BANGLADESH KRISHI BANK INFORMATION AND COMMUNICATION TECHNOLOGY SECURITY POLICY Computer Department Head Office, Dhaka-1000


    Published by:
    Computer Department
    Bangladesh Krishi Bank
    Head Office
    83-85, Motijheel Commercial Area
    Dhaka - 1000

    Information And Communication Technology Security Policy
    Version: 1.0
    December 2007
    For Official use only.


    PREFACE

    The Information and Communication Technology (ICT) opens the door of globalization and has become the backbone of modern banking operations. It is also a critical component of the infrastructure for a competitive market economy. The survival and success of a business organization mainly depends on the effective use of ICT.

    In view of the above, Bangladesh Krishi Bank has already set up an Information Technology platform for its branches and offices. The bank has a vision to expand and to modernize the IT platform and information systems gradually. Notwithstanding the level of computerization, the security requirements of information systems are universal and significant to the sustainability of the IT platforms. Accordingly, the bank requires policies to secure IT setup as well as information and to set standards for IT operations.

    It is indeed a great pleasure that computer department of the bank has prepared a book titled Information and Communication Technology Security Policy in accordance with the guideline given by Bangladesh Bank, existing rules and regulations. The book contains the policies applicable to IT Management, IT Operation Management, Information System Physical Security, Information Security Standard, Business Continuity and Disaster Recovery plan, Procurement & Service Management. The organization chart along with the job description of IT personnel is also incorporated in the Appendix.

    The Computer Department (Information Technology Department) and members of the Technical Committee on Computerization headed by Professor Dr. Muhammad Masroor Ali of BUET deserve thanks for intellectual and laborious efforts in accomplishing such a tedious job. I also express my thanks and gratitude to the Board of Directors of the bank for providing their kind approval of the policy.

    However, implementation of the Policy is rather more important than its existence. Henceforth all concerns are requested to accomplish their business in accordance with the guidelines contained therein. The designated officers must examine and adhere to the strict compliance of the policy.

    (M. Fazlul Hoque)

    Managing Director

    Dated: December 2007, Dhaka


    INDEX OF CONTENTS

    Serial      Contents                                                            Page

    Chapter-1   Information and Communication Technology                            7-9
    1.1         Information and Communication Technology in Bangladesh Krishi Bank  7
    1.2         Automation of Branch Banking operations                             8
    1.3         Long term ICT vision of the bank                                    9
    Chapter-2   Information and Communication Technology Security Policy            10-11
    2.1         Scope                                                               10
    2.2         Objective                                                           10
    2.3         Basic Principles                                                    11
    Chapter-3   Information and Communication Technology Management                 12-14
    3.1         IT Management Area                                                  12
    3.2         Implementation of Information and Communication Technology Policy   12
    3.3         IT Related Documentation                                            12
    3.4         Internal IT Audit                                                   13
    3.5         Training of IT Personnel                                            13
    3.6         Insurance and Depreciation                                          13
    3.7         Problem Management                                                  13
    3.8         Job Description of IT Related Personnel                             14
    3.9         Compliance of Government / Bangladesh Bank Guidance                 14
    Chapter-4   IT Operation Management                                             15-16
    4.1         Change Management                                                   15
    4.2         Asset Management                                                    15
    4.3         Operating Procedure Management                                      15
    4.4         Request Management                                                  16
    Chapter-5   Information System Physical Security                                17-22
    5.1         Physical Security Standard Level-1                                  17
    5.2         Physical Security Standard Level-2                                  19
    5.3         Physical Security Standard Level-3                                  20
    5.4         General Security Guidelines                                         21
    Chapter-6   Information Security Standard                                       23-26
    6.1         Access control for information Systems                              23
    6.2         Audit trail and follow up                                           25
    6.3         Network Security                                                    25
    6.4         Data Encryption                                                     26
    6.5         Virus Protection                                                    26
    6.6         Internet and e-mail                                                 26
    Chapter-7   Business Continuity and Disaster Recovery Plan                      27-28
    7.1         Business Continuity Plan (BCP)                                      27
    7.2         Disaster Recovery Plan (DRP)                                        27
    7.3         Backup/Restore Plan (BRP)                                           28
    Chapter-8   Procurement and Service Management                                  29-30
    8.1         Computer Hardware and Software procurement                          29
    8.2         Service Level Agreement (SLA)                                       29
    8.3         Outsourcing                                                         30

    IT Forms and Appendix

    Form No.    IT Forms                                                            31-40
    ITF-1       Change Request Form                                                 33
    ITF-2       User Acceptance Test (UAT)                                          34
    ITF-3       Stock Register of Hardware and Software                             35
    ITF-4       Request Form                                                        36
    ITF-5       Access Authorization List                                           37
    ITF-6       Access Log Book                                                     37
    ITF-7       Visitors Log Book                                                   37
    ITF-8       User Creation Form                                                  38
    ITF-9       Password Handover Form                                              39
    ITF-10      Backup Log Book                                                     40
    Appendix                                                                        41-48
    Appendix-1  Organization Chart of Computer Department                           41
    Appendix-2  Job Description of IT Related Personnel                             42
    GLOSSARY OF TERMS                                                               49-52


    CHAPTER 1

    1.0: Information and Communication Technology

    Information and Communication Technology (ICT) plays a vital role in the present world. The advancement of Communication and Information Technology is one of the major contributing factors in the emergence of globalization of financial markets. The banking industry has changed the way it provides service to customers and processes information in recent years. Information Technology has brought about this momentous transformation. Security of IT systems for a financial institution has therefore gained much greater importance, and it is vital to ensure that such risks are properly identified and managed. Moreover, information and information technology systems are essential assets of the bank as well as of its customers. Protection and maintenance of these assets are important for the sustainability of any organization. Banks must take the responsibility of protecting this information from unauthorized access, modification, disclosure and destruction to protect customers' interests.

    This document provides the policy for Information and Communication Technology and ensures its secured use for Bangladesh Krishi Bank (BKB). It establishes general requirements and responsibilities for protecting ICT systems. The policy covers common technologies such as computers and peripherals, data and network, web systems and other IT resources. The bank's delivery of services depends on the availability, reliability and integrity of its information technology system.

    The policy will require regular updates to cope with the evolving changes in the IT environment, both within the bank and in the overall industry. The senior management of the bank must express a commitment to IT security by continuously upgrading awareness and ensuring training of the Bank officials. Compliance plans for cases of noncompliance should also be formulated from time to time.

    1.1: Information and Communication Technology in Bangladesh Krishi Bank:

    In spite of all limitations, Bangladesh Krishi Bank has entered the arena of Information and Communication Technology to meet the demand of the time and is endeavoring to turn traditional banking operations into the most modern banking system. Initially a computer section was started with two microcomputers under the Loan Recovery Division in 1987. Subsequently the Computer Section turned into a Computer Cell on a very limited scale. It began to expand with more microcomputers and the necessary system software from time to time. In 1993, the span of the Computer Cell was further extended by procurement of a multi-user, multitasking machine, i.e. a Mini Computer System. As the scope and working area of computer operations expanded further, the Computer Cell of the Bank turned into a full-fledged department with the approval of the Ministry of Finance. The Computer Department of the Bank started functioning in January 2004.

    1.2: Automation of Branch Banking Operations:

    Introduction of an automated modern banking system, instead of traditional manual banking, is the prime need of the time. To meet the situation, Bangladesh Krishi Bank prepared a five-year plan during the financial year 1998-99. The plan was duly approved by the Board of Directors of the Bank and subsequently by the Ministry of Finance of the Government of the People's Republic of Bangladesh. The plan is to be implemented in five phases as under:

    1.2.1: First Phase: The implementation of the first phase of the computerization plan was started in the year 1999 and has been completed as under:

    a. Branches: One-stop service facilities have been introduced under individual local area network systems in 28 branches of the bank, including four corporate branches in Dhaka, Chittagong, Khulna and Sylhet cities.

    b. Head Office: The secretariat of the managing director, the offices of the deputy managing directors and general managers, along with most of the departments in head office, have been brought under computerization through standalone personal computers or local area network systems with the necessary equipment.

    c. Divisional Offices: Personal computers with related accessories have also been supplied to all Divisional offices at field level to work on the basis of standalone systems.

    1.2.2: Second and Third Phase: The implementation of the second and third phases of the computerization program is in process. The automation processes are described below:

    a. Branches: One-stop service will be introduced in 55 branches located in different cities, district headquarters and places having business potential across the country.

    b. Head Office: The computerization process comprises upgrading the existing standalone personal computer based systems into local area networks and expansion of the existing system with the necessary equipment to the remaining departments in Head Office.

    c. Other Controlling Offices: The process comprises expansion of the computerized system to all Chief Regional Offices and Regional Offices, including Divisional Audit Offices of the Bank.

    1.2.3: Fourth and Fifth Phase: On completion of the second and third phases of computerization, the implementation of the fourth and fifth phases will start.

    a. Branches: One-stop service will also be introduced in 44 branches located in different cities, urban areas and places having business potential across the country.

    b. Head Office and Other Controlling Offices: The computerization process includes upgrading the existing systems in Head Office. The bank also desires to establish a centralized banking operation system by setting up appropriate servers for the data center and disaster recovery sites, and intends to procure the necessary hardware, software and equipment essential for connecting branches with business potential, and field level controlling offices, with the Head Office. The process also includes expansion of the computerized system to all Chief Regional Offices and Regional Offices, including Divisional Offices of the Bank.

    1.3: Long term ICT vision of the Bank:

    In continuation of the five-year computerization program, the bank intends to provide modern business facilities at the doorsteps of its valued customers through gradual computerization of almost all branches. Besides this, to face the challenges of the millennium under stiff competition in the banking sector, the bank also has a vision to introduce on-line banking facilities within its computerized corporate branches and important urban and district level branches. In the near future the Bank would provide better services to its valued clients by implementing modern banking products and services like ATM transactions and other packages, including utility service operations.

    Business operations in the banking and financial sector have become increasingly dependent on computerized information systems over the years. It has now become impossible to separate information technology from the business of banks and financial institutions. There is an increasing need to focus the highest attention on the issues of corporate governance of information systems and the security controls that safeguard information.


    CHAPTER 2

    2.0 Information and Communication Technology Security Policy

    This chapter describes the Information and Communication Technology Security Policy of Bangladesh Krishi Bank.

    This Information and Communication Technology Security Policy complies with the guideline supplied by Bangladesh Bank. The Board of Directors of Bangladesh Krishi Bank approves this policy. It provides the policy for Information and Communication Technology and ensures its secured use for the bank. Information security means protection of data, applications, networks and computer systems from unauthorized access, alteration or destruction.

    2.1 Scope

    This Policy is a systematic approach required to be formulated for ICT and also to ensure the security of information and information systems. It covers all information that is electronically generated, received, stored, printed, scanned and typed. The provisions of this policy shall be applicable to:

    a. Bangladesh Krishi Bank, for all of its information technology systems.

    b. All activities and operations required to ensure data security, including facility design, physical security, network security, disaster recovery and business continuity planning, use of hardware and software, data disposal and protection of copyrights and other intellectual property rights.

    c. All users, customers, agents and employees concerned with information and information technology systems.

    2.2 Objective

    The objectives of the Information and communication technology security policy of

    Bangladesh Krishi Bank are as follows:

    01. To establish a standard information technology management;

    02. To help the bank for secure and stable setup of its IT platform;

    03. To establish a secure environment for data processing;

    04. To identify information security risks and their management;

    05. To communicate the responsibilities for the protection of information and provide training regarding information system security;

    06. To prioritize information and information systems to be protected;

    07. To review periodically the policy to formulate procedure and security measures from time to time;

    08. To provide automated banking facility to the customer;

    09. To develop human resources with current electronic banking system;

    10. To prescribe mechanisms that help to identify and prevent the compromise of information security and the misuse of Bank data, applications, networks and computer systems.


    2.3: Basic Principles

    The following are the generally accepted principles that guide the policy on the security of information:

    2.3.1 Accountability: The responsibility and accountability of information/data custodians, information/data providers, users and other parties concerned with the security of information should be explicit.

    2.3.2 Awareness: To foster confidence in information systems, custodians, providers and users shall have access to all documentation about information security policies and procedures.

    2.3.3 Ethics: In the provision of information systems and the establishment of information security, the rights and legitimate interests of the organisation's personnel, its customers and business partners should be respected.

    2.3.4 Business Perspective: Security processes shall take account of and address the relevant business considerations and viewpoints; these include commercial, technical, administrative, organisational, operational, behavioral, ethical and legal/statutory aspects.

    2.3.5 Proportionality: The level and cost of security processes should be appropriate and proportionate to the value of and degree of reliance on information systems, and to the severity, probability and extent of potential or actual harm to the organisation.

    2.3.6 Integration: Security processes should be coordinated and integrated with each other and with the other measures, procedures and practices of the bank to create a coherent system of information security.

    2.3.7 Timeliness: Action to respond to an information security breach should be timely and coordinated to prevent and overcome the breach of security.

    2.3.8 Reassessment: The security of information systems should be reassessed periodically, recognising that information systems and the requirements for their security vary over time.

    2.3.9 Freedom of Information: The freedom of information should be compatible with the legitimate use and flow of data and information as stated in the e-governance policy(ies) of the government.

    2.3.10 Risk Mitigation: Risk analysis is to be carried out based on the value, need and type of the different IT entities. Accordingly, a risk mitigation plan is to be framed for the secured use of the IT entities.

  • 12

    CHAPTER 3

    3.0 Information and Communication Technology Management

    The Management must ensure that the functions relating to Information and Communication Technology are efficiently and effectively managed. They should be aware of the capabilities of IT and be able to appreciate and recognize opportunities and the risk of possible abuses. The management of the bank should have a commitment to information technology security by continuously upgrading awareness and ensuring training of the bank staff. IT Management deals with IT policy formulation, system documentation, assistance to the internal IT audit, training and insurance activities.

    3.1 IT Management Area:

    3.1.1 The IT Management should ensure maintenance of appropriate system documentation, particularly for systems which support financial reporting.

    3.1.2 The IT Management should participate in planning relating to Information and Communication Technology to ensure that allocated resources are consistent with business objectives.

    3.1.3 The IT Management should ensure that sufficient properly qualified technical staff are employed so that continuance of the IT operation area is not at risk at any time.

    3.2 Implementation of Information and Communication Technology Policy

    3.2.1 The IT Management will ensure the implementation of the Information and Communication Technology policy in the Bank. The policy covers common technologies like computers and peripherals, data and network, web systems and other IT resources.

    3.2.2 The policy will require regular updates to cope with the evolving changes in the Information and Communication Technology environment.

    3.3 IT related Documentation:

    3.3.1 There shall be an Organization chart for the Information Technology Department. This shall be a part of the bank's overall organization chart duly approved by the Government (Ref. Organization chart, Appendix-1).

    3.3.2 There shall be a documented job description for each IT personnel of the different Offices/Branches (Appendix-2).

    3.3.3 A roster for IT activities should be documented properly and be reviewed from time to time by the head of the department or office.

    3.3.4 Segregation of duties for IT tasks shall be maintained and reviewed from time to time by the head of the department or office.

    3.3.5 Fallback plans for the various levels of system support personnel shall be formulated, maintained and reviewed from time to time by the head of the department or office.


    3.4 Internal IT Audit:

    3.4.1 Internal Audit shall have sufficient IT expertise/resources capable of conducting IT Audit. At least one IT expert/resource person shall be included in the audit team while auditing IT related branches and offices.

    3.4.2 Internal IT audit shall be done on a periodic basis according to the bank's internal audit policy.

    3.4.3 The IT audit report should be treated as confidential and must be preserved for the respective Audit and Inspection officials, including Bangladesh Bank officials, as and when required.

    3.4.4 The bank/branch shall take appropriate measures to implement the recommendations made in the last Audit Report. This must be documented and kept along with the Audit Report as mentioned above.

    3.5 Training of IT Personnel:

    3.5.1 IT personnel should be given adequate training on relevant IT tasks.

    3.5.2 The employees should be trained on aspects of the importance and awareness of Information and Communication Technology.

    3.5.3 IT personnel should be trained for the purpose of any contingency/health security hazard in the IT area.

    3.5.4 All network users should be trained about its operating and security procedures.

    3.6 Insurance and Depreciation:

    3.6.1 Due to the rapid fall in the market value of computer hardware, the bank generally should consider obtaining insurance coverage only in the case of costly and/or specialized computer hardware and software. This decision will be taken on an individual basis based on the opinion of the management.

    3.6.2 All insurance matters for computer hardware should be conducted by the Department assigned by the management of the Bank.

    3.6.3 Depreciation at the rate of 20% per annum shall be charged on Computer Hardware on the straight-line method.

    3.7 Problem Management:

    3.7.1 Problems relating to Information Technology should be resolved quickly. Resolving steps should be taken according to the nature of the troubles or problems (level-1, level-2 and level-3 problems).

    3.7.2 Level-1 problems are those that can be resolved by the user with or without telephonic assistance from the respective supplier. Level-2 problems are those that can only be resolved by the local supplier or the vendor of the product. Level-3 problems are those that can be resolved only by the manufacturer or principal of the product. For level-1, stress should be given to solving the problems by the user himself/herself. For level-2 and level-3 problems, the bank should enter into a service level agreement with the supplier/vendor of the respective IT asset.

    3.7.3 Problems that hamper the bank's operational activities directly should be logged on a daily basis. Other problems should be logged on a weekly basis.

    3.7.4 Responsibility for problem resolution should be accepted and assigned to a team for internal action.

    3.7.5 The problem log should be examined/investigated immediately.

    3.7.6 The necessary corrective action should be performed within the time frame bounded by the problem's severity.

    3.7.7 Findings and action steps taken during the problem resolution process should be documented.

    3.7.8 Problem information from remote systems should be referred to the specific support unit and the Regional Help Desk and Support Teams.

    3.7.9 Help-line support should be provided to remote units.

    3.8 Job Description of IT Related Personnel

    The job descriptions of the individuals posted in services related to Information Technology are shown in Appendix-2.

    3.9 Compliance of Government / Bangladesh Bank Guidance

    3.9.1 The Bank shall implement any instruction or recommendation given or to be given by the Government / Bangladesh Bank from time to time in connection with the management of Information and Communication Technology.

    3.9.2 The DGM (Information Technology) shall confirm compliance with the instructions or recommendations given by the Government/Bangladesh Bank within the stipulated time or within the shortest possible time.

    CHAPTER 4

    4.0 IT Operation Management

    IT Operation Management covers the dynamics of technology operation management, including change management, asset management, operating procedure management and request management. The objective of IT operation management is to achieve the highest levels of technology service quality with minimum operational risk.

    4.1 Change Management:

    4.1.1 All changes implemented in the production environment must be governed/supported by a formal documented process, including forms with the necessary change details. A sample form has been provided in ITF-1.

    4.1.2 Audit logs of changes should be maintained and kept available for ready reference.

    4.1.3 A signed-off declaration from the vendor should be obtained before implementation of changes in production.

    4.1.4 User Acceptance Test (UAT) should be completed before implementation of any application related change. A sample form for UAT has been given in ITF-2. This document should be preserved for ready reference.

    4.2 Asset Management:

    4.2.1 A register of inventory for hardware and software must be kept with all significant details and will be reviewed on 30th June every year. A sample form has been provided in ITF-3. A record of this review must be maintained.

    4.2.2 All data on equipment and associated storage devices/media must be destroyed or erased/overwritten before sale, disposal or reissue.

    4.2.3 The Bank must comply with the terms of all software licenses and must not use any software that has not been legally purchased or otherwise legitimately obtained.

    4.2.4 Software used in production environments must be subject to a support agreement.

    4.2.5 No software shall be used on any computer without the approval of the competent authority. Use of unauthorized or pirated software must be strictly prohibited throughout the bank. Random checks should be carried out to ensure compliance.

    4.3 Operating Procedure Management:

    4.3.1 Operating procedures must exist for all ICT (Information and Communication Technology) related functions.

    4.3.2 Changes to operating procedures must be authorized by the competent authority and documented properly.

    4.3.3 Operating procedures cover the following where appropriate:

    a. Documentation on handling of different processes.

    b. Scheduling processes, including target start and finish times.

    c. Documentation on handling of error and exception conditions.

    d. Documentation for secure disposal of output from failed processing runs.

    e. Documentation on system start-up, closedown, re-start and recovery.

    f. System maintenance schedule.

    4.4 Request Management:

    4.4.1 IT Services means any services relating to the installation, maintenance and replacement of computer hardware and peripherals, communication hardware and media, and operating and application software, including efforts for the development of human resources.

    4.4.2 A formal request process must be established before any IT service is provided. A sample Request Form has been provided in ITF-4.

    CHAPTER 5

    5.0 Information System Physical Security

    Sound business and management practices should be implemented in the Bank to protect information and technology resources. It is the responsibility of each branch and office/department to protect technology resources from unauthorized access, from both the physical hardware and the data perspective. Physical security involves environmental safeguards as well as controlling physical access to equipment and data.

    The Policy is applicable to all units having information and communication technology infrastructure. It is logical that the infrastructure and operational environment of all production units are not equally important. Therefore, depending on the information and communication technology setup and operational environment, the security standard should be categorized into three Levels as under:

    5.1 Physical Security Standards Level-1

    Security standards for centralized operation under which the Data Center, Disaster Recovery Site and Branches/Offices are connected through a WAN and operate on a 24x7x365 basis.

    5.1.1 Data Center Access Control:

    5.1.1.1 The Data Center must be a restricted area and unauthorized access shall be prohibited.

    5.1.1.2 The number of entrances into the Data Center shall be limited, locked and secured.

    5.1.1.3 Access authorization procedures based on biometric features should exist and apply to all persons, e.g. employees and vendors. An employee must escort vendors and cleaning crews during their stay in the Data Center.

    5.1.1.4 The Bank shall maintain an Access Authorization list, as provided in ITF-5, documenting the individuals who are authorized to access the data center, reviewed and updated periodically.

    5.1.1.5 An access log book with date and time shall be maintained in the form of ITF-6.

    5.1.1.6 A Visitor Log must exist and needs to be maintained in ITF-7. Visitors to the data center must be escorted to and from the entry point by an employee. (Visitor: a person whose name does not appear on the active access authorization list.)

    5.1.1.7 A security guard must be available in the data center 24 hours a day.

    5.1.1.8 An emergency exit door should be available in the data center.

    5.1.1.9 Carrying briefcases, handbags and other packages into the data center must be prohibited.
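Clauses 5.1.1.4 to 5.1.1.6 define three records that together make data center entry verifiable: the authorization list (ITF-5), the access log (ITF-6) and the visitor log (ITF-7). The following Python script is an added example, not part of the policy or the bank's own tooling, of the periodic review those clauses call for: it checks every access-log entry against the authorization list, treats anyone not on the list as a visitor who must appear in the visitor log with an authorized escort who was logged in for the whole visit, and flags expired authorizations and missing exit times. The CSV column names and all records are constructed assumptions, since the policy does not prescribe the layout of the forms.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample records with an assumed column layout (not taken from
# the policy's ITF-5/6/7 forms, whose layout the document does not show).
AUTHORIZATION_LIST = """name,role,valid_until
A. Rahman,System Administrator,2008-06-30
S. Akter,Network Engineer,2008-06-30
K. Hossain,Database Administrator,2007-11-30
"""

ACCESS_LOG = """date,time_in,time_out,name
2007-12-03,09:05,11:40,A. Rahman
2007-12-03,10:15,10:50,T. Islam
2007-12-03,14:00,14:30,K. Hossain
2007-12-04,08:55,,S. Akter
2007-12-04,13:10,13:45,R. Das
"""

VISITOR_LOG = """date,time_in,time_out,visitor,organisation,escorted_by
2007-12-03,10:15,10:50,T. Islam,Example Vendor Ltd,A. Rahman
"""


@dataclass(frozen=True)
class Finding:
    date: str
    name: str
    issue: str


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def review_access_log(auth_csv, access_csv, visitor_csv):
    """Return one Finding per access-log entry that breaks 5.1.1.4 to 5.1.1.6."""
    valid_until = {r["name"]: date.fromisoformat(r["valid_until"]) for r in _rows(auth_csv)}
    access = _rows(access_csv)
    visitors = _rows(visitor_csv)
    findings = []

    def escort_present(escort, day, t_in, t_out):
        # The escort needs a completed access-log entry on the same day that
        # spans the whole visit; a visitor left alone is a control failure.
        for r in access:
            if r["name"] == escort and r["date"] == day and r["time_out"]:
                if _minutes(r["time_in"]) <= _minutes(t_in) and _minutes(t_out) <= _minutes(r["time_out"]):
                    return True
        return False

    for entry in access:
        day, name = entry["date"], entry["name"]
        if not entry["time_out"]:
            findings.append(Finding(day, name, "no exit time recorded"))
        if name in valid_until:
            # Listed person: only the validity date of the authorization matters.
            if date.fromisoformat(day) > valid_until[name]:
                findings.append(Finding(day, name, f"authorization expired on {valid_until[name]}"))
            continue
        # Not on the list: by definition a visitor, so the visitor log must
        # carry a matching entry with an authorized escort.
        visit = next((v for v in visitors
                      if v["visitor"] == name and v["date"] == day and v["time_in"] == entry["time_in"]),
                     None)
        if visit is None:
            findings.append(Finding(day, name, "not on authorization list and not in visitor log"))
            continue
        escort = visit["escorted_by"]
        if escort not in valid_until or date.fromisoformat(day) > valid_until[escort]:
            findings.append(Finding(day, name, f"escort {escort} is not an authorized person"))
        elif not visit["time_out"] or not escort_present(escort, day, visit["time_in"], visit["time_out"]):
            findings.append(Finding(day, name, f"escort {escort} not logged in for the whole visit"))
    return findings


if __name__ == "__main__":
    for f in review_access_log(AUTHORIZATION_LIST, ACCESS_LOG, VISITOR_LOG):
        print(f"{f.date}  {f.name:<12} {f.issue}")
```

Run against the constructed records, the review accepts A. Rahman's entry and T. Islam's escorted visit, and reports K. Hossain (authorization lapsed before the visit), S. Akter (no exit time) and R. Das (neither listed nor logged as a visitor). The same checks apply unchanged to the real ITF-5/6/7 registers once their columns are mapped onto the assumed names.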

    5.1.2 Environmental Control:

    5.1.2.1 Documents regarding the physical layout of the data centre should be prepared and maintained.

    5.1.2.2 The layout of the power supplies of the data centers and the network connectivity should be prepared.

    5.1.2.3 Floors should be raised, and all data cables and power cables should be concealed in channels alongside the wall to keep them in a neat and safe position. Electrical cables and data cables must not cross each other, to avoid possible disturbance.

    5.1.2.4 Water detection devices shall be positioned below the raised floor, if it is raised.

    5.1.2.5 Accessories not related to the data center should not be allowed to be stored therein.

    5.1.2.6 Closed Circuit Television (CCTV) cameras should be installed at suitable places and be monitored by authorized officials.

    5.1.2.7 Eating, drinking and smoking must be prohibited in the data center. A signboard reading "No eating, drinking or smoking." must be placed at a conspicuous/visible point.

    5.1.2.8 Vehicles for any emergency purpose should always be available on site.

    5.1.2.9 There should be a separate telephone/cell phone. Addresses and phone numbers of all contact persons of the fire service, police station, service providers, vendors and all concerned IT organizations should be kept to cope with any emergency situation.

    5.1.2.10 Loading capacity of electrical outlets should be reviewed annually.

    5.1.2.11 The following environmental control measures/equipment should be installed in the data centre and disaster recovery site:

    a) Uninterruptible power supply (UPS) having sufficient loading capacity, with backup units;

    b) Backup power supply, i.e. generator/Instant Power Supply (IPS);

    c) Temperature and humidity measuring devices;

    d) Air conditioners with backup units;

    e) Water leakage precautions and a water drainage system for the air conditioners;

    f) Emergency power cut-off switches;

    g) Emergency lighting arrangement;

    h) Dehumidifier.

    5.1.2.12 The above environmental control measures/equipment should be tested regularly.

    5.1.2.13 There shall be an appropriate maintenance agreement/contract for the above equipment on a 24x7x365 basis.

    5.1.3 Fire Prevention:

    5.1.3.1 The Data Center wall, ceiling, doors and windows shall be fire resistant.

    5.1.3.2 A waterless fire extinguishing system(e.g. FM 200) which does not leave

    any trace and does not cause any physical harm to sensitive equipments is

    to be installed. There shall also be sensors for automatic activation of the

    system along with facility for suctioning out polluted air in case of fire.


    5.1.3.3 Employees must be aware of the fire extinguishing system and how to use it. All equipment must be sealed and tagged, indicating type and serviceability. The workability of the system shall be tested/examined periodically.

    5.1.3.4 An emergency alarm should be installed to give an immediate alarm/signal of fire, and any fire incident must be reported immediately to the fire service. The workability of the alarm shall be tested/examined periodically.

    5.1.3.5 Fire detectors should be placed in the ceiling and below the raised floor, if the floor is raised.

    5.1.3.6 There shall be a separate dedicated electrical line. Electrical cables/wires in the data center must be of good quality and be concealed.

    5.1.3.7 Flammable items shall not be kept in the data center.

    5.1.3.8 All concerned should be aware of the steps to be taken in case of a fire. The authority must ensure that proper directions are displayed in conspicuous places.

    5.2 Physical security standards Level-2

    Security standards for branches and offices having a server to which all or some of the computers at that location are connected through a LAN.

    5.2.1 Server Room Access Control:

    5.2.1.1 The server room should have a glass enclosure with lock and key. If it is not possible at branch level to provide a separate enclosure, the server shall be kept in the chamber of the branch manager. Keys to the server room must be kept with the Branch Manager or with a person authorized by the Branch Manager/Head of the Department in Head Office/Controlling Office.

    5.2.1.2 Physical access to the server room shall be restricted. A visitors' logbook must be maintained as provided in ITF-7.

    5.2.1.3 An access authorization list in form ITF-5 must be maintained and reviewed on a regular basis.

    5.2.2 Environmental Control:

    5.2.2.1 The desktop screen must be locked, and the screen saver must be password protected and activate after 5 minutes.

    5.2.2.2 The administrative passwords of the operating system, database and banking application software shall be written down, placed in a sealed envelope and kept in the personal custody of the Branch Manager/Head of the Department or Office.

    5.2.2.3 Users should be created only with the prior permission of the Branch Manager/Head of the Department or Office. User creation request forms should be maintained as per ITF-8. The System Administrator will keep a list of users with their assigned rights/permissions, with a copy to the Branch Manager/Head of the Department or Office.

    5.2.2.4 There should be provision for replacement of the server in the quickest possible time in case of any disaster.

    5.2.2.5 The server room should be air-conditioned and clean.


    5.2.2.6 A power generator/IPS should be in place to continue banking operations in case of power failure.

    5.2.2.7 A UPS should be in place to provide uninterrupted power to the server during a power failure.

    5.2.2.8 Proper attention must be given to avoid overloading electrical outlets with too many devices.

    5.2.3 Fire Protection:

    5.2.3.1 Appropriate channels along the wall must be installed to keep all cabling in a neat and safe position. A layout of the power supply cables and data cables must be maintained.

    5.2.3.2 The power supply must be switched off before leaving the server room. The System Administrator must ensure this.

    5.2.3.3 A fire extinguisher of suitable type, with the expiry date marked, needs to be placed outside the server room. It must be maintained and reviewed on an annual basis. All employees should be aware of how to use the fire extinguisher.

    5.2.3.4 Proper earthing of the electrical supply is to be ensured.

    5.3 Physical security standards Level-3

    Security standards for branches and offices having standalone computer(s) or ATMs.

    5.3.1 Computer Room Access Control:

    5.3.1.1 The PC running the Branch Banking Application Software must be placed in a clear glass enclosure with lock and key. In other offices, PCs should be placed in a separate enclosure or room. A responsible person should keep the keys of such enclosures.

    5.3.1.2 An access authorization list in form ITF-5 must be maintained and reviewed on a regular basis.

    5.3.2 Environmental Control:

    5.3.2.1 The user must have a desktop password known only to him, which is also kept written in a sealed envelope in the personal custody of the Branch Manager/Head of the Department or Office.

    5.3.2.2 The PC must have a password-protected screen saver which activates after 5 minutes of inactivity.

    5.3.3 Fire Protection:

    5.3.3.1 The power distribution board for the PC, with a circuit breaker, should be placed outside the enclosure and covered with a box under lock and key held by the senior-most operator.

    5.3.3.2 All power and other connecting cables for PCs must be kept secure from physical damage.


    5.3.3.3 A UPS for backup power supply is to be placed in the enclosure.

    5.3.3.4 The power supply of the PC must be switched off before leaving the branch.

    5.3.3.5 Fire extinguishers of suitable type, with the expiry date marked, are to be placed beside the power distribution board. They must be maintained and reviewed on an annual basis.

    5.3.3.6 Proper earthing of the electrical supply is to be ensured.

    5.4 General Security Guidelines

    5.4.1 Desktop and laptop computers should be connected to a UPS to prevent damage to hardware and data.

    5.4.2 When leaving a desktop or laptop computer unattended, users should apply the Lock Workstation feature.

    5.4.3 A password-protected screen saver must be used to protect desktops and laptops from unauthorized access.

    5.4.4 The automatic screen saver should activate after a period of inactivity. This period should not be more than 5 (five) minutes.

    5.4.5 Laptop computers that store confidential or sensitive information must have encryption technology.

    5.4.6 Desktop and laptop computers and monitors must be turned off at the end of each workday.

    5.4.7 Laptop computers actively connected to the network or information systems must not be left unattended.

    5.4.8 Laptop computers, computer media and any other form of removable storage (e.g. diskettes, CD-ROMs, zip disks, PDAs, flash drives, etc.) must be stored in a secure location or locked cabinet when not in use.

    5.4.9 Other information storage media containing confidential data, such as paper, files, tapes, etc., must be stored in a secure location or locked cabinet when not in use.

    5.4.10 Individual users must not install or download software applications and/or executable files to any desktop or laptop computer without prior authorization.

    5.4.11 Desktop and laptop computer users shall not write, compile, copy, knowingly propagate, execute, or attempt to introduce any computer code designed to self-replicate, damage, or otherwise hinder the performance of any computer system (e.g. virus, worm, Trojan, etc.).

    5.4.12 Any kind of virus must be reported immediately.

    5.4.13 Viruses must not be deleted without expert assistance unless instructed by the Information Technology Department.


    5.4.14 User identification (name) and authentication (password) must be required to access all desktops and laptops whenever they are turned on or restarted.

    5.4.15 Standard virus detection software must be installed on all desktop and laptop computers, mobile and remote devices, and should be configured to check files when read and to routinely scan the system for viruses.

    5.4.16 Desktop and laptop computers must be configured to log all significant security-relevant events, e.g. password guessing, unauthorized access attempts, or modifications to applications or system software.

    5.4.17 On holidays, computers should be removed from floors, if any, and kept away from windows.

    5.4.18 If, within the bank premises, any package such as a briefcase or similar object is found in a common place and is unusual enough to be suspicious, the police should be called immediately. The office must take all possible safety and security precautions. In no case should the object be touched or moved by non-police personnel.

    5.4.19 The computer room should be away from the basement and water/drainage systems, and above the flood level.


    CHAPTER- 6

    6.0 Information Security Standard

    This chapter specifies the information security policies and standards to be adopted by the bank for service delivery and data processing. It also covers the basic and general information security controls applicable to all functional groups, to ensure that information and data are protected against risk.

    6.1 Access control for information systems

    Access control refers to the functions that limit access to information systems or information processing resources. These functions are:

    6.1.1 Password Policy and Control:

    6.1.1.1 A password is a security method that identifies a specific authorized user of a computer system or network by a unique string of alphanumeric characters that the user types as an identification code.

    6.1.1.2 To make a strong password the following principles should be followed:

    a) The password length shall be at least 6 characters, with a combination of uppercase, lowercase, numbers and special characters.

    b) All users shall keep their passwords confidential and shall not share/disclose them to anybody else.

    c) Passwords should never be written down on unsecured paper and must not be inserted into e-mail messages or other forms of electronic communication.

    d) The maximum validity period of a password will not be more than 90 days.

    e) The maximum number of invalid logon attempts should be 3 consecutive times.

    f) One should not use passwords based on names of family, pets, friends, co-workers, fantasy characters, computer terms and names, commands, sites, hardware, software, or personal information like birthdays, addresses, phone numbers, etc.

    g) Password entries must be masked.

    6.1.1.3 All system-level passwords (i.e. root, enable, network administration, application administration, database administration, etc.) must be held by the officer authorized by the branch manager or head of the department/office, where applicable (ITF-9).

    6.1.1.4 All user-level passwords shall be kept by the individual users.

    6.1.1.5 All system-level and user-level passwords shall be written in separate sealed envelopes and kept in the personal custody of the branch manager/head of the department/office, with movement records, for use in case of emergency.


    6.1.1.6 The Password Handover Form (ITF-9) shall be used when users are changed.

    6.1.1.7 In the absence of the authorized password-holding officer, if it becomes necessary to use the above password(s), the branch manager/head of the department or office will open the sealed envelope and use the password(s), observing the formal documentary process.

    6.1.1.8 All users shall sign a document stating that the password will be kept confidential.

    6.1.1.9 The password given during registration of a new user must be changed by the user at first access.

    6.1.1.10 Nobody will use the "Remember Password" feature of applications, where applicable.

    6.1.1.11 Password history must be enabled in the system so that the same password can be used again only after at least 4 other passwords have been used.

    6.1.2 User registration and maintenance:

    6.1.2.1 There should be a formal user registration and de-registration procedure for granting access to all multi-user information systems and services. Access to the multi-user information systems and services should be controlled through the following process:

    6.1.2.2 The user registration with access privileges, duly approved by the Branch Manager/Head of the Department/Office, should be maintained in form ITF-8.

    6.1.2.3 Each user must have a unique User ID and a valid password, so that users can be linked to, and made responsible for, their actions.

    6.1.2.4 All users have to ensure that their user ID and password are not the same.

    6.1.2.5 The terminal inactivity time for users should be set to a maximum of 30 minutes.

    6.1.2.6 The respective branch manager/head of the department/office should fix an operating time schedule for users where necessary.

    6.1.2.7 Access privileges have to be changed/locked within 24 hours when a user's status changes or the user leaves the bank.

    6.1.2.8 A written statement of the user's access rights has to be given to the user by the System Administrator.

    6.1.2.9 An acknowledgement has to be obtained from the user signifying that he/she understands the conditions and obligations of the access.

    6.1.2.10 Use of group IDs is to be permitted where they are suitable for the work to be carried out.
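    The password rules of 6.1.1 and 6.1.2.4 above, as an added example of how a system could enforce them; this code is not part of the policy document or of any bank system. The numeric limits come from the policy text; the account record layout, the function names, the denylist handling for 6.1.1.2 f) and all sample values are assumptions made for this example.

```python
"""Added example, not taken from the BKB policy or any BKB system: a password
policy checker applying the rules of 6.1.1.2 (a, d, e, f), 6.1.1.9, 6.1.1.11 and
6.1.2.4. The numeric limits are the policy's; the account layout, function
names, denylist handling and sample values are constructed for this example."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

MIN_LENGTH = 6          # 6.1.1.2 a)
MAX_AGE_DAYS = 90       # 6.1.1.2 d)
MAX_FAILED_LOGONS = 3   # 6.1.1.2 e)
HISTORY_DEPTH = 4       # 6.1.1.11: current password plus the 3 before it


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so that history can be compared without keeping plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)  # oldest first, current last
    last_change: Optional[date] = None
    must_change: bool = True       # 6.1.1.9: initial password is changed at first access
    failed_logons: int = 0
    locked: bool = False


def register(user_id: str, initial_password: str, today: date) -> Account:
    """Create the account with an initial password the user must change (6.1.1.9)."""
    acct = Account(user_id=user_id)
    acct.history = [_digest(initial_password, acct.salt)]
    acct.last_change = today
    return acct


def complexity_errors(password: str, user_id: str, denylist=()) -> List[str]:
    """Rules of 6.1.1.2 a), f) and 6.1.2.4 that the candidate violates (empty = OK)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    has = [any(c.isupper() for c in password), any(c.islower() for c in password),
           any(c.isdigit() for c in password), any(c in string.punctuation for c in password)]
    if not all(has):
        errors.append("must combine uppercase, lowercase, numbers and special characters")
    if password.lower() == user_id.lower():
        errors.append("password must not be the same as the user ID (6.1.2.4)")
    lowered = password.lower()
    if any(word.lower() in lowered for word in denylist):   # constructed list of 6.1.1.2 f) terms
        errors.append("contains a name or term disallowed by 6.1.1.2 f)")
    return errors


def change_password(acct: Account, new_password: str, today: date, denylist=()) -> List[str]:
    """Set a new password if it passes complexity and history checks; return the errors."""
    errors = complexity_errors(new_password, acct.user_id, denylist)
    digest = _digest(new_password, acct.salt)
    if any(hmac.compare_digest(digest, old) for old in acct.history):
        errors.append("reuses one of the last %d passwords (6.1.1.11)" % HISTORY_DEPTH)
    if errors:
        return errors
    acct.history = (acct.history + [digest])[-HISTORY_DEPTH:]
    acct.last_change = today
    acct.must_change = False
    return []


def password_expired(acct: Account, today: date) -> bool:
    """6.1.1.2 d): a password older than 90 days is no longer valid."""
    return acct.last_change is None or today - acct.last_change > timedelta(days=MAX_AGE_DAYS)


def logon(acct: Account, password: str, today: date) -> str:
    """Verify one logon attempt: 'ok', 'change-required', 'expired', 'denied' or 'locked'."""
    if acct.locked:
        return "locked"
    current = acct.history[-1] if acct.history else None
    if current is None or not hmac.compare_digest(_digest(password, acct.salt), current):
        acct.failed_logons += 1
        if acct.failed_logons >= MAX_FAILED_LOGONS:   # 6.1.1.2 e): lock on the 3rd consecutive failure
            acct.locked = True
            return "locked"
        return "denied"
    acct.failed_logons = 0
    if acct.must_change:
        return "change-required"
    if password_expired(acct, today):
        return "expired"
    return "ok"
```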

    6.1.3 Input Control and Data Processing:

    6.1.3.1 Data input should be done by persons authorized by the competent authority.


    6.1.3.2 All financial transaction input must be supported by a proper voucher, document or formal procedure, according to their business powers.

    6.1.3.3 Non-financial data input should be done on the basis of proper records, statements, reports or returns.

    6.1.3.4 The software should not allow the same person to be both the maker and the checker of the same transaction.

    6.1.3.5 Access to the system, and especially to sensitive data or fields, should be restricted.

    6.1.3.6 Start-of-Day and End-of-Day operations of the banking application software should be performed by authorized officers. The day-end process should be completed with the generation of all prescribed reports.

    6.1.3.7 Proper records with appropriate authentication should be maintained if any corrective operations are made in the database.

    6.2 Audit trail and follow up:

    6.2.1 Audit trails are records of activity used to provide a means of reconstructing events and establishing accountability.

    6.2.2 The audit trail should cover the operations in which sensitive information is accessed, network services are accessed, and special privileges or authorities (such as security administration commands, the emergency User ID, supervisory functions, etc.) override the normal processing flow.

    6.2.3 The audit trail should include user identification, functions, resources and information used or changed, date and time stamp, workstation address and network connectivity path.

    6.2.4 Management should review the audit trail information regularly, usually daily for financial operations, and investigate and report suspicious activity immediately.
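    The daily review of 6.2.2 to 6.2.4, together with the maker/checker rule of 6.1.3.4, as an added example of what such a review can flag; this code is not from the policy document or from any bank system. The pipe-separated record layout (the six fields of 6.2.3), the function and resource names treated as privileged or sensitive, the emergency user ID and every sample log line are assumptions constructed for this example.

```python
"""Added example, not taken from the BKB policy or any BKB system: a daily review
of an audit trail along the lines of 6.2.2-6.2.4, also applying the maker/checker
rule of 6.1.3.4. The record layout, the function and resource names treated as
privileged or sensitive, the emergency user ID and every log line below are
constructed for this example."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# 6.2.3: user identification, function, resource, date/time, workstation address, network path.
FIELDS = ("timestamp", "user_id", "function", "resource", "workstation", "net_path")

# Constructed classification of the 6.2.2 categories.
SECURITY_ADMIN_FUNCTIONS = {"USER_CREATE", "RIGHTS_CHANGE", "PASSWORD_RESET", "AUDIT_CONFIG"}
SUPERVISORY_FUNCTIONS = {"LIMIT_OVERRIDE", "TXN_REVERSAL", "DAY_END_FORCE"}
SENSITIVE_RESOURCES = {"CUSTOMER_MASTER", "GL_CORRECTION"}
EMERGENCY_USER_ID = "EMERGENCY01"

# Constructed sample of one branch day (a deliberately malformed line is included).
SAMPLE_TRAIL = """\
2008-01-15 09:02:11 | bkb0123     | LOGON          | CORE_BANKING    | 10.10.5.21 | BR-017/LAN
2008-01-15 09:15:40 | bkb0123     | TXN_MAKE       | TXN-000481      | 10.10.5.21 | BR-017/LAN
2008-01-15 09:16:05 | bkb0123     | TXN_CHECK      | TXN-000481      | 10.10.5.21 | BR-017/LAN
2008-01-15 09:40:00 | bkb0456     | TXN_MAKE       | TXN-000482      | 10.10.5.22 | BR-017/LAN
2008-01-15 09:41:30 | bkb0123     | TXN_CHECK      | TXN-000482      | 10.10.5.21 | BR-017/LAN
2008-01-15 11:05:09 | EMERGENCY01 | LIMIT_OVERRIDE | TXN-000490      | 10.10.5.30 | BR-017/LAN
2008-01-15 13:20:44 | sysadm02    | RIGHTS_CHANGE  | bkb0456         | 10.10.1.5  | HO/WAN
2008-01-15 14:02:00 | bkb0456     | READ           | CUSTOMER_MASTER | 10.10.5.22 | BR-017/LAN
garbage line without separators
2008-01-15 17:30:12 | bkb0123     | DAY_END        | CORE_BANKING    | 10.10.5.21 | BR-017/LAN
"""


@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime
    user_id: str
    function: str
    resource: str
    workstation: str
    net_path: str


def parse_record(line: str) -> AuditRecord:
    """Parse one pipe-separated audit line; raise ValueError if it is malformed."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d: %r" % (len(FIELDS), len(parts), line))
    ts, user, func, res, ws, path = parts
    return AuditRecord(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, func, res, ws, path)


def review(lines: List[str]) -> List[str]:
    """Return one finding per event that 6.2.4 says must be investigated and reported."""
    records: List[AuditRecord] = []
    findings: List[str] = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            records.append(parse_record(line))
        except ValueError as exc:
            # A gap or corrupt line in the trail is itself reportable: events may be missing.
            findings.append("line %d: malformed audit record (%s)" % (n, exc))
    makers: Dict[str, str] = {}   # transaction -> user who made it
    for r in records:
        where = "%s %s@%s via %s" % (r.timestamp.strftime("%H:%M:%S"), r.user_id, r.workstation, r.net_path)
        what = "%s %s" % (r.function, r.resource)
        if r.user_id == EMERGENCY_USER_ID:
            findings.append("emergency user ID used: %s %s" % (where, what))
        if r.function in SECURITY_ADMIN_FUNCTIONS:
            findings.append("security administration command: %s %s" % (where, what))
        if r.function in SUPERVISORY_FUNCTIONS:
            findings.append("supervisory override of normal processing: %s %s" % (where, what))
        if r.resource in SENSITIVE_RESOURCES:
            findings.append("sensitive information accessed: %s %s" % (where, what))
        if r.function == "TXN_MAKE":
            makers[r.resource] = r.user_id
        elif r.function == "TXN_CHECK" and makers.get(r.resource) == r.user_id:
            findings.append("maker and checker are the same user (6.1.3.4): %s %s" % (where, r.resource))
    return findings
```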

    6.3 Network Security

    6.3.1 The network and its security shall be implemented under a documented design plan.

    6.3.2 Network equipment must be housed in a physically secured environment, and access to it must be restricted and controlled.

    6.3.3 Sensitive information should be kept in a restricted area of the networking environment.

    6.3.4 Unauthorized access and electronic tampering must be strictly controlled.

    6.3.5 Security of the network should be under dual administrative control.

    6.3.6 Firewalls should be placed on the network for any external connectivity, if and when necessary.

    6.3.7 There shall be a system to detect unauthorized intruders on the network.


    6.4 Data Encryption

    6.4.1 There should be a mechanism in place to encrypt and decrypt highly sensitive data travelling through the LAN/WAN or a public network.

    6.5 Virus Protection

    6.5.1 Whenever possible, a system which is not susceptible to virus attack is to be used. Examples of such systems are Unix and Linux based environments.

    6.5.2 Anti-virus software should be installed on each server and computer, whether it is connected to the LAN or not.

    6.5.3 Virus auto-protection mode should be enabled.

    6.5.4 The anti-virus software should always be updated with the latest virus definition file.

    6.5.5 All users should be informed and trained about computer viruses and their prevention mechanisms.

    6.5.6 All incoming e-mail messages must be scanned for viruses to prevent infection of the bank's network.

    6.6 Internet and e-mail

    6.6.1 Redundant communication links have to be used for the WAN/Internet.

    6.6.2 All Internet connections for PCs connected to the network should be routed through a firewall.


    CHAPTER- 7

    7. Business Continuity and Disaster Recovery Plan

    The Business Continuity Plan (BCP) is required to cover operational risks and should take into account the potential for wide-area disasters, data centre disasters and the recovery plan. The BCP should also take into account the backup and recovery process. With this in mind, this chapter covers the BCP, the Disaster Recovery Plan and the Backup/Restore Plan.

    7.1 Business Continuity Plan (BCP):

    7.1.1 There must be a Business Continuity Plan for IT in place, in line with the business.

    7.1.2 All documents related to the business continuity and disaster recovery plans must be kept in safe and secured locations. One copy can be stored in the office for ready reference.

    7.1.3 The Business Continuity Plan (BCP) must contain the following:

    a) Action plan for:

    i. a disaster during office hours,

    ii. a disaster outside office hours, and

    iii. immediate and long-term action, in line with the business.

    b) Emergency contact addresses and phone numbers, including vendors.

    c) Grab list of items such as backup tapes, laptops, etc. in case of an immediate evacuation.

    d) Disaster recovery site map.

    7.1.4 The Business Continuity Plan (BCP) must be reviewed at least once a year.

    7.2 Disaster Recovery Plan (DRP):

    7.2.1 A Disaster Recovery Site (DRS) replicating the Data Center/Production Site must be in place.

    7.2.2 The Disaster Recovery Site should be at a minimum of 30 (thirty) kilometers radial distance from the central data center.

    7.2.3 The Disaster Recovery Site should not be placed under the same utility services as the data center.

    7.2.4 The Disaster Recovery Site should be equipped with compatible hardware and telecommunications equipment to support the live systems in the event of a disaster.

    7.2.5 Appropriate physical and environmental security should be provided at the Disaster Recovery Site.

    7.2.6 Information security should be properly maintained throughout the fallback and DR recovery process.

    7.2.7 An up-to-date and tested copy of the DR plan is to be securely held off-site. DR plans must exist for all critical services where a DR requirement is agreed with the business.


    7.2.8 A DR test is to be successfully carried out at least once a year.

    7.2.9 DR test documentation should include at a minimum:

    a) Scope - defines the scope of the planned tests and the expected success criteria.

    b) Plan - detailed actions with timetable.

    c) Test results.

    7.3 Backup/ Restore Plan (BRP):

    7.3.1 Backup means saving data or information to assure business continuity in case of a loss of resources at the production site.

    7.3.2 There should be a documented backup procedure. The information technology department/computer department of the bank should formulate the backup procedure, and it will be reviewed annually.

    7.3.3 Backup copies of information should be stored off-site in a geographically separate and safe environment.

    7.3.4 At least one backup copy should be kept on-site at the office for time-critical delivery.

    7.3.5 The backup cycle is based on the following:

    Backups for branch-banking operations should be taken daily on appropriate media/devices. Provision for both incremental and full backups should be kept, to avoid corruption of data as well as to save time and money.

    In other cases, backups should be taken on a daily/weekly/monthly/quarterly or half-yearly basis depending on the nature of the database and/or operations, as the DGM (IT) decides fit.

    The DGM (IT) will formulate the action plan and implementation procedure for backup and restore.

    7.3.6 The backup media should be sent off-site immediately after the backup has been taken.

    7.3.7 The backup log book in form ITF-10 should be maintained, checked and signed by the Branch Manager/Head of the Department/Office.

    7.3.8 The backup inventory is maintained, checked and signed by the supervisor.

    7.3.9 The ability to restore from backup media is tested at least quarterly.

    7.3.10 Backup media must be labeled properly, indicating contents, date, etc.

    7.3.11 Hardcopy backups, in applicable cases, should also be taken.
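    The branch backup cycle of 7.3.5 to 7.3.10, as an added example of a check a manager could run over the backup log before signing it; this code is not from the policy document, from ITF-10 or from any bank system. The comma-separated column layout, the working-day handling and the sample entries are assumptions constructed for this example.

```python
"""Added example, not taken from the BKB policy or any BKB system: a checker for
a branch backup log kept along the lines of ITF-10, applying 7.3.5 (daily
backups, full plus incremental), 7.3.6 (media sent off-site), 7.3.9 (quarterly
restore test) and 7.3.10 (labelled media). The column layout, the working-day
handling and the sample entries are constructed for this example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

RESTORE_TEST_MAX_AGE_DAYS = 92   # 7.3.9: restore ability tested at least quarterly

# Constructed sample: one branch week, Sunday 13 to Thursday 17 January 2008.
SAMPLE_LOG = """\
# date, type, media label, sent off-site (Y/N), restore tested (Y/N)
2008-01-13, FULL, BR017-CORE-2008-01-13-FULL, Y, Y
2008-01-14, INCR, BR017-CORE-2008-01-14-INCR, Y, N
2008-01-15, INCR, BR017-CORE-2008-01-15-INCR, N, N
2008-01-17, INCR, BR017-CORE-INCR, Y, N
"""


@dataclass(frozen=True)
class BackupEntry:
    day: date
    kind: str             # "FULL" or "INCR"
    media_label: str      # 7.3.10: contents and date on the label
    sent_offsite: bool    # 7.3.6
    restore_tested: bool  # 7.3.9: a restore from this media was verified


def parse_log(text: str) -> List[BackupEntry]:
    """Parse comma-separated log lines (constructed layout) into entries sorted by date."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        d, kind, label, offsite, tested = (p.strip() for p in line.split(","))
        entries.append(BackupEntry(date.fromisoformat(d), kind.upper(), label,
                                   offsite.upper() == "Y", tested.upper() == "Y"))
    return sorted(entries, key=lambda e: e.day)


def check_backups(entries: List[BackupEntry], period_start: date, period_end: date,
                  working_days: Optional[Iterable[int]] = None) -> List[str]:
    """Return findings for the period; working_days are weekday numbers (Mon=0), all days if None."""
    findings: List[str] = []
    days = set(working_days) if working_days is not None else set(range(7))
    by_day: Dict[date, List[BackupEntry]] = {}
    for e in entries:
        by_day.setdefault(e.day, []).append(e)
    # 7.3.5: a backup every working day
    d = period_start
    while d <= period_end:
        if d.weekday() in days and d not in by_day:
            findings.append("%s: no backup recorded" % d)
        d += timedelta(days=1)
    # An incremental is only restorable on top of an earlier full backup.
    last_full: Optional[date] = None
    for e in entries:
        if e.kind == "FULL":
            last_full = e.day
        elif e.kind == "INCR" and last_full is None:
            findings.append("%s: incremental backup with no preceding full backup" % e.day)
        elif e.kind != "INCR":
            findings.append("%s: unknown backup type %r" % (e.day, e.kind))
        if not e.sent_offsite:
            findings.append("%s: media %s not sent off-site (7.3.6)" % (e.day, e.media_label))
        if e.day.isoformat() not in e.media_label:
            findings.append("%s: media label %r does not carry the backup date (7.3.10)" % (e.day, e.media_label))
    # 7.3.9: at least one verified restore within the last quarter
    tested = [e.day for e in entries if e.restore_tested and e.day <= period_end]
    if not tested or (period_end - max(tested)).days > RESTORE_TEST_MAX_AGE_DAYS:
        findings.append("no successful restore test within the last quarter (7.3.9)")
    return findings
```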


    CHAPTER- 8

    8.0 Procurement and Service Management

    The purchase of computer hardware, software and peripherals requires careful consideration of the bank's business needs, because subsequent changes are usually expensive to make. The system must have adequate capacity, or else it may not be able to function properly. There shall be adequate arrangements for proper maintenance of the system. Moreover, the service of vendors is of utmost importance for the smooth operation of the business in modern business organizations.

    This chapter specifies the policies and procedures to be followed by the bank for procuring and hiring the different services to be rendered by each and every service provider. It also covers the basic principles applicable to all service providers, to ensure prompt service so that the bank's operations are not hampered.

    8.1 Computer Hardware and Software Procurement:

    8.1.1 All purchases of new systems, computer hardware and software, or new components for existing systems must be made in accordance with the applicable Government/Bank procurement policies and procedures as well as technical standards.

    8.1.2 Except for minor purchases (as mandated by the delegation of financial power), hardware and software must be purchased through a structured/formal evaluation process.

    8.1.3 Purchases must be made on the basis of business needs and requirements, to be assessed by the competent authority.

    8.1.4 All new hardware and software installations are to be planned formally and notified to all interested parties ahead of the proposed installation date.

    8.1.5 All hardware and software must be tested fully and comprehensively, and formally accepted by the user, before being transferred to live operations.

    8.1.6 All hardware and software under procurement shall have a comprehensive warranty to cover operational risk.

    8.1.7 The period of warranty coverage should be determined by the procuring entity depending on the nature of the components, but the period should not be less than twelve (12) months.

    8.1.8 The description of the warranty must clearly mention the warranty coverage (parts, labor and service), the type of warranty (comprehensive), the duration, and any provision for penalty when the said warranty is not complied with at an acceptable level.

    8.2 Service Level Agreement (SLA):

    8.2.1 There should be a maintenance service arrangement for all hardware and software for the post-warranty period.

    8.2.2 There should be a service level agreement between the vendor and the bank for all sensitive hardware and software.

    8.2.3 The Annual Maintenance Contract (AMC) with the vendor shall exist only for usable hardware and software.

    8.2.4 For sensitive hardware and software items, the concerned authority shall exercise the utmost care to keep the contract in force without interruption due to delay in renewal.


    8.2.5 The user site should ensure that equipment does not contain sensitive live data when hardware is taken by vendors for servicing/repair.

    8.2.6 Service contracts with all service providers, including third-party vendors, should include:

    a) Parties to the contract, with addresses,

    b) Definitions of terms, if necessary,

    c) Measurable services/deliverables,

    d) Timing/schedules, i.e. service levels,

    e) Roles and responsibilities of the contracting parties, including an escalation matrix clearly mentioning response time and resolution time,

    f) Pricing of the contract,

    g) Penalty clause,

    h) Confidentiality clause,

    i) Contact person names (at daily operations and relationship levels),

    j) Renewal period,

    k) Modification clause,

    l) Frequency of service reporting,

    m) Termination clause,

    n) Warranties, including the service supplier's employee liabilities, third-party liabilities and the related remedies,

    o) Geographical locations covered,

    p) Ownership of hardware and software,

    q) Documentation to be maintained (e.g. logs of changes, records of reviewing event logs),

    r) Audit rights of access (internal audit, external audit, other audit as may be appropriate),

    s) Any other clause considered fit for the contract.

    8.3 Outsourcing:

    8.3.1 Outsourcing shall be done for activities that cannot usually be performed using the normal capacity of the Bank's people, materials and resources.

    8.3.2 The economic validity shall be studied before considering any sort of outsourcing.

    8.3.3 The risks and security concerns of outsourcing shall be considered carefully.

    8.3.4 The legal implications of outsourcing shall be carefully examined.

    8.3.5 The technical aspects of any activity should be examined by the technical committee or by the technical consultant, according to the nature of the activity concerned.

    8.3.6 The outsourcing proposal or working paper shall be prepared by the user department/office.

    8.3.7 Arrangements shall be made for possible acquisition of the source code, in the case of software, if necessary through an escrow account.

    8.3.8 The outsourcing service contract shall include the terms and conditions mentioned in paragraph 8.2.6.


    IT Forms and Appendix


    IT FORMS (30 - 40)

    and

    APPENDIX (41 - 48)


    ITF- 1

    BANGLADESH KRISHI BANK

    .............................Office

    CHANGE REQUEST FORM

    Reference No: Date:

    Section I : Requester Information

    Branch/Division Name :

    Submitted by :

    Change Description :

    Change Purpose :

    Request Date :

    Signature and Seal (Requester) Signature and Seal (Head of the Office)

    Section II : Approvals

    The undersigned agrees and accepts the change documented on this form.

    Name :

    Designation :

    Comments :

    Date :

    Signature and Seal :

    Section III : Implementer Details

    The undersigned has implemented the requested change on this form.

    Change reference No. :

    Date of change Implementation :

    Change Implementation Details :

    Was change successful? Yes No

    Name :

    Designation :

    Signature and Seal :

    Signature and Seal

    (Head of Branch/Division)

    (Ref: Para-4.1.1)


    ITF- 2

    BANGLADESH KRISHI BANK

    .............................Office

    USER ACCEPTANCE TEST (UAT)

    Reference No: Date:

    Application/System Name :

    Change Request Reference : Date :

    Test Scope (Detail plan of test) :

    Hardware / Software

    Performance Test/ Security Test

    Black box/ White box

    Expected Result :

    Actual Result :

    User Acceptance Test Failure / Success

    Comments :

    Signature and Seal :

    (Ref: Para-4.1.4)


    BANGLADESH KRISHI BANK

    .............................Office

    ITF- 3

    STOCK REGISTER OF HARDWARE AND SOFTWARE

    Name of the item:

    Columns: 1 SL #; 2 Brand & Model; 3 Description with Specification / Version; 4 Quantity; 5 Identification No; 6 Machine Location; 7 Supplier/ Vendor; 8 Date of Supply; 9 Price; 10 Signature; 11 Remarks

    (Ref: Para- 4.2.1 )


    BANGLADESH KRISHI BANK

    .............................Office

    REQUEST FORM

    ITF- 4

    Reference No.: Date:

    Section I : Requester Information

    Branch/Division Name :

    Submitted by :

    Contact No. :

    Request Details :

    Justification :

    Request Date :

    Signature and Seal (Requester) Signature and Seal (Head of the Office)

    Section II : Approvals

    The undersigned agrees and accepts the change documented on this form.

    Name :

    Designation :

    Comments :

    Date :

    Signature and Seal :

    Section III : Implementer Details

    The undersigned has implemented the requested change on this form.

    Request reference No. :

    Date of Request Implementation :

    Request Implementation Details :

    Was Request done successfully? Yes / No (put details below)

    Short description in case of failure :

    Name :

    Designation :

    Signature and Seal :

    (Ref: Para-4.4.2)


    BANGLADESH KRISHI BANK

    .............................Office

    ITF- 5

    ACCESS AUTHORIZATION LIST

    Columns: 01 Serial No.; 02 Name and Designation of the authorized persons; 03 Address; 04 Authorization Validity From; 05 Authorization Validity To; 06 Authorization Card No.; 07 Authorized by; 08 Remarks

    (Ref: Para-5.1.1.4, 5.2.1.3 and 5.3.1.2)

    BANGLADESH KRISHI BANK

    .............................Office

    ITF- 6

    ACCESS LOG BOOK

    (for the use in the Data Center, Server Room, Computer Room)

    Columns: 01 Date of Access; 02 Name and Designation of the Authorized Persons; 03 Address; 04 Authorization Card No.; 05 Time of Access; 06 Signature of the person; 07 Purpose of Access / Work done; 08 Time of Departure; 09 Signature of the person; 10 Remarks

    (Ref: Para-5.1.1.5)
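    The Access Authorization List (ITF-5) and the Access Log Book (ITF-6) only protect the Data Center if the log is periodically reconciled against the list. The script below is an added example and is not part of the bank's policy or forms. It assumes both registers have been transcribed into CSV with the column names shown; every name, card number, date and purpose in the sample rows is constructed for illustration. It flags log entries whose card is not on the list, entries dated outside the card's validity period, entries whose name does not match the card holder, and entries with no departure time recorded.

```python
"""Reconcile the Access Log Book (ITF-6) against the Access Authorization
List (ITF-5).

Added example, not part of the bank's policy document. It assumes both
registers have been transcribed into CSV with the column names used below.
All sample rows are constructed for illustration.
"""
import csv
import io
from datetime import date

# Constructed sample of the ITF-5 Access Authorization List (hypothetical people and cards).
AUTHORIZATION_LIST_CSV = """\
serial_no,name_designation,address,valid_from,valid_to,card_no,authorized_by,remarks
01,A. Rahman (System Administrator),Head Office,2007-12-01,2008-11-30,AC-101,DGM(IT),
02,S. Akter (Database Administrator),Head Office,2007-12-01,2008-05-31,AC-102,DGM(IT),
03,M. Hossain (Maintenance Engineer),Head Office,2008-01-15,2008-12-31,AC-103,DGM(IT),
"""

# Constructed sample of the ITF-6 Access Log Book for the same period.
ACCESS_LOG_CSV = """\
date_of_access,name_designation,address,card_no,time_of_access,purpose,time_of_departure,remarks
2008-03-10,A. Rahman (System Administrator),Head Office,AC-101,09:05,OS patching,11:40,
2008-03-10,S. Akter (Database Administrator),Head Office,AC-102,10:00,Backup verification,10:45,
2008-06-02,S. Akter (Database Administrator),Head Office,AC-102,14:10,Standby server check,15:00,
2008-06-03,K. Islam (Vendor Engineer),Dhaka,AC-999,16:00,UPS service,17:30,
2008-06-04,M. Hossain (Maintenance Engineer),Head Office,AC-103,08:30,Cabling,,
"""


def load_authorizations(csv_text):
    """Index the authorization list by card number, with validity as dates."""
    auths = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        auths[row["card_no"]] = {
            "name": row["name_designation"],
            "valid_from": date.fromisoformat(row["valid_from"]),
            "valid_to": date.fromisoformat(row["valid_to"]),
        }
    return auths


def reconcile(auth_csv, log_csv):
    """Return one finding per log entry that the authorization list does not support.

    Checks: the card is on the list, the access date lies inside the card's
    validity window, the name on the log matches the name the card was issued
    to, and a departure time was recorded (an open entry means the visit was
    never closed out in the register).
    """
    auths = load_authorizations(auth_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        when = date.fromisoformat(row["date_of_access"])
        card = row["card_no"]
        reasons = []

        entry = auths.get(card)
        if entry is None:
            reasons.append("card not on authorization list")
        else:
            if not entry["valid_from"] <= when <= entry["valid_to"]:
                reasons.append("access outside authorization validity")
            if entry["name"] != row["name_designation"]:
                reasons.append("name does not match authorization list")
        if not row["time_of_departure"]:
            reasons.append("no departure time recorded")

        for reason in reasons:
            findings.append({"date": row["date_of_access"], "card_no": card, "finding": reason})
    return findings


if __name__ == "__main__":
    for f in reconcile(AUTHORIZATION_LIST_CSV, ACCESS_LOG_CSV):
        print(f"{f['date']}  {f['card_no']:<7} {f['finding']}")
```

    Run as a script, it lists three findings for the constructed data: an access on 2008-06-02 with a card whose authorization ended on 2008-05-31, an access with a card (AC-999) that appears on no authorization list, and an entry on 2008-06-04 with no departure time. Each finding points back to the date and card number so the reviewer can locate the physical register page.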

    BANGLADESH KRISHI BANK

    .............................Office

    ITF- 7

    VISITORS LOG BOOK (For use in the Data Center, Server Room, and Computer Room)

    Columns (01-10):

    01 Date of Visit
    02 Name of the visitor
    03 Address
    04 Purpose of Visit
    05 Time of Access
    06 Signature of the visitor
    07 Work done / Activities during stay
    08 Time of Departure
    09 Signature of the visitor
    10 Remarks

    (Ref: Para-5.1.1.6 and 5.2.1.2)

    BANGLADESH KRISHI BANK

    .............................Office

    ITF- 8

    USER CREATION FORM (For the use of the user section of branch/department)

    01. I. Name of the User :
        II. Designation :
        III. Address :
        IV. Date of Joining :
        V. Transfer from :

    02. Name of the System/Software :

    03. User Status : Administrator / Data Controller / Data Processor / Data Operator / Teller

    04. User Rights Proposed : Module Name(s) : (Read, Write, Delete, Copy, Change, Print)

    User's Signature :

    Recommended/Proposed by:

    Signature :

    Designation :

    Approved By :

    Signature :

    (Manager/Head of Department or Office)

    (For use of computer section of the branch/computer department/system owner department)

    Accepted for implementation for the following rights:

    1.
    2.
    3.
    4.
    5.

    Signature :

    Designation :

    (Branch Manager/ Head of Department office - system owner)

    User Created :

    a) On :
    b) User ID :
    c) User Password Envelope No. :

    Signature with seal

    (In charge of System Administrator)

    (Ref: Para-5.2.2.3 and 6.1.2.2)

    BANGLADESH KRISHI BANK

    .............................Office

    ITF- 9

    PASSWORD HANDOVER FORM

    We, the undersigned, handing over and receiving respectively, today the ...............(date) at ........ am/pm, the sealed cover in respect of the following:

    (1)
    (2)
    (3)

    in terms of the order no. ...................... dated .............. of (name of the order issuing office) .................. in the presence of the following witness (officer/staff).

    Signature:
    (Handing over Officer)
    Name :
    Designation:
    Address :

    Signature:
    (Receiving Officer)
    Name :
    Designation:
    Address :

    Counter Signature:
    Name of the counter signing officer:
    Designation:
    Address :

    NB: After receiving the passwords, the receiving officer will open the sealed envelope alone and confirm the passwords by applying them in the system/database. S/he will change the passwords immediately after checking and again hand over the new passwords in a sealed envelope to the Head of the Computer Department/branch manager, with the handover documented.

    (Ref: Para-6.1.1.3 and 6.1.1.6)

    BANGLADESH KRISHI BANK

    .............................Office

    ITF- 10

    BACK UP LOG BOOK

    Name of the System: ........................

    Columns (01-11):

    01 Serial no.
    02 Backup Period/Date
    03 Backup Media
    04 Backup Type (full / incremental)
    05 Backup taken by: Name
    06 Backup taken by: Designation
    07 Backup taken by: Signature
    08 Backup sent to
    09 Reference/code no.
    10 Signature of the recipient
    11 Remarks

    (Ref: Para-7.3.7)

    Appendix-1

    ORGANIZATION CHART OF COMPUTER DEPARTMENT

    (Ref: Para-3.3.1)

    Synopsis (number of posts by designation):

    1 Deputy General Manager
    1 Senior Operation Manager (AGM)
    1 Senior System Analyst (AGM)
    1 System Administrator (AGM)
    1 Database Administrator (AGM)
    1 Principal Maintenance Engineer (AGM)
    2 Operation Manager (SPO)
    2 System Analyst (SPO)
    2 Senior Programmer (SPO)
    1 Assistant System Administrator (SPO)
    1 Assistant Database Administrator (SPO)
    2 Senior Maintenance Engineer (SPO)
    4 Computer Operation Supervisor (PO)
    4 Assistant System Analyst (PO)
    4 Programmer (PO)
    4 Maintenance Engineer (PO)
    6 Senior Computer Operator (SO)
    12 Assistant Programmer (SO)
    8 Assistant Maintenance Engineer (SO)
    6 Computer Operator (Officer)
    2 Data Entry Control Supervisor (Officer)
    2 Senior Data Entry/Control Operator (Supervisor)
    2 Data Entry/Control Operator (Jr Assistant)
    5 Peon

    TOTAL = 75

    Chart boxes (the connecting lines of the chart did not survive extraction; the boxes are listed by grade):

    Deputy General Manager (Information Technology) - 1
    Senior System Analyst/ System Administrator/ Database Administrator (AGM) - 3
    Principal Maintenance Engineer (AGM) - 1
    Senior Operation Manager (AGM) - 1
    System Analyst (SPO) - 2
    Senior Programmer (SPO) - 2
    Asst System Administrator/ Asst DBA (SPO) - 2
    Senior Maintenance Engineer (SPO) - 2
    Operation Manager (SPO) - 2 (DC-1 & DRS-1)
    Assistant System Analyst (PO) - 4
    Programmer (PO) - 4
    Maintenance Engineer (PO) - 4
    Computer Operation Supervisor (PO) - 4
    Assistant Programmer (SO) - 12
    Assistant Maintenance Engineer (SO) - 8
    Senior Computer Operator (SO) - 6
    Computer Operator (Officer) - 6
    Data Entry Control Supervisor (Officer) - 2
    Senior Data Entry/ Control Operator (Supervisor) - 2
    Data Entry/ Control Operator (Jr Assistant) - 2
    Peon - 1, Peon - 2, Peon - 1, Peon - 1 (four boxes, total 5)

    Appendix-2

    Job Description of IT Related Personnel

    1. Deputy General Manager of Information Technology (IT) Department

    DGM(IT) is responsible for -

    - Planning, organizing, directing, coordinating, controlling and implementing the policies and procedures contained in the Information Technology Security Policy of the bank;
    - Formulating plans and programs for organizing, developing and managing the computerization and information technology system infrastructure;
    - Taking appropriate steps and measures needed for implementation of the computerization plan;
    - Coordinating the procurement committee and the bank's technical committee on computerization;
    - Presenting working papers on computerization to the management;
    - Approving changes in the production site, data center and communication media in respect of asset management, operating procedure management and request management;
    - Managing procurement of computer hardware, software, peripherals and other accessories as required by the bank.

    Also responsible for performing whatever job is assigned by the competent authority.

    2. System Analysis, Design and Programming:

    A. Senior System Analyst/ System Analyst/ Assistant System Analyst.

    They are responsible for -

    - Evaluating business procedures and problems reasonably;
    - Understanding the capabilities of the bank's equipment and software, and providing recommendations on the selection of new equipment or software packages;
    - Analyzing systems for the bank's own use;
    - Collecting data by interview, conducting surveys and observing employees' performance;
    - Preparing charts and diagrams that represent the new system in a form the bank's executives can understand;
    - Analyzing the cost and benefit of implementing the proposed system;
    - Preparing specifications for programmers to follow;
    - Coordinating test problems to debug the system and participating in trial runs;
    - Determining the computer hardware and software needed to set up the system, and designing application software;
    - Preparing system documentation and instructional/user manuals.

    Also responsible for performing whatever job is assigned by the competent authority.

    B. Senior Programmer/ Programmer/ Assistant Programmer.

    They are responsible for -

    - Writing programs by creating a logical series of instructions the computer can follow, applying knowledge of computer capabilities, subject matter and symbolic logic;
    - Coding instructions in programming languages, and testing and debugging programs to obtain the intended results;
    - Analyzing, reviewing and rewriting programs using workflow charts and diagrams, converting detailed logical flow charts into language that computers can process;
    - Preparing flow charts and block diagrams and encoding the resulting equations for processing, developing programs from workflow charts or diagrams, considering computer storage capacity, speed and the intended use of output data;
    - Preparing detailed workflow charts and diagrams from programs to illustrate the sequence of steps describing input, output and logical operation, and writing documentation of program development and subsequent revisions;
    - Revising existing programs to increase operating efficiency or to adapt to new requirements;
    - Consulting managerial and technical personnel to clarify program intent, identify problems and suggest changes;
    - Writing instructions to guide operating personnel during production runs;
    - Preparing records and reports as required;
    - Collaborating with vendors and users in developing new programming methods;
    - Assisting system analysts or computer operators in resolving problems in running computer programs;
    - Imparting training to subordinates in programming and program coding.

    Also responsible for performing whatever job is assigned by the competent authority.

    3. Computer Operation and Management:

    A. Senior Operation Manager/Operation Manager/Computer Operation Supervisor.

    They are responsible for -

    - Managing all sorts of operations using computer hardware, software and peripherals;
    - Understanding management's need for information and the bank's obligations to provide or present information to the government, the central bank and other bodies;
    - Coordinating information sources and destinations within and outside the bank, and coordinating with system development groups and vendors to improve computer system operations;
    - Defining and structuring appropriate operating procedures for information gathering, data capture, data validation and processing using computer systems;
    - Supervising implementation of the structured operational systems and procedures according to the requirements of the bank;
    - Recommending information system needs and requirements to the management.

    Also responsible for performing whatever job is assigned by the competent authority.

    B. Senior Computer Operator/Computer Operator/ Data Entry/ Control Supervisor.

    They are responsible for -

    - Implementing all sorts of operations using computer hardware, software and peripherals;
    - Understanding management's need for information and the bank's obligations to provide or present information to the government, the central bank and other bodies;
    - Coordinating information sources and destinations within and outside the bank;
    - Coordinating with system development groups to improve computer operations;
    - Implementing the operating procedures designed for information gathering.

    Also responsible for performing whatever job is assigned by the competent authority.

    C. Senior Data Entry/Control Operator, Data Entry/Control Operator

    They are responsible for -

    - Maintaining the physical aspects of the computer system, including personal computers, peripherals, operating systems and application software media kits;
    - Performing all sorts of operations, including desktop work, using the computer system;
    - Maintaining an inventory of all sorts of hardware, software and peripherals, including software media kits;
    - Understanding information needs and coordinating information sources and destinations within the bank;
    - Coordinating with system development groups to improve computer operations;
    - Following the operational procedures designed for information gathering.

    Also responsible for performing whatever job is assigned by the competent authority.

    4. Hardware Maintenance and Control:

    Principal Maintenance Engineer/ Senior Maintenance Engineer/ Maintenance Engineer/ Assistant Maintenance Engineer.

    They are responsible for -

    - Installation, configuration, maintenance, management and control of the computer systems;
    - Examining and analyzing technical reports, manuals and brochures, and recommending purchases of servers, personal computers, hardware, software and peripherals;
    - Testing and evaluating hardware and software to determine efficiency, reliability and compatibility with the system, and upgrading components;
    - Ensuring system security, installing system applications, distributing software upgrades and monitoring related activities;
    - Enabling and enforcing software licensing agreements;
    - Developing storage management systems and providing for routine backups;
    - Processing procurement of computer hardware, software, peripherals and other accessories as required by the bank;
    - Managing vendors and directing the work of system technicians and computer support staff.

    Also responsible for performing whatever job is assigned by the competent authority.

    5. System Administration and Control

    A. System Administrator/ Assistant System Administrator.

    They are responsible for -

    - Managing the bank's information technology setup, including computers, peripherals and operating systems;
    - Testing and evaluating hardware and software to determine efficiency, reliability and compatibility with the system, and upgrading components;
    - Ensuring network security, installing new applications and distributing software upgrades;
    - Maintaining the assigned multi-user system and exercising control over the information on the system;
    - Administering access control, creating and maintaining system users, controlling users' powers/rights and managing system controls;
    - Monitoring daily activity, and enabling and enforcing licensing agreements;
    - Designing and developing the storage management program and providing routine backups;
    - Managing vendors and directing the work of network technicians and computer support staff;
    - Managing and maintaining the servers and computers at the following levels:
      o Data Center and DRS level: Operating System for the Core Banking Database Server and Switching Server, Application Server, Host Security Module (HSM), Network Access Controller (NAC), Web Server, Mail Server, Internet Banking Application Server, Internet Banking DB Server;
      o Head Office level: SWIFT Server, Application Servers including Backup Server;
      o ATM and POS level: ATM and POS Terminal Control Software.

    Also responsible for performing whatever job is assigned by the competent authority.

    B. Database Administrator/ Assistant Database Administrator.

    They are responsible for -

    - System performance tuning, as well as structuring the tables within the database, the number of instances to run, and other parameters;
    - The physical aspects of the data warehouse, including physical design, performance and maintenance activities, including backup and recovery;
    - Administering access control, creating and maintaining database users, controlling users' powers/rights and managing database controls;
    - Ensuring that usernames and passwords are encrypted properly;
    - Administering and managing standby servers;
    - Managing the configuration of application clustering.

    Also responsible for performing whatever job is assigned by the authority.

    6. Branch Banking Operations and Management.

    A. IT Operation Manager.

    They are responsible for -

    - Managing and maintaining the physical aspects of the information technology setup, including servers, personal computers and other peripherals;
    - Managing and maintaining the physical aspects of the computer Local Area Network (LAN), including the physical design of the LAN, the power supply system, and performance and maintenance activities;
    - Managing and maintaining media kits for system software, application software and utility software, including banking application software;
    - Maintaining the multi-user system and exercising control over the information on the system;
    - Administering access control, creating and maintaining system users, controlling users' powers/rights and managing system controls;
    - Ensuring timely backup of data and managing backup media for onsite and offsite preservation;
    - Ensuring that usernames and passwords are encrypted properly;
    - Maintaining an inventory of computer hardware and software, including licenses, ancillary documents, reports and registers.

    Also responsible for performing whatever job is assigned by the competent authority.

    B. Second Passing Officer/ Verification Officer.

    They are responsible for -

    - Ensuring customer service over the counter for banking purposes;
    - Ensuring verification of the customer's digital specimen signature online, or otherwise if online verification fails, before payment;
    - Ensuring that cash payments made by the teller over the counter are within their business power/limit and observe the rules and regulations;
    - Ensuring authentication of fund transfers from and to accounts within the bank;
    - Ensuring transaction entry into the respective modules of the banking application software for processing;
    - Managing the generation of statements and reports relating to customers' accounts for the use of the customers or for the purposes of the bank.

    Also responsible for performing whatever job is assigned by the competent authority.

    C. Senior Teller/ Teller.

    They are responsible for -

    - Serving customers over the counter for banking purposes;
    - Receiving cash from customers over the counter against proper authentication and observing the rules and regulations;
    - Ensuring verification of the customer's digital specimen signature online, or otherwise if online verification fails, before payment;
    - Making cash payments to customers over the counter within their business power/limit after observing the rules and regulations;
    - Transferring funds from and to accounts within the bank;
    - Ensuring transaction entry into the respective modules of the banking application software for processing;
    - Holding keys of the safe vault with appropriate formalities;
    - Holding cash in hand, cash at the counter and cash in the vault overnight.

    Also responsible for performing whatever job is assigned by the competent authority.

    GLOSSARY OF TERMS

    A term is listed in this Glossary only if it is used in this document with a connotation different from normal usage.

    Access Control: Functions that limit access to information or information processing resources to persons or applications. Physical access controls are those based on placing physical barriers between unauthorized persons and the information resource being protected. Logical access controls are those which employ other means.

    Alarm: Indication of an unusual or dangerous condition or security violation which may require immediate attention.

    Application: Task or set of tasks to be accomplished by the information processing system.

    Audit: Function that seeks to validate that controls are in place and adequate for their purposes, and to report inadequacies to the appropriate levels of management.

    Audit Trail: Collection of records from an information processing facility indicating the occurrence of certain actions, used to determine whether unauthorized use or attempted use of the facilities has taken place.

    Authentication: Process that seeks to validate identity or to prove the integrity of the information.

    Authentication Token: Device that performs dynamic authentication.

    Backup: The saving of business information on appropriate media to assure business continuity in case of loss of resources at the production site.

    Classification: Scheme that separates information into categories so that appropriate controls may be applied. Separation may be by type of information, criticality, fraud potential or sensitivity.

    Code: Software instructions such as object code (the instructions the computer executes) or source code (the instructions the programmer writes); a system of principles or rules such as fire codes or building codes; or the result of a cryptographic process such as a message authentication code.

    Competent Authority: A designated official assigned to perform a specific job by the authority.

    Contingency Plan: Procedure which, when followed, allows an organization to resume operations after natural or other disasters.

    Control: Measure taken to assure the integrity and quality of a process.

    Criticality