizational capabilities that provide value to
customers, including IT service management, infrastructure management,
application lifecycle management and IT operations risk framework.
4. IT Services Outsourcing: places the ultimate responsibility for outsourcing
operations and management of inherent risk in such relationships on the board
and senior management. Focus includes effective selection of service provider,
monitoring and control of outsourced activities and risk evaluation and
management.
5. Information Security Audit: the need for banks to re-assess IS audit processes
and ensure that they provide an independent and objective view of the extent to
which the risks are managed. This topic focuses on defining the roles and
responsibilities of the IS audit stakeholders and planning and execution of the
audit.
6. Cyberfraud: defines the need for an industry wide framework on fraud
governance with particular emphasis on tackling electronic channel based frauds.
Focus includes creating an organizational structure for fraud risk management
and a special committee for monitoring large value fraud.

7. Business Continuity Planning : focuses on policies, standards and procedures

to ensure continuity, resumption and recovery of critical business processes.
Also, this topic emphasizes implementing a framework to minimize the
operational, financial, legal, reputational and other material consequences arising
from such a disaster.
8. Customer Education: the need to implement consumer awareness framework
and programs on a variety of fraud related issues.
9. Legal Issues: defines the need to put effective processes in place to ensure that
legal risks arising from cyber laws are identified and addressed at banks. It also
focuses on board's consultation with legal department on steps to mitigate
business risks within the bank.