Cyber Security Policy Of The Bank – Implementation Thereof And User/Consumer Awareness
In compliance with the directives of the regulators and the Government of India, the Bank has framed a cyber-security policy. It is to be implemented across the Bank as a whole, and users as well as customers are to be made aware of it, so that untoward incidents are avoided and a safe and secure environment is created in which to work and to serve our constituents to their utmost satisfaction. So let us first understand what Cyber Security is.
Cyber security refers to the body of technologies, processes and practices designed to protect networks, devices, programs and data from attack, damage or unauthorized access. Common types of cyber threat are malware (malicious software, including computer viruses, spyware, Trojan horses and key loggers) and ransomware (malware that locks or encrypts data until a ransom is paid).
The cyber threat exposes the Bank to risks such as:
- Inherent Risk – the risk of loss (for example financial fraud) that the banking and financial industry faces before any controls are applied.
- Residual Risk – the risk that remains even after suitable Information System controls have been implemented.
- Accepted Risk – the portion of the residual risk, i.e. possible losses from failures or cyber-attacks, that Management plans to absorb rather than mitigate further.
A cyber-attack is the misuse of IT services, originating either from inside the Bank or outside, that causes data or financial loss or disrupts banking operations or customer services; it can affect any application, software, website or e-mail system the Bank uses. An indicative list of cyber-attacks:
- Denial of service (DoS) attack – a concerted effort to prevent a website or service from functioning, depriving the organization of a resource it would normally have.
- Cross Site Scripting (XSS) – injecting malicious script into a web application's pages through an input the application fails to validate or encode, so that the script runs in other users' browsers and can hijack their sessions or alter their transactions.
- Distributed denial of service (DDoS) – a large number of compromised systems flood the targeted system with incoming traffic, exhausting its capacity and denying service to its legitimate users.
- Ransomware – malware that encrypts or blocks access to the victim's data, or threatens to publish it, unless a ransom is paid.
- Malware – maliciously crafted software (viruses, Trojan horses, spyware, key loggers) installed without the user's consent. Banking Trojans, for example, silently intercept or alter online banking transactions while the user believes the session is protected.
- Phishing – a fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
- Spear Phishing – phishing aimed at a specific individual or organization; the attacker gathers and uses personal information about the target to increase the probability of success.
- Whaling – spear phishing directed specifically at senior executives and other high-profile targets.
- Vishing (voice phishing) – phishing conducted by telephone, often over Voice over Internet Protocol (VoIP), which makes the caller's number easy to spoof; the attacker uses calls or voice messages impersonating the Bank or an official to obtain credentials, OTPs or card details and steal money.
- Browser Gateway Frauds – traffic sent and received by a PC or device is routed through a compromised gateway or proxy on the network, where it can be read or altered in transit (a man-in-the-middle attack).
- Ghost Administrator Exploit – code that takes advantage of a software vulnerability or security flaw to obtain administrator rights or privileges the attacker was never granted, or to move deeper into the network.
- Internal Attacks – misuse of IT systems or access authority by insiders: data theft, information disclosure, leakage of technical information, etc.
These cyber-attacks typically result in financial fraud; failure of servers, infrastructure, networks and customer services; loss of customers' private data; damage to the Bank's reputation; and non-compliance with the provisions of the IT Act, 2000 and RBI guidelines.
To counter cyber-attacks, the Bank shall implement procedures and controls at all levels to protect the Confidentiality, Integrity, Availability and Privacy of information stored and processed on its systems, and to ensure that information is available to authorized persons as and when required. Protection of information system resources and critical assets is the responsibility and accountability of all Bank employees and contract staff, who are required to maintain the confidentiality of Bank data and customer privacy. Any violation in discharging these responsibilities shall result in disciplinary proceedings, including suspension, termination or legal action according to the merits of the incident, so that the process acts as a deterrent to employees and contractors.
The Bank has deployed the following Information Technology and Information System infrastructure in the Branches and Head Office:
- Computer Terminals/PC
- Admin IDs and Login IDs procedures for access to IT & IS infrastructure
- Printers cum photocopy machines
- Passbook printers
- Switches
- Local Network connectivity (including wiring)
- Modem/ Wi-fi/Internet Connectivity
- CCTV Cameras & console
- UPS for power back-up to systems
- Bio-metric machine
- Air-conditioning, Firefighting equipment
- Hardware/software maintenance service providers
- The Bank outsources to a vendor the services for day-to-day CBS and branch banking operations. Servers and centrally connected PCs are deployed in the Branches and connected to servers at Head Office and at the vendor. To meet any eventuality, the vendor has devised business continuity and disaster recovery policy and procedures, which the Bank's employees and contract staff must follow.
Do's And Don'ts
The following Dos and Don’ts help remind us all of actions we must take to remain vigilant:
- DO use hard-to-guess passwords or passphrases. A password should have a minimum of 10 characters using uppercase letters, lowercase letters, numbers and special characters. To make it easy for you to remember but hard for an attacker to guess, create an acronym: pick a phrase that is meaningful to you, such as “My son's birthday is 12 December, 2004”, and derive the password from it, e.g. Msbi12/Dec,4. Never use that published example itself, and do not reuse the underlying phrase anywhere else.
- DO use different passwords for different accounts. If one password gets hacked, your other accounts are not compromised.
- DO keep your passwords or passphrases confidential. DON’T share them with others or write them down. You are responsible for all activities associated with your credentials.
- DO pay attention to phishing traps in email and watch for telltale signs of a scam. DON’T open mail or attachments from an untrusted source. If you receive a suspicious email, the best thing to do is to delete the message, and report it to your manager and Information Security Officer (ISO)/designated security representative.
- DO destroy information properly when it is no longer needed. Place paper in designated confidential destruction bins throughout the office or use a crosscut shredder. For all electronic storage media, consult with IT.
- DO be aware of your surroundings when printing, copying, faxing or discussing sensitive information. Pick up information from printers, copiers or faxes in a timely manner.
- DO lock your computer and mobile phone when not in use. This protects data from unauthorized access and use.
- DO remember that wireless is inherently insecure. Avoid using public Wi-Fi hotspots. When you must, use the Bank-provided virtual private network (VPN) software to protect the data and the device.
- DO report all suspicious activity and cyber incidents to your manager and ISO/designated security representative. Challenge strangers whom you may encounter in the office. Keep all areas containing sensitive information physically secured, and allow access to authorized individuals only. Part of your job is making sure Bank data is properly safeguarded, and is not damaged, lost or stolen.
- DO ensure that files, documents, manuals, brochures, privileged information, passwords and laptops/mobile devices in the possession of an employee or contract staff member are recovered, and that the user ID and e-mail ID are disabled, at the time of EXIT due to resignation or termination.
- DO review user access in CBS against the defined roles once every 3 months (every quarter), so as to ensure that no unauthorized, dormant or excessively privileged user exists in the system.
- DO maintain documentation and an inventory of IT hardware, software and networking assets and their numbering; vendor contacts and SLAs (Service Level Agreements); software licensing details; bug/problem/change registers for software, hardware and networking; network diagrams; configuration settings of OS and applications; legacy systems and equipment (old servers, applications); and all system documentation (technical manuals, client documentation etc.). This material must be stored in a secure environment and protected from unauthorized access; the protection procedure should restrict both machine and physical access to authorized users only.
- DO store confidential data encrypted. (Encryption is the process of translating plain text data (plaintext) into something that appears random and meaningless (ciphertext); decryption converts the ciphertext back to plaintext. To encrypt more than a small amount of data, symmetric encryption is used.) Use a standard authenticated algorithm such as AES-GCM rather than a home-grown scheme, and keep the keys separate from the data they protect: encrypted data is only as confidential as its key.
- DO ensure that Bank users do not have Administrator rights on PCs, that every PC is protected by a suitable and up-to-date anti-virus solution, that remote access from a PC is not allowed unless approved, that USB ports are disabled on PCs, and that open-ended desktop sharing tools such as TeamViewer are restricted.
- DO ensure implementation of the laid-down physical and environmental controls with respect to servers, firewalls, networking equipment (to be maintained in a secure environment with physical controls at the Data Centre and Branches) and cabling; physical security; CCTV monitoring using night-vision cameras on a 24 x 7 x 365 basis; CCTV recordings and back-ups; preservation of data at an off-site location; cleanliness; temperature and humidity controls; transformers/UPS/generator systems; and fire-fighting equipment.
- DO maintain a labelled inventory of removable media and store such media in fire-safe cabinets only; allow use of or access to such media to authorized persons only; and dispose of it securely and safely when no longer required.
- DO ensure that the laid-down back-up and recovery procedures are followed in letter and spirit: CBS data backup – DAILY; Bank files and folders on PCs/notebooks – WEEKLY; CCTV backup – WEEKLY; e-mail data backup – WEEKLY. Test restoration periodically; a backup that has never been restored is not known to work.
- DO maintain and publish an emergency contact list: hospitals, fire station, police station, CEO of the Bank, key managers at HO, Head of IT, account manager and vendors.
- DO maintain a log of major incidents with the details stipulated by CERT-In (the Indian Computer Emergency Response Team, under the Ministry of Electronics and Information Technology) under the IT Act, 2000, India's cyber law.
- DON’T leave sensitive information lying around the office. DON’T leave printouts or portable media containing private information on your desk. Lock them in a drawer to reduce the risk of unauthorized disclosure.
- DON’T post any private or sensitive information, such as credit card numbers, passwords or other private information, on public sites, including social media sites, and DON’T send it through e-mail unless authorized to do so. DO use privacy settings on social media sites to restrict access to your personal information.
- DON’T click on links from an unknown or untrusted source. Cyber attackers often use them to trick you into visiting malicious sites and downloading malware that can be used to steal data and damage networks.
- DON’T be tricked into giving away confidential information. It’s easy for an unauthorized person to call and pretend to be an employee or business partner. DON’T respond to phone calls or e-mails requesting confidential data.
- DON’T install unauthorized programs on your work computer. Malicious applications often pose as legitimate software.
- DON’T plug in portable devices without permission from Bank management. These devices may be compromised with code just waiting to launch as soon as you plug them into a computer.
- DON’T leave devices unattended. Keep all mobile devices, such as laptops and cell phones, physically secured. If a device is lost or stolen, report it immediately to your manager and ISO/designated security representative.
- DON’T leave wireless or Bluetooth turned on when not in use. Turn them on only when you plan to use them, and only in a safe environment.
- DON’T allow the use of open cloud storage (Dropbox, Google Drive etc.) or unauthorized exchange of data. Where exchange of data is approved, it should be done only through VPN, SSL/TLS, SFTP and other secure links, and should pass through the firewall devices installed at the location.
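The exit de-provisioning and quarterly CBS access review items above describe one reconciliation: every CBS account should map to an active employee whose role permits the privileges the account holds, and nobody who has left should still be able to log in. The following Python script is added here as an illustration; it is not part of the Bank's policy or of any vendor's CBS software. The role matrix, the record fields, the 90-day dormancy threshold and the sample records are all assumptions constructed for the example; a real review would export the user list from CBS and the staff roster from HR.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumed role matrix: which CBS privileges each job role may hold.
# A real review would use the Bank's approved role definitions.
ROLE_MATRIX: Dict[str, Set[str]] = {
    "teller": {"cash_txn", "passbook_print"},
    "branch_manager": {"cash_txn", "passbook_print", "txn_approve", "loan_approve"},
    "it_admin": {"user_admin"},
}

DORMANT_AFTER_DAYS = 90  # assumed threshold: no login for a full quarter


@dataclass
class HRRecord:
    emp_id: str
    role: str
    status: str  # "active" or "exited"


@dataclass
class CBSUser:
    user_id: str
    emp_id: Optional[str]  # None for accounts not tied to a named employee
    privileges: Set[str]
    enabled: bool
    last_login: Optional[date]


def review_access(hr: List[HRRecord], cbs: List[CBSUser], today: date) -> List[dict]:
    """Reconcile CBS accounts against the HR roster and the role matrix.

    Returns one finding per problem: orphaned accounts, accounts of exited
    staff that are still enabled, privileges beyond the role, and dormant
    accounts. One account may produce several findings.
    """
    hr_by_id = {r.emp_id: r for r in hr}
    findings: List[dict] = []
    for u in cbs:
        rec = hr_by_id.get(u.emp_id) if u.emp_id else None
        if rec is None:
            # No employee behind this login: generic, vendor or forgotten account.
            findings.append({"user": u.user_id, "issue": "orphaned",
                             "detail": "no matching HR record"})
            continue
        if rec.status == "exited" and u.enabled:
            findings.append({"user": u.user_id, "issue": "exited_still_enabled",
                             "detail": f"employee {rec.emp_id} has left the Bank"})
        excess = u.privileges - ROLE_MATRIX.get(rec.role, set())
        if excess:
            findings.append({"user": u.user_id, "issue": "excess_privilege",
                             "detail": f"{rec.role} may not hold: " + ", ".join(sorted(excess))})
        idle = (today - u.last_login).days if u.last_login else None
        if u.enabled and (idle is None or idle > DORMANT_AFTER_DAYS):
            findings.append({"user": u.user_id, "issue": "dormant",
                             "detail": "never logged in" if idle is None
                             else f"{idle} days since last login"})
    return findings


def sample_findings() -> List[dict]:
    """Run the review over constructed sample data (not real Bank records)."""
    today = date(2024, 3, 31)  # quarter end
    hr = [
        HRRecord("E001", "teller", "active"),
        HRRecord("E002", "branch_manager", "exited"),
        HRRecord("E003", "teller", "active"),
        HRRecord("E004", "it_admin", "active"),
    ]
    cbs = [
        CBSUser("u_e001", "E001", {"cash_txn", "passbook_print"}, True, today - timedelta(days=3)),
        CBSUser("u_e002", "E002", {"cash_txn", "txn_approve"}, True, today - timedelta(days=40)),
        CBSUser("u_e003", "E003", {"cash_txn", "txn_approve"}, True, today - timedelta(days=120)),
        CBSUser("vendor01", None, {"user_admin"}, True, None),
        CBSUser("u_e004", "E004", {"user_admin"}, True, today - timedelta(days=2)),
    ]
    return review_access(hr, cbs, today)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['user']:<10} {f['issue']:<22} {f['detail']}")
```

Run it at quarter end against the exported lists. Each finding maps to an action the review must record: disable the orphaned or exited account, remove the excess privilege, and confirm or disable the dormant login. The printed output, filed with the reviewer's sign-off, is the evidence that the quarterly review was actually performed.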
Remember - Cyber Security is everyone’s responsibility! All are therefore advised to abide by the laid-down guidelines, systems and procedures in letter and spirit. Any wilful violation or deviation shall be viewed seriously and suitable action will be initiated wherever deemed fit.