RBI Announcements

Annexure: Information Systems Security Guidelines for the Banking and Financial Sector (Part 1 of 2)

Chapter 1

Introduction

1.1 The information and the supporting processes, the computer systems and the networks, used for generating, storing and retrieving information and the human beings are important business assets of every organisation. The confidentiality, integrity and availability of information is essential for any financial organisation to maintain its competitive edge, cash-flow, profitability, legal compliance and commercial image. The application of Information Technology has brought about significant changes in the way the banking and the financial organisations process and store data. The telecommunication networks have played a catalytic role in the expansion and integration of the Information Systems, within and among the organisations, facilitating data accessibility to different users. This has made it imperative for each organisation to put in place adequate security controls to ensure data accessibility to all the authorised users, data inaccessibility to all the unauthorized users, maintenance of data integrity and implementation of safeguards against all security threats to guarantee information and information systems security across the organisation. This makes it necessary for each organisation to define, document, communicate, implement and audit Information Systems (IS) Security.

1.2 The information systems and the networks of the organisations are increasingly faced with security threats from a wide range of sources including computer-assisted fraud, espionage, sabotage, vandalism etc. The sources of damage such as the computer viruses, computer hacking and denial of service attacks have become more common, more ambitious and increasingly sophisticated in the networked environment. The ever-growing dependence of the organisations on the information systems has made them more vulnerable to such security threats. At the same time, the interconnection between the public and the private networks and the sharing of the information assets/ resources have increased the difficulty of ensuring security for information and the information systems. The trend to distributed computing has significantly contributed to the complexity in security controls.

1.3 The maintenance of information security relates to the preservation of the confidentiality, integrity and availability of information, as described hereunder:

(a) Confidentiality of information relates to authorised access only to information and the controls put in place to ensure the same.

(b) Integrity of information relates to the safeguarding of the accuracy and the completeness of information including the associated processing methods.

(c) Availability of information means the accessibility to information, as and when required, by the authorised users only.

1.4 Each organisation has to identify its security requirements, which can be facilitated by addressing the following :

a) Risk Assessment to identify the threats to information and information assets, their vulnerability to such threats, the likelihood of the occurrence of such threats and the potential impact of such threats on the business of the organisation.

b) The legal, statutory, regulatory and contractual requirements, which an organization, its trading partners, contractors and service providers have to comply with.

c) The principles, objectives and requirements for information processing, which an organisation may have developed to support its business operations.

1.5 The security controls to be put in place need to be identified by a methodical assessment of risks. The expenditure on the security controls needs to be balanced against the business hardships which are likely to result from security failures. The risk assessment techniques may need to be applied to the whole organisation or only to parts thereof, including individual information systems, specific components of such systems or services. In fact, risk assessment is a systematic consideration of the business hardships likely to result from security failure, together with the potential consequences of the loss of confidentiality, integrity or availability of information and the information assets and the realistic likelihood of the occurrence of such failure in the light of the prevailing threats and vulnerabilities vis-à-vis the security controls currently implemented in the organisation.

1.6 The results of this assessment will help guide and determine the appropriate management action, the priorities for managing the information and the information systems security risks and for implementing security controls, selected to protect the organisation against such risks. The process of assessing the risks and the selection of the security controls may require to be performed a number of times to cover different parts of the organization or the individual information systems and services. It is also important to carry out periodic reviews of the security risks and the implemented security controls in view of new threats and vulnerabilities and to confirm that the security controls in place are effective and appropriate. The reviews will require to be performed at different levels of depth, depending on the results of the previous assessments and the changing levels of risk, which the management of the organisation is prepared to accept. The risk assessments will require to be carried out first at a high level for prioritising the information and the information assets in the areas of high risk and then, at a more detailed level to address specific risks.

1.7 Many information systems in operation in an organisation may not have been designed to be sufficiently secure. Further, the level of security, which can be achieved through the application of technology, could also be limited and therefore, it requires to be supported by appropriate management policies and procedures. The selection of the security controls requires careful and detailed planning. The management of information and information systems security will require participation by all the employees in an organisation. It will also require participation from the third parties such as the suppliers, vendors, customers and shareholders. The organisation may also have to turn to specialist advice in the matter of information systems security, as and when required. The information systems security could be achieved by implementing a suitable set of controls which consists of policies, practices, procedures, organisational structures, hardware and software functions. Each organisation has to establish these controls to ensure that its security requirements are met.

1.8 The Board of Directors/Management of each organisation has the responsibility for ensuring appropriate corporate policies, which set out the management responsibilities and the control practices for all the areas of information processing activities. A well-defined corporate security policy has to be put in place and periodically reviewed and amended, as required, under the approval of the Board of Directors/Management of the organisation.

1.9 The management of risks is central to the organisation in the banking and financial sector. These organisations manage risks through prudent business practices, contractual arrangements with third parties, obtaining insurance coverage and use of appropriate security mechanisms. These organisations have now been increasingly dependent on the Information Technology (IT) for the efficient conduct of business, which necessitates growing levels of information systems security within the organisations. This report contains the guidelines for building up an "Information Systems Security Programme" by an organisation in the banking and financial sector.

The objectives of this report are :

a) to provide a structure for the information systems security ;

b) to provide a guide to security controls, procedures and practices ; and

c) to be consistent with the existing and emerging needs of information systems security.

1.10 The objective is to produce a comprehensive document to facilitate the creation of effective security for ensuring confidentiality, integrity and availability of information and the information systems by the banking and financial organisations. However, the recommendations in this document should be considered as the bare minimum security requirements only and it is suggested that the banking and the financial organisations may have to endeavour to strengthen the same continuously in view of the ever increasing complexity in security threats to information and information systems.

Chapter 2

Executive Summary

2.1 The Board of Directors/Managements of the banks and the financial organisations are responsible for putting in place effective security controls for protecting information assets, as the confidentiality, integrity, authenticity and timely availability of such information is of paramount importance to business operations. It is, therefore, critical for such organisations to protect the information and information systems from unauthorised disclosure, modification, replication, destruction and access. Built-in safeguards and controls should be put in place to save information and the information systems from the unauthorised persons, hackers etc.

2.2 The business operations in the banking and the financial sector would be increasingly dependent on computerised information systems in future. It has now become impossible to separate technology from the business of the banks/financial organisations. The growing use of the personal computers and their networking in the financial sector has necessitated their integration in a Local Area or Wide Area Network environment. In many organisations, most of the work is still done on the standalone personal computers and on those integrated with intra-city networks including LANs, rather than on large mainframe systems. The security controls for these computer systems and networks are not as developed as the security controls available for the mainframe systems. On account of the phenomenal growth in the use of IT and IT based applications by these organisations in their day-to-day operations, the need for putting in place the security controls for all the information systems has grown tremendously. The information systems security has, therefore, assumed great importance for the commercial success of an organisation, as the survival of the organisation depends on the speed, accuracy and reliability of the flow of information within the organisation vis-à-vis its customers.

2.3 The security controls are required to minimise the vulnerability to unauthorised use of the information and the information systems. However, such controls may have to be consistent with the degree of exposure of such systems and the information and the impact of loss to the organisation on account of unauthorised access and misuse, including accidental misuse, of such systems and information. The unauthorised, including accidental, misuse of the information may result in financial loss, competitive disadvantage, damaged reputation, improper disclosure, law suits, non-compliance with the regulatory provisions etc. Structured, well defined and documented security policies, standards and guidelines lay the foundation for good information systems security and are the need of the hour.

2.4 No threat becomes obsolete. Further, new threats surface from time to time. The financial sector has witnessed rapid changes in the volume and the value of transactions and the introduction of the most modern and secure methods for the delivery of services to the customers. Still better information systems are being introduced at frequent intervals. Further, the banking and the financial sector is now poised to countenance various developments such as Internet banking, e-money, e-cheque, e-commerce etc., which have been made possible by the revolutionary researches and discoveries in Information Technology and its applications, and the future promises to remain challenging. Constant developments of far reaching implications dictate constant vigilance and necessitate a sound information systems security programme. Constant vigilance and the extensive and proper implementation of the information systems security programme in an organisation are the minimum requirements for the organisation’s competitiveness and continued contribution to economic growth.

Chapter 3

Ensuring Security in Banking and Financial Sector -
Implementation of Information Systems Security Programme

3.1 The acceptance of ethical values and adoption of security control measures may have to be communicated by the highest level of the organisation (Board of Directors) to its management and staff. The prudential control over the information assets of an organisation constitutes a sound business practice. The protection of the information relating to the key business processes is critical, as those business processes are themselves very critical to an organisation. Therefore, the security requirements should be carefully examined at each stage of the business process in the organisation.

3.2 The development, maintenance and monitoring of an information systems security programme requires wholehearted participation by the functionaries in various disciplines in an organisation such as business operations, audit, insurance, regulation compliance, physical security, training of personnel and their deployment, legal etc. There has to be close co-ordination between the business manager and the information systems security manager. The maintenance of the Information systems security is basically a team effort and it is the responsibility of each and every individual in an organisation to ensure its proper implementation and observance.

3.3 The information systems security programme should include an organisation-wide information systems security policy and a statement containing the following :

a) a statement that the organisation considers information in any form to be an important asset;

b) an identification of risks ;

c) the requirements/procedures/processes for the implementation of the security controls and practices;

d) an assurance that the information assets are protected and that the organisation continuously endeavours to beef up the security controls/measures against the ever increasing threats thereagainst;

e) a well-defined procedure on the responsibilities of each manager, employee and the related third parties for the maintenance of information systems security; and

f) a commitment to security awareness and education among the employees in the organisation irrespective of cadres and grades.

In addition to the above, the information systems security programme must also deal with the following :

a) At the apex level, a Senior Executive should be responsible for Information Systems Security. He will be assisted by one or more officer(s) to be responsible for the information systems security programme in each of the offices/locations of the organisation. If so required, there may be an Information Systems Security Department in each organisation to address various issues such as the development of the Information Systems Security Policy, updation of the Information Systems Security Guidelines on an on-going basis, provision of consultancy and information on information systems security requirements, maintenance of centralised security functions etc. Further, the System Administration responsibilities should, among others, relate to the implementation of the security controls, compliance with the information systems security guidelines, management of day-to-day security functions etc.

b) Identification of individuals to be responsible for the protection of information assets at each office/location of the organisation or as warranted;

c) Classification of information assets and specifications of the appropriate levels of security for each class of information assets;

d) Implementation of an awareness/education programme to ensure that the employees and the related third parties are aware of and observe their respective responsibilities for the maintenance and continuation of information systems security in the organisation;

e) Reporting of information systems security incidents and provision for their resolution;

f) Preparation of written (comprehensively documented) plans and procedures for business resumption/continuity following disasters;

g) Identification of the procedures and the processes for addressing exceptions or deviations from the information systems security policy document ;

h) Co-ordination and co-operation among the various disciplines in the organisation such as technical, operational, audit, insurance and regulatory compliance ;

i) Laying down precisely the responsibilities to ensure compliance with and to assess soundness and comprehensiveness of the information systems security programme on a continuous basis ;

j) Review, updation and upgradation of the information systems security programme in the light of new threats and technology on a continuous basis ; and

k) Preparation of the audit records, where necessary and the monitoring of the audit trails for the detection of uncharacteristic behaviour of individuals and activities.

3.4 The Information Systems Security Managers will serve as the supervisors and have to, therefore, monitor the successful implementation of the Information Systems Security Policy within their work-areas. This makes them key players in the information systems security programme. It is, therefore, essential that each Information Systems Security Manager should:

a) understand, support and abide by the organisation’s information systems security policy, standards and directives ;

b) ensure that the employees and the related third parties understand, support and abide by the information systems security policy, standards and directives;

c) implement information systems security controls, consistent with the requirements of business and prudent business practices, obtaining in the organisation ;

d) create a positive atmosphere that encourages employees and the third parties to report information systems security concerns/ incidents to the Information Systems Security Manager immediately;

e) participate in the information systems security communication and awareness programme ;

f) apply sound business and security principles in preparing the exception requests;

g) define realistic business and security principles in preparing exception requests;

h) define realistic business "need-to-know" or "need-to-restrict" criteria to implement and maintain appropriate access controls and identify and obtain resources, necessary to implement these tasks ;

i) ensure that information systems security reviews are undertaken, whenever required, by the concerned functionaries. The circumstances that should trigger such a review illustratively include the following :

  • material/large loss from a security failure ;
  • appearance of bugs in the software all of a sudden;
  • preparation of an annual report to the Board of Directors and Audit Committee (relevant authority as per the systems and procedures in the organisation) ;
  • acquisition of a financial organisation ;
  • purchase or upgradation of computer systems, either hardware or software, or both ;
  • introduction of a new financial product ;
  • appointment of a new external processing third party ; and
  • discovery of a new threat or a change in an existing threat’s direction, scope or intent.

3.5 All business information should have an identified "owner" and the ownership of information should be established as per the procedures laid down therefor in this document. The "owner" of the information should also be responsible for :

a) classification of information or information processing systems under his control;

b) defining the security requirements for his information or information processing systems ;

c) authorizing access to information or information processing systems under his control ;

d) informing the Information Systems Security Officer of the access rights ; and

e) keeping the information on access rights up-to-date.

3.6 The employees and the third parties such as the suppliers, vendors, contractors and shareholders (if any) should:

a) understand, support and abide by the information security policies, standards and directives of the organization and the associated business unit;

b) be aware of the security implications of their actions ;

c) promptly report any suspicious behaviour or circumstances, which may threaten the integrity of the information and/or information assets ; and

d) keep the organisation’s information confidential. This especially applies to the contractors, vendors and suppliers with several organisations being their customers. This includes internal confidentiality requirements as per the terms and conditions relating to Confidentiality, specified in the Service Agreement/ Employment Contract, signed by the organisation with them.

3.7 Legal Function :

Each organisation has to ensure compliance with the legal requirements and keep track of the modifications/additions to the legal requirements, as prescribed by the concerned authorities. Each organisation will have to take care of the following :

a) monitor changes in the law through legislation, regulation and settled court cases that may affect the information systems security programme of the organisation;

b) review contracts concerning employees, customers, service providers, contractors, vendors and any other third party to ensure that the legal issues relating to information systems security have been duly taken care of ;

c) render advice with respect to the security breach incidents ; and

d) develop and maintain procedures for handling security threats including the preservation of evidence thereof etc.

3.8 Information Security Officers :

An Information Security Officer could be a senior official or a group of officials entrusted with the design, development, implementation and maintenance of the Information Systems Security Programme for protecting the information and the information assets of the organisation. There could be one or many information security officers in an organisation, as warranted by the size and spread of the organisation. In case of the need for many information security officers, every organisation should have a Chief Information Security Officer with supervisory, administrative and regulatory powers in regard to the other information security officers in the organisation.

The Information Security Officer/s will have to:

a) manage the overall information systems security programme in the organisation;

b) be responsible for developing the Information Systems Security Policies and Standards for use throughout the organisation. These policies and standards should be kept up-to-date, reflecting changes in technology, business direction and potential threats ;

c) assist business units in the development of specific standards or guidelines that meet the information security policies for specific products within the business unit. This requires working with the business managers to ensure that an effective process for implementing and maintaining the security controls is in place ;

d) ensure that, when exceptions to the information security policy are necessitated, the risk acceptance process is completed and the exceptions are reviewed and re-assessed periodically ;

e) remain current/up-to-date on the threats against the information assets. Attending information security meetings, reading trade publications and participation in work groups are some of the ways to stay current/up-to-date with the developments in the field of information systems security ;

f) understand the current information processing technologies and the most current information protection methods and controls by receiving internal education, attending information security seminars and through on-the-job training ;

g) understand the business processes of the organisation, so as to provide appropriate security protection ;

h) apply management and organizational skills and knowledge of the business in the execution of their duties ;

i) encourage the participation of the managers, auditors, insurance staff, legal experts and the staff members from other disciplines, who can contribute to the information systems security programme;

j) review audit and examination reports dealing with the information security issues and ensure that they are placed before the Board of Directors/Management of the organisation at pre-determined intervals. The information security officer should be involved in the formulation of the management’s response to the audit findings and follow-up to ensure that the security controls and procedures, as required, are implemented within the stipulated time frame ;

k) confirm that the key threats to the information assets have been defined and understood by the management of the organisation ;

l) assume responsibility or assist in the preparation and distribution of an appropriate warning system of potentially serious and imminent threats to the organisation’s information assets e.g. outbreak of computer virus etc. ;

m) co-ordinate or assist in the investigation of security threats or other attacks on the information assets ;

n) assist in the recovery of information and information assets from such attacks; and

o) assist in responding to the security issues relating to the customers including the letters of assurance and suitable replies to the questions on information systems security, as and when raised by the customers.

3.9 Information Systems Security Administration :

Each business unit and information systems manager should lay down the need-to-know access privileges for the users within his business domain and communicate the same to the users. These access privileges should be documented. Further, these documented privileges should be reviewed periodically and changes should be made as and when deemed appropriate.

3.10 Each information access control system should have one or more Information Systems Security Administrator(s), appointed to ensure that the access control procedures are being monitored and enforced continuously. The Information Systems Security Administrator should:

a) be responsible for maintaining accurate and complete access control privileges, based on the instructions from the information resource owner and in accordance with any applicable internal policies, directives and standards, laid down therefor;

b) remain informed by the appropriate manager/s whenever the service of the employees is terminated or they are transferred or retire or are on leave or when they have joint responsibilities, if any ;

c) monitor selected users with high-level access privileges and remove such privileges immediately, when such privileges are no longer required ;

d) monitor daily access activity to determine if any unusual activity has taken place such as repeated invalid access attempts that may threaten the integrity, confidentiality or the availability of information and the information systems. These unusual activities, whether intentional or accidental, must be brought to the attention of the information resource owner for investigation and resolution;

e) ensure that each information system user is identified by a unique identification sequence (USERID), associated only with that user. The process should require that the user identity be authenticated prior to the user’s gaining access to the information system by utilizing an established/properly chosen authentication technology;

f) make periodic reviews on access to information systems by the users and report to the appropriate information resource owner ; and

g) ensure that the audit trail is collected, protected and available, whenever required.
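The daily review described in items d) and g) above, as an added example that is not part of the guideline: the audit-trail format, the USERIDs and the thresholds are constructed assumptions. The check flags USERIDs with repeated invalid access attempts inside a sliding window (a burst) and, separately, counts invalid attempts per USERID per day, so that slow, spread-out attempts are also surfaced to the information resource owner.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit-trail lines (assumed format, not from the guideline):
# ISO timestamp, USERID, and whether the access attempt was valid.
SAMPLE_AUDIT_TRAIL = """\
2024-03-01T09:00:05 user=clerk01 result=SUCCESS
2024-03-01T09:01:10 user=clerk07 result=INVALID
2024-03-01T09:01:22 user=clerk07 result=INVALID
2024-03-01T09:01:40 user=clerk07 result=INVALID
2024-03-01T09:02:03 user=clerk07 result=INVALID
2024-03-01T09:05:00 user=teller02 result=INVALID
2024-03-01T11:30:00 user=teller02 result=INVALID
2024-03-01T14:00:00 user=teller02 result=INVALID
2024-03-01T14:10:00 user=teller02 result=INVALID
2024-03-01T09:30:00 user=admin03 result=SUCCESS
"""


def parse_line(line):
    """Parse one audit-trail line into (timestamp, userid, result)."""
    ts, user_field, result_field = line.split()
    return (datetime.fromisoformat(ts),
            user_field.split("=", 1)[1],
            result_field.split("=", 1)[1])


def load_events(trail):
    """Parse all non-empty lines and sort them by time, since trails are not always in order."""
    return sorted(parse_line(l) for l in trail.splitlines() if l.strip())


def find_repeated_invalid_attempts(trail, threshold=3, window=timedelta(minutes=5)):
    """Return {userid: peak count} for USERIDs with >= threshold INVALID attempts
    inside any sliding window of the given length (burst detection)."""
    recent = defaultdict(deque)   # per-USERID timestamps of recent INVALID attempts
    flagged = {}
    for ts, user, result in load_events(trail):
        if result != "INVALID":
            continue
        q = recent[user]
        q.append(ts)
        # Drop attempts that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged


def daily_invalid_counts(trail):
    """Return {(date, userid): count} of INVALID attempts, for the daily review.
    This catches attempts spread out too thinly to trigger the burst check."""
    counts = defaultdict(int)
    for ts, user, result in load_events(trail):
        if result == "INVALID":
            counts[(ts.date().isoformat(), user)] += 1
    return dict(counts)


def build_report(trail, burst_threshold=3, daily_threshold=3):
    """Produce the lines to bring to the information resource owner's attention."""
    lines = []
    for user, peak in sorted(find_repeated_invalid_attempts(trail, burst_threshold).items()):
        lines.append(f"BURST  user={user} invalid_attempts_in_window={peak}")
    for (day, user), n in sorted(daily_invalid_counts(trail).items()):
        if n >= daily_threshold:
            lines.append(f"DAILY  date={day} user={user} invalid_attempts={n}")
    return lines


if __name__ == "__main__":
    for line in build_report(SAMPLE_AUDIT_TRAIL):
        print(line)
```

In the constructed data, clerk07 trips the burst check while teller02 only appears in the daily count, which is why both views are needed.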

3.11 The activities of the Information Systems Security Administrator/s (ISSA) have to be reviewed by an independent party, appointed by the management of the organisation for the purpose, on a routine basis.

3.12 Risk Acceptance :

The business managers will have to abide by the information systems security policy, standards and directives, issued by the organisation. If any business manager believes that the circumstances or any particular situation prevents him from operating within the laid down information systems security policy, standards and directives, he/she should either :

a) undertake steps to observe compliance, as required, as soon as possible, under proper intimation to the information systems security officer ; or

b) seek an exception from the information systems security officer, based upon risk assessment of the special circumstances/situations involved.

3.13 The Information Systems Security Officer will have to participate in the preparation of the compliance plan or exception request for submission to the appropriate authority in the organisation for decision/approval. The Information Systems Security Officer will also have to consider changes to the information systems security programme, whenever the exception procedure reveals situation/ s, which had not been previously addressed.

3.14 Insurance :

In planning the information systems security programme, the Information Systems Security Officer and the business manager should consult the insurance department and if possible, the insurance service provider. This will result in a more effective information systems security programme.

3.15 The insurance service provider/s may require that certain controls, say conditions prior to liability or conditions precedent, will have to be met before a claim could be honoured. The conditions prior to liability often deal with the proper observance of the information systems security controls. Since these security controls must be in place for, among others, insurance purposes, they should be incorporated into the organisation’s information systems security programme. Some controls may also require to be warranted i.e. to be shown to have been in place continuously since the implementation of the information systems security programme. The coverage of business interruption and that of the errors and omissions, in particular, will have to be integrated with the information systems security programme.

3.16 Audit :

Internal audit is an independent appraisal function, established within an organisation, to examine and evaluate its activities, as a service to the organisation. The objective of internal auditing is to assist the members of the organisation in the effective discharge of their responsibilities. To this end, internal auditing furnishes the analyses, appraisals, recommendations, counsel and information concerning the activities reviewed, so that necessary corrective/preventive action could be taken to ensure that the activities of the organisation continue to conform to the procedures/guidelines/prescriptions, as laid down therefor.

The auditors of information systems security should :

a) evaluate and test the security controls, implemented for the confidentiality, integrity and availability of the information and the information assets against internationally accepted standards;

b) engage in an on-going dialogue with the Information Systems Security Officer and others associated with the security of the information and the information assets, to bring appropriate perspectives to the identification of threats and risks and to the adequacy of the security controls and procedures in place, both for the existing and the new products/assets;

c) provide the management of the organisation with objective reports on the condition of the controlled environment in respect of the security for information and information assets and recommend changes, improvements etc., if any, which can be justified by the need and the cost-benefit criteria therefor; and

d) specify the retention and review of the audit trail information.

3.17 Where the audit review function relating to information systems security is combined with other functions, the management of the organisation is required to put an appropriate system/procedure in place, so that the conflict of interest arising from the conduct of the combined activities is either eliminated or minimised. Further, the Information Systems Audit has to be performed by persons with suitable skills/expertise therefor, say CISA (Certified Information Systems Auditor) or CISSP (Certified Information Systems Security Professional) personnel.

3.18 Regulatory Compliance :

The Regulatory Authorities concern themselves principally with the issues of safety, soundness and compliance with the laws and regulations. One measure of safety and soundness is the control system the organisation has put in place, which makes information available/accessible to the authorised persons in the organisation only and protects it from unauthorised modifications, disclosures and destruction.

The Regulatory Compliance Officer/s will have to work with the Information Systems Security Officer/s, business managers, risk control managers and the Information Systems Auditors to ensure that the regulatory requirements for the information systems security are understood and implemented. The Regulatory Compliance Officer/s will have to remain current/up-to-date on the new technologies or methodologies, which may come under the subject of regulation.

3.19 Disaster Recovery Planning :

An important part of an Information Systems Security Programme is a comprehensively documented plan to ensure the continuation of the critical business operations of the organisation in the event of disruption. A disaster recovery plan outlines the roles and responsibilities under such situations and the system/procedures to be adopted for business continuity.

3.20 Disaster recovery is that part of the business resumption plan which ensures that the information and the information processing facilities are restored to their normal operating conditions as soon as possible after a disruption. The disaster recovery plan should include the following:

a) listing of business activities which are considered critical, preferably with priority rankings, including the time frame adequate to meet business commitments;

b) identification of the range of disasters that must be protected against;

c) identification of the processing resources and locations available to replace those supporting critical activities;

d) identification of personnel to operate information processing resources at the disaster recovery site;

e) identification of information to be backed up and the location for storage, as well as the requirement for the information to be saved for back-up purposes on a stated schedule and compliance therewith;

f) information back-up systems being capable of locating and retrieving critical information in a timely fashion; and

g) agreements entered into with the service providers/contractors/vendors for priority resumption of services under the terms and conditions specified therein.

3.21 The disaster recovery plan will have to be tested as frequently as necessary, as per the terms and conditions specified therefor in the agreement/s with the service providers/contractors/vendors, to find problems, if any, in the execution of the plan as also to keep the personnel trained in it and in the operation of the back-up system. The record of each of these exercises should be documented, submitted to higher-ups and preserved. A periodic re-evaluation of the disaster recovery plan, to ascertain that it still serves the purpose, will have to be undertaken. A minimum frequency for both the testing of the disaster recovery plan and the re-evaluation of its appropriateness/suitability will have to be specified by the Organisation. The agreement/s with the service providers/contractors/vendors will have to include the terms and conditions for switch-over to the primary system on the resolution of the problems thereat. Further, if the implementation of the disaster recovery plan requires close co-ordination among various service providers/contractors/vendors, the terms and conditions warranting close co-ordination and co-operation among them will have to be specified in each relevant agreement, setting out the obligations to be met by each of the service providers/contractors/vendors, including the penalties/punitive measures in case of non-compliance.

Chapter 4

Information Systems Security Awareness Programme and Third Parties

4.1 The goal of an Information Systems Security Awareness Programme is to promote information systems security awareness among all concerned. The programme is meant to influence in a positive manner the employees’ approach towards Information Systems Security. The security awareness, among all concerned, requires to be addressed on an on-going basis.

4.2 The success of any Information Systems Security Programme is directly related to the Information Systems Security Officer’s ability to gain support and commitment from all categories of employees within the organization. The failure to gain this support reduces the programme’s effectiveness. There should be clear directions from the Board of Directors/Management of the organisation regarding the Information Systems Security Programme including the role and responsibility of different functionaries/individuals in the organisation.

4.3 The Information Systems Managers will have to be made aware of the exposure, risks and loss potential as well as regulatory and audit requirements. To function properly, the Information Systems Security Programme must achieve a balance between the security controls and accessibility to information and the information assets. Both the staff and the management must be made aware of this requirement. It will have to be ensured that the users are given sufficient access to perform their required official functions. However, they should never be given unrestricted access.

4.4 The Information Systems Security Programme must be so structured and documented as to support the work environment to which it applies. The Information Systems Security staff must not operate in a vacuum. They must understand the business objectives, the internal operations and the organizational structure of the institution to be able to protect information and information systems better and to periodically advise the organisation in the matter. By working in co-ordination with the other groups in the organisation, a co-operative spirit would evolve, which will benefit one and all in the organisation and the organisation itself.

4.5 External Service Providers :

The Organisation will have to ensure that the externally provided critical services such as data processing, transaction handling, network service management, maintenance and software development and modifications, if any, receive the same levels of security controls and information protection as the data processed / activities performed within the organisation itself. The agreement entered into with the service providers/contractors/vendors will have to, among others, contain terms and conditions to satisfy the following requirements:

a) the external service provider must in all cases abide by the security policies and standards adopted by the Organisation;

b) the third party reports, i.e. the reports prepared by the service provider, should be available to the Information Systems Security Manager along with the relevant departments/divisions/wings in the Organisation;

c) the internal auditors from the Organisation shall have the right to conduct an audit of the procedures and security controls adopted by the Service Provider, for ensuring conformity to the procedures and security controls as specified by the Organisation; and

d) escrow arrangements, in the country or as the case may be, for all such products, both hardware and software, whose ownership cannot be transferred to the Organisation.

4.6 An independent financial review of the service provider has to be conducted by the specialists in the Organisation before entering into a contract with the Service Provider. If the expertise/skills are not available in-house for the purpose, the review should be conducted with out-sourced expertise/skills under well-documented terms and conditions.

4.7 No business should be transacted with a service provider unless a letter of assurance is obtained stating that the required information security controls and procedures are in place with the service provider. The Information Systems Security Officer should examine the Service Provider’s information systems security programme to determine if it is in conformity with that of the organisation. Any inaccuracy/ies or inadequacy/ies should be resolved either through negotiation with the service provider or by the risk acceptance process within the organisation.

4.8 In addition to the information systems security requirements, the contract/ s with the service provider/s will include the confidentiality clause and clear assignment of liability for loss resulting from information security lapses, if any, for which the service provider is solely responsible.

4.9 Internet Service Provider :

The Internet has made spectacular progress in its coverage of geographical area and subscribers across the world. However, this networking environment brings new types of risk to the banking and financial sector. The Internet is the world-wide collection of inter-connected networks. It uses the Internet Protocol (IP) to link various physical networks into a single logical network. The risks of a public network such as the Internet are many because security was never a design consideration during its evolution and, therefore, needs to be retro-fitted. Security features built into the operating systems and applications provide better protection than those added later on. The following are, among others, the major security risks/concerns which the operating systems alone may not be able to address; specific security applications such as firewalls, Intrusion Detection Systems etc. will, therefore, have to be implemented to address them.

a) Address spoofing, which allows someone to impersonate another party, thereby making the messages untrustworthy.

b) Integrity of the message being threatened by the ability to change the contents of the message, either while in transit or after it has reached the recipient-destination.

c) Theft of information where the original message is left unaltered, but information such as credit card numbers etc. is stolen.

d) Denial-of-service attacks, where persons are able to flood an Internet node with automated mail messages, called spamming, which may eventually shut down the Internet node.

4.10 Internet Connectivity : There are several ways through which one can have Internet connectivity. The first is to have a direct connection to the Internet from a computer through a Serial Line Internet Protocol (SLIP) connection or a Point-to-Point Protocol (PPP) connection. Both these methods pose the greatest risks to the Organisation’s internal network/s because they provide a peer-to-peer connection. In other words, the systems and/or networks outside the organisation become a part of its internal network/s and enjoy access to any of the organisation’s network resources, unless prevented through security barriers such as Proxy Servers, Firewalls etc. The second method is to procure a connection from an Internet Service Provider who will provide access to the Internet. In this case, the external systems/networks will have connectivity with the systems of the Internet Service Provider only and not with the internal network/systems of the Organisation.

4.11 Selection of Internet Service Provider : While selecting an Internet Service Provider for Internet connectivity, factors such as the safeguards/security measures deployed by the Internet Service Provider to prevent access by external systems to the organisation’s internal network/systems must be duly considered in addition to the cost of such connectivity. Some Internet Service Providers offer complete turnkey operations, where all the security equipment/products are operational at their sites and are managed by them. Under such circumstances, they monitor the security violations, if any, and alert the subscriber-organisations to such incidents. The agreement between the Internet Service Provider and the Subscribers governs the relationship between them.

4.12 Before procuring Internet connectivity from the Internet Service Provider, the Organisation should conduct a thorough review of the Internet Service Provider to ascertain the details of access to the computer systems and the firewall which provide the gateway to the Organisation’s internal network/s. It should be ensured that only the barest minimum of the Internet Service Provider’s staff have access to these computer resources and that such access privileges are closely monitored by the Internet Service Provider on a regular basis. If the Organisation does not have the necessary in-house skills to conduct the review, the services of a third party with suitable skills and expertise for the purpose, and not related to the Internet Service Provider, may be engaged to conduct the security review of the Internet Service Provider. The Organisation must ask the third party for a written report of its findings, which the Organisation should use to negotiate changes with the Internet Service Provider before entering into the required agreement for obtaining Internet connectivity.

4.13 Penetration Attempt – Regular Penetration-Prevention Exercise:

The use of a third party to test the information systems security of the organisation by attempting penetration into the Information Systems, with the knowledge and consent of the appropriate official/s of the organisation, could be considered as a penetration-prevention exercise for ensuring adequacy of the information systems security programme in place and taking necessary steps to plug loopholes, if any. Such an exercise has to be carried out at regular intervals to ensure the adequacy of the information systems security programme. As the computer systems become more and more complex, the security requirements will become increasingly harder to maintain. The use of such a third party can help find specific points of weakness in an organisation’s Information Systems Security Programme. While adopting this methodology, the Organisation will have to duly consider the following :

a) The Organisation should enter into an agreement with the selected third party, which must contain, among others, the terms and conditions for confidentiality of information and prohibitive penalties/ liabilities in the event of breach of agreement by the third party.

Further, the terms and conditions will have to also ensure that the third party unfailingly advises the organisation about the emerging security concerns during the currency of the agreement/contract.

b) The organisation should not rely solely on the third party’s report on the findings of the penetration exercise to review and address the shortcomings in its Information Systems Security Programme.

The Organisations should endeavour to develop necessary in-house skills/expertise for the purpose also.

4.14 Electronic Money :

Recent advancements in the smart card technology and cryptography have enabled the organisations to issue tokens which are capable of storing and exchanging value. The organisation should consider the following and take necessary action before participating in the Electronic Money Programme.

4.14.1 Disclosure: How much information is to be made available to the customers and how? Compliance with the regulatory requirements, if any, in regard to the issues of liability, refund policy in case of loss, malfunction or theft, privacy expectations and other similar issues.

4.14.2 Capacity: How much can be stored in a token? Can the token be refilled? How are limits to be enforced? Compliance with the requirements in place.

4.14.3 Privacy: Restrictions on the collection of information for marketing purposes on the purchase by the customers and compliance therewith.

4.14.4 Law Enforcement Concerns : Measures taken/provisions put in place to prevent money laundering, which may be facilitated by an unlimited-value, refillable, untraceable, anonymous electronic cash system, and compliance therewith.

4.14.5 Record Keeping: If the electronic money is to be refundable, the Electronic Money System will have to be capable of tracing the transactions, and compliance with the methodology put in place therefor, including the maintenance of records to facilitate refund, will have to be ensured. Compliance with the privacy, accountability and legal requirements should also be in place.

4.15 Cryptographic Operations :

4.15.1 Threats against confidentiality and integrity of information can be countered/minimised by the implementation of appropriate cryptographic controls. Cryptographic controls such as encryption and authentication require that certain materials such as the cryptographic keys remain secret. One or more facilities that generate, distribute and account for the cryptographic materials may be required to support cryptographic controls.

4.15.2 The facilities providing the management of the cryptographic materials must be subject to the highest level of physical protection and access control. Key management must be performed under split knowledge to preserve the security of the system.
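The following Python illustration of split knowledge is added here and is not part of the Guidelines or of any RBI system. It assumes a simple scheme in which the key is the bitwise XOR of components held by separate custodians, so that no custodian short of the full set learns anything about the key; the check value (first three bytes of SHA-256 over the assembled key) is this example's own simplification of the key check values used by key-management products, and the custodian names are constructed.

```python
"""Split-knowledge key loading under dual control (added illustration).

Assumptions, not from the Guidelines: the key is split into XOR components,
each held by a separate custodian, and a short check value over the assembled
key lets the custodians confirm the load without revealing the key itself.
"""
import hashlib
import secrets
from typing import Dict, List

KEY_LEN = 16  # 128-bit key; constructed example size


def split_key(key: bytes, custodians: int) -> List[bytes]:
    """Split `key` into `custodians` XOR components.

    The first custodians-1 components are uniformly random; the last one is
    chosen so that the XOR of all components equals the key. Any proper subset
    of components is statistically independent of the key, so no custodian
    (or group short of the full set) learns anything about it.
    """
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for comp in components:
        last = bytes(x ^ y for x, y in zip(last, comp))
    components.append(last)
    return components


def combine_components(components: List[bytes]) -> bytes:
    """XOR all components back into the key (order does not matter)."""
    if not components:
        raise ValueError("no components supplied")
    key = components[0]
    for comp in components[1:]:
        if len(comp) != len(key):
            raise ValueError("component length mismatch")
        key = bytes(x ^ y for x, y in zip(key, comp))
    return key


def check_value(key: bytes) -> str:
    """Six hex digits used to confirm a key was assembled correctly.

    Constructed simplification: first three bytes of SHA-256 over the key.
    Hardware key-management products usually derive a check value by
    encrypting a zero block under the key instead.
    """
    return hashlib.sha256(key).hexdigest()[:6]


class KeyCeremony:
    """Tracks one key load: every expected custodian enters exactly one component.

    The key is reassembled only once all custodians have entered their part,
    and is accepted only if its check value matches the one recorded when the
    key was split, so a mistyped or swapped component is caught immediately.
    """

    def __init__(self, expected_custodians: List[str], expected_kcv: str):
        self.expected = set(expected_custodians)
        self.expected_kcv = expected_kcv
        self.entered: Dict[str, bytes] = {}

    def enter_component(self, custodian: str, component: bytes) -> None:
        if custodian not in self.expected:
            raise PermissionError(f"{custodian} is not an authorised custodian")
        if custodian in self.entered:
            raise ValueError(f"{custodian} has already entered a component")
        self.entered[custodian] = component

    def complete(self) -> bool:
        return self.expected == set(self.entered)

    def load_key(self) -> bytes:
        if not self.complete():
            missing = sorted(self.expected - set(self.entered))
            raise RuntimeError(f"ceremony incomplete; awaiting {missing}")
        key = combine_components(list(self.entered.values()))
        if check_value(key) != self.expected_kcv:
            raise ValueError("check value mismatch: a component is wrong or corrupted")
        return key


if __name__ == "__main__":
    master = secrets.token_bytes(KEY_LEN)
    kcv = check_value(master)
    names = ["custodian_a", "custodian_b", "custodian_c"]  # constructed names
    ceremony = KeyCeremony(names, kcv)
    for name, part in zip(names, split_key(master, len(names))):
        ceremony.enter_component(name, part)
    assert ceremony.load_key() == master
    print("key loaded under split knowledge; check value", kcv)
```

The ceremony object is the piece that enforces dual control: a single custodian cannot complete the load, and the check value lets the group confirm success without ever displaying the key.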

4.15.3 Sound cryptographic practices and effective disaster recovery planning may pose conflicting objectives. Close consultation between those responsible for disaster recovery and the cryptographic support is essential to ensure that neither function compromises the other.

4.15.4 Supply of cryptographic materials to customers should be done in a manner that minimises the possibility of any compromise. The customers should be made aware of the importance of the security measures for the cryptographic materials. Inter-operation between a customer’s or a correspondent’s cryptographic systems and those of the Service Provider should only be allowed under a fully documented letter of assurance and confidentiality of information.

4.15.5 The quality of security delivered by the cryptographic products depends on the continued integrity of these products. Both hardware and software cryptographic products require integrity protection consistent with the level of security they are intended to provide. The use of appropriately certified integrated circuits, anti-tamper enclosures and key zeroing makes hardware systems somewhat easier to protect than software. Where circumstances allow, software cryptographic products may be used. The features that enhance system integrity, such as self-testing, should be employed to the maximum possible extent.

4.15.6 The cryptographic products, their implementation/use and the systems/ procedures/methodologies therefor may be subject to varying governmental regulations relating to import and export and such regulations will have to be complied with.

4.16 Privacy/Confidentiality :

4.16.1 The financial organisations possess some of the most sensitive information about individuals and organizations. The laws and regulations require that this information be processed and retained under certain security and privacy rules. Certain technical and business developments such as networks, document imaging, target marketing and cross-departmental information sharing may raise concerns about the adequacy of the privacy protection measures adopted by the Organisation.

4.16.2 The financial organisations should review all privacy laws and regulations which involve credit information.

4.16.3 The organisation should continuously update itself on the developments/ changes relating to the national privacy legislation, either through its law offices, industry sources or other independent information sources. In addition, the organisations, which have international operations, need to be aware of the applicable regional, international and other privacy laws and regulations and necessary compliance therewith.

4.16.4 The organisations should review their business operations from time to time to assess whether the information on their customers and employees is adequately protected. The organisations will have to put in place specific policies and procedures concerning how the information is gathered, used and protected. These policies and procedures should be made known to the relevant employees/customers. The privacy policies and procedures of the organisations should address the following requirements:

a) Collection of information, ensuring that only information which is relevant and accurate for an identified business need is collected.

b) Provision for appropriate access controls including decision on who should have access to information and the extent of accessibility, quality control to avoid errors in data entry or processing and protection against inadvertent and unauthorized access.

c) Sharing of information through pre-determined procedures, use of the information for the purposes relevant to the reasons for its original collection and ensuring that such sharing of information does not lead to new opportunities for unauthorized privacy invasion by other parties.

d) Methodology adopted for the storage of information, to ensure that it is stored in a protected fashion that disallows unauthorized access.

e) Notification of the use of the information and the availability of procedures which allow the person, whose information is being held, to correct errors and to raise objections, if any, over the use of the information or any part thereof.

f) Secure destruction of information, when no longer needed.

4.16.5 In addition, the methodology adopted for monitoring the collection, use and storage of information, whether electronic or in any other form, must meet the legal requirements. The organisation will also have to develop a privacy audit. This audit will evaluate how well the organisation is achieving privacy protection and explore ways by which Information Technology can address the privacy concerns.

Chapter 5

Security Controls and Procedures/Methodologies

5.1 The security controls to be adopted, among others, to ensure the availability of information, the information processing resources and to prevent unauthorized modifications, disclosures or destruction of information, are mentioned hereunder:

a) Classification of Information

b) Access Control

c) Audit Trails

d) Change Control Mechanism

5.2 The assessment of the vulnerabilities in the Information System Resources and of the risks which arise therefrom is an integral part of any Information Systems Security programme. The process of risk assessment is a method for formulating the policies and selecting the safeguards to protect information and information system assets from security threats occurring through the vulnerabilities inherent in the personnel, facilities and equipment, communications, applications, environmental conditions and operating systems. The risk assessment should be done by assessing the security threats relating to the above vulnerabilities and, based on the impact of their occurrence, assigning a high, moderate or low risk to the particular vulnerability. In this way, the possibility and the magnitude of monetary loss, productivity loss and embarrassment to the organisation can be minimised. It is important that the organisation addresses all the known threats prudently/judiciously. The implementation of the security controls, the execution of the insurance policy and the recognition and acceptance of the risks are preferable to ignoring the security threats, existing and likely future ones.

5.3 Classification of Information :

5.3.1 Not all information in an organisation requires the maximum level of security control. A methodology for identifying which information requires a comparatively lower, middle or higher level of security control should be implemented. Information can be classified on the basis of its criticality and sensitivity to business operations.

5.3.2 The criticality of information is the requirement that the information be available when and where required for the continuity and survival of business operations. The criticality of the information is directly related to the criticality of the processes accessing the information. The contingency/disaster recovery programme provides classification of the processes. The same categorisation/ classification should be applied to information also. The information which is classified as ‘CRITICAL’ requires certain controls to ensure its availability with integrity, whenever required.

On the basis of criticality, Information could be broadly classified as under :

ESSENTIAL:

Information or information processing capacity/asset, whose loss would cause severe or irreparable damage to the organisation.

IMPORTANT:

Information or information processing capacity/asset, whose loss would cause moderate, but recoverable damage to the organisation.

NORMAL:

Information or information processing capacity/asset, whose loss would represent minor disruption in the business operations of the organisation.

5.3.3 Information sensitivity is specified in very broad terms as a measure of how mishandling of such information may impact the organisation. The question which may be addressed while categorizing sensitive information is, "What is the possible impact on the organisation of unauthorized modifications, disclosures or destruction of the information and what is the probability of the occurrence with such sort of impact?" The areas to consider, while evaluating the impact, include the effect on the organisation’s credibility, profitability and customer confidence as well as compliance with the regulatory and legal requirements.

5.3.4 The following procedure may be adopted for the classification of information. The primary reason for classifying the information is to communicate the management’s expectations of how the employees are required to handle it. If a document, file or database contains information of various classifications, it must be classified according to the highest category of information it contains. The classification of any information may also change during the useful life of that information. It is, therefore, required that any change in the classification of information be an authorised one.

HIGHLY SENSITIVE:

Information of the highest sensitivity/criticality is that, which, if mishandled, will probably cause substantial damage to the organisation. Examples may include acquisition/merger information, strategic business plans and cryptographic keys and materials.

SENSITIVE:

Information which, if mishandled, may cause significant damage to the organisation. It is sensitive to both internal as well as external exposure. Examples may include internal personnel information, customer information and departmental budgets or staffing plans.

INTERNAL:

Information, which is sensitive to external exposure only and any unauthorised disclosure would cause embarrassment or difficulty to the organisation. Examples may include internal memos, telephone books and organizational charts.

PUBLIC:

Information which has been expressly approved for release to the public. Note that the public information never originates as ‘PUBLIC’, but is re-classified as such when it is released. Examples are the annual report, other publications and new products.

5.4 Business Requirements & Access Control Policy :

Access to information and business processes has to be controlled on the basis of business and security requirements. The access control system required to be put in place should be in conformity with the policies for information dissemination and authorisation in the organisation. The business requirements for access control should be defined and documented. The access control rules and rights for each user or group of users should be clearly stated in an access policy statement. The users and the service providers should be given a clear statement of the business requirements to be met by access controls. The access control policy should take into account the following:

a) security requirements of individual business applications;

b) identification of all information related to the business applications and the methodology for handling and controlling such information;

c) policies for information dissemination and authorization, e.g. the need-to-know principle, security levels and classification of information;

d) consistency between the access control and the information classification policies of different systems and networks;

e) relevant legislation and any contractual obligations regarding the protection of access to data or services;

f) standard user access profiles for common categories of job;

g) management of access rights in a distributed and networked environment which recognizes all types of connections available; and

h) implementation of an Intrusion Detection System.

While specifying the access control rules, the following points should be considered :

a) Differentiation between the rules which must always be enforced and the rules which are optional or conditional.

b) Establishment of the rules based on the premise of "What must be generally forbidden unless expressly permitted" rather than that of "Everything is generally permitted unless expressly forbidden".

c) Changes in the information labels which are automatically initiated by the information processing facilities and those which are initiated at the discretion of a user.

d) Changes in the user permissions which are automatically initiated by the information system and those which are initiated by a system administrator.

e) Rules which require the approval of the system administrator or that of other appropriate authority/ies before execution and those which do not.
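The rule at (b) above, together with the "highest classification wins" rule of 5.3.4, can be made concrete in code. The Python below is an added illustration and is not part of the Guidelines or of any RBI system; the roles (teller, branch_manager, auditor, service_provider, staff), the resource names and the context flags (on_site, engagement_approved) are constructed for the example.

```python
"""Default-deny access control with classification-aware rules (added illustration).

Not code from the Guidelines. Roles, resources and context flags in the
sample policy are constructed for the example.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Dict, Iterable, List, Optional


class Sensitivity(IntEnum):
    """Sensitivity classes of 5.3.4, ordered so that comparisons are meaningful."""
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2
    HIGHLY_SENSITIVE = 3


def classify_container(parts: Iterable[Sensitivity]) -> Sensitivity:
    """A file or database holding mixed classifications takes the highest (5.3.4)."""
    parts = list(parts)
    if not parts:
        raise ValueError("cannot classify an empty container")
    return max(parts)


@dataclass
class Request:
    user: str
    roles: frozenset
    action: str                     # e.g. "read" or "write"
    resource: str
    level: Sensitivity              # classification of the resource
    context: Dict[str, object] = field(default_factory=dict)


@dataclass(frozen=True)
class DenyRule:
    """Rule that must always be enforced; no permit can override it (rule a)."""
    name: str
    predicate: Callable[[Request], bool]


@dataclass(frozen=True)
class PermitRule:
    """Explicit grant; an optional condition makes it conditional (rule a)."""
    name: str
    role: str
    actions: frozenset
    max_level: Sensitivity
    condition: Optional[Callable[[Request], bool]] = None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AccessPolicy:
    """Mandatory denies first, then explicit permits, otherwise deny.

    The fall-through deny is "forbidden unless expressly permitted" (rule b):
    a request matching no rule at all is refused.
    """

    def __init__(self, denies: List[DenyRule], permits: List[PermitRule]):
        self.denies = denies
        self.permits = permits

    def evaluate(self, req: Request) -> Decision:
        for rule in self.denies:
            if rule.predicate(req):
                return Decision(False, f"mandatory rule '{rule.name}'")
        for rule in self.permits:
            if (rule.role in req.roles and req.action in rule.actions
                    and req.level <= rule.max_level
                    and (rule.condition is None or rule.condition(req))):
                return Decision(True, f"permit '{rule.name}'")
        return Decision(False, "no matching permit (default deny)")


def build_sample_policy() -> AccessPolicy:
    """Constructed branch policy; every role and flag here is an assumption."""
    def on_site(r: Request) -> bool:
        return bool(r.context.get("on_site", False))  # missing flag = off-site

    denies = [
        DenyRule("no off-site access above INTERNAL",
                 lambda r: r.level > Sensitivity.INTERNAL and not on_site(r)),
        DenyRule("service providers excluded from HIGHLY SENSITIVE",
                 lambda r: "service_provider" in r.roles
                 and r.level >= Sensitivity.HIGHLY_SENSITIVE),
    ]
    permits = [
        PermitRule("teller reads customer records", "teller",
                   frozenset({"read"}), Sensitivity.SENSITIVE),
        PermitRule("branch manager maintains customer records", "branch_manager",
                   frozenset({"read", "write"}), Sensitivity.SENSITIVE),
        # Conditional: auditors see HIGHLY SENSITIVE material only under an
        # approved engagement recorded in the request context.
        PermitRule("auditor reads under approved engagement", "auditor",
                   frozenset({"read"}), Sensitivity.HIGHLY_SENSITIVE,
                   condition=lambda r: bool(r.context.get("engagement_approved"))),
        PermitRule("staff read INTERNAL material", "staff",
                   frozenset({"read"}), Sensitivity.INTERNAL),
    ]
    return AccessPolicy(denies, permits)
```

Because the mandatory denies are evaluated before any permit, a user who holds both a permitted role and an excluded one is still refused, and a request that names no known role falls through to the default deny rather than to an implicit grant.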

5.4.1 User Access Management :

Formal procedures should be put in place to control the allocation of access rights to the information systems and/or services. The procedures should cover all stages in the life-cycle of user access, i.e. from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services. Special attention has to be paid, where appropriate, to the need to control the allocation of privileged access rights, which allow such users to override the system controls.

5.4.2 User Registration :

There should be a formal user registration and de-registration procedure for granting access to all multi-user information systems and services. The access to the multi-user information systems and services should be controlled through a formal user registration process, which should include the following :

a) Use of unique User Ids, so that the users can be linked to and be made responsible for their actions.

b) Use of Group Ids to be permitted where they are suitable for the work to be carried out.

c) Checking that the user has authorization from the system owner for the use of the information systems and/or services.

d) Checking that the level of access granted is appropriate to the business purpose and is consistent with the organisation’s information systems security policy.

e) Giving users a written statement containing their respective access rights.

f) Requirement for the users to sign statements indicating that they understand the conditions of access.

g) Ensuring that no service provider grants access until the authorization procedure has been completed.

h) Maintenance of a formal record of all persons registered to use the information systems and/or services.

i) Immediate removal of access rights of the users who have changed jobs or left the organization.

j) Periodic checking for the redundant User Ids and Accounts and removal thereof.

k) Ensuring that the redundant User Ids are not issued to the other users.

l) Inclusion of terms and conditions in the staff contracts and the service provider contracts, which specify sanctions/penalties if unauthorized access is attempted by the staff or the service providers.

Each organisation should gradually introduce Identity Mapping, Role–based Approach and Single Sign-on.

5.4.3 Privilege Management :

The allocation and use of privileges (any feature or facility of a multi-user information system which enables the user to override the operating system or application controls) should be restricted and controlled. Inappropriate use of such system privileges is often found to be a major contributory factor to the failure/breach of information systems security. Multi-user systems should have the allocation of privileges controlled through a formal authorization process. The authorisation process should include the following :

a) The privileges associated with each system product e.g. operating system, database management system and each application and the categories of staff to which they need to be allocated should be identified.

b) Privileges should be allocated to the individuals on a need-to-use basis and on an event-by-event basis i.e. the minimum requirement for performing their functional role only, when needed.

c) An authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete.

d) The development and the use of the system routines should be promoted to avoid the need to grant privileges to the users.

e) Privileges should be assigned to a different User Id from those used for normal business use.

5.4.4 Logical Access Control & Identification of Users :

Logical access control is the collection of all controls used to ensure that only authorized persons have access to the information and/or information processing facilities for which they are authorized. The identification of users focuses on individuals. In some circumstances, a group of users may be required to share an identification and password. Under such circumstances, the local management must assume any responsibility arising from this shared use. When such a decision is taken, the term "individual user" may be interpreted to also include a group of users. Each organisation shall decide on the length of the password depending upon the class of information under access. Further, the period for expiration of the password could depend upon the User privileges. All User Accounts in the system will be associated with an applicable, informative full name and description. Any Guest Account will have to be disabled. Temporary passwords will be conveyed to the Users concerned in a secure manner. The passwords will conform to the password construction standards. The passwords will have to be difficult to guess and unique to each User. To identify individual users of information and/or information processing facilities, the following procedure may be followed :

a) assign a unique user identification sequence (USERID) to each individual user of the information processing systems ;

b) hold each individual user accountable for all the activities performed under his USERID ; and

c) require that each use of a USERID be traceable to the individual who logs on to the information system.

To ensure that unused or unneeded USERIDs are not used in an unauthorised manner, the following procedure may be followed :

a) suspend the rights associated with a USERID after ‘N’ days of non-use (suggestion: ‘N’ = number of days to be decided by the organisation) and delete the USERID after ‘N’ days of suspension (suggestion: ‘N’ = number of days to be decided by the organisation). Where USERIDs are used only quarterly, or at some other regular interval, longer time limits may have to be fixed; in that case it has to be ensured that the rights remain suspended between the scheduled uses ; and

b) revoke the privileges assigned to the separated or transferred employees’ USERIDs, immediately on their transfer, separation, dismissal or retirement.

5.4.5 Authentication of Users :

All the users including the technical support staff such as the operators, the network administrators, the system programmers, the database administrators and the system administrators should have a unique identifier (user ID) for their personal and exclusive use, so that the activities can subsequently be traced. User Ids should not give any indication of the user’s privilege level e.g. manager, supervisor etc. In exceptional circumstances, where there is a clear business benefit, the use of a shared user ID for a group of users or a specific job can be used. Approval by the management/concerned authority should be documented for such cases. Additional controls may be required to maintain accountability. Bio-metric authentication technologies that use the unique characteristics or attributes of an individual can also be used to authenticate the user’s identity.

Users may be internal or external to the organisation. The provision for the authentication of the user’s identity requires the use of either static or dynamic passwords. The static passwords are those that are memorized by the user. They authenticate a person by something the person knows. The dynamic password systems use devices to generate new passwords for each session. They authenticate a person by something the person has, something the person knows or something the person is.

5.4.5.1 Password Management System : A good ‘Password Management System’ should ensure the following :

a) enforce the use of individual passwords to maintain accountability;

b) allow users to select and change their own passwords, where appropriate, and include a confirmation procedure to allow for input errors;

c) enforce a choice of quality passwords ;

d) force the users to change temporary passwords at the first log-on, where the users select the passwords ;

e) maintain a record of the previous user passwords, say, for the previous 12 months and prevent re-use of such passwords for a reasonable period of time;

f) not display the password on the screen as it is being entered;

g) store password files separately from the application system data;

h) store passwords in encrypted form using a one-way encryption algorithm;

i) alter the vendor’s/supplier’s default passwords following the installation of the hardware/software; and

j) in the case of Web-based applications, use HTTP POST to obtain information from users that is sensitive or personal, or whose exposure could compromise the security of the application.

5.4.5.2 USE OF STATIC PASSWORD : To ensure proper authentication using a static password, the following steps, among others, should be taken:

a) users to report known or suspected password compromises immediately ;

b) passwords to be chosen by the user ; and

c) assignment of an initial password that is to be changed by the new or the reinstated user on the first use thereof.

5.4.5.3 To minimize the chances that someone may acquire or guess a password, the following steps should be taken:

a) use of a minimum password length of 6 characters ;

b) change of the passwords at least once in ‘N’ days (suggestion ‘N’=number of days as decided by the organisation) and enforcement by suspension of the USERID, if passwords are not changed ;

c) availability of distress passwords for sensitive operations. A distress password is a pre-arranged password, different from a user’s usual password, that is used to signal that the user is being forced to access the system or is doing so under duress/abnormal circumstances;

d) passwords not to be shared, available or known to others, including the system administrator ;

e) instruction to the users not to choose passwords which can be easily guessed, e.g. names or parts of names, phone numbers, dates, common words or numbers. Use dictionary checking to restrict selection, if available. A dictionary enhanced with organisational terminology would provide better checking ;

f) passwords to include both alphabetical and numeric components ;

g) no writing down of the passwords. Alternatively, the passwords may be subject to the handling procedures used for lock combinations ; and

h) protection of the password by encryption during transmission. Encryption mechanisms which prevent successful replay of the encrypted passwords should be used. Mailing of passwords in an uncontrolled and insecure environment should be strictly prohibited.

5.4.5.4 Maintenance of Static Password Integrity : To ensure the continued integrity of the static passwords, the following steps should be taken:

a) to require the current password before allowing a new password to become effective;

b) to prevent re-use of the user’s last ‘N’ passwords (suggestion ‘N’= number of passwords to be as decided by the organisation) ;

c) to prohibit change of password within ‘N’ days of previous change (suggestion ‘N’= number of days to be as decided by the organisation) ;

d) to store passwords under irreversible encryption ; and

e) to prohibit the display of passwords on input, reports or other media.
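The password management rules of 5.4.5.1, 5.4.5.3 and 5.4.5.4 (irreversible storage, quality checks with an organisational dictionary, current password required, no re-use of the last ‘N’ passwords, no change within ‘N’ days, expiry after ‘N’ days) worked into one checker. This is an added illustration, not code from the guidelines; the values chosen for ‘N’, the word list and the user ids are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed values for the guideline's 'N' parameters (each organisation sets its own).
MIN_LENGTH = 6           # 5.4.5.3 a): minimum password length
HISTORY_DEPTH = 12       # 5.4.5.4 b): the last N passwords may not be re-used
MIN_AGE_DAYS = 1         # 5.4.5.4 c): no change within N days of the previous change
MAX_AGE_DAYS = 90        # 5.4.5.3 b): a password must be changed at least once in N days
PBKDF2_ROUNDS = 100_000  # kept modest so the example runs quickly

# Constructed dictionary of easily guessed words, enhanced with organisational terms (5.4.5.3 e)).
WEAK_WORDS = {"password", "welcome", "bank", "branch", "treasury", "rupee"}


def hash_password(password, salt=None):
    """Irreversible, salted hash (PBKDF2-HMAC-SHA256); the clear text is never stored (5.4.5.4 d))."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    changed_at: datetime
    history: list = field(default_factory=list)  # (salt, digest) of previous passwords, newest first
    must_change: bool = False                    # temporary password: change forced at first log-on


def quality_errors(candidate, user_id):
    """Return the 5.4.5.3 rules the candidate violates; an empty list means it is acceptable."""
    errors = []
    if len(candidate) < MIN_LENGTH:
        errors.append("shorter than the minimum length")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        errors.append("must contain both letters and digits")
    lowered = candidate.lower()
    if user_id.lower() in lowered:
        errors.append("contains the user id")
    if any(word in lowered for word in WEAK_WORDS):
        errors.append("contains a dictionary or organisational word")
    return errors


def change_password(record, user_id, current, new, now):
    """Apply 5.4.5.4: current password required, no re-use of the last N, no change within N days.

    Returns (success, message); on failure the record is left unchanged."""
    if not verify_password(current, record.salt, record.digest):
        return False, "current password incorrect"
    if not record.must_change and now - record.changed_at < timedelta(days=MIN_AGE_DAYS):
        return False, "password changed too recently"
    errors = quality_errors(new, user_id)
    if errors:
        return False, "; ".join(errors)
    # The current password plus up to N-1 older ones are the N passwords that may not be re-used.
    recent = [(record.salt, record.digest)] + record.history[: HISTORY_DEPTH - 1]
    if any(verify_password(new, s, d) for s, d in recent):
        return False, "re-use of a recent password"
    record.salt, record.digest = hash_password(new)
    record.history = recent
    record.changed_at = now
    record.must_change = False
    return True, "password changed"


def password_expired(record, now):
    """5.4.5.3 b): True when the password is older than MAX_AGE_DAYS and the USERID should be suspended."""
    return now - record.changed_at > timedelta(days=MAX_AGE_DAYS)
```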

5.4.5.5 Use of Dynamic Password System : To ensure proper authentication using dynamic password systems, the following steps should be taken :

a) to select authentication tokens that require either a user-changeable personal identification number (PIN) or the activation of biometric data ;

b) a user’s PIN to be different from the USERID ;

c) to prohibit the token PINs from being shared ;

d) the minimum token PIN length to be of ‘N’ characters (suggestion ‘N’= number of characters to be decided by the organisation) ;

e) the length of the generated password be of minimum ‘N’ characters (suggestion ‘N’= number of characters to be decided by the organisation) ;

f) the randomly generated passwords be used only once ;

g) the generated passwords cannot be easily guessed ;

h) the keys and the other information ‘CRITICAL’ to authentication be encrypted within the token and on the validating system ;

i) the security tokens be resistant to tampering and duplication ;

j) the token gets locked after ‘N’ invalid PIN entries (suggestion ‘N’= number of invalid attempts to be decided by the organisation) ;

k) to maintain an inventory control on security tokens ;

l) the employees sign for security tokens on a form which contains details of the acceptable uses and the consequences for misuse ;

m) to recover dynamic tokens from the employees upon reassignment or termination. Alternatively, to ensure termination of the access rights, associated with the token assigned to such employees ; and

n) to consider the use of bio-metric features with security tokens.

5.4.6 Limiting Sign-on Attempts :

The following should be implemented for detecting unauthorized sign-on attempts:

To display to the authorized user the date and the time of the last access and the number of unsuccessful access attempts.

The following should be implemented to limit the opportunity for unauthorized attempts to sign-on to a system :

a) To suspend the USERID after a maximum of ‘N’ repeated unsuccessful log-on attempts (suggestion ‘N’= number of unsuccessful log-ons to be as decided by the organisation).

b) To set authentication time limit at ‘N’ minutes (suggestion ‘N’=number of minutes to be decided by the organisation) and to terminate the session if the time limit is exceeded. In both the cases, users should be informed of the failure to sign on, but not the reason therefor.

5.4.7 Unattended Terminals :

The following steps should be implemented to prevent unauthorized use of a terminal connected to a system :

a) Identification and authentication process to be repeated after a specified period of inactivity before work can be continued on the terminal.

b) Use of a one-button lock-up system, force button or shut-off sequence, to be activated when the terminal is left alone.

c) All users and contractors should be made aware of the security requirements and procedures for protecting unattended terminals as well as their responsibilities for implementing such protection.

d) Termination of the active sessions when finished, unless they can be secured by an appropriate locking mechanism e.g. a password protected screen saver.

e) Log off from the mainframe system when the session is finished, rather than just switching off the PC or terminal.

f) Inactive terminals in high risk locations, e.g. public or external areas outside the organization’s security management or serving high risk systems, should shut down after a defined period of inactivity to prevent access by unauthorized persons. This time-out facility should clear the terminal screen and close both application and network sessions after a defined period of inactivity. The time-out delay should reflect the security risks of the area and the users of the terminal.

g) A limited form of terminal time-out facility can be provided for some PCs which clears the screen and prevents unauthorized access but does not close down the application or network sessions.

5.4.8 Access Control Features & Operating System :

To protect information and information processing resources on systems supporting multiple users, access control software capable of restricting each individual’s access to only those information resources for which the individual is authorised has to be specified and used. Security facilities at the operating system level should be used to restrict access to computer resources. The Administration Account should be used for administration purposes only and not for general purposes. These facilities should be capable of the following :

a) Identification and verification of the identity and if necessary, the terminal or location of each authorized user.

b) Recording of successful and failed system accesses.

c) Provision for appropriate means for authentication.

d) Provision (where appropriate) for restricting the connection time of the users.

e) Use of the access control methods, such as challenge-response, if these are justified on the basis of the business requirements and risk.

f) Control of user access to information and application system functions in accordance with the established access control policy.

g) Provision of protection from unauthorized access for any utility and/ or operating system software that is capable of overriding system or application controls.

h) Non-compromise of the security of the other systems with which information resources are shared.

i) Provision for restricting access to information to the owner and to other authorised individuals or users only.

5.4.9 Information Access Restriction :

Users of application systems, inclusive of the technical support staff, should be provided with access to information and the application system functions in accordance with the established access control policy, based on the individual business application requirements. Application of the following controls should be considered for implementing information access restrictions.

a) Provision for menus to control access to application system functions.

b) Restriction of users’ knowledge of information or application system functions which they are not authorized to access, by appropriate editing of the user documentation.

c) Control of the access rights of the users, e.g. read, write, delete and execute.

d) Ensuring that the outputs from application systems handling sensitive information contain only the information that is relevant to the use of the output and are sent only to authorized terminals and locations, including periodic review of such outputs to ensure that redundant information is removed.

5.4.10 Automatic Terminal Identification :

Automatic terminal identification should be considered to authenticate connection to specified locations and to portable equipment. Automatic terminal identification is a technique that can be used, if it is important that the session can only be initiated from a particular location or computer terminal. An identifier in or attached to the terminal can be used to indicate whether a particular terminal is permitted to initiate or receive specific transactions. It may be necessary to apply physical protection to the terminal and to maintain the security of the terminal identifier.

5.4.11 Terminal Log-on Procedures :

Access to information services should be attainable through a secure log-on process. The procedure for logging into a computer system should be designed to minimize the opportunity for unauthorized access. The log-on procedure should, therefore, disclose the minimum of information about the system in order to avoid providing an unauthorized user with unnecessary assistance. A good log-on procedure should :

a) not display system or application identifiers until the log-on process has been successfully completed ;

b) display a general notice warning that the computer should only be accessed by the authorized users;

c) not provide help messages during the log-on procedure that could aid an unauthorized user;

d) validate the log-on information only on completion of all input data. If an error arises, the system should not indicate which part of the data is correct or incorrect ;

e) limit the number of unsuccessful log-on attempts allowed (the number of such log on attempts to be as decided by the organisation) and consider:

i. recording unsuccessful attempts;

ii. forcing a time delay before further log-on attempts are allowed or rejecting any further attempts without specific authorization; and

iii. disconnecting data link connections;

f) limit the maximum and minimum time allowed for the log-on procedure. If exceeded, the system should terminate the log-on; and

g) display the following information on completion of a successful log-on :

i. date and time of the previous successful log-on;

ii. details of any unsuccessful log-on attempts since the last successful log-on.

In case of application software, the system should authenticate the User ID and User Password.
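The account-handling rules of 5.4.4 (suspend and then delete dormant USERIDs), 5.4.6 (suspend after ‘N’ failed attempts, report the failure but not the reason) and 5.4.11 g) (show the previous successful log-on and the failures since then) as one small model. This is an added illustration, not code from the guidelines; the ‘N’ values, user ids and the plain-string credential are constructed stand-ins.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed values for the guideline's 'N' parameters (each organisation sets its own).
MAX_FAILED_LOGONS = 5        # 5.4.6 a): suspend the USERID after N unsuccessful attempts
DORMANT_SUSPEND_DAYS = 90    # 5.4.4 a): suspend after N days of non-use
SUSPENDED_DELETE_DAYS = 90   # 5.4.4 a): delete after N days of suspension
GENERIC_FAILURE = "Sign-on unsuccessful."  # the reason is never disclosed (5.4.6 b), 5.4.11 d))


@dataclass
class Account:
    user_id: str
    secret: str                 # stands in for the stored credential; constructed for the example
    created_at: datetime
    status: str = "active"      # active | suspended | deleted
    last_used: Optional[datetime] = None
    suspended_at: Optional[datetime] = None
    last_success: Optional[datetime] = None
    failures_since_success: List[datetime] = field(default_factory=list)


def sign_on(acct, password, now):
    """Attempt a log-on. Returns (success, message).

    Every failure, whatever its cause (bad password, suspended or deleted USERID), yields the
    same GENERIC_FAILURE text so that the response does not assist an unauthorised user."""
    if acct.status != "active" or password != acct.secret:
        if acct.status == "active":
            acct.failures_since_success.append(now)
            if len(acct.failures_since_success) >= MAX_FAILED_LOGONS:
                acct.status, acct.suspended_at = "suspended", now
        return False, GENERIC_FAILURE
    # 5.4.11 g): report the previous successful log-on and the failures since then.
    failed = len(acct.failures_since_success)
    previous = acct.last_success
    acct.last_success = acct.last_used = now
    acct.failures_since_success = []
    if previous is None:
        message = "First log-on."
    else:
        message = f"Previous successful log-on: {previous:%Y-%m-%d %H:%M}."
    return True, f"{message} Unsuccessful attempts since then: {failed}."


def review_dormant_accounts(accounts, now):
    """Periodic job for 5.4.4 a): suspend USERIDs unused for N days, delete those suspended for N days.

    Returns (user_id, action) pairs for the audit trail. Deleted USERIDs stay in the record with
    status 'deleted' so that the same identifier is not re-issued to another user (5.4.2 k))."""
    actions = []
    for acct in accounts:
        if acct.status == "active":
            reference = acct.last_used or acct.created_at
            if now - reference >= timedelta(days=DORMANT_SUSPEND_DAYS):
                acct.status, acct.suspended_at = "suspended", now
                actions.append((acct.user_id, "suspended: dormant"))
        elif acct.status == "suspended":
            if now - acct.suspended_at >= timedelta(days=SUSPENDED_DELETE_DAYS):
                acct.status = "deleted"
                actions.append((acct.user_id, "deleted: suspension expired"))
    return actions
```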

5.4.12 Use of System Utilities :

Most computer installations have one or more system utility programs that might be capable of overriding system and application controls. It is essential that their use is restricted and tightly controlled. The following controls should be considered :

a) use of authentication procedures for system utilities;

b) segregation of system utilities from application software;

c) limitation of the use of system utilities to the minimum practical number of trusted, authorized users;

d) authorization for ad hoc use of systems utilities;

e) limitation of the availability of system utilities;

f) logging of all the uses of system utilities;

g) defining and documenting the authorization levels for system utilities; and

h) removal of all unnecessary software based utilities and system software.

5.4.13 Limitation of Connection Time :

Restrictions on connection time should provide additional security for high risk applications. Limiting the period during which terminal connections are allowed to computer services reduces the window of opportunity for unauthorized access. Such a control should be considered for sensitive computer applications, especially those with terminals installed at the high risk locations e.g. public or external areas that are outside the organization’s security management. The examples of such restrictions may include:

a) use of pre-determined time slots e.g. for batch file transmissions or regular interactive sessions of short duration; and

b) restricting the connection time to normal office hours if there is no requirement for extended-hours of operation.

5.4.14 Warning :

To warn unauthorized users of the possible consequences of their actions, a warning screen should be displayed prior to completing sign-on, making it clear to the users that any unauthorized access will be deemed illegal and will result in the prosecution of such unauthorised users as prescribed under Law.

5.4.15 External Users :

In addition to the controls listed above, the internal network of the organisation will require to be closely controlled/guarded in regard to the access granted to users from outside the organisation. To protect against unauthorized access by external users, it is to be ensured that all traffic external to the organisation’s network passes through a properly configured firewall.

5.4.16 Audit Trails :

Audit trails are records of activity, used to provide a means for reconstructing events and establishing accountability. The audit trail information is essential for the investigation of incidents/problems. The controls useful in the audit trail process are described hereunder. To deter and provide early detection of unauthorized activity, the following steps should be implemented :

A) To provide an audit trail for the computer systems and manual operations when:

a) SENSITIVE or HIGHLY SENSITIVE information is accessed ;

b) network services are accessed ; and

c) special privileges or authorities such as the security administration commands, emergency USERIDs, supervisory functions etc., overriding the normal processing flow, are used.

B) To include in the audit trail as much of the following as is practical:

a) user identification ;

b) functions, resources and information used or changed ;

c) date and time stamp (including time zone) ;

d) work-station address and network connectivity path ; and

e) specific transaction or program executed.

C) To provide an additional real time alarm of significant security-related events for all computer systems having on-line capabilities for enquiry or update, containing information as under :

a. access attempts that violate the access control rules ;

b. attempts to access functions or information not authorized ;

c. concurrent log-on attempts ; and

d. security profile changes.

D) To investigate and report suspicious activity immediately.

E) To ensure that management reviews the audit trail information on a timely basis, usually daily.

F) To investigate and report security exceptions/violations and unusual occurrences.

G) To preserve the audit trail information for an appropriate period of time for business requirements.

H) To protect the audit trail information from deletion, modifications, fabrications or re-sequencing by use of digital signature.
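An audit record carrying the 5.4.16 B) fields, with each record chained to its predecessor and authenticated so that modification, fabrication, deletion and re-sequencing (5.4.16 H) are detectable on review. This is an added illustration, not code from the guidelines: it uses a keyed HMAC in place of the digital signature the guideline names so that it runs with the standard library alone, and the key, user ids, resources and workstations are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed verification key; in practice held by the security unit, never by the operators
# whose activity the trail records (separation of roles, 5.4.22).
AUDIT_KEY = b"constructed-example-key-not-for-production"
IST = timezone(timedelta(hours=5, minutes=30))
GENESIS = "0" * 64   # prev_mac of the first record


def _canonical(record):
    """Stable byte encoding of a record so that the MAC is reproducible on review."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_record(trail, user_id, function, resource, workstation, path, program, when):
    """Append one 5.4.16 B) record to the trail, chained to the previous record's MAC."""
    prev_mac = trail[-1]["mac"] if trail else GENESIS
    body = {
        "seq": len(trail) + 1,            # position in the trail; detects re-sequencing
        "user_id": user_id,               # B) a)
        "function": function,             # B) b)
        "resource": resource,             # B) b)
        "timestamp": when.isoformat(),    # B) c) including the time zone offset
        "workstation": workstation,       # B) d)
        "path": path,                     # B) d)
        "program": program,               # B) e)
        "prev_mac": prev_mac,             # links this record to the one before it
    }
    mac = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
    trail.append({**body, "mac": mac})
    return trail[-1]


def verify_trail(trail):
    """Return (True, None) for an intact trail, else (False, seq) naming the first bad record."""
    prev_mac = GENESIS
    for expected_seq, rec in enumerate(trail, start=1):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if rec.get("seq") != expected_seq or body.get("prev_mac") != prev_mac:
            return False, expected_seq        # record removed, inserted or moved
        expected = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, expected_seq        # record altered or fabricated without the key
        prev_mac = rec["mac"]
    return True, None
```

Removal of the most recent records (truncation) cannot be detected from the chain alone, so the daily review under E) should note the sequence number and MAC of the last record independently of the trail.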

5.4.17 Sensitive System Isolation :

Sensitive systems might require a dedicated (isolated) computing environment. Some application systems are sufficiently sensitive to potential loss that they require special handling. The sensitivity/criticality may be such that the application system requires to run on a dedicated computer system or that it should share resources with other trusted application systems only. The following may be considered for addressing such requirements:

a) The sensitivity of an application system should be explicitly identified and documented by the application owner.

b) When a sensitive application is to run in a shared environment, the other application system/s with which it will share resources should be identified and agreed with the owner of the sensitive application.

5.4.18 Monitoring of System Use - Procedures and Areas of Risk :

Procedures for monitoring the use of information processing facilities should be established. Such procedures are necessary to ensure that the users perform only those activities, for which they have been authorized. The level of monitoring required for individual facilities should be determined by a risk assessment which should include the following :

a) Authorized Access including details as under :

  • the user ID;
  • the date and time of key events;
  • the types of events ;
  • the files accessed; and
  • the program/utilities used.

b) All Privileged Operations as under :

  • use of supervisor account;
  • system start-up and stop; and
  • I/O device attachment/detachment.

c) Unauthorized Access Attempts as under :

  • failed attempts;
  • access policy violations and notifications for network gateways and firewalls; and
  • alerts from proprietary intrusion detection systems.

d) System Alerts or Failure as under :

  • console alerts or messages;
  • system log exceptions; and
  • network management alarms.
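The real-time alarm conditions of 5.4.16 C) and the monitoring items of 5.4.18 (failed attempts, access violations, concurrent log-ons, security profile changes) as detection logic run over a few log lines. This is an added illustration, not code from the guidelines; the log line format, thresholds, user ids and workstation names are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO-8601 timestamp with zone> <EVENT> <user id> <workstation> [details]"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")

# Constructed thresholds; the guideline leaves the numbers to each organisation.
FAILED_THRESHOLD = 3
FAILED_WINDOW = timedelta(minutes=10)

# Constructed sample log, not taken from any real system.
SAMPLE_LOG = [
    "2024-01-01T10:00:00+05:30 LOGON_FAIL u1001 WS-17",
    "2024-01-01T10:01:00+05:30 LOGON_FAIL u1001 WS-17",
    "2024-01-01T10:02:00+05:30 LOGON_FAIL u1001 WS-17",
    "2024-01-01T10:03:00+05:30 LOGON_OK u1001 WS-17",
    "2024-01-01T10:05:00+05:30 LOGON_OK u1001 WS-42",
    "2024-01-01T10:06:00+05:30 ACCESS_DENIED u1001 WS-42 resource=GL_POSTING",
    "2024-01-01T10:07:00+05:30 PROFILE_CHANGE secadm WS-02 target=u1001 add=GL_POSTING",
    "2024-01-01T10:08:00+05:30 LOGOFF u1001 WS-17",
    "2024-01-01T11:00:00+05:30 LOGON_FAIL u1001 WS-42",
    "garbage line",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, event, user, ws, details = m.groups()
    return {"ts": datetime.fromisoformat(ts), "event": event, "user": user,
            "ws": ws, "details": details or ""}


def scan_events(lines):
    """Return (alarms, malformed_count).

    Each alarm is (timestamp, alarm type, user id, detail) for one of the 5.4.16 C) conditions:
    repeated access-control violations, access to unauthorised functions, concurrent log-ons
    and security profile changes."""
    alarms = []
    recent_failures = defaultdict(deque)  # user id -> timestamps of LOGON_FAIL within the window
    sessions = defaultdict(set)           # user id -> workstations with an open session
    malformed = 0
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            malformed += 1   # reported separately: unparsable lines may indicate log tampering (5.4.22)
            continue
        ts, event, user, ws = ev["ts"], ev["event"], ev["user"], ev["ws"]
        if event == "LOGON_FAIL":
            q = recent_failures[user]
            q.append(ts)
            while q and ts - q[0] > FAILED_WINDOW:   # drop failures outside the sliding window
                q.popleft()
            if len(q) >= FAILED_THRESHOLD:
                alarms.append((ts, "REPEATED_FAILURES", user, f"{len(q)} failures within {FAILED_WINDOW}"))
        elif event == "LOGON_OK":
            if sessions[user] and ws not in sessions[user]:
                alarms.append((ts, "CONCURRENT_LOGON", user,
                               f"already on {sorted(sessions[user])}, now {ws}"))
            sessions[user].add(ws)
        elif event == "LOGOFF":
            sessions[user].discard(ws)
        elif event == "ACCESS_DENIED":
            alarms.append((ts, "ACCESS_VIOLATION", user, ev["details"]))
        elif event == "PROFILE_CHANGE":
            alarms.append((ts, "PROFILE_CHANGE", user, ev["details"]))
    return alarms, malformed
```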

5.4.19 Risk Factors :

The result of the system monitoring activities should be reviewed regularly. The frequency of the review should depend on the risks involved. The risk factors, as under, should be considered in this regard :

a) the criticality of the application processes ;

b) the value, sensitivity or criticality of the information involved ;

c) the past experience of system infiltration and misuse; and

d) the extent of system interconnection (particularly public networks)

5.4.20 Operator logs :

Operational staff should maintain a log of their activities. Logs should include the following:

a) system starting and finishing times;

b) system errors and corrective action taken;

c) confirmation of the correct handling of data files and computer output; and

d) the name of the person making the log entry.

Operator logs should be subject to regular, independent checks against operating procedures.

5.4.21 Fault Logging :

Faults should be reported and corrective action taken. Faults, reported by the users regarding the problems with the information processing or communication systems, should be logged. There should be established rules and procedures for handling the reported faults which, among others, should include:

a) review of the fault logs to ensure that faults have been satisfactorily resolved;

b) review of corrective measures to ensure that controls have not been compromised and that the action taken is fully authorized.

5.4.22 Logging and Reviewing of Events :

A log review involves understanding the security threats faced by the information systems and the manner in which such threats may arise. System logs often contain a large volume of information, much of which is extraneous to security monitoring. There should be a documented plan for the volumes of information to be logged, rotation of log files, back-up archival of log files, encryption of log files and retention/disposal of log data. To help identify significant events for security monitoring purposes, the copying of appropriate message types automatically to a second log, and/or the use of suitable system utilities or audit tools to perform file interrogation should be considered. When allocating the responsibility for log review, a separation of roles should be considered between the person(s) undertaking the review and those whose activities are being monitored. Particular attention should be given to the security of the logging facility because any susceptibility to tampering thereof i.e. modifications, fabrications etc., can lead to a false sense of security. Security controls should aim to protect the logging facilities against unauthorized changes and operational problems including:

a) the logging facility being de-activated;

b) alterations to the message types that are recorded;

c) log files being edited or deleted; and

d) log file media becoming exhausted and either failing to record events or overwriting itself.

5.4.23 System Clock Synchronization :

The correct setting of computer clocks is important to ensure the accuracy of audit logs, which may be required for investigations or as evidence in legal or disciplinary cases. Inaccurate audit logs may hinder such investigations and damage the credibility of such evidence. Where a computer or communications device has the capability to operate a real-time clock, it should be set to an agreed standard, e.g. Coordinated Universal Time (UTC) or local standard time. As some clocks are known to drift with time, there should be a procedure that checks for and corrects any significant variation.

Chapter 6

Software and Security Controls

Software used in the financial sector needs high integrity. Since software is intangible, i.e. not visible, and is capable of existing in multiple copies or in various forms without the user’s intervention, the control of software poses challenges different from those relating to the control of equipment (hardware). The following controls should be exercised for the protection of software and the information that is processed by the software. In general, access to live data or software should be justified and authorized. The work carried out should be monitored or recorded, and validated and signed off by authorized personnel who understand the underlying business application/s. The results should be reported to the designated authority and filed in the security unit.

6.1 System software :

System software is the set of instructions which functions as the central control for the computer system. Special attention should be paid to the control of this software, covering, among other things, what manipulation of the software is allowed and the other security controls in the system.

To ensure the integrity of system software, the following steps should be taken:

a) To apply the most stringent access controls to system software and their handling facilities.

b) To apply the highest Human Resource standards in selecting personnel for systems software operation and maintenance.

6.2 Memory Resident Programs :

To prevent loss of integrity because of the presence of memory resident programs, i.e. programs that allow seemingly normal processing to take place but retain ultimate control over the functions of the processing resources, the installed software should be inspected periodically to ascertain whether any unauthorised software has been inserted. Further, special attention should be paid to the detection of memory resident programs.

6.3 Applications :

Applications are specific sets of software designed to accomplish one or more functions, such as funds transfer, billing, logical access control etc. A business application serves as the basis for using the computational power of the computer systems. To prevent unavailability or unauthorized modification, disclosure or destruction of information, the following steps should be taken.

a) To integrate the application security with the operating system access control facility in such a manner that the USERIDs and the passwords are maintained by the operating system control facility and not the application system. This facilitates centralized and standardized USERID and password management as well as more efficient audit and reporting functions.

b) To establish an access profile structure that controls access to information and functions, if not otherwise provided. The "profile" must have the capability to restrict access in such a manner that the "least possible privilege" can be granted to an individual to perform the job.

c) Consistent access controls on information that is replicated on multiple platforms.

d) Application controls should identify specific accountability with a user/USERID through a USERID/time/date stamp.

e) To incorporate information ownership into the system. The ownership may be accountable on a group or individual level.

f) To consider location control methodology that applies additional restrictions at specific locations.

g) Dual control capabilities for CRITICAL transactions such as money movement transactions.

h) Applications not under the control of a database management system should meet the requirements listed under databases.

i) To log and report violations (modifications/alterations/amendments) of messages, where such messages exist.

6.4 Application Testing :

Application testing is the checking of new or modified processing systems to ensure that the systems work properly. To protect sensitive or highly sensitive customer information from disclosure or inappropriate processing during application testing, the following steps should be implemented.

To establish and communicate a policy that controls the use of production information during application testing and uses access control to limit to appropriate personnel the renaming and restoration of the production files.

Alternatively,

a) To depersonalise production information by rearranging one or more sensitive fields, so as to render the resulting files unrelated to actual customer accounts and use other controls to ensure that no statements or notices are generated and distributed on test information.

b) To dispose of production information used in testing, in either case.

c) To require use of physically separate environments for operational and development systems.
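One way to carry out the depersonalisation in step a), as an added example that is not part of the guideline: each named sensitive column of a production extract is rotated across the data rows by its own random offset, so no row keeps its original value and the sensitive columns no longer line up with the customer they belonged to. The CSV layout, column names and seed are constructed for the example.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"math/rand"
	"os"
	"strings"
)

// Depersonalise returns a copy of records (header row first) in which each
// named sensitive column is rotated across the data rows by an offset in 1..n-1,
// so every row loses its own value in that column (a derangement) and the
// columns are decoupled from one another. Non-sensitive columns are kept as-is.
func Depersonalise(records [][]string, sensitive []string, seed int64) ([][]string, error) {
	if len(records) < 3 {
		return nil, fmt.Errorf("need a header row and at least two data rows")
	}
	header := records[0]
	out := make([][]string, len(records))
	for i := range records {
		out[i] = append([]string(nil), records[i]...) // deep copy: production data is never mutated
	}
	rng := rand.New(rand.NewSource(seed)) // fixed seed makes the test file reproducible
	n := len(records) - 1
	for _, name := range sensitive {
		col := -1
		for i, h := range header {
			if h == name {
				col = i
			}
		}
		if col < 0 {
			return nil, fmt.Errorf("unknown column %q", name)
		}
		k := 1 + rng.Intn(n-1) // offset never 0, so no row keeps its original value
		for i := 0; i < n; i++ {
			out[1+(i+k)%n][col] = records[1+i][col]
		}
	}
	return out, nil
}

func main() {
	// Constructed sample extract; real extracts would be read from the production file.
	extract := "customer,account_no,balance\nAsha,1001,250.00\nBala,1002,90.50\nChitra,1003,4200.00\n"
	records, _ := csv.NewReader(strings.NewReader(extract)).ReadAll()
	masked, err := Depersonalise(records, []string{"account_no", "balance"}, 42)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	w := csv.NewWriter(os.Stdout)
	w.WriteAll(masked)
}
```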

6.5 Availability of Application Software Code :

To ensure that source code is available for debugging or enhancement, the following steps should be taken :

a) To establish procedures to maintain the most current version of the programs written by the organisation’s staff and contractors.

b) To consider an escrow arrangement for the application software code under due agreement for the purchased application software for which source code is not available.

6.6 Change Management :

To maintain the integrity of software when changes are made, the established change control procedures should be followed.

6.7 Databases :

A database is a collection of information that may be retrieved according to one or more criteria. It is dealt with in this document as a special case of software application. To protect databases from unauthorized modification or destruction and to maintain the integrity of information stored in the databases, the following steps should be taken :

a) To ensure that the database management systems have controls, so that all updating and retrieval of information preserve information integrity with respect to transaction control and system failure.

Concurrency control is required for shared databases.

b) All accesses to information should be controlled as specified by an Information Systems Security Administrator.

c) To apply access control mechanisms to physical information resources to restrict access to authorized information management systems, applications and users. This requirement is especially important where access is possible via mechanisms other than the intended primary information management agent.

6.8 Artificial Intelligence (AI) :

The applications, which use AI techniques, should include controls, specific to that technology and the following steps should be taken :

a) To secure all knowledge bases used by inference engines or similar AI processing techniques and ensure a regular review thereof for accuracy and effectiveness.

b) To place limits on the automatic decision making ability of AI systems or AI sub-systems of conventional applications to ensure that vital decisions are approved.

c) To place controls on the information used in the training of neural networks based applications.

d) To monitor the stability of neural network based applications for effectiveness.

e) To build all AI systems within programmed decision enclosures to ensure that the control of decision making is kept within reasonable limits according to the information being processed or the impact of the decisions made.

6.9 Defective Software :

To minimize the probability of latent defects in software, the following steps should be taken :

a) To select vendors with a good reputation, a proven record and sufficient resources or insurance to cover the damages, which may result from the use of their software.

b) To install and operationalise a quality assurance programme for all software.

c) All software to be fully documented, tested and verified.

6.10 Unlicensed Software :

To prevent litigation or embarrassment, caused by use of software that is not licensed or beyond the license granted by the vendor, the following steps should be taken.

a) To use only licensed or authorized software.

b) To maintain evidence that license agreements are being fully met.

This can include an inventory system, physical control of master copies of software and periodic auditing of the information systems.

6.11 Protection against Malicious Software :

Software and information processing facilities are vulnerable to the introduction of malicious software such as computer viruses, network worms, Trojan horses and logic bombs. Users should be made aware of the dangers of unauthorized or malicious software and the Information System Security Managers should, where appropriate, introduce special controls to detect or prevent its introduction. It is essential that precautions are taken to detect and prevent computer viruses on personal computers.

6.11.1 Controls against Malicious Software :

The detection and prevention controls to protect against malicious software and appropriate user awareness procedures should be implemented. The protection against malicious software should be based on security awareness, appropriate system access and change management controls. To protect the integrity of information and the information systems from modifications, disclosures or destruction by malicious software, the following steps should be taken:

a) To establish a virus detection and protection procedure, to be continuously reviewed and revised, conforming to the emerging requirements and to implement the same across the organisation.

All software acquired by the organisation should be checked by the virus detection procedure prior to installation and use.

b) To establish the management procedures and responsibilities to deal with the virus protection on systems, training in their use, reporting and recovering from virus attacks.

c) To distribute instructions on the detection of viruses to all the users.

Evidence such as sluggish performance or mysterious growth of files should alert the users to a problem that must be reported to the information system security manager immediately on occurrence thereof.

d) To establish a written policy on downloading, acceptance and use of freeware and shareware including the flexibility to prohibit this practice, if deemed necessary.

e) To establish a formal policy requiring compliance with software licences and prohibiting the use of unauthorized software.

f) To authenticate software for highly CRITICAL applications using digital signature. Failure to verify would indicate potential problem/s and the software should not be used until the source of the problem is identified and properly dealt with.

g) To establish a formal policy to protect against risks associated with obtaining files and software either from or via external networks or on any other medium, indicating what protective measures should be taken.

h) To install and regularly update the anti-virus detection and repair software to scan computers and media, either as a precautionary control or on a routine basis.

i) To conduct regular reviews of the software and data content of systems supporting critical business processes. The presence of any unapproved files or unauthorized amendments should be formally investigated.

j) To establish a policy and procedure for checking the diskettes and other such media, brought in from outside the organisation’s normal purchasing programme. To check any files on electronic media of uncertain or unauthorized origin or files received over untrusted networks for viruses before use.

k) To check any electronic mail attachments and downloads for malicious software before use. This check may be carried out at different places e.g. at electronic mail servers, desktop computers or when entering the network of the organization.

l) To establish appropriate business continuity plans for recovering from virus attacks, including all necessary data and software backup and recovery arrangements.

m) To establish procedures to verify all information relating to malicious software and ensure that warning bulletins are accurate and informative. The Information Systems Security Managers should ensure that qualified sources, e.g. reputed journals, reliable Internet sites or anti-virus software suppliers are used to differentiate between hoaxes and real viruses. The users of the information systems should be made aware of the problem of hoaxes and the action to be taken on receipt thereof.

To ensure recovery of the processing capabilities following a virus infection, the following steps should be taken :

a) To retain the original back-up copy of all software and hold the same until such time as the original software is no longer in use.

b) To back up all data regularly.
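The digital-signature check called for in step f) of 6.11.1, as an added example that is not part of the guideline: the publisher signs a digest of the package at release time, and the organisation verifies it against the publisher's public key before installation, treating any verification failure as "do not use". The SignedPackage layout, names and key pair are constructed for the example; the trusted public key would in practice be obtained out of band, not shipped with the package.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedPackage is a hypothetical release format: the artifact bytes plus the
// publisher's Ed25519 signature over a digest that also binds the package name.
type SignedPackage struct {
	Name      string
	Artifact  []byte
	Signature []byte
}

// ErrUntrustedSoftware is the "failure to verify" outcome: the package must not be used.
var ErrUntrustedSoftware = errors.New("signature verification failed: do not install")

// digest hashes name || 0x00 || artifact so a valid signature for one package
// cannot be reused for the same bytes published under a different name.
func digest(name string, artifact []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write(artifact)
	return h.Sum(nil)
}

// SignPackage runs on the publisher side (vendor or in-house build system) at release time.
func SignPackage(priv ed25519.PrivateKey, name string, artifact []byte) SignedPackage {
	return SignedPackage{Name: name, Artifact: artifact, Signature: ed25519.Sign(priv, digest(name, artifact))}
}

// VerifyBeforeInstall is the organisation's pre-installation check against the
// publisher's public key; malformed keys or signatures are rejected, never skipped.
func VerifyBeforeInstall(pub ed25519.PublicKey, pkg SignedPackage) error {
	if len(pub) != ed25519.PublicKeySize || len(pkg.Signature) != ed25519.SignatureSize {
		return ErrUntrustedSoftware
	}
	if !ed25519.Verify(pub, digest(pkg.Name, pkg.Artifact), pkg.Signature) {
		return ErrUntrustedSoftware
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	pkg := SignPackage(priv, "payments-engine-1.2.bin", []byte("constructed artifact bytes"))
	fmt.Println("genuine package:", VerifyBeforeInstall(pub, pkg)) // <nil>
	pkg.Artifact[0] ^= 0xFF // simulate modification in transit
	fmt.Println("tampered package:", VerifyBeforeInstall(pub, pkg)) // signature verification failed
}
```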

6.12 Software provided to Customers :

Financial organisations may provide software to their customers for the purpose of serving the customers better or to interact with a customer for various purposes. To prevent unauthorized destruction or modifications of the software distributed to the customers, the following steps should be taken :

a) To create a secure and dedicated environment for the creation of customer diskettes. This should include physical and logical controls on the hardware, software and diskettes used for the creation, copying and protection of the master copies of the customer software. Alternatively, the copying hardware and software should be restored to a "diskette creation state" before each creation session.

b) To obtain a written statement from the vendor/s of the software being provided to the customers, binding such vendor/s to make their best efforts to protect the software against viruses and other unwanted code and to continuously upgrade such software with virus detection/protection measures, as required.

To protect the organisation against the claims of negligence due to the use of the software provided by the organisation, the following steps should be taken :

a) All software controls, applicable to the organisation’s software, also apply to the software provided to the customers. The organisation should also develop control requirements and guidelines for all the departments issuing software to the customers. This should include the software developed within the organisations, third-party software that may be legally distributed to customers and a combination of both internally developed and third-party software "packages."

b) To execute an agreement with the customers to whom software is provided specifying, among others, each party’s responsibilities, security requirements, indemnity for the organisation, limits on liability, compliance with environmental conditions and implementation of access controls at each customer site/s and instructions/procedures for use of the software.

c) To maintain sufficient documentation to prove that the software, provided by the organisation, was not the cause of viruses or other malicious codes, if encountered subsequently.

6.13 Software to interface with Customers :

The growth of computerisation and connectivity in banking operations may lead to the customers communicating with the financial organisations through commercial banking packages, ushering in the era of on-line banking facilities. On account of the growing pressure of competition and the need for the competitive edge in operations, the banks may have to provide on-line banking services to the customers. To limit the liabilities or losses which may arise on account of on-line banking, the following steps should be taken :

a) The liability/ies for the security breaches are, among others, clearly specified in the agreement/s with the banks.

b) To specify, among others, the role and responsibilities of the customers, availing of on-line banking facilities, under the terms and conditions, the organisation has set out for rendering such services.

c) The security policies of the service provider/s are compatible with that of the banks and financial organisations.

6.14 Security Controls and System Documentation :

Systems documentation may contain a range of sensitive information e.g. description of the application processes, procedures, data structures, authorization processes etc. The following security controls should be considered to protect the system documentation from unauthorized access.

a. System documentation should be stored securely.

b. The size of the access list for access to system documentation should be kept to a minimum and authorized by the system/ application owner.

c. System documentation held over a public network or supplied through a public network should be appropriately protected.

6.15 Exchange of Information and Software :

Exchanges of information and software between organizations should be controlled and be in conformity with the relevant legislations. Such exchange/s should be carried out on the basis of written agreements. Procedures and standards to protect information and media in transit should be established. The business and security implications, associated with electronic data interchange, electronic commerce and electronic mail and the requirements for security controls therefor, should be considered.

6.15.1 Information and Software Exchange Agreement :

Agreements including software escrow agreements, where appropriate, should be established for the exchange of information and software (whether electronic or manual) between the organizations. The security controls, specified in such an agreement, should reflect the sensitivity of the business information involved. Agreements on security conditions should consider the following :

a) management responsibilities for controlling and notifying transmission, despatch and receipt;

b) procedures for notifying sender, transmission, despatch and receipt;

c) minimum technical standards for packaging and transmission;

d) courier identification standards;

e) responsibilities and liabilities in the event of loss of data;

f) use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected;

g) information and software ownership and responsibilities for data protection, software copyright compliance and similar considerations;

h) technical standards for recording and reading information and software; and

i) any special controls such as the cryptographic keys that may be required to protect sensitive items.

6.14 Applets, JAVA and Software from External Sources :

The Internet Service Providers may download software to their customers. However, care should be taken to preclude software that is introduced into the organisation’s domain without a specific request for it or the express consent of the organisation. JAVA, a computer language specifically aimed at creating applications that can be remotely accessed and run, also represents a path for software not requested by a customer to become resident in a computer.

To prevent the entry of unauthorized software into the organisation’s systems, the following steps should be taken :

a. To provide connectivity to the Internet with the required security safeguards, as required for the conduct of business.

b. To install firewall including proxy server between the Internet and the internal network of the organisation.

c. Either the firewall should include virus scanning, or any executable file should be virus scanned before it is introduced to the organisation’s network.

d. To include, among others, liability clauses in any contract/ agreement entered into with such Internet Service Providers.
