
CYBER SECURITY POLICY FOR MSCB LTD

CYBER SECURITY POLICY

For

THE MANIPUR STATE CO-OPERATIVE BANK LTD.

1)  Introduction :-

The Bank's information systems, and the data these systems process, are fundamental to its daily operations and to effective service provision. The Bank shall implement adequate security policies, procedures and controls to protect the confidentiality, maintain the integrity and ensure the availability of all information stored, processed and transmitted through its information systems. To build a secure and resilient cyberspace for customers, the Bank needs an effective cyber security policy.

Cyberspace is vulnerable to a wide variety of incidents, whether intentional or accidental, man-made or natural, and the data exchanged in cyberspace can be exploited for nefarious purposes. Cyberspace is expected to become more complex in the foreseeable future as the number of networks and devices connected to it increases.

The Bank's use of information technology has grown rapidly and is now an integral part of its operational strategy. It is therefore important to develop policies, procedures and technologies that reflect new developments and emerging concerns, and to fine-tune them as cyber threats evolve.

The protection of information infrastructure and the preservation of the confidentiality, integrity and availability of information in cyberspace are the essence of a secure cyberspace. Because cyberspace is dynamic, these actions now need to be unified under a cyber security policy, with an integrated vision and a set of sustained, coordinated strategies for implementation.

The cyber threat landscape has evolved from individual hackers to highly organised groups and advanced cyber criminal syndicates; cyber attacks are more targeted and sophisticated than ever before. Powerful new malware is capable of stealing confidential data and card information and of disabling network infrastructure. Attacks on critical infrastructure, including payment systems, can disable physical machinery, cause catastrophic equipment failure and result in substantial financial loss to the Bank. The Bank must be prepared to address the types of threats listed, indicatively but not exhaustively, in Annexure-A.

Cyber security policy is an evolving process that caters to the whole spectrum of people, process and technology; it serves as an umbrella framework for defining and guiding the actions related to the security of cyberspace.

To combat growing cyber threats and enhance the resilience of the banking system against cyber risks, RBI, vide its circular no. RBI/2018-19/63/DCBS. CO. PCB. Cir No.1/18.01.000/2018-19 dated 19th October 2018, directed banks as under:

1) "To put in place a cyber-security Policy elucidating the strategy containing an appropriate approach given the level of complexity of business and acceptable levels of risk duly approved by their Board."

This Cyber Security (CS) Policy has been framed on the basis of the stipulated RBI guidelines, the Information Technology Act and international standards.

The Cyber Security Policy is distinct from IT Policy and information Security Policy.

2)  Ownership

The Board of Management of THE MANIPUR STATE CO-OPERATIVE BANK LTD. is the owner of this policy and is ultimately responsible for the overall functioning of cyber security in the Bank.

3)  Cyber Security Scope and Applicability

  a) This policy applies to all employees, contractors, consultants and third-party users (internal and external) accessing the Bank's information systems from within or outside the Bank.
  b) This policy covers the usage of all of the Bank's information technology and communication resources, including but not limited to:
  i) All computer-related equipment such as PCs, workstations, telecom equipment, databases, printers, servers and shared computer resources, and all networks and hardware to which this equipment is connected.
  ii) All software, including purchased or licensed business software applications, in-house applications, vendor/supplier-provided applications, computer operating systems, firmware and any other software residing on Bank-owned equipment.
  c) All intellectual property and other data stored on the Bank's

4)  Policy Framework

1) The Cyber Security Policy is designed as per the cyber security framework defined below. The framework has been built on the basis of the RBI circular to provide a compliance overview for each of the functional areas outlined in the circular, covering threats such as Distributed Denial of Service (DDoS), ransomware/cryptoware, destructive malware and business email fraud, including spam and phishing.

2) Define a robust cyber security framework to ensure adequate preparedness for addressing cyber risks, and identify the inherent risks and the controls in place in order to adopt an appropriate cyber security framework.

3) Define cyber security measures/controls to ensure the protection of the Bank's and customers' information and to maintain the confidentiality, integrity and availability of data across the data/information life cycle.

4) Design the IT architecture in a manner that facilitates the security measures at all times.

5) Respond to, resolve and recover from cyber incidents and attacks through timely information sharing, collaboration and action.

Collectively, these objectives provide the foundation for protecting against and preparing for cyber threats (i.e. a proactive approach to cyber security) as well as for detecting, responding to and recovering from threats and challenges (i.e. reactive cyber security efforts).

5)  Guiding Principle

The Bank's approach to cyber security is based on the following principles.

  1. The Bank has an important responsibility to safeguard customers' confidential information, systems and networks and to ensure their confidentiality, integrity and availability. The Bank will therefore lead by example, implementing cyber security requirements while building and adopting innovative and new technologies.
  2. Individuals are responsible for being aware of threats, adopting best practices, understanding who is collecting their personal information and securing their own information systems and networks.
  3. Strong security measures and sound practices are encouraged to protect personal and private information from unauthorized access or misuse. The Bank will derive security procedures from the policy statements and provide the details of the actions necessary to achieve the objectives of each policy statement.

6)  Policy Statement

The Bank shall strive to preserve the confidentiality, integrity and availability of the Bank's information assets, including customer data, and to provide a safe and secure computing environment in order to build adequate trust and confidence in electronic transactions.

7)  Objective

  a) To safeguard the Bank's cyber-facing information infrastructure against various types of cyber threats, including but not limited to Denial of Service (DoS), and to pursue cyber security policies and initiatives that preserve the Bank's values and expectations, consistent with laws and regulations.
  b) All third-party vendors are to be managed as per the information security procedure for third parties.
  c) The Bank will co-ordinate with external agencies during and after a cyber crisis as per the Cyber Crisis Management Plan (CCMP).
  d) Head Office and Department Heads shall identify the inherent risks (including cyber risk) and the controls in place for any product/process before its launch, and shall review them periodically as per the Risk Management Policy of the Bank.
  e) An indicative but not exhaustive list of requirements to be put in place by the Bank to achieve the baseline cyber security framework is given in this policy. It shall be evaluated periodically to integrate risks that arise from newer threats, products or processes.

8)  Roles and Responsibilities

Head of Information Technology Cell/Department

  1. The Head of IT Cell/Department will be responsible for bringing to the notice of the Board / IT Sub-Committee of the Board the vulnerabilities and cyber security risks to which the Bank is exposed.
  2. The Head of IT Cell/Department, by virtue of the role, may ensure, inter alia, that current and emerging cyber threats to the business and the Bank's preparedness in these aspects are invariably discussed in such committee(s).
  3. The Head of IT Cell/Department shall manage, monitor and drive cyber security related projects.
  4. Shall co-ordinate the activities of the Cyber Security Incident Response Team(s) within the Bank.
  5. Shall develop and obtain an independent assessment of cyber security, including its coverage, at least on a quarterly basis.
  6. Shall have a robust working relationship with the Bank's top management. The Head of IT Cell/Department may be a member of (or invited to) committees on operational risk where IT/IS risk is also discussed.
  7. The IT Cell/Department shall be adequately staffed with technically competent people, if necessary through recruitment of specialist officers, commensurate with the business volume, extent of technology adoption and complexity.
  8. Shall be an invitee to the IT Committee and IT Steering Committee.

(i). Board Level IT Committee:

An I.T. Sub-Committee at the Board level shall be constituted with the following members:

  • Managing Director / Chief Executive Officer of the Bank – Chairman
  • Any 3 (three) members of the Board of Management – Members
  • Head of the I.T. Cell/Department – Convener

The IT Sub-Committee of the Board shall meet at least once in a quarter. The committee should focus on the following:

  1. Reviewing the initiatives taken by the I.T. Steering Committee. After assessing them, the committee shall apprise the Board.

(ii). I.T. Steering Committee:

An IT Steering Committee shall be formed with representatives from the IT, HR, Legal, Loans & Advances and Accounts Departments. Its role is to assist the Executive Management in implementing the IT strategy approved by the IT Sub-Committee of the Board. The IT Steering Committee should apprise/report to the IT Sub-Committee periodically. The Committee should focus on implementation of the Bank's IT Policy. Its functions, inter alia, include:

  a) Defining project priorities and assessing the strategic fit of IT proposals.
  b) Reviewing, approving and funding initiatives, after assessing their value addition to business processes.

(iii). Information Security Committee:

Since IT/cyber security affects all aspects of an organization, an Information Security Committee of executives shall be formed to consider IT/cyber security. The Head of the IT Cell/Department shall be the Member Secretary of the Committee. The Information Security Committee may include, among others, the Chief Executive Officer (CEO) and two senior management officials well versed in the subject. The Committee shall meet at least once a quarter. Major responsibilities of the Information Security Committee, inter alia, include:

  a) Developing and facilitating the implementation of information security policies, standards and procedures to ensure that all identified risks are managed within the Bank's risk appetite.
  b) Supporting the development and implementation of the Bank's information security management programme.
  c) Shall not have a direct reporting relationship with the IT Cell/Department Head and shall not be given any business targets.

Information Technology Cell/Department

  1. To provide IT products, support and services to the divisions and functions in accordance with the cyber security requirements of the Bank.
  2. Provide alternative solutions based on industry practice to satisfy increased protection requirements.
  3. Provide relevant support to others in meeting cyber security objectives and plans.
  4. Provide periodic metrics to evaluate the cyber security posture of the Bank on a quarterly basis.
  5. Coordinate all activities necessary for compliance with the cyber security policy.
  6. Oversee the execution of cyber security planning at the functional level.
  7. Maintain and update the relevant documents.

 

Legal & Compliance

  a) Provide guidance and support in contract negotiations and advise on legal issues (such as levels of liability) arising in connection with contracts and on regulatory requirements.

 

Branches / Departments

  a) Branches / Departments should support the Bank in meeting its requirements around cyber security risk management.
  b) Help in identifying inherent risks in business / processes and communicate the same to the IT Department.

Human Resources

  a) Ensure that all personnel are made aware of their information / cyber security responsibilities.
  b) Assign relevant information / cyber security trainings to staff.
  c) Provide guidance and support on the procedures that ensure compliance with applicable HR policies and employment regulations.
  d) Address security requirements for all personnel before, during and at termination or change of employment, including triggering the grant and revocation of system, email and physical access at the time of on-boarding / off-boarding of an employee.

Employee

  a) Comply with the Bank's cyber security policy.
  b) Practice reasonable care to protect Bank-provided assets and access credentials.
  c) Follow established cyber security incident reporting and escalation procedures.

Third Party

  a) Comply with the Bank's cyber security policy.
  b) Practice reasonable care to protect Bank-provided assets and access credentials.
  c) Comply with the terms and conditions of the Bank's non-disclosure agreement and confidentiality agreement.
  d) Ensure/confirm that any software/apps provided by the third party for the Bank's use are free from embedded malicious/fraudulent code.

 

9)  Implementation Approach

Successful implementation of the Cyber Security Policy requires continuous commitment, governance and action by the various stakeholders who are collectively responsible for the Bank's approach to cyber security. The Bank shall develop and maintain, or hire, a professional cyber security workforce. The Bank has implemented various controls/measures to address cyber security threats, as listed in Annexure-B; in addition, the Bank will adopt new and innovative cyber security technology and solutions as required from time to time to protect the Bank's information assets.

  a) The Cyber Crisis Management Plan of the Bank should cover effective measures to prevent cyber attacks and to promptly detect any cyber intrusion so as to respond, recover and contain the fallout.
  b) The respective officers / management of the IT Department controlling cyber-facing applications must take the following steps to make progress against the cyber security objectives.
  c) Identify and safeguard the Bank's cyber-facing information infrastructure:

  • Identify and prepare a list of the cyber-facing information infrastructure.
  • Assess the threats to the cyber-facing information infrastructure.
  • Identify the gaps and the cyber security controls.
  • Implement cyber security controls / standards, or suggest a management action plan to mitigate the risk.
  • Analyse cyber security trends and threats to provide timely reports to management.
  • Always use trustworthy technology products and services.
  • Continuously monitor the security posture of the cyber-facing IT and information infrastructure.

  d) Respond to, resolve and recover from cyber incidents:

If the asset owner suspects an incident involving the cyber-facing infrastructure, then:

  • Carry out a preliminary assessment of the incident.
  • If a cyber attack is observed, report the matter immediately to the competent authority in accordance with the Bank's Cyber Crisis Management Plan.
  • Take immediate remedial steps to stop/reduce the spread of the compromise within the cyber-facing information infrastructure, as per the CCMP.
  • Take action to correct and recover from cyber security incidents and system failures.
  • Establish mechanisms and procedures to facilitate timely information sharing and action among stakeholders, as per the CCMP.
  • Enhance and maintain situational awareness capabilities.
  • Establish and continuously enhance incident response capabilities.
  • Ensure preparedness by conducting cyber security exercises and drills.

 

10)     Cyber Security Awareness Training

  1. The Bank shall take steps to enhance cyber security awareness amongst the staff on a continuous basis, using trainings, posters, mails, etc.
  2. Staff of the IT Department handling cyber-facing applications must take periodic trainings to keep themselves aware of new cyber threats and countermeasures.

11)     Reporting and Performance Measurement

  1. The performance of the cyber security measures implemented by the Bank should be monitored continuously, and future cyber security requirements should be identified based on that assessment.
  2. Regular assessments should be carried out to identify potential cyber security threats.
  3. A quarterly report on cyber security incidents should be put before the Board, and the return thereof shall be submitted to RBI on the due date.

 

12)     Policy Review and Approval

This policy document shall be reviewed at least annually by the Information Security Department, or earlier in the event of any significant change in the existing IS environment (internal/external) affecting policies and procedures. The policy owner is responsible for making changes to the policy document and obtaining the Board's approval.

13)    Compliance

  1. The Bank expects all employees to comply with this policy. Any violation or attempted violation of the cyber security policy shall result in disciplinary action by the Bank as per the extant guidelines. Disciplinary action shall be consistent with the severity of the incident as determined by an investigation.
  2. Violations, if any, of the cyber security policy must be reported to the respective department head and to the Head of IT.
  3. While the Bank respects the privacy of its employees, it reserves the right to audit and/or monitor the activities of its employees and the information stored, processed, transmitted or handled by employees using the Bank's information systems.

 

14)    Exceptions

  1. Approval for exceptions or deviations from the policy, wherever warranted, must be provided by the IT Committee for high-risk items and by the Head of IT / Information Security Department for medium- and low-risk items.
  2. Exceptions must not be universal but must be agreed on a case-by-case basis, upon an official request made by the information asset owner. They may arise, for example, because of local circumstances, conditions or legal reasons existing at a point in time. Exceptions to the cyber security policy may be allowed at the time of execution/updating or on an ad-hoc basis if needed.
  3. All exceptions arising during implementation must be submitted by the concerned stakeholder to the Head of IT or another official of the information security team, using the Bank's cyber security policy exception form. The request must be approved by the User Department Head / information asset owner.
  4. The Information Security Department must review all exceptions every year for validity and continuity. A summary of the high-severity exceptions allowed should be reported to the IT Committee on a quarterly basis.

 

15)   Inquiries

Any inquiries relating to this policy or its application should be referred to the Head of IT Cell/Department.

 

16)     Cyber Security Domains

1) Inventory Management of IT Assets

  1. The Bank should maintain an up-to-date inventory of IT assets. IT assets include systems and networks, including disaster recovery systems and networks with their supporting facilities, and cover, but are not limited to, information, software, physical, service and people assets, with their criticality indicated.
  2. To ensure the confidentiality, integrity and availability of information, the information classification scheme designed by the Bank should be adhered to.
  3. The Bank should secure information accessible by internal teams, external agencies and partners through approved methods, including information in electronic form, information in physical form and information in transit.
  4. Any remote administration connections authorized by the Bank should use strong authentication (typically two-factor authentication) as well as corresponding encryption methods (such as SSH, SSL/TLS and VPN) to secure communication traversing the network.
  5. The Bank should ascertain the risks related to critical information stored, transmitted, processed and accessed.

2) Preventing Access of Unauthorized Software

  1. The Bank should maintain a central inventory of all software.
  2. The Bank should develop a mechanism to control the installation of unauthorized software in the Bank.
  3. The Bank should track the use of authorized / unauthorized software (if any) in the Bank.
  4. The Bank should define procedures for granting and approving exceptions, which at a minimum should cover the justification for the exception, its duration and the approving authority.
  5. The Bank shall whitelist authorized applications/software/libraries, etc.

3) Environmental Controls

  1. A cyber risk profile based on the activities at various locations, such as administrative offices, branches, the data centre and the disaster recovery site, should be documented and maintained to support risk-based decisions and the implementation of cyber security controls.
  2. The Bank should ensure that physical access to information processing areas and their supporting infrastructure (communications, power and environmental) is controlled to prevent, detect and minimize the effects of unintended access to these areas (e.g. unauthorized information access, or disruption of information processing itself).
  3. The Bank should monitor compromises of environmental controls relating to temperature, water, smoke, access alarms, service availability alerts (power supply, telecommunication, servers), access logs, etc.
  4. The Bank shall evaluate its cyber security risks and take up cyber insurance of an appropriate value from time to time. The need will be assessed on a yearly basis.

4) Network Management and Security

  1. The network security architecture should be documented at Bank level and updated whenever there are major changes in the Bank's environment, or at least annually.
  2. Security architecture and standard security management principles should be applied to network device configuration, vulnerability and patch management, and changes to routing tables or settings of network devices.
  3. Access to network devices should be restricted to the Bank's authorized network staff only, through appropriate access control mechanisms that support individual accountability and access restriction.
  4. The Bank should define standard operating procedures for all major IT activities.
  5. The Bank should ensure that defined events are logged and that these logs are collected using appropriate log collection software and infrastructure.
  6. A central repository for log collection should be established and used to generate alerts based on established parameters.
  7. The Bank should install network security devices, such as firewalls and intrusion detection and prevention systems, to protect its IT infrastructure from security exposures originating from internal and external sources.
  8. The Bank should periodically conduct configuration reviews of network components.
  9. The Bank shall deploy mechanisms to detect and remedy any unusual activity in systems, servers, network devices and endpoints.
  10. The Bank shall implement solutions to automate network discovery and management.

5) Secure Configuration

  1. Document and apply baseline security requirements/configurations to all categories of devices (end-points/workstations, mobile devices, operating systems, databases, applications, network devices, security devices, security systems, etc.) throughout their lifecycle (from conception to deployment), and carry out reviews periodically.
  2. Periodically evaluate critical device configurations (such as firewalls, network switches, security devices, etc.) and patch levels for all systems in the Bank's network, including those in data centres, third-party hosted sites and shared-infrastructure locations.
  3. The Bank should document minimum baseline security standards (MBSS) for IT platforms.
  4. The MBSS should be tested before any major release on an IT platform.
  5. The MBSS should be reviewed at least once annually and before any major upgrade.
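The periodic configuration review that items 1 to 5 above call for is easiest to run when the MBSS is written down as machine-checkable settings. The following is an added example, not part of the Bank's policy or its tooling: it takes a hypothetical MBSS fragment for the SSH daemon on a Linux server (the keys, permitted values and severities are assumptions) and reports where a running `sshd_config` drifts from it. Both configuration bodies below are constructed samples.

```python
"""Minimum baseline security standard (MBSS) drift check.

Added example, not part of the Bank's policy. It assumes the MBSS for a
Linux server is expressed as required key/value settings for sshd_config
(a hypothetical baseline); the running configurations below are constructed
sample inputs, not captured from any real system.
"""
import re

# Hypothetical MBSS fragment: key -> (permitted values or a predicate, severity).
MBSS_SSHD = {
    "PermitRootLogin":        ({"no"}, "high"),
    "PasswordAuthentication": ({"no"}, "high"),
    "Protocol":               ({"2"}, "high"),
    "X11Forwarding":          ({"no"}, "medium"),
    "MaxAuthTries":           (lambda v: v.isdigit() and int(v) <= 4, "medium"),
    "ClientAliveInterval":    (lambda v: v.isdigit() and 0 < int(v) <= 300, "low"),
    "LogLevel":               ({"verbose", "info"}, "low"),
}


def parse_sshd_config(text):
    """Return (effective settings, keys that appear more than once).

    sshd honours the *first* occurrence of a directive, so a later duplicate
    (a common way to quietly override a hardened value) is ignored here too,
    but recorded so the reviewer can flag it.
    """
    settings, duplicates = {}, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.+)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in settings:
            duplicates.add(key)
        else:
            settings[key] = value
    return settings, duplicates


def check_against_baseline(settings, duplicates, baseline=MBSS_SSHD):
    """Compare parsed settings with the MBSS; return (severity, key, why) findings."""
    findings = []
    for key, (allowed, severity) in baseline.items():
        if key not in settings:
            findings.append((severity, key, "missing (daemon default applies)"))
            continue
        value = settings[key]
        ok = allowed(value) if callable(allowed) else value.lower() in allowed
        if not ok:
            findings.append((severity, key, f"value '{value}' not permitted"))
    for key in sorted(duplicates):
        findings.append(("medium", key, "directive repeated; only first occurrence is effective"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


# Constructed sample: a server that has drifted from the baseline.
DRIFTED = """
Protocol 2
PermitRootLogin yes          # changed during an incident, never reverted
PasswordAuthentication no
PasswordAuthentication yes   # duplicate; sshd keeps the first value
X11Forwarding no
MaxAuthTries 10
LogLevel INFO
"""

# Constructed sample: a server that matches the baseline.
COMPLIANT = """
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
LogLevel VERBOSE
"""


def review(text):
    return check_against_baseline(*parse_sshd_config(text))


if __name__ == "__main__":
    for severity, key, why in review(DRIFTED):
        print(f"[{severity:6}] {key}: {why}")
```

Missing directives are reported rather than silently accepted, because the daemon default then applies and the baseline says nothing about it; that is the case the annual MBSS review most often misses.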

 

6) Anti-Virus and Patch Management

  1. Follow a documented, risk-based strategy for inventorying the IT components that need to be patched, identifying patches and applying them, so as to minimize the number of vulnerable systems and the time window of vulnerability/exposure.
  2. Implement and update antivirus protection for all servers and applicable end points, preferably through a centralised system.
  3. Put in place systems and processes to identify, track, manage and monitor the status of patches to operating system and application software running on end-user devices directly connected to the internet, and in respect of server operating systems, databases, applications, middleware, etc.
  4. Changes to business applications, supporting technology, service components and facilities should be managed using robust configuration management processes and a configuration baseline that ensures the integrity of any changes thereto.
  5. Periodically conduct VA/PT of internet-facing web/mobile applications, servers and network components throughout their lifecycle (pre-implementation, post-implementation, after changes, etc.).
  6. Periodically conduct application security testing of web/mobile applications throughout their lifecycle (pre-implementation, post-implementation, after changes) in an environment closely resembling or replicating the production environment.
  7. As a threat mitigation strategy, identify the root cause of each incident and apply the necessary patches to plug the vulnerabilities.
  8. For further details, the Information Security Procedure for Change Management is to be followed.
  9. The Bank should implement security controls to provide a robust defence against the installation, spread and execution of malicious code at multiple points in the enterprise.
  10. Mechanisms such as web security, anti-malware and continuous monitoring to detect advanced threats such as ransomware, cyber extortion, data destruction and DDoS should be implemented.
  11. Anti-virus should be installed on all end points and servers and centrally managed for policy configuration management and virus definition updates.
  12. The Bank should implement and maintain preventive, detective and corrective measures across the enterprise to protect information systems and technology from malware. Anti-malware packages for operating systems should be deployed and their definitions periodically updated.
  13. Malware protection should be installed on all web gateways and Exchange servers and centrally managed for policy implementation.
  14. The Bank should implement whitelisting of internet websites/systems.
  15. The Bank should have threat intelligence mechanisms that collect and analyse threat-related information from different internal and external sources.
  16. Based on the analysed threat intelligence, the Bank should share inferences and intelligence with regulatory bodies such as RBI, IDRBT and CERT-In.
  17. The Bank shall deploy mechanisms to deep-scan network packets, including secure (HTTPS, etc.) traffic, passing through the web / internet gateway.
  18. Mechanisms to manage events related to phishing/rogue applications should be implemented.

7)   User Access Control and Management

  1. Provide secure access to the Bank's assets/services from within/outside the Bank's network by protecting data/information at rest and in transit.
  2. Carefully protect customer access credentials, such as logon user IDs, authentication information and tokens, access profiles, etc., against leakage/attacks.
  3. Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a need-to-know basis and for a specific duration when required, following an established process.
  4. Implement appropriate (e.g. centralized) systems and controls to allow, manage, log and monitor privileged/supervisor/administrative access to critical systems (servers/OS/DB, applications, network devices, etc.).
  5. Implement controls to minimize invalid logon counts and deactivate dormant accounts.
  6. Monitor any abnormal change in logon patterns.
  7. Implement measures to control the installation of software on PCs/laptops, etc.
  8. Implement controls for remote management/wiping/locking of mobile devices, including laptops, etc.
  9. Implement measures to control the use of VBA/macros in office documents and to control permissible attachment types in email systems.
  10. For details, the Information Security Procedure for Logical Access is to be followed.

8)   Secure Mail and Messaging System

  1. Implement effective systems and procedures to ensure that e-mail is used as an efficient mode of business communication.
  2. Ensure that the e-mail service and its operations remain secure and efficient when communicating within the intranet as well as over the internet.
  3. Email-specific server controls should be documented.
  4. The security of email communication should be enhanced by the use of disclaimers, hashes or encryption.
  5. The Bank should control permissible attachment types in email systems.
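Controlling permissible attachment types (item 5 above, and the VBA/macro and attachment-type controls in the User Access Control and User/Employee Awareness sections) only works if the control looks at the content rather than the file name: an executable renamed to `.pdf` passes a name-based check. The following is an added example, not the Bank's mail gateway code. It assumes a small hypothetical allowlist of document types and rejects disguised PE executables and Office files carrying a VBA project; every sample attachment is constructed in the code.

```python
"""Inbound e-mail attachment control: allowlist by type, verified by content.

Added example, not the Bank's mail gateway code. It assumes the Bank permits
a small set of document types (the hypothetical allowlist below) and wants
disguised executables and macro-bearing Office files rejected even when the
file name looks harmless. All sample attachments are constructed in code.
"""
import io
import zipfile

ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "txt", "csv", "jpg", "png"}

# Leading-byte signatures: the filter trusts bytes, not names.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"MZ", "exe"),          # Windows PE executables (exe, dll, scr, ...)
    (b"PK\x03\x04", "zip"),  # also OOXML: docx/xlsx/pptx are zip containers
]

# What the declared extension must look like on the inside.
EXPECTED_KIND = {"txt": "text", "csv": "text", "docx": "docx", "xlsx": "xlsx"}


def sniff(data):
    """Return the content kind implied by the leading bytes, or None."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    if data and all(32 <= b < 127 or b in b"\r\n\t" for b in data[:512]):
        return "text"
    return None


def ooxml_type(data):
    """Classify a zip container as docx/xlsx/pptx/zip and flag an embedded VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None, False
    has_macro = any(n.lower().endswith("vbaproject.bin") for n in names)
    for prefix, kind in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
        if any(n.startswith(prefix) for n in names):
            return kind, has_macro
    return "zip", has_macro


def check_attachment(filename, data):
    """Return (allowed, reason). The file name is only a claim; the bytes decide."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext or 'none'}' not permitted"
    kind = sniff(data)
    if kind == "exe":
        return False, "PE executable content regardless of name"
    if kind == "zip":
        kind, has_macro = ooxml_type(data)
        if has_macro:
            return False, "Office document contains a VBA project"
    if kind != EXPECTED_KIND.get(ext, ext):
        return False, f"content looks like '{kind}', not '{ext}'"
    return True, "ok"


def make_ooxml(prefix, with_macro=False):
    """Build a minimal zip that mimics an OOXML package (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(f"{prefix}/document.xml", "<document/>")
        if with_macro:
            zf.writestr(f"{prefix}/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments, not real mail traffic.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%...",
    "report.docx": make_ooxml("word"),
    "macro_invoice.docx": make_ooxml("word", with_macro=True),
    "photo.jpg.exe": b"MZ\x90\x00",
    "statement.pdf": b"MZ\x90\x00",          # executable renamed to .pdf
    "notes.txt": b"Quarterly review notes\n",
    "archive.zip": make_ooxml("stuff"),
}


def run_samples():
    return {name: check_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_samples().items():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {name}: {reason}")
```

Signature sniffing is a floor, not a ceiling: a gateway should still hand allowed files to the anti-malware engine, and archives that are permitted should be opened and each member checked the same way.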

 

9)   Removable Media

  1. By default, access to removable media and drives (USB ports, CD/DVD ROM drives, floppy drives) should be disabled.
  2. Critical and sensitive information stored on removable media should be sanitized before disposal. Removable media should be disposed of securely and safely when no longer required.
  3. The Bank should deploy a governing mechanism for the use of personally owned and official mobile devices.
  4. The Bank should deploy a mechanism to scan removable media for malware before granting any read/write access.
  5. The Bank should implement centralized policies through Active Directory or endpoint management systems to restrict the use of removable media.
  6. Exceptions granting write access to removable media should be approved by the Head of IT, and a regular recertification process should be established, tracked and documented.

10)  User \ Employee \ Management Awareness

  1. The Bank should deploy mechanism to protect data at rest and in transmit by implementing secure access controls to the Bank’s network.
  2. The Bank should deploy mechanism in place to protect customer access credentials against data leakages.
  3. The Bank should provide access rights on a need to know basis for specific duration.
  4. Users should not be granted administrative rights on end-user workstations /laptops.
  5. The Bank should implement centralized authentication and authorization system for accessing IT assets including but not limited to applications, operating systems, databases, network and security devices/systems, point of connectivity.
  6. The Bank should enforce strong password policy for all critical assets.
  7. The Bank should implement appropriate systems and controls to log and monitor administrative access to critical systems.
  8. The Bank should implement controls to minimize invalid logon counts and deactivate dormant accounts.
  9. The Bank should deploy measures to control installation of software on end user devices.
  10. The Bank should deploy controls to restrict use of VBA / macros in office documents.
  11. The Bank shall deploy controls to monitor abnormal changes in pattern of logon.

11) Customer Education and Awareness

  1. Customer education and awareness program should be designed and implemented.
  2. Customers should be encouraged to report any phishing mails/websites, etc.
  3. Customers shall be educated on the downside risks involved in sharing their login credentials with any third party and the consequences arising out of such situations.
  4. Communication media such as E-mail, SMS, banners, advertisements and Audio-Visual displays at branch offices should be used to improve customer cyber security awareness.

12) Backup and Restoration

  1. Periodic backups of important data should be taken and stored ‘off line’ (i.e., by transferring the important files to a storage device that can be detached from the computer/system after copying all the files).

13) Vendor and Outsourcing Risk Management

  1. Banks shall carefully evaluate the need for outsourcing critical processes and the selection of vendors/partners based on a comprehensive risk assessment.
  2. Among others, banks shall regularly conduct effective due diligence, oversight and management of third party vendors/service providers & partners.
  3. An appropriate framework, policies and procedures, supported by baseline system security configuration standards, to evaluate, assess, approve, review, control and monitor the risks and materiality of all its vendor/outsourcing activities shall be put in place.
  4. Banks shall ensure and demonstrate that the service provider adheres to all regulatory and legal requirements of the country. Banks must necessarily enter into an agreement with the service provider that, amongst others, provides for the right of audit by the bank and inspection by the regulators of the country.
  5. Reserve Bank of India shall have access to all information resources (online/in person) that are consumed by banks; these are to be made accessible to RBI officials by the banks when sought, even though the infrastructure/enabling resources may not be physically located in the premises of banks.
  6. Further, the bank has to adhere to the legal and regulatory requirements relating to the geographical location of infrastructure and movement of data across borders.
  7. Banks shall thoroughly satisfy themselves about the credentials of vendor/third-party personnel accessing and managing the bank’s critical assets.
  8. Background checks, non-disclosure and security policy compliance agreements shall be mandated for all third party service providers.

14)   Vulnerability Assessment and Penetration Testing

  1. The Bank should periodically conduct vulnerability assessment and penetration testing (VA/PT) for all the critical systems.
  2. Vulnerabilities identified should be remediated in a timely manner.
  3. Penetration testing of public facing systems and critical applications should be carried out by professionally qualified teams.
  4. Concerned Asset owners/team leaders should ensure that necessary remedial measures are implemented to close the findings detected by penetration testing.
  5. VA/PT findings and follow up actions should be closely monitored by senior management as well as Information Security/ IT audit team.
  6. The Bank should periodically & actively participate in external cyber drills.

15)   Risk Based Transaction Monitoring

  1. Fraud Risk Management System (FRMS) should be deployed by Bank across each delivery channel for monitoring risk based transactions.
  2. Continuous surveillance should be used to monitor and detect fraudulent or large transactions in the Bank.
  3. Immediate notifications through alternate channels like E-mail and SMS are provided to customers on transactions executed by customer across various means i.e. online, cheque, ATM.
  4. For transactions above the tolerance limit, Call Back Verification (CBV) control shall be implemented.

16)  Incident Response and Cyber Crisis Management

  1. Bank should adhere to incident response procedures to respond consistently to attacks and minimize all loss, leakage or disruption during an attack.
  2. Learnings from information security incidents should be documented and communicated to stakeholders. This information shall be used in improving the processes and systems to reduce recurrence and/or future impact of the security incident.
  3. Employees and third parties shall report any observed or suspected information security weaknesses in systems or services through proper communication channels.
  4. Bank should develop recovery strategies to ensure critical application systems are resumed within the agreed Recovery Time Objectives (RTO).
  5. Management responsibilities should be assigned to ensure a quick, effective, and orderly response to information and cyber security incidents.
  6. For information security incidents that involve legal action (either civil or criminal), evidence should be collected, retained, and presented as per the laws and rules laid down in the relevant jurisdiction(s).
  7. Contacts with relevant authorities such as law enforcement agencies, regulatory bodies and national nodal agencies should be maintained.
  8. The Bank should have a process for collecting and sharing threat information from local, national or international sources following legally accepted/defined means/processes.
  9. Advanced cyber security incidents, such as those involving ransomware/cyber extortion, data destruction, DDoS, etc., should be handled under the cyber crisis management plan.
  10. Cyber-attacks should be contained by implementing security controls such as shielding and quarantining the affected devices/systems.
  11. A policy for aligning Incident Response and Digital Forensics, to reduce business downtime and bounce back to normalcy, should be in place.

17) Forensics

  1. The Bank should conduct preliminary investigation and evidence gathering and involve external forensics services on a case to case basis.
  2. The Bank should have a forensic risk evaluation criterion to decide on incidents that qualify for forensics.
  3. The security function must coordinate with legal and HR.
  4. Digital evidence related to information security incidents should be collected, stored and processed to facilitate necessary forensic investigation as per the applicable laws and regulations.
  5. The Bank should periodically and actively participate in external cyber drills.

Cyber Crisis Management

Cyber crisis management plan that includes identification, validation, activation, response, recovery and containment of cyber crisis should be documented, implemented and reviewed at least annually.

Types of Threats

  • Hacktivists: These are individuals or groups who seek to disrupt systems and networks for a variety of motives, including notoriety, financial gain, or political agendas. They connect across borders to overwhelm targeted websites and access sensitive information. They may seek to harm their enemies by either shaming them or disabling their services. Hacktivists typically launch distributed denial of service (DDoS) attacks, deface websites, access sensitive government data, and publish the personal information of high-ranking persons and business leaders.

  • Advanced Persistent Threats (APT): These occur when malicious actors use complex and unique malware to quietly gain access to proprietary or personal information and sensitive government information. They may also use customized solutions to take advantage of insiders, social engineering, network hardware, and third-party software to cause various malfunctions, destroy data, and disable networks.

  • Cyber Crime Syndicates: These organizations seek account information to make fraudulent transactions or to siphon money; information theft is also common, as cyber criminals will sell sensitive corporate information to unauthorized individuals or groups. Cyber criminals leverage various methods to achieve their objectives, such as distributing massive amounts of e-mails while posing as banks or other authorities to obtain customer identification and financial information. They may also use large-scale DDoS attacks to overwhelm Internet dependent enterprises.

  • Malicious Insiders: These are trusted individuals who are motivated to compromise the confidentiality, integrity, or availability of an organization’s information and information systems. Their motives may include financial gain, revenge, or ideology. Insiders do not need to infiltrate perimeter network defences because they have trusted access to information and information systems and can use various methods to damage or destroy government and business systems.

  • Rootkit: A rootkit is a collection of tools that are used to obtain administrator-level access to a computer or a network of computers. A rootkit could be installed on any computer by a cybercriminal exploiting a vulnerability or security hole in a legitimate application on the computer and may contain spyware that monitors and records keystrokes.

  • Botnet: also called a “zombie army”, is a collection of software robots, or bots, that run automated tasks over the Internet. It is a group of computers connected to the Internet that have been compromised by a hacker using a computer virus or Trojan horse. An individual computer in the group is known as a “zombie” computer.

The botnet is under the command of a “bot herder” or a “bot master,” usually to perform nefarious activities by running programs such as worms, Trojan horses, or backdoors. This could include distributing spam to the email contact addresses on each zombie computer, for example. If the botnet is sufficiently big in number, it could be used to access a targeted website simultaneously in what’s known as a denial-of-service (DoS) attack. The goal of a DoS attack is to bring down a web server by overloading it with access requests.

  • Trojan horse: Users can infect their computers with Trojan horse software simply by downloading an application they thought was legitimate but was in fact malicious. Once inside the computer of a user, a Trojan horse can do anything from recording his/her passwords by logging keystrokes (known as a keystroke logger) to hijacking the webcam to watch and record his/her every move.

  • Spam: is electronic junk email. The amount of spam has now reached about 90 billion messages a day. Email addresses are collected from chat rooms, websites, news groups and by Trojans which harvest users’ address books. SPIM is spam sent via instant messaging systems such as Yahoo! Messenger, MSN Messenger and ICQ. Its Danger level is Low but its Prevalence is Extremely High.

Spam can clog a personal mailbox, overload mail servers and impact network performance. On the other hand, efforts to control spam, such as by using spam filters, run the risk of filtering out legitimate email messages. Perhaps the real danger of spam is not so much in being a recipient of it as in inadvertently becoming a transmitter of it. Spammers frequently take control of computers and use them to distribute spam, perhaps through the use of a botnet. Once a user’s computer is compromised, their personal information may also be illegally acquired.

  • SQL Injection: Such an attack involves the alteration of SQL statements that are used within a web application through the use of attacker-supplied data. Insufficient input validation and improper construction of SQL statements in web applications can expose them to SQL injection attacks. SQL injection is such a prevalent and potentially destructive attack that it has become the number one threat to web applications.

  • Authentication Bypass: This attack allows an attacker to log on to an application, potentially with administrative privileges, without supplying a valid username and password.

  • Information Disclosure: This attack allows an attacker to obtain, either directly or indirectly, sensitive information in a database.

  • Compromised Data Integrity: This attack involves the alteration of the contents of a database. An attacker could use this attack to deface a web page or, more likely, to insert malicious content into otherwise innocuous web pages.
  • Compromised Availability of Data: This attack allows an attacker to delete information with the intent to cause harm, or to delete log or audit information in a database.
  • Remote Command Execution: Performing command execution through a database can allow an attacker to compromise the host operating system. These attacks often leverage an existing, predefined stored procedure for host operating system command execution.
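The two root causes named above, improper construction of SQL statements and insufficient input validation, shown side by side as an added example (this is not the Bank's code; the in-memory user table, account names and passwords are constructed for illustration). The first login function splices user input into the SQL text and can be bypassed; the second allow-lists the username and binds both values as parameters, so the same input is treated as data and the login fails.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for a web application's
    database (sample data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Plain-text passwords only to keep the example short; real systems
    # store salted password hashes, never the password itself.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "S3cret!", "administrator"), ("teller1", "pass1", "teller")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Improper construction: the input is pasted into the SQL text, so a
    quote character in the input changes the statement's logic."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username: str) -> bool:
    """Input validation: allow-list the characters a username may contain."""
    return USERNAME_RE.fullmatch(username) is not None


def login_parameterised(conn: sqlite3.Connection, username: str, password: str):
    """Proper construction: validated input is bound through placeholders,
    so the database engine never parses it as part of the statement."""
    if not is_valid_username(username):
        return None
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"  # textbook test input used to check the fix
    print("vulnerable login:", login_vulnerable(db, "admin", crafted))
    print("hardened login  :", login_parameterised(db, "admin", crafted))
```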

 

  • Ransomware: is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key.

  • Website defacement: is an attack on a website that changes the visual appearance of the site or a webpage. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own.

  • Spoofing: is an attack situation in which one person or program successfully masquerades as another by falsifying data, thereby gaining an illegitimate advantage.

E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source. The e-mail often contains malicious software as an attachment which will be used to get unauthorized access to the user’s computer.

  • Session Hijacking: Sometimes also known as cookie hijacking, this is the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. Once the user’s session has been accessed, the attacker can masquerade as that user and do anything the user is authorized to do on the computer.

  • Man in the Middle Attack: It is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. Online banking and e-commerce sites are frequently the target of such attacks. The attacker can capture login credentials and other sensitive data from the user’s computer with this type of attack.

Control Measures Implemented in Bank:

  • Use and maintain an updated anti-virus software – Anti-virus software recognizes and protects our computers against most known viruses. Anti-virus software is maintained up-to-date with the latest version, patches & updated definitions on all the Desktops and Servers and is monitored.

  • Keep our operating system and application software up-to-date:- Bank deploys security patches on all endpoints as soon as they become available, to eliminate exploitable vulnerabilities (i.e. zero day vulnerabilities) or known problems.

  • Regular Backup: – Daily backups of all critical systems are executed, and an “offline” backup of critical files to removable media is periodically executed in accordance with the Data Retention Policy and IS Procedure for Data Backup.

  • Blocking of removable media devices: – Prevention or limitation of all removable media devices on systems to limit the spread or introduction of malicious software and possible exfiltration of data, except where there is a valid business need for use.
  • Restricting account privileges: – All daily operations are executed using standard user accounts unless administrative privileges are required for that specific function. Configuration of all standard user accounts to prevent the execution and installation of any unknown or unauthorized software. Both standard and administrative accounts have access only to services required for nominal daily duties, enforcing the concept of separation of duties.