Information Security And Risk Management For Banks In India


    Information Security And Risk Management For Banks In India - Presentation Transcript

    1. “INFORMATION SECURITY RISK MANAGEMENT IN BANKS” Presented to TASMAC & University of Wales on 9th February, 2007 by KAUSTUBH D. GONDHALEKAR WM/JO5/004 MBA III (Information Management Specialisation) Total Number of Words: 19,897
    2. DECLARATION This work has not previously been accepted in substance for any degree and is not being concurrently submitted in candidature for any degree. Signed___________________________________________ (candidate) Date ____________________________________________ STATEMENT 1 This dissertation is being submitted in partial fulfillment of the requirements for the degree of _________________________________________ (i.e. MA, MSc, MBA etc.) Signed____________________________________________ Date _____________________________________________ STATEMENT 2 This dissertation is the result of my own independent work and investigation, except where otherwise stated. Other sources are acknowledged by footnotes giving explicit references. A bibliography is appended. Signed____________________________________________ Date _____________________________________________ STATEMENT 3 I hereby give consent for my dissertation, if accepted, to be available for photocopying and for inter-library loan, and for the title and summary to be made available to outside organizations. Signed____________________________________________ Date _____________________________________________
    3. TABLE OF CONTENTS
    DECLARATION
    LIST OF TABLES
    LIST OF FIGURES
    EXECUTIVE SUMMARY
    CHAPTER 1 – INTRODUCTION
      1.1 Background
      1.2 Purpose Of The Study
      1.3 Importance Of The Study
      1.4 Statement Of The Problem
      1.5 Research Questions
      1.6 Hypotheses
      1.7 Research Methodology
      1.8 Limitations
      1.9 Overview of the Study
    CHAPTER 2 – LITERATURE REVIEW
      2.1 History of Information Security and Risk Management
      2.2 Scope of IS
      2.3 How is IS applicable in Banks
      2.4 The IS Scenario in India
      2.5 Understanding Information Security (IS)
      2.6 Spending Patterns (Technologically and Financially)
      2.7 CTO / CIO’s view point
    4.   2.8 Summary
    CHAPTER 3 – METHODOLOGY
      3.1 Introduction
      3.2 Research Questions and Research Hypotheses
      3.3 Data Collection / Collected
      3.4 Location of the Data
      3.5 Pilot Test
      3.6 Method of Inquiry
      3.7 Analysis performed on the data
      3.8 Summary
    CHAPTER 4 – ANALYSIS
      4.1 Introduction
      4.2 Key Findings
      4.3 Detailed Survey Results
    CHAPTER 5 – CONCLUSION
      5.1 General Password Guidelines
      5.2 Password Protection
      5.3 Changing Passwords
      5.4 Security Breach Examples
      5.5 Bank Procedures
      5.6 Downloading Software
      5.7 Laptop Security
      5.8 Fax Machines
      5.9 Internet Security Concerns
    5.   5.10 Physical Security
      5.11 Monitoring and Inspections
    CHAPTER 6 – BIBLIOGRAPHY
    Appendix I
    Appendix II
    Appendix III
    Appendix IV
    6. List of Figures
    CHAPTER 1 – INTRODUCTION
      1.3 Figure No. 1 – IS Risks
    CHAPTER 2 – LITERATURE REVIEW
      2.2 Figure No. 2: Security Management process
      2.3 Figure No. 3: Occupations of Computer Crime Defendants
      2.3 Figure No. 4: Types of Computer Crimes
      2.3 Figure No. 5: Average Computer Crime Losses
      2.3 Figure No. 6: Victims of Computer Crimes
      2.3 Figure No. 7: Computer Crime Cases in Courts
      2.3 Figure No. 8: TCO Analysis
      2.6 Figure No. 9: IT Spending Patterns
    CHAPTER 3 – METHODOLOGY
      3.3 Figure No. 10: Selection of Data Collection Method
    CHAPTER 4 – ANALYSIS
      4.3 Figure No. 11: Respondents based on the type of organisation
      4.3 Figure No. 12: Respondents based on the location of the organisation
      4.3 Figure No. 13: Respondents by Job Description
      4.3 Figure No. 14: IT spending as a part of budget
      4.3 Figure No. 15: Percentage of IS functions outsourced
      4.3 Figure No. 16: Risk Mitigation Policies
    7.   4.3 Figure No. 17: Unauthorised access in the recent past
      4.3 Figure No. 18: Security Technologies used
      4.3 Figure No. 19: Security Audits
      4.3 Figure No. 19: IS Awareness Training
      4.3 Figure No. 20: Critical Issues
      4.3 Figure No. 21: Responses based on the Age Groups
      4.3 Figure No. 22: Respondents based on Income group
    CHAPTER 5 – CONCLUSION
      5.1 Figure No. 23: Suspicious Activity Investigation Report
      5.1 Figure No. 23: ATM / Debit card Fraud Claim Format
    8. List of Tables
    CHAPTER 2 – LITERATURE REVIEW
      2.3 Table No. 1: Types of Attacks
      2.7 Table No. 2: Risk Mitigation Strategy
    9. Executive Summary The Environmental Challenges Most organisations recognize the critical role that information technology (IT) plays in supporting their business objectives. But today's highly connected IT infrastructures exist in an environment that is increasingly hostile—attacks are being mounted with increasing frequency and are demanding ever shorter reaction times. Often, organisations are unable to react to new security threats before their business is impacted. Managing the security of their infrastructures—and the business value that those infrastructures deliver—has become a primary concern for IT departments. Furthermore, new legislation that stems from privacy concerns, financial obligations, and corporate governance is forcing organisations to manage their IT infrastructures more closely and effectively than in the past. Many government agencies and organisations that do business with those agencies are mandated by law to maintain a minimum level of security oversight. Failure to proactively manage security may put executives and whole organisations at risk due to breaches in fiduciary and legal responsibilities. A Better Way The holistic roadmap to security risk management provides a proactive approach that can assist organisations of all sizes with their response to the requirements presented by these environmental and legal challenges. A formal security risk management process enables enterprises to operate in the most cost efficient manner with a known and acceptable level of business risk. It also gives organisations a consistent, clear path to organise and prioritise limited resources in order to manage risk. The benefits of using security risk management would be realised when the cost-effective controls that lower risk to an acceptable level are implemented. The definition of acceptable risk, and the approach to manage risk, varies for every organisation. 
There is no right or wrong answer; there are many risk management models in use today. Each model has tradeoffs that balance accuracy, resources, time, complexity, and subjectivity. Investing in a risk management process—with a solid framework and clearly defined roles and responsibilities—prepares the organisation to
    10. articulate priorities, plan to mitigate threats, and address the next threat or vulnerability to the business. Additionally, an effective risk management program will help the organisation to make significant progress toward meeting new legislative requirements. During a risk assessment process, qualitative steps identify the most important risks quickly. A quantitative process based on carefully defined roles and responsibilities follows next. Together, the qualitative and quantitative steps in the risk assessment process provide the basis on which you can make solid decisions about risk and mitigation, following an intelligent business process. Critical Success Factors There are many keys to successful implementation of a security risk management program throughout an organization. First, security risk management will fail without executive support and commitment. When security risk management is led from the top, organizations can articulate security in terms of value to the business. Next, a clear definition of roles and responsibilities is fundamental to success. The Information Security Group owns identifying the probability that the risk will occur by taking current and proposed controls into account. The Information Technology group is responsible for implementing controls that the Security Steering Committee has selected when the probability of an exploit presents an unacceptable risk. Investing in a security risk management program—with a solid, achievable process and defined roles and responsibilities—prepares an organization to articulate priorities, plan to mitigate threats, and address critical business threats and vulnerabilities.
    13. CHAPTER 1 INTRODUCTION
    1.1 Background
    Information is an asset that, like other important business assets, is essential to an organisation’s business and therefore needs to be updated regularly and suitably protected. Since most businesses in the present and recent past have been electronically connected in networks, IS and its management play a major role. As a result of this existing and ever-increasing interconnectivity, information is now exposed to a growing number and a wide variety of threats and vulnerabilities. Businesses are vulnerable to various kinds of information risks inflicting varied damage and resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centers or facilities. To control IS risks, management needs to anticipate and be aware of the potential threats, risks and resultant losses and accordingly deploy the necessary controls across the environment. IS is the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise the return on investment (ROI), thereby extending business opportunities. “Security is like oxygen; when you have it, you take it for granted, but when you don’t, getting it becomes the immediate and pressing priority” ----- Joseph Nye, Harvard University. An IS Risk can be defined as any activity or event which threatens the achievement of identified business objectives by compromising the ‘Confidentiality’, ‘Integrity’ or ‘Availability’ of business information1. 1: NASSCOM – KPMG IS GUIDE BOOK - http://www.nasscom.org/download/Nasscom_Cover.pdf Access date: January 07, 2006.
    14. Due to the advent of the Internet era, it is essential for organisations to observe, review and analyse their electronic systems, so that any malicious activity which occurs becomes predictable. Keeping this in mind, ‘IS Risk Management’ in large corporations such as Banks is essential, since they are reliant on Information Technology (IT) and IT systems for the processing, storage and transmission of company and customer data. As a consequence, in the event of an IT system failure, whether through a malicious act or a technical fault resulting in system outage or information loss, it would not be feasible to use manual processing as an alternative or solution to the problem. There are also a number of security issues surrounding IS: for example, the increased mobility of banks has resulted in remote access over wireless links and through the Internet, so access to a bank’s information assets is no longer limited to its internal employees working from a fixed, known location or environment. The computers and hardware may be valued in thousands of dollars; however, the information they contain as data could be worth far more. There is probably not a business owner out there who doesn’t check with some regularity that the locks intended to keep intruders off the premises are doing their job. But owners of small and medium-size businesses tend to be much less vigilant when it comes to IS Management, even though the potential risks of an IS breach can be far more staggering than those posed by a burglar. Destructive viruses, worms and hackers don’t discriminate by the size of an organisation. Data loss, lost productivity, decreased profits, opportunity costs, privacy concerns and corporate liability are some of the areas where companies are vulnerable. Publicly held companies have an additional accountability for the integrity of their financial reporting data and systems under laws and acts such as the Sarbanes-Oxley Act.
    15. 1.2 Purpose of the Study
    IS is a continual imperative for banks, as vulnerabilities in IS / Information Availability are continuously being exploited in new ways. The security of new technologies and channels, e.g. e-commerce, online banking and debit cards, needs particular focus. This becomes even more essential in the light of the increase in fraud-related losses in these areas, alongside the risks of existing technologies and manual transaction processing. Banks have always been, and remain, one of the most important targets for hackers, crackers and cyber criminals, as an IS breach may lead to potential losses. These losses may lead to a downfall of the banking industry and thus have an impact on the economy. The actual losses on account of IS issues are difficult to estimate. However, the 639 companies that responded to the 2005 CSI/FBI Computer Crime and Security Survey reported total losses of $130 million, with viruses, unauthorised access and theft of proprietary information accounting for 80% of it. Given the risks, IS should be a top priority of any organisation, and not just for its IT department. That’s where a formal IS Management Program comes in.
    16. Case Study: Newspaper clipping – Banks notify customers of data theft.2
    Placed below is a news item that appeared in the money and business section of the website http://home.netscape.com. The summary of the news item is presented below:
    Summary:
    • More than 100,000 customers of Wachovia Corp. and Bank of America Corp. have been notified that their financial records may have been stolen by bank employees and sold to collection agencies.
    • So far, Bank of America has alerted about 60,000 customers whose names were discovered by police, while Wachovia has identified 48,000 current and former account holders whose accounts may have been breached.
    • Both banks are providing the affected customers with free credit reporting services.
    • In a separate case with a potential for identity theft, a laptop containing the names and Social Security numbers of 16,500 current and former MCI Inc. employees was stolen last month from the car of an MCI financial analyst. MCI would not comment on whether the data was encrypted.
    • The bank record theft was exposed last month when police in Hackensack, N.J., charged 9 people, including 7 bank workers, in an alleged plot to steal the financial records of thousands of bank customers.
    Money and Business: http://channels.netscape.com/ns/pf/story.jsp?floc. Access Date: July 07, 2006.
    1.3 Importance of the Study
    All organisations today face a certain level of security risk. In fact, the deployment of technologies such as ‘Intrusion Detection and Monitoring’ acknowledges that a certain level of suspicious or malicious activity is likely to get through. It also acknowledges that there are internal threats (maybe from disgruntled employees, or simply human error) which have to be countered with skill and imagination.
    17. It is important to recognise that all organisations accept some level of risk. Risk is, after all, a trade-off between the amount of money you are willing to spend on countermeasures and the perceived level of threat and vulnerability to the estimated value of your assets. The important thing is that risk is identified and either a) mitigated, b) transferred, c) insured, or d) clearly documented as a risk acceptance.
    Figure No. 1 – IS Risks
    2: http://channels.netscape.com/ns/pf/story.jsp? Access date: March 20, 2006.
    18. Security risk is also heavily influenced by time. For example, if a new virus is released for which no patch is available, then the rate of infection is critical. All organisations are subject to security threats, as these expose their vulnerabilities. The level of threat increases significantly with factors such as the need to do business over the Internet, the profile of the organisation, and the value of its assets. High-profile corporations are under constant threat because of the possible infamy associated with security breaches. Some of the key threats to organisations include:
    • Viruses, Trojans and Worms
    • Phishing
    • Pharming
    • Email SPAM
    • Web Site Defacements
    • Denial of Service Attacks (DoS)
    • Spoofing
    • Identity theft
    • War walking, War driving, etc. (Wireless Network Threats)
    • Theft of information (e.g. credit card details, source code, biotechnology secrets), etc.
    Hence, this study may prove important and extremely significant, as it would provide better insights with regard to updating security personnel. This would definitely enable them to handle any kind of security issue at any given point of time.
    19. 1.4 Statement of the Problem
    Based on the problem definition, the objectives of the research will be:
    • To identify and examine the current IS landscape prevailing in various Banks.
    • To identify the information risks and security concerns threatening the Banks.
    • To determine the loss of revenue because of information loss due to various reasons such as virus attacks, unauthorised access, theft, pilferage, security breach or calamity / disaster.
    • To determine the cost of the IRSMS implementation.
    1.5 Research Questions
    The research will address questions such as:
    • What are the information risks and security threats involved in the Banks?
    • What benefits will be derived by implementing these systems in the existing scenario?
    • What should be the ideal characteristics of the IRSMS?
    • What functions in security and risk management must be accomplished by an IRSMS to support Banks?
    • What would be the Total Cost of Ownership (TCO) for the institution?
    1.6 Hypotheses
    • The security policies in the same organisation (Bank) may differ based on the geographic location.
    • Many Banks prefer accepting the security risk rather than mitigating, transferring or avoiding it.
    • IRSMS policies show wide variations across all types of financial institutions (here the type of bank would be considered, i.e. Apex / Public
    20. Sector Commercial / Private Commercial / Co-operative / Foreign bank).
    1.7 Research Methodology
    The method of inquiry involved both primary and secondary data collection. The questionnaire was prepared taking into account the need for qualitative as well as quantitative analysis. Primary data collection was done by inviting responses, by means of a questionnaire, from IS Officers / IT Officers, Certified Information Systems Auditors, Certified Information Systems Managers, Compliance Officers, etc., with a minimum of 1-3 years of experience in the ‘IS Risk Management’ field. Secondary data was gathered from various published sources, authentic journals, past research papers, newspapers, magazines and articles.
    1.8 Limitations
    • The findings are based entirely upon research conducted in India and hence may not be applicable to other countries of the world on account of technological diversity and contextual forces.
    • This kind of research needs to be done periodically to gauge the authenticity of the security risk management program designed in an organisation such as a bank, due to the constantly changing technology and its vulnerabilities.
    • To prove the hypothesis “The security policies in the same organisation (Bank) may differ based on the geographic location”, the research may not have considered several banks of similar type. It may be limited to the same bank at different locations.
    • The research may not be able to provide the exact financial figures or the financial impact due to the occurrence of IS Threats and the Risk that follows, because of the reputation risk involved. The respondents might not provide complete or authentic information, or might provide only partial information, regarding the questions posed for the survey.
    21. 1.9 Overview of the Paper
    An introduction to the topic of research, “IS Risk Management”, is provided in Chapter 1. The introduction focuses on aspects such as:
    • Background of the Research Study,
    • Purpose and Importance of the Study,
    • Problem Statement,
    • Research Questions with Certain Assumptions,
    • Research Methodology.
    It also throws light on the limitations of the research study. In the Literature Review, the research provides a close look and feel of similar incidents in the past and the present amongst various banks across the country and the globe. The basic intention of this academic report is to spread awareness regarding IS Threats and the Risk which follows them. The researcher has tried to collect several examples from within the country and across the globe which are on similar lines. Chapter 3 is dedicated to the methodology of the research. It points to the sources of data and information collection: surveys, questionnaires, personal interviews, authentic articles on the web, magazines, etc. This chapter revisits the research questions, research hypotheses, etc. mentioned in Chapter 1. It also highlights the method of inquiry and the method of analysis applied once the data is collected. Chapter 4 illustrates the analysis performed on the data to obtain the desired results. The analysis also throws more light on the key findings which I came across while performing the analysis. Chapter 5 provides the overall findings and the conclusions based on the survey, the analysis and also the management perspective. This chapter also mentions what needs to be done in order to prevent IS Threats from recurring and the steps taken to prevent them. In fact, these steps need to be incorporated in the initial procedures of both personnel management, and sourcing and change management decisions. The bottom line being “Prevention is always better than cure”.
    22. CHAPTER 2 LITERATURE REVIEW
    Introduction
    This chapter provides further insights regarding the traditional definition of IS and Risk Management along with its historical background. It also sheds light on the makeover, or phase shift, which has occurred in the field of IT. The chapter also defines the scope of Information Systems and IS. The literature review shows how IS and Risk Management are applicable to banks, and why it is essential to take responsibility and subdue the threats causing financial losses to the business sector as well as to the national and world economies. In order to achieve this, it becomes even more important to understand what kinds of attacks are possible and the manner in which they should be dealt with. Due to scope and other constraints, this academic research is unable to throw light on all the threats or mention the remedies for them. Even so, a wide range of threats is mentioned below with some actual facts. The literature review also attempts to focus on the computer frauds that have occurred and their repercussions. It also points out the reason why computer crimes are difficult to prove in a court of law. The types of computer crimes, their impacts or effects and the victims are explained in the review. The review also focuses on drawing the reader’s attention to an understanding of IS at length. The focus area for all organisations, including banks, is the IT spending pattern, which is also considered and explained in the review.
    23. 2.1 History of IS and Risk Management
    • IS Management – A Concept
    IS Management is the process used to identify and understand risks to the Confidentiality, Integrity, and Availability of Information and Information Systems.
    • Phase Shift of IS
    The role of IS has changed during the past few years. ‘The traditional definition of protecting networks and datacenters has undergone a shift in focus, resulting in the enablement of businesses with security solutions actually moving the business forward, or even to the next step. Security is now a way of life and a must-do for businesses in order to survive. Hence, it has become obvious that wherever the information goes, security follows.’ No longer can IS be an afterthought. An increased need for efficiency and productivity, reducing costs, reaching multiple markets and faster time-to-market are a few of the business benefits which are driving organisations to make IS a part of the organisational DNA.
    24. 2.2 Scope of IS
    “IS Management defines the controls we must implement to ensure we sensibly manage computer related risk”3. Not just technology, but people and processes too – “defense in depth”. It is an ongoing, continuous activity: you don’t just “do” security as a one-off event.
    Figure No. 2: Security Management process (© Source: Deloitte Touche Tohmatsu)
    IS is the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities.
    3: Driving an IS Program in the Tertiary Environment; www.auckland.ac.nz/security; access date: November 28, 2005.
    4: http://www.keyitsolutions.com/information_security_management.htm ; access date: November 28, 2005
    25. A basic IS model should encompass Confidentiality, Integrity and Availability; however, there are also additions such as Accountability and Auditability.2 In other words, “The objective and focus of IS Management is to protect and manage the Information assets”.
    2.3 How is IS Applicable to Banks?
    “IS is definitely a journey, not a destination – there are always new challenges to meet.” -- Chief IS officer at a major financial services corporation
    Banking institutions have become ‘critical centers of gravity’. A collapse in a banking institution can lead to a collapse in the banking sector and cause a huge setback to the economy of the nation, which would also concern the world at large. This makes them more attractive targets for potential adversaries. Potential adversaries could be either malicious or non-malicious. Among the malicious adversaries would be hackers (including phreakers, crackers, trashers and pirates), terrorists / cyber terrorists, organised crime, other criminal elements, competitors and disgruntled employees. On the other hand, careless or poorly trained employees would be non-malicious adversaries who, either through lack of training, lack of concern, or lack of attentiveness, pose a threat to the Information Systems. Adversaries would employ attack techniques that could be classified as passive, active, insider, close-in or distribution attacks. Some of them are explained below. ‘Passive attacks’ involve passive monitoring of communications sent over public media and include monitoring plaintext, decrypting weakly encrypted traffic, password sniffing and traffic analysis.
    5: Source: http://www.securesynergy.com/library/artcles/125-2003.php;
    6: Defining Information Threats, Felix Mohan, CEO - Secure synergy; access date: May 05, 2006.
    26. Active attacks would include attempts to:
    Serial No.  Type of attack
    1   Circumvent or break security features
    2   Introduce malicious code (such as computer viruses, trojans or worms)
    3   Subvert data or system integrity
    4   Modify data in transit
    5   Replay (insertion of data)
    6   Hijack sessions
    7   Masquerade as an authorised user
    8   Exploit vulnerabilities in software that runs with system privileges
    9   Exploit network trust
    10  Set in denial of service
    Table No.1: Type of Attacks
    In ‘Close-in attacks’ an unauthorised individual gains close physical proximity to the networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information. Gaining such proximity is accomplished through surreptitious entry, open access, or both. Close-in attacks include modification of data, information gathering, system tampering, and physical destruction of the local system. A person who is either authorised to be within the physical boundaries of the IS processing system or has direct access to it can be responsible for ‘Insider attacks’. Insider attacks are usually difficult to detect and to defend against. ‘Distribution attacks’ maliciously modify hardware or software between the time of its production by a developer and its installation, or while it is in transit from one site to another. The risks of serious IS failures are all around us. Breaches such as teenage hackers and e-mail viruses, which were once a nuisance only for information technology professionals, now pose a significant risk for executives and can
27. threaten intellectual property and brand equity. Each new lapse in security, highlighted by glaring media coverage, amplifies consumer awareness and concern. The disclosure by MasterCard that 40 million of its credit and debit card account details had been exposed is yet another indication of the scale of the problem. Certainly, the growing fear of identity theft is a matter of concern for executives in industries that interact directly with consumers. A recent survey conducted in conjunction with the Merchant Risk Council in the US revealed that over 90 per cent of retailers agreed that consumers make purchasing or transaction decisions based on their trust in the company’s ability to secure their data. Also, almost 90 per cent felt that IS is or will become a point of competition in the retail sector. IS is not just an issue for retailers and banks – all companies face new risks, ranging from industrial espionage to sabotage. Compounding these concerns, compliance fears generated by Sarbanes-Oxley and the forthcoming Basel II accord have fostered an environment of risk aversion inside many organisations. Of course, there are plenty of risks to fear. The process of opening companies to the internet has exposed a multitude of software vulnerabilities, especially as many older systems were not developed with security in mind. Building stronger walls around enterprise systems can help to keep out some unwanted visitors, but those clever invaders or disloyal insiders who find their way into the fortress discover a treasure trove of information once they have gained access. To make matters worse, many risks lie deeply hidden within the extended enterprise. While most large companies have taken significant action to beef up their own internal security, their smaller partners often harbour risks that expose the entire enterprise to vulnerability.
Every day, business partners take unseen risks and, when partners experience security failures, the impact is just as devastating. In the case of MasterCard, the loss arose out of a security breach at Card Systems Solutions – a small, private payment processor with only about 100 employees. Card Systems quickly felt the pain of the mistake as both Visa and American Express promptly withdrew their business, pushing Card Systems into a
    28. financial crisis. Yet the fact that the problem was not within Visa or MasterCard made little difference to consumers, who rightly saw the problem as the responsibility of the credit card companies. The escalation of security breaches and the painful surprise many executives feel when a failure occurs in their business have brewed a culture of fear within many organisations. Vendors within the security industry have quickly capitalised on this fear along with the confusion around new compliance measures, such as Sarbanes-Oxley. But before tossing money at a cure in the hope that it will eliminate these new risks, managers should first work to incorporate information risk into an overall enterprise risk management strategy. Like any other risk within the company, security risks must be identified and balanced against the benefits and costs of mitigation. Unfortunately, in contrast to many other business risks, the discussion about IS risk has focused solely on the negative experiences. Of course, no one likes a bad outcome. A hurricane, like a security failure that exposes sensitive customer information, results in damage and cost. However, in other areas of business, risk is associated with return – higher risks yield higher returns. This is also true for IS risk. Very often, IT risks arise from sloppiness or corner-cutting, such as the failure to follow best software development practice or to test and audit new systems. In some instances, this notion is true. However, many IT risks occur within the context of a larger business strategy with associated rewards. 
For example:
• Working with a small innovative start-up company whose promising software solution could generate significant returns, but could also harbour the associated risk of the small company’s IT environment
• Starting or acquiring operations in low-cost countries where the infrastructure is less secure
• Outsourcing business processes to suppliers with lower-cost structures but unknown or hard-to-monitor security practices
29. • Exposing internal business data to customers and partners to help with the creation of new services or to reduce operating costs.

All of these create security risk, even with the best practices. Becoming aware of the risks is just the first step in building an effective management strategy. In our survey of retailers, over 85 per cent said that the level of IS offered by their suppliers was important to them. Yet we find that companies in each industry are struggling to develop effective ways to measure and manage security risks across their extended enterprise. A simple way to reduce security risk is to limit business innovation – to avoid partnering, pull systems offline and lock down the fort. This is a serious mistake. Instead, risk should be balanced with reward. Embedding IT risk into your overall enterprise risk management strategy implies establishing a risk posture that does not seek to eliminate security risk, but rather manages it. The key is first to understand the vulnerabilities, threats and consequences. Vulnerabilities are weaknesses that can be exploited by malicious individuals or organisations. Examples include poorly maintained software (such as failing to patch known security holes), poor security practices (such as inadequate password and identity management), or the exposure to the internet of older systems whose security posture is unknown. Given these vulnerabilities, what are the threats? Are there outsiders who are motivated and capable of exploiting the vulnerability? Or are there insiders who may be tempted to steal intellectual property? Finally, if security were breached, what would the consequences be? Would they be primarily observed internally, or would they impact external groups such as customers or business partners? Internal failures, like viruses, generate real operational costs for the IT department but rarely put the company into a catastrophic tailspin.
On the other hand, external failures, such as a breach of customer information, can be much more painful, warranting far greater attention. To manage risk in the most effective way possible, companies should include IS in the broader perspective of business risk management, where the board of directors governs the company’s
30. overall risk posture. This same perspective must also be applied to business partners. For many companies, measuring supplier risk will require new tools for supplier security qualification. Like the tools used to assess a supplier’s product quality, supply chain reliability or long-term financial viability, suppliers should be qualified using a technical assessment of security and an assessment of the supplier’s information risk management practices. The risks of working with a new partner can then be balanced against the benefit that the partner delivers. Most importantly, managing information risk is everyone’s responsibility – not simply the job of IT executives. Rather than viewing IT executives as security guards, technology-savvy executives – from corporate directors to line managers – should act as consultants to the entire organisation. CIOs with strong business and technical skills are uniquely qualified to help educate the organisation and chart a course to bring IT risk into the overall risk management strategy. Bringing IT into the enterprise risk management strategy will not only protect against catastrophic operational surprises, but will empower managers to seize the exciting opportunities before them. Computers have been in existence in European and American countries for a long time. Consequently, frauds associated with the computer environment have also been in existence for a long time. The American Institute of Certified Public Accountants (AICPA) was commissioned to conduct a study of EDP-related frauds in the banking and insurance sectors.
The study, Report on the Study of EDP-Related Fraud in the Banking and Insurance Industries, revealed many shocking findings, the more significant of which are:
• In some cases, fraud occurred during the normal transaction processing cycle;
• Many took advantage of weaknesses in the system of internal controls;
• Most frauds were in the input area;
• Input was either unauthorised, or proper input was manipulated;
• File maintenance was a common method;
31. • Manipulation involved extending due dates on loans and / or changing names and addresses;
• Losses from reported cases worked out to several million US dollars;
• In all cases, the perpetrators were employees.

Donn B. Parker, Senior Management Systems Consultant and Researcher on computer crime and security, in a report for the National Institute of Justice, US Department of Justice, identified 17 crime techniques, the more significant of which are:
• Eavesdropping or Spying: This involves wire-tapping and monitoring radio frequency emissions.
• Scanning: This presents sequentially changing information to an automated system in order to identify those items that receive a positive response, such as:
  • Telephone numbers
  • User IDs
  • Passwords
  • Credit card numbers
• Masquerading: In this, the perpetrator assumes the identity of an authorised computer user.
• Piggy-backing: This can occur when a user signs off or a session terminates improperly, leaving the terminal in an active state, or in a state where the system assumes that the user is still active.
• Data Diddling: This involves changing data before or during its input into the computer.
• Trojan horse: This is the covert placement or alteration of computer instructions or data in a program so that the computer performs unauthorised functions. It is the primary method for inserting abusive acts, as in salami techniques.
32. • Logic Bomb: This is a set of program instructions inserted without authorisation into a regular program so that an unauthorised or malicious act is performed at a predetermined time.
• Data Leakage: This involves the removal of data from a computer system or facility.

The National Center for Computer Crime Data, a Los Angeles-based research organisation, has been providing information on computer crimes. Its statistics relate to:
• Average computer crime losses;
• Victims of computer crimes;
• Occupations of computer crime defendants;
• Types of computer crime;
• Computer crime cases in courts.
33. Figure No. 3: Occupations of Computer Crime Defendants (bar chart; x-axis: Sources of Crimes, y-axis: No. of Cases; categories shown: Ex-employees of Victims, Unemployed or Computer Criminals, Employees (Acc. To Comp.), Miscellaneous, Law Enforcers, Students, Professionals, Accomplices; bar values shown: 26, 26, 19, 10, 6, 6, 6, 1)
34. Figure No. 4: Types of Computer Crimes (chart; categories shown: Damage to Information, Theft of Software, Extortion, Harassment, Alteration of Data, Theft of Services, Damage to Hardware, Theft of Money)

It was seen that computer crime losses were very high, with theft of services and money contributing the maximum. Commercial users topped the list of computer crime victims.

Figure No. 5: Average Computer Crime Losses (bar chart in US dollars; categories shown: Theft of Money, Theft of Program / Data, Damage to System / Data; bar values shown: $93,600, $55,166, $10,517)
35. Figure No. 6: Victims of Computer Crimes (bar chart, % of cases; categories shown: Banks, Miscellaneous, Individuals, Commercial Users, Universities, Government, Telecommunications; bar values shown: 36, 17, 17, 12, 12, 4, 2)

Technology improvements provide greater sophistication for users. However, they also create significant security and control concerns. It is also of great concern that a computer criminal is less likely to be caught than a bank robber. Parker conducted two studies in 1976, on general bank frauds and embezzlement and on computer bank frauds and embezzlement respectively. The two studies revealed that average losses from computer bank frauds and embezzlement were approximately six times higher than those from general bank frauds.

• Computer crimes in India
In India, although computers made an entry much later, we are catching up fast in the area of computer frauds too. However, most of the crimes do not get reported, as organisations are hesitant to file a report because it might affect their credibility.
36. Figure No. 7: Computer Crime Cases in Courts (pie chart: Pleaded Guilty 76%, Found Guilty 16%, Found Not Guilty 8%)

A few of the reported cases in the press are mentioned below:
• The Hindu, on March 7, 1996, carried a report, ‘Quantum jump in the number of bank frauds’, according to which Mr. R. Janakiraman, former deputy governor, Reserve Bank of India, while addressing a session on frauds in banks and other financial institutions – prevention and detection, organised by the Institute of Criminological Research, Education and Services (ICRES), observed that frauds committed by bank employees in collusion with outsiders accounted for the largest number of frauds, rather than those committed single-handedly either by bank employees or by outsiders.
37. • India Today, in its February 28, 1999 issue, carried a report, ‘High-tech frauds – Thieving with technology’.
• The Economic Times report, ‘Banks feel techno-crime byte’, dated December 19, 1996, mentioned how Sanjay Subharwal and his accomplice cracked the Automatic Teller Machine (ATM) code of his sister-in-law’s account after 99 attempts and siphoned off Rs. 1.52 lakh.
• The Economic Times dated January 12, 1997 stated: “The days of Nagarwallas using VVIP names to withdraw millions from a bank are old hat.”
• India Today, in one of its issues, in a report titled “Hacking New Frontiers”, wrote: “R. Srinivasan’s employers, a stock broking firm in Chennai, were very happy with him and his proficiency in their new computers. He brought in new clients and increased the volume of shares traded. But the company was losing heavily on share transactions. A few months later, the managers found out why: Srinivasan’s ‘clients’ were no more than electronic entities, existing only on the pathways of their computers. Losses: Rs. 50 lakh.” Giving another example, the report says: “No one knew when account no. 20456 became active. The Bank of India’s computer at Mumbai’s Mulund branch only recorded that its owner Ganesh Rao had drawn Rs. 76,700 since February. So when Rao was overdrawing on April 3, they took a second look at him. Before them was Sanjay Rajbhar, a computer professional who ran a network controlling accounts. In a bank that still maintained huge, yellowing ledgers, Rajbhar had found a defunct account and resurrected it with a few key-strokes.”
38. Technology is a strategic resource available at a cost, albeit with an altered risk-benefit matrix. --- Ashok Bhattacharya, General Manager – Technology, State Bank of Mysore.

Technology has become the backbone of human civilisation. Technology, its concepts, gadgets and formulations are matters of common use, spanning the drawing rooms of our residences, the board rooms of corporates and the halls of deliberation at the United Nations (UN). Though technology and its applications have remained the subject of debate from time to time, the contribution of technology in the fields of business, health, education, entertainment, information and communication and, of course, banking is growing day by day. For most of us, it is no longer a question of whether to use technology or not; it is more a question of how to exercise our options in using technology. Which, when and what-if are some of the major questions that banks and the financial services industry have to consider in rolling out technology, maintaining it and upgrading it. Indeed, the strategic use of IT is a vital part of the business intelligence that banks rely upon for growth and viability in the face of competition, and this reliance will be sharpened in the days to come in order to handle Customer Relationship Management (CRM) issues effectively. Public Sector Banks (PSBs), which have large portfolios in terms of business and employment, are in various stages of migrating to new systems. As a matter of fact, this new strategic system may generally be identified with “Core Banking”, aided by ATM networks and other e-processes. Some of the important features of such migration / upgradation are:
• From distributed / stand-alone banking to core banking / anywhere banking.
• Alternative delivery channels like ATMs, Internet Banking, Credit Cards, Smart Cards and Kiosks.
• Cross-selling products like insurance, money market and other financial products.
39. • Use of multimedia, online help and assistance.
• Electronic Fund Transfers (EFT).
• Digitisation of data, online encryption and straight-through processing.
• Business Continuity and Risk Mitigation, including KYC (Know Your Customer) and AML (Anti-Money Laundering) implementation.
• Online trading, settlement, treasury, domestic and cross-border transactions.
• Data Warehousing, MIS and Business Intelligence – Decision Support Systems.
• Intra-bank e-mail systems, which incidentally revolutionised banks’ internal communications, introducing online knowledge repositories, training / applicable instructions / job cards, etc.
• Considering that technology is a risk multiplier both in operations and in business, properly manned systems and a sophisticated disaster recovery process are put in place.

This quantum jump in technology envelops the whole organisational entity, its activities, interfaces and all stakeholders. For a large organisation like a PSB, on the backdrop of which the present article is based, having about 650 retail branches, business transactions exceeding Rs. 30,000 cr. and providing direct employment to about 10,000 persons, automation decisions are size-oriented. The size of operations has a critical bearing on the choice, cost and consequences of IT projects. The general method adopted by PSBs is to make a preliminary survey of actual functional systems in various other banks, appoint consultants, arrive at the desired specifications of the system to be procured and then go for tendering for suitable software / hardware and related services. All PSBs follow the Central Vigilance Commission’s (CVC) guidelines in selecting the final vendor for software, hardware, accessories and maintenance thereof. It may be mentioned here that a precise cost-benefit analysis may not always be feasible, as
40. technological upgradation, new technology, etc. are mostly required to remain in the market and / or to retain market share. Notwithstanding the same, while selecting technology and finalising the roll-out plan, PSBs do take care of the following factors:
• New technology will bring in new risks; accordingly, the cost, benefit and risks of the new technology need to be considered and optimised for maximum productivity.
• The life of technology is becoming shorter and shorter. For this reason banks / financial institutions also need to be ready with resources, and to plough back revenue enhancements, so that systems can be replaced before they become totally obsolete.
• Purchase / hiring agreements and service level agreements must each be legally sound as well as technologically feasible, so that buyers can use the system as they require and vendor failures are avoided.
• At this stage, banks / financial institutions may also finalise the User Acceptance Test (UAT) process that they would like to follow before commercial roll-out of the system at branches / offices. This is very important and must be developed with a professional approach, as otherwise banks will suffer avoidable pangs and costs of customisation in high-risk situations.
• If the system is purchased on a turnkey basis, then the confidence level of such UAT should be very high.
• It would also be pragmatic for the bank to prepare an action plan for converting fixed costs into variable costs, to take full advantage of new technology / upgradation. Suitable steps should be taken to remove the road blocks which prevent such conversion / replacement.

Based on the above components, below are the schematic triangles of concerns that bankers / financial institutions would do well to keep in mind while selecting / rolling out expensive and all-encompassing technologies.
41. Figure No. 8: TCO Analysis

No doubt, the implementation of a new system, say Core Banking Solutions (CBS), now being set up in most banks, will enhance banking services in a visible manner. The customers of a branch now become the customers of the whole bank. Speed and accuracy of transaction processing, money transfers, remittances, and local and national clearing all get enhanced, enabling the bank to handle more transactions with the cost per transaction coming down to a great extent. Thus, CBS coupled with the ATM network, Internet Banking and Real Time Gross Settlement (RTGS) gives the customer the facility of doing business with the bank round the clock without visiting the bank’s branch. Internet Banking is very popular with young clientele, as utility payments, travel arrangements, bill payments and even the purchase of cinema tickets can be done sitting at home or in the office.
42. As RTGS has also been enabled in many commercial bank branches, the reach of the Electronic Funds Transfer System (EFTS) now stands highly enhanced. It is clearly visible that technology is a strategic resource available at a cost, albeit with an altered risk-benefit matrix. As a matter of fact, every upgradation of technology may become a risk multiplier if appropriate risk mitigation steps have not been embedded in the system and provided for in the handling procedure itself. One of the risk areas is “outsourcing”, in which, because of considerations of core competency and cost, all technological inputs, including the hiring of hardware, software and skilled personnel, are outsourced. Business Process Outsourcing (BPO) has become a mantra in most private enterprises, which have high adaptability to new technologies. Even there, appropriate levels of agreement are reached and roadblocks set up to prevent control of the business passing from the hands of management to the hands of the BPO. In commercial banks, outsourcing is mainly done to obtain assistance wherever they lack the core competency to handle highly technical jobs, including troubleshooting of IT systems. Here also, many banks have tried to use in-house people to maintain their systems, but this has mostly resulted in a legacy of problems, creating handicaps for the bank in moving speedily to new technology platforms. Outsourcing of technological services, at least to launch an IT project, is quite common in today’s banking industry. Banks have been asked by regulators to finalise an outsourcing policy so that the risks of outsourcing critical basic applications are managed properly. Further, the salary structures of PSBs also do not permit the employment of highly qualified experts in the area of technology.
Recently, SBI and TCS have joined hands to float a separate company, which presumably will not have such salary and perquisites / constraints and would, therefore, be able to retain the technical experts for a reasonable time. It may also be noted that new technologies invariably give rise to new opportunities, which can be harnessed under the general expression of Business Process Re-engineering (BPR). The CBS, which is
43. operating on a centralised data and information reservoir, has the ability to convert a branch customer into a bank customer and, thereby, make it possible to turn many hitherto distributed banking activities into centralised activities. Banks are coming up with outlets, Centralised Processing Units (CPUs), where all loan processing, renewal and documentation for all branches are done, leaving branches free for marketing and the business of cross-selling. Banks that have rolled out CBS find a grand by-product opportunity to take such B2C initiatives, which have vastly improved credit appraisal, disbursement, documentation, deposit mobilisation, and cheque and customer instruction processing. As an example, previously all cheques in clearing would come to the branches for verification of signature, balances and payment thereof. Now service branches have all this information on the screen itself and cheques need not travel to the branches, thus saving time and ensuring quality. A new technology or new system is highly successful when it meets the following criteria:
• Increase in revenue / volume of business
• Reduction in cost of operations
• Reduction in delivery time for most B2C transactions
• Improvement in general customer service and customer loyalty

Most banks and financial institutions, and even insurance companies, that are using a high level of IT are endeavouring to measure the success of their investment decisions by the actual movement of the above factors. The beneficial impact of modern-day technology has ushered in a new era in the services available to bank customers.
Some such features are: Transacting from any branch; specialised collections, remittances and fund transfers; 24 / 7; banking through ATMs and Internet banking; Automated payments; Automated Standing Instructions (ASIs); Using bank’s Web portals for latest rates, new products and terms; Submission of stock and other statements for loan account customers; with RTGS facility, funds transfer to accounts with other banks has also become possible.
44. While technology (to be more precise, information and Internet technology) has brought in metamorphic changes in the area of banking and financial services, problems do persist in various areas – some are new, some also suffer from an aggregation of risk owing to the change in technology. Having rolled out CBS – the latest in banking technology – in 100% of our branches, along with a network of ATMs, Internet Banking, RTGS, etc., we find many problems which, if handled either before installation or immediately on roll-out, would strengthen the bank’s delivery, customer satisfaction and bottom line. Some such problem areas are as under:
• Biometric Access Control: In spite of decades of full computerisation in banks, even under CBS most banks’ internal access control is based on an individual ID and password. Abuse of this system in a large organisation is well known and difficult to combat; thus, it needs to be replaced by a biometric system – preferably, the ID of each individual employee of the bank should be replaced by his / her fingerprints. It would then be easier to track and eliminate all possible abuses or mistakes.
• UAT: We have mentioned the importance of UAT earlier. It is reiterated that though PSBs know full well their inputs and the required outputs, data for comprehensively testing new systems are not generally available. Banks depend on the vendor’s expertise in these matters, and mistakes are generally rectified through trial and error. In this context, the auditability of systems assumes considerable importance.
• MIS / Data Warehousing: Generally, the CBS available in the market may not come with a full-blown MIS or data warehousing capability. These need to be developed, or the existing ones have to be integrated.
• Input Control / Output Reports: The CBS is a platform mainly for handling Bank to Customer (B2C) transactions. Normally, no problem is envisaged from the transaction to the reporting level in a system which has gone through a proper UAT.
But large banks always find it quite
45. difficult to ensure full accuracy at the input level. Errors of input, mapping and legacy problems at the granular level create data integrity problems.
• Variability of Cost: The success of new technology lies in harnessing its ability to cut down transaction cost, as well as in replacing fixed cost by variable cost. But this is not happening at the required place and time, and often new technology represents an additional cost without any reduction of the fixed cost already existing.
• Captive Users: Some major problems have come up from the fact that banks that have selected and installed new technology have become captive users of the vendors. This problem may be further accentuated in the absence of proper service level agreements.
• Attrition: Many bank staff members who have adopted and quickly mastered new technology may leave the bank for better offers, creating gaps in day-to-day management.
• Service Level Agreements (SLAs): Many of these problems are not insurmountable, but are definitely controllable. With appropriate planning and consultation they can be managed, subject to the existence of appropriate hiring / purchasing / outsourcing agreements and SLAs. A professional arrangement in this area will ensure continuity of the vendor’s stake, which is important.
• Systems and Operation Documentation / Manuals: In the new system, fully developed documentation should be available. Online help generally does not meet the requirements of users. Sometimes these are not available, and vendors themselves suffer from attrition, thus creating a somewhat chaotic situation during the commercial run of the system, which may degenerate unless appropriate control and administration are exercised. Prevention is always better than cure.
46. • B2B / Government Business, etc.: A large part of a bank’s business is treasury management and bank-to-bank transactions, including multi-currency transactions. Some of the PSBs are also entrusted with government business. Most of these core banking systems do not have proper modules where such transactions and transactional MIS can be processed simultaneously. The additional requirements need to be anticipated and negotiated with the vendors at the opportune time. Suitable middleware can be used in this regard.

“India is a software powerhouse. But its IT security practices are pathetic and consumers should beware” --- Sucheta Dalal, Consulting Editor of MONEYLIFE

Last June an employee of Hong Kong Bank in Bangalore was arrested following an investigation into the theft of £230,000 from a British customer’s account. Earlier this month, Channel 4 of London controversially claimed that “credit card data, along with the passport and driving license numbers, are being stolen from call centers in India and sold to the highest bidder”. The Global State of Information Security 2006 survey by www.CSOonline.com says: “Most executives with security responsibilities have made little or no progress in implementing strategic measures that could have prevented many of the security mishaps reported this year. Only 37% of respondents said they have an overall security strategy”. Worse, “a large proportion of security executives admitted they are not in compliance with regulations that specifically dictate security measures their organisation must undertake”, even though the consequences were stiff penalties, including prison sentences, for the executives. The study by CSO, CIO and PricewaterhouseCoopers (PwC) covered 7,791 respondents in 50 countries.
47. While things are pretty bad on the global IT security front, things are worse in India. The study says: “One of the most unsettling findings in this year’s study is the sad state of security in India, by a wide margin the world’s primary locus for IT outsourcing. India lags far behind the rest of the biggest IT powerhouses in the world; these findings should cause considerable concern. Many survey respondents in India admitted to not adhering to the most routine security practices. Extortion, fraud and intellectual property theft that occurred last year were double and even quadruple those of the rest of the world. Nearly one in three Indian organisations suffered some financial loss because of a cyber attack last year, compared with one in five worldwide and one in eight in the United States.” According to CSOonline.com, “The problem is obvious, but right now it’s apparently easier to ignore than to address. Harder to ignore is the constant news of large organisations losing laptops packed with unencrypted personal data on millions of customers. Every report of such incidents should motivate companies to tighten security, but every year the survey indicates that’s not happening.”

2.4 The IS Scenario in India

Banking institutions are getting more and more conscious about IS, taking into consideration the scams that have occurred in the past and continue to occur even today. A flood of new security attacks targeting banking customers over the last twelve months has forced organisations and regulatory bodies to introduce new directives and methodologies, such as the recommended use of two-factor authentication by online banks by the end of 2006. These groups believe that single-factor authentication (the use of a username and password) is now inadequate to protect users against recent internet scams such as Phishing, Pharming and RAT attacks.
By the end of 2006, many Asian online banks will be required to implement the new directives covering two-factor authentication, which relies on something the consumer has, such as a token or smartcard. This would help identify the individual more specifically. Introducing the methodology
48. in a relatively short span of time would be the next big challenge faced by the banks. Banks would also have to ensure that the chosen method is convenient enough for broad consumer adoption while keeping costs down. Banks in India need to be complimented on the inculcation of technology in a large way in their day-to-day operations. In a short span of less than two decades, customers of the banks have felt the positive impact of technological solutions implemented by banks. The customer of a bank has a virtual menu of options as far as delivery channels are concerned, and all these are the benefits of technology, with the most visible benefits in the area of payments for retail transactions. A variety of Cards, Automated Teller Machines (ATMs), Electronic Based Fund Transfers (EFT), Internet Banking and Mobile Banking are some of the latest technology-based payment solutions which have gained wide acceptance in the Indian banking arena. While addressing a critical topic such as technology, which has today become a basic necessity rather than a luxury in the banking sector, the various components which comprise the building blocks on which banking will function tomorrow must be examined. I would, therefore, list some of the major aspects which appear to be the cornerstones of the road that we are paving, so that the highway would ensure free, safe and secure conduct of banking services and business. Technology implementation comes with its attendant requirements too. A few major aspects which need to be reckoned with relate to the • Need for standardization – across hardware, operating systems, system software and application software to facilitate inter-connectivity of systems across branches. • Need for high levels of security – in an environment which requires high levels of confidentiality, IS is an important requirement. 
• Need for a technology plan which has to be periodically monitored and also upgraded consequent upon changes in the technology itself.
49. • Need for business process re-engineering with large-scale usage of computers – the objective is not merely to mechanise activities but to realise the holistic benefits of computerisation for both the customer and the staff at the branches. • Sharing of technology experiences and expertise so as to reap the benefits of technology implementation across a wider community. With technological solutions rapidly evolving, more new products and services may soon become the order of the day. This technology evolution needs to be thoroughly supported by IS practices and procedures in order to avoid an otherwise chaotic situation. Prominent among the attendant challenges is the paradigm shift in the concept of security. With delivery channels for funds-based services, such as the electronic movement of funds between different accounts of customers, relying on technology, the requirements relating to security also need to undergo a metamorphosis at a rapid pace. Various concepts, such as digital signatures, certification, and storage of information in a secure and tamper-proof manner, all assume significance and have to be a futuristic part of the practices and procedures in the day-to-day functioning of the banks of tomorrow. Security requirements have to be provided from a two-pronged perspective - first for the internal requirements of the banks themselves and second relating to the legal precincts of the laws of the land. It is indeed a matter of satisfaction that the ‘INFINET’ (Indian Financial Network) is a safe, secure and efficient communications network for the exclusive use of the banking sector, which provides for inter-bank communication. 7: Extract from the address by Shri V. Leeladhar, Deputy Governor, Reserve Bank of India, at the IT@BFSI-200 Conclave, Bangalore, on June 9, 2005.
    50. The key advantage of ‘INFINET’ is its own security framework in the form of the ‘PUBLIC KEY INFRASTRUCTURE’ (PKI), which is in conformity with the provisions of the Information Technology Act, 2000. Several large financial institutions are now starting to implement two-factor authentication to re-establish trust with their users, fearing that if nothing is done profits will be lost and customer confidence will drop, leading to a loss of brand image in the long run. “At YES BANK, our priority is delivering solutions that take into account present and future customer needs,” said H. Srikrishnan, CIO and Executive Director, YES BANK. “We identified that current and prospective customers have access to a PC with a reliable bandwidth connection, but a key concern was the ability for us to guarantee a high level of security, giving them the confidence to use Internet banking without the worry of fraud or theft. Thus, our priority was addressing this issue and identifying a solution, which would improve customer confidence and provide a reliable and user-friendly experience.” According to recent surveys conducted by various IS organisations, identity theft now looms larger than any other kind of crime worldwide. Currently the IS implementation in banks suffers from deficiencies such as: • A comprehensive Security Risk Assessment is not being conducted before drafting a security policy for the bank. • The Acceptable Usage Policy (AUP) is not communicated to all staff of the bank. • The scope of Information Systems Audit at branches is restricted to checklist audits. • A defined Vulnerability Assessment Policy has not been set out for the data centres of banks. 8: http://www.securitypark.co.uk/article.asp?articleid=25068andCategoryID=1; access date: August 26, 2006
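The two-factor directive described above relies on "something the consumer has", typically a token holding a secret shared with the bank. The following is an added example, not code from the dissertation or from any bank named in it: a time-based one-time-password token (RFC 6238 over RFC 4226 HOTP) together with the bank-side check, including the clock-skew window and a replay guard. The secret is the RFC 6238 test key, used here only so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct

# Constructed example: the shared secret provisioned into the customer's token
# at enrolment. The "something the consumer has" is the device holding this key.
# This value is the RFC 6238 reference test secret, not a real key.
RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


class TokenVerifier:
    """Bank-side verifier for one customer's token.

    Accepts a code from the current time step or from `skew` steps either side
    (clock drift between token and server), and never accepts the same or an
    earlier time step twice, so a code captured by a phisher cannot be replayed.
    """

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.digits = digits
        self.last_accepted = -1   # highest time-step counter already used

    def verify(self, code: str, unix_time: int) -> bool:
        current = int(unix_time) // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_accepted:
                continue                                  # replay or stale window
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):       # constant-time compare
                self.last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TokenVerifier(RFC6238_TEST_SECRET)
    code = totp(RFC6238_TEST_SECRET, 59)                # what the customer's token displays
    print("first use:", verifier.verify(code, 59))      # True
    print("replay:   ", verifier.verify(code, 60))      # False
```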
51. ICICI Bank Phishing scam targets customers in India Phishing is a relatively new phenomenon in India, though the United States, South America and Europe have been reeling under its impact for years now. The new scam mail targets the Indian customer, who is rather soft in terms of awareness of such activities, and follows a contemporary trend in the international online arena. It tells users that a popular bank is updating its online security mechanism, so the user should key in his information on the website that the fake email leads them to! Security Analysts at (name undisclosed), an Internet Security company, warn that a Phishing mail in the name of one of India’s leading banks, ICICI, has been spammed to targeted user groups for the last couple of weeks, aiming at sensitive financial information. The mail reads that ICICI Bank is upgrading to a new SSL Server to insulate customers against online theft and other related criminal activities. Users are told to confirm their personal banking information in response to the mail. It also warns that if the user does not complete the form, the online bank account will be suspended till further notification. Once the user clicks on the link, he is taken to a bogus website that looks identical to the original one, where he is made to part with his account number, password and PIN. Phishing is the cyber form of ‘Identity Theft’ using fake spam emails and fake websites of reputed financial organisations. You receive an email that seems to come from a reputed bank, credit card firm, auction website or any other financial institution. The message tries one of several tricks to induce you to click on the link provided in the email and gets you to reveal your personal information. This stolen information is used for sophisticated online robbery, identity theft and other Internet-related crimes. 
The Anti-Phishing Working Group, an industry consortium formed to fight this mode of crime, says the attacks in recent months were double those reported in the same months last year. With e-commerce growing rapidly, Phishing attempts may grow manifold this year, faking more brands and institutions and looting more victims around the globe.
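The scam mail described above carries the classic indicators: a sender outside the bank's domain, a link whose destination is not the bank although its text looks like the bank's address, a threat of suspension, and a request for account number, password and PIN. The following added example (not code from the dissertation or from any bank) scores a mail against those indicators, the kind of check a bank's mail gateway or customer-awareness team can run; the domain `bank.example` and both sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the bank genuinely sends mail from and links to.
# Constructed placeholder; a real deployment uses the bank's own list.
BANK_DOMAINS = {"bank.example"}

ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
URGENCY = re.compile(r"\b(suspend(?:ed)?|immediately|within \d+ (?:hours|days)|further notification)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|PIN|account number|card number|CVV)\b", re.I)


def belongs_to(host, domains):
    """True if host is one of the bank's domains or a subdomain of one.
    'www.bank.example' passes; 'bank.example.verify.invalid' does not, because
    the bank's name is only a prefix there, not the registered domain."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse(raw_message, bank_domains=BANK_DOMAINS):
    """Return the phishing indicators found in one single-part text/html mail."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    reasons = []

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if not belongs_to(sender_domain, bank_domains):
        reasons.append(f"sender domain '{sender_domain}' does not belong to the bank")

    for href, text in ANCHOR.findall(body):
        host = urlparse(href).hostname
        if not belongs_to(host, bank_domains):
            reasons.append(f"link destination '{host}' is outside the bank's domains")
        visible = re.sub(r"<[^>]+>", "", text).strip()
        if LOOKS_LIKE_URL.match(visible):
            shown = urlparse(visible if "://" in visible else "http://" + visible).hostname
            if belongs_to(shown, bank_domains) and not belongs_to(host, bank_domains):
                reasons.append(f"link text shows '{shown}' but the destination differs")

    if URGENCY.search(body):
        reasons.append("urgency or threat of account suspension")
    if CREDENTIALS.search(body):
        reasons.append("asks the customer to enter credentials")

    score = len(reasons)
    verdict = "likely phishing" if score >= 2 else "suspicious" if score == 1 else "no indicators"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample mirroring the scam described in the text.
PHISHING_SAMPLE = """\
From: "Bank Security Team" <security@bank-example-verify.invalid>
To: customer@mail.invalid
Subject: Important: SSL server upgrade
Content-Type: text/html

<p>Dear customer, we are upgrading to a new SSL server to protect you
against online theft. Please confirm your account number, password and PIN
at <a href="http://bank.example.security-update.invalid/login">https://www.bank.example/secure</a>.
If you do not complete the form, your online account will be suspended
till further notification.</p>
"""

# Constructed sample of a genuine notification for comparison.
LEGITIMATE_SAMPLE = """\
From: "Bank Customer Care" <alerts@bank.example>
To: customer@mail.invalid
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement for last month is available at
<a href="https://www.bank.example/statements">View statement</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        result = analyse(sample)
        print(name, result["verdict"], result["reasons"])
```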
52. 2.5 Understanding Information Security (IS) In view of the critical implications of Information Security (IS) for banks and financial institutions, it is necessary to emphasise that the management of the bank should have a good understanding of the IS risks. • IS is not only the concern of the Information Technology Department but of the entire organisation. It is said that “Security in an organisation is as strong as its weakest link”. Hence, each and every user of information, right from the senior management to the clerk in the branch, has to be involved in any security initiative taken by the bank. This means that they have to be aware of the security threats and should practise the laid-down policies and procedures. • IS Policy has to be aligned to the business objectives by a proper IS Risk Assessment. This means that the risks identified and measured during a structured IS Risk Assessment should be mitigated with effective security policy and procedures. • IS Policy cannot be the same for all banks despite there being similarities in their business functions. This is because each bank has its own unique risks, which might be multidimensional considering its locations, its services, its business goals and its technical infrastructure. • Banks can optimise their resource spending on IS by strategising their security spending to mitigate the high-impact risks identified during their IS Risk Assessment. Hence, IS should be seen as an investment. • Security Audits at branches need to be conducted by qualified personnel as they need to encompass an audit through the computer.
    53. • IS rests on the CIA principle (Confidentiality, Integrity, Availability). Hence in every decision, the security requirement of CIA has to be observed. • IS Risk Assessment is not restricted to Vulnerability Assessment of the technical infrastructure but extends to identifying critical assets, their threats and organisational vulnerabilities. It also includes Business Impact Analysis (BIA), measuring risks and suggesting appropriate controls. 2.6 Spending patterns (Technologically and Financially) According to the Gartner report on IT spending of financial services, the worldwide financial sector spends about US$ 129 billion annually on IT services. Figure No. 9: IT Spending Patterns – “The Worldwide Financial Services Industry Spends about $129 billion Annually on IT Services”; worldwide financial services IT services spending ($ billion), FY 02 to FY 07, CAGR 6.3%. Source – Gartner.
54. According to a report from the Indian Institute of Information Technology, the application of Information and Communication technology to the banking sector has been growing in the recent past. IT spending by the BFSI segment jumped by a healthy 18 percent during 2002-03 to touch Rs. 60 billion (US $1.24 billion). Indian banks on average spend an estimated Rs. 1.5 billion on software and hardware for core and internet banking services. According to industry estimates, the BFSI segment accounts for around 10 percent of the total IT industry and about 28 percent of the domestic IT market. Spending by the BFSI segment is expected to jump to Rs. 98 billion during the 2004-05 fiscal. The main driver for the increasing use of IT in banking is the need to cater to the growing and changing expectations of customers, who relentlessly demand continuous improvement in the quality of services offered, reduction in charges and access to new products. In the context of global competition, the banks have to use other factors to facilitate the increasing IT investments. The Central Vigilance Commission lays down certain statutory requirements for banks in this regard, i.e. achieving 100% branch computerisation and the availability of certification services for ensuring the security of electronic transactions, with an eye on the growing size, complexity and integrity of the financial markets. Technological advancements bring along concerns about the privacy, confidentiality and integrity of information. It is being seen that such concerns have a major impact on the functioning and existence of banks and financial institutions. While many banks in India have taken steps to improve their IS, much still remains to be achieved. It is often perceived by the management of banks that IS is technical and complex. Contrary to this, IS is similar to any other area of managerial decision-making. Further, IS investment should also have a return on investment. 
This is to be achieved by an effective IS Risk Assessment. 9: Implementing IS in Banks---- http://www.sisa.co.in/images/PDF/WhitePaper_ImplementingISinBanks.pdf
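Section 2.5 lists the ingredients of an IS Risk Assessment (critical assets, threats, vulnerabilities, BIA, measured risk, suggested controls) and section 2.6 asks that IS spending show a return on investment. The following added example, not from the dissertation or from any bank, puts those pieces together: each risk is scored as likelihood times the BIA impact on the affected CIA property, and controls are then funded in order of risk reduction per rupee within a budget, with untreated risks accepted only when low. The scales, assets, scores, costs and control names are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Ordinal scales for this example (constructed; the dissertation names the
# inputs of a risk assessment but prescribes no scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
MITIGATE_THRESHOLD = 15   # score at/above which an untreated risk must be funded
ACCEPT_THRESHOLD = 8      # score below which accepting the risk needs no sign-off


@dataclass
class Asset:
    name: str
    confidentiality: int   # BIA rating (1-5) of losing each CIA property
    integrity: int
    availability: int


@dataclass
class Risk:
    rid: str
    asset: Asset
    threat: str
    affects: str           # "confidentiality" | "integrity" | "availability"
    likelihood: str

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * getattr(self.asset, self.affects)


@dataclass
class Control:
    name: str
    treats: str            # risk id
    kind: str              # "mitigate" | "transfer" | "avoid"
    cost: float            # annual cost, Rs. lakh (constructed units)
    residual_score: int    # risk score expected once the control is in place


@dataclass
class Plan:
    selected: List[Control] = field(default_factory=list)
    total_cost: float = 0.0
    treatment: Dict[str, str] = field(default_factory=dict)   # risk id -> treatment


def rank_risks(risks: List[Risk]) -> List[Risk]:
    return sorted(risks, key=lambda r: r.score, reverse=True)


def default_treatment(score: int) -> str:
    if score >= MITIGATE_THRESHOLD:
        return "must fund"
    if score >= ACCEPT_THRESHOLD:
        return "accept with sign-off"
    return "accept"


def prioritise_spend(risks: List[Risk], controls: List[Control], budget: float) -> Plan:
    """Greedy selection: highest risk reduction per rupee first, at most one
    control per risk, never exceeding the budget."""
    plan = Plan()
    by_id = {r.rid: r for r in risks}
    ranked = sorted(controls, key=lambda c: (by_id[c.treats].score - c.residual_score) / c.cost, reverse=True)
    for c in ranked:
        if c.treats in plan.treatment or plan.total_cost + c.cost > budget:
            continue
        plan.selected.append(c)
        plan.total_cost += c.cost
        plan.treatment[c.treats] = c.kind
    for r in risks:
        plan.treatment.setdefault(r.rid, default_treatment(r.score))
    return plan


def residual_total(risks: List[Risk], plan: Plan) -> int:
    """Sum of risk scores after the funded controls are applied."""
    residual = {c.treats: c.residual_score for c in plan.selected}
    return sum(residual.get(r.rid, r.score) for r in risks)


# Constructed register, using the loss categories the survey in chapter 4 reports.
customer_db = Asset("customer records database", 5, 5, 4)
atm_switch = Asset("ATM switch", 3, 4, 4)
laptops = Asset("branch laptops", 3, 2, 1)
credentials = Asset("internet banking credentials", 4, 4, 2)
tapes = Asset("archive tapes", 3, 2, 2)

RISKS = [
    Risk("R1", customer_db, "unauthorised access / hacking", "confidentiality", "likely"),   # 20
    Risk("R2", atm_switch, "virus outbreak", "availability", "likely"),                       # 16
    Risk("R3", laptops, "theft of laptop", "confidentiality", "possible"),                     # 9
    Risk("R4", credentials, "phishing of customers", "confidentiality", "possible"),           # 12
    Risk("R5", tapes, "fire at storage site", "availability", "rare"),                        # 2
]

CONTROLS = [
    Control("rbac-and-audit-logging", "R1", "mitigate", 20, 8),
    Control("av-and-patching-atm", "R2", "mitigate", 8, 4),
    Control("laptop-disk-encryption", "R3", "mitigate", 6, 3),
    Control("two-factor-internet-banking", "R4", "mitigate", 30, 4),
    Control("cyber-insurance", "R4", "transfer", 10, 8),
]

if __name__ == "__main__":
    plan = prioritise_spend(RISKS, CONTROLS, budget=40)
    print([c.name for c in plan.selected], plan.total_cost, plan.treatment)
    print("risk before:", sum(r.score for r in RISKS), "after:", residual_total(RISKS, plan))
```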
55. 2.7 CTO/ CIO’s viewpoint “The best way to approach IS is from the business side – ask what the business need is, assess the risk and fashion a risk mitigation strategy that fits”. -- S Krishna Kumar, GM (IT) and CISO, SBI. Devising an appropriate and suitable security strategy depends upon several aspects, such as the breadth of the organisation’s business, volume of transactions per day / month, scale of operation (number of years in the current business), necessity of data migration, competition in the sector, etc. Processes: • Upper management buy-in • Concept of six pillars of safety: governance, structure, risk assessment, risk management, communication and compliance • Policy approval at board level • Risk mitigation processes • Documented standards and procedures • Management overview for controllers • Service Level Agreement (SLA) monitoring. Technology: • Firewall • Anti-virus • IDS (Intrusion Detection Systems) • Management Tools. Table No.2: Risk Mitigation Strategy. The security strategy must be in line with the business needs and complexities, so as to be holistic in approach, and should include all the components needed for the IS programme.
    56. “IS has commitment and support at the highest level in the organisation. The state of IS is periodically reviewed by the top management.” All the pillars are equally critical in providing IS assurance, rather than merely focusing on the security products and penetration tests. IS derives its strength from the highest authority, the board, which has approved the bank’s IS policies and provided direction and support mechanisms to evolve the required standards and procedures. “Risk mitigation is not a one-size-fits-all process, and takes different routes depending on the risk and business imperatives. This needs to be devised after considering business needs vis-à-vis security controls. Being a financial organisation, the banks are subject to a number of regulations, both internal and external in nature. These are considered an integral part of the Security Architecture. “It is necessary that all the personnel across the business understand the underlying philosophy and basis of the security policy. Merely writing a security policy and sending it to the different departments will never succeed.” “It is not good enough to have just the performance levels specified in a Service Level Agreement (SLA). The organisation should also be able to measure service levels, use appropriate measurement metrics, build adequate deterrents against under-performance and monitor the performance of all the outsourcing agreements.” Business Continuity and Disaster planning bear a lot of importance in the IS Strategy or Program. On this, Mr. Kumar observes “that a Disaster Recovery (DR) system has been set up for critical applications in a different city and periodic mock drills are conducted.” “An important but often neglected aspect of the DR plan is to shuffle a core team of operations personnel between production and DR sites periodically. This ensures the availability of skilled resources at the DR site. 
They are current with the latest state of the production application”, says Kumar.
57. 2.8 Summary The basic IS needs of banks and financial institutions are very similar to those of most large organisations. The problem for banks is that they are fairly high-value targets. Gaining unauthorised access to a bank’s customer records can make identity theft easy on a large scale. Unauthorised access to customer records creates operational, legal and reputational risks for banks. Currently banks are spending approximately 5-6% of their total IT budget on security, and this amount may prove inadequate to ensure effective ISRM considering the threats existing in the e-world today. Not only should the banks spend more on IS, they should also ensure that their IS risks are mitigated. A structured IS Risk Assessment will enable banks to accomplish this objective. A Return on Investment (ROI) on IS should be demanded by the management. Further, banks should approach IS in a structured manner.
58. CHAPTER 3 METHODOLOGY 3.1 Introduction This chapter discusses the methodology of this study in detail. The research questions and assumptions (hypotheses) proposed in Chapter 1 are presented here. All phases of the research design, data collection, location of the research performed, method of inquiry and statistical analysis are reviewed. Finally, the whole chapter is summarised. The research can be categorised as a combination of exploratory and descriptive study seeking insights into IS and Risk Management in banks in India. 3.2 Research Questions and Research Hypotheses The research assumptions (hypotheses) framed in the study possess a strong background in the literature review. The combination of the research assumptions (hypotheses) and the literature review proves their importance in the study for answering the research questions. The answers to the research questions would provide good insight for IS professionals and executives regarding the various scenarios and complexities posed prior to designing an IS and Risk Management System. • Research Questions The research will address the questions mentioned below • What are the information risks and security threats involved in the Banks? • What benefits will be derived by implementing these systems in the existing scenario? • What should be the ideal characteristics of the Information Risk and Security Management Systems?
    59. • What functions in security and risk management must be accomplished by an IRSMS to support Banks? • What would be the Total Cost of Ownership (TCO) for the institution? • Hypotheses • The security policies in the same organisation (Bank) may differ based on the geographic location. • Many Banks prefer accepting the security risk rather than mitigating, transferring or avoiding it. • IRSMS policies show wide variations across all types of financial institutions (here the type of bank would be considered, i.e. Apex / Public Sector Commercial / Private Sector Commercial / Co-operative / Foreign bank, etc.). 3.3 Data Collection / Collected Primary data collection is done on the basis of personal interviews along with responses to the questionnaire filled in by IS / Management personnel, Information Systems Auditors, Information Systems Inspection Personnel, Network Security Professionals, Network Administrators, Information Systems Administrators, etc. Data is also collected from the customers of the banks in order to understand the awareness among them, which might spur quick development, deployment and improvement of the IS and Management methodologies and techniques in the respective banks. The data collected from the customers is a value addition to the research in order to gain certain insights regarding IS threats which might have been overlooked, as they might not have been reported or registered. These customer inputs would also help us analyse the overall success of the banks in terms of IS and Risk Management. The choice of an adequate data collection method should mainly be based on the type of research problem investigated (Kiplinger 1986). Figure 3.1 indicates which choices were made at various decision levels related to the data collection method. At each level, the option selected is shaded.
60. Figure No.10: Selection of Data Collection Method (decision tree: Longitudinal research vs Cross-Sectional; Experimental research vs Non-experimental; Survey vs Observation; Mail / Internet / Personal / Telephone). • Cross-Sectional Research Research can either be cross-sectional or longitudinal. In this study, a cross-sectional research design has been applied. Cross-sectional research involves the collection of information from any given sample of population elements. Longitudinal research, on the other hand, provides an in-depth view of the situation and the changes that take place over time. Scholars recognise that representative sampling and response biases are serious problems of longitudinal research. In longitudinal research, the cooperation of panels is required. Respondents’ refusal to co-operate, panel mortality, and payment of panel members increase the lack of representative sampling. Furthermore, response bias is increased as a result of the fact that panel members more consciously perform the investigated behaviours and that new panel members tend to increase the investigated behaviour. Finally, longitudinal research implicitly requires long data collection periods. Based on these arguments and
    61. the objective of this study, a cross-sectional research is considered to be adequate in order to provide the required information in a valid and representative way. • Non-Experimental Research In this study, a non-experimental method as opposed to an experimental research method is used. Non-experimental research is generally defined as “systematic, empirical inquiry in which the scientist does not have direct control of independent variables because their manifestations have already occurred or because they are inherently not manipulable”. While experimental research generally allows obtaining high levels of internal validity as a result of the possibility to control, randomly assign, and manipulate, its lower external validity and artificiality are considered to be weaker elements. As this study aims at generating generalizable results for a wide range of IS and Risk Management situations, external validity is an important, additional evaluation criterion. Consequently, the use of non-experimental research is suitable for the purpose of this study. • Survey Research Survey methods are generally classified into mail, internet, telephone, and personal surveys. Non-experimental research designs can consist of observation as well as survey methods of data collection. In this study, survey research design was chosen, which is defined as “interviews with a large number of respondents using a pre-designed questionnaire”.
62. • Personal Interviewing In this study, personal surveys were conducted in order to gather the required data. A personal interview is generally defined as “a questionnaire administration method in which the interviewer and respondent have a face-to-face contact”. According to many experts, the personal interview “far overshadows the others as perhaps the most powerful and useful tool of social scientific survey research”. Personal interviews outperform mail, internet, and telephone surveys on nearly all criteria, except for interviewer control and bias, cost, and social desirability. Several efforts were made in order to overcome these potential weaknesses. The use of structured questionnaires that included detailed respondent instructions automatically diminished the risk of interviewer bias. Further, interviewers were not aware of the underlying hypotheses of the study and could therefore not consciously influence the responses. Thus the data collection involved in this study used non-experimental, personal surveys and telephonic interviews on a cross-sectional basis. 3.4 Location of the Data The data was collected with relative difficulty from Inspection Departments of various banks, IS and Risk Management cells, Information Systems Auditors, Network Administrators, Information Systems Administrators, IS Specialists (Project Managers, Quality Assurance, Development Heads for IS software or hardware solutions), etc. Apart from this, data was also collected from customers regarding their awareness of IS threats in banks. With a
    63. responsible and critical team of intellectuals forming the basis of this research, the remaining part of the questionnaires was filled in by a large number of customers (the common man) of the banks. Customers were classified by domicile status, that is, whether they had always stayed in Mumbai or had moved into the city recently. This gave further insight into the depth of IS awareness in other parts of the country. The data collected was obtained from a fair mix of gender, age groups, educational backgrounds and income classes. 3.5 Pilot Test Pilot tests are often conducted to improve the content of questionnaires. Respondents helped to evaluate the structure, wording, difficulty or ease of answering questions as well as the time necessary to complete the questionnaire. Feedback regarding the format and structure of the questionnaire was considered and changes were made to the questionnaire. Suggestions were taken to clarify the survey instructions, using less technical words. A preliminary study was conducted to test the questionnaire. With respect to the topic of research, the pilot test was done with people from varied backgrounds. The respondents gave their valuable suggestions during the personal meetings or discussions regarding the questionnaires and also regarding the technique of drawing out more information with tactful personal interviews. These interactions have really helped in shaping the actual questionnaire. Participants of the pilot study were not included in the main study.
    64. 3.6 Method of Inquiry A self-administered survey was utilised to collect data. The questions were developed in a manner which would help in analysing the various IS threats and the Risk Management methodologies used to mitigate, transfer, avoid or accept the risks. Based on past research, the data was gathered from both primary as well as secondary sources. The questionnaire was a blend of open- and closed-ended questions, which provided a range of possible responses to almost all questions and made it easy for the respondent to select from a range of possible answers. The questionnaires were distributed to a convenience sample of 150 in various banks in India, at varied locations, and to a sample of 100 customers of various banks in India, limited only to the Mumbai region. Among the 150 respondents, a few had less than 1 year of experience in the IS and Risk Management area, and hence those who had not managed these kinds of responsibilities were removed, for a usable sample size of 133. Among the 133 respondents, 8 did not fill in all the details asked for in the questionnaire, and hence were not considered for the study; thus a usable sample of 125 was used for evaluation. Among the 100 customer respondents, a few did not have any inclination towards IS, nor were they interested in new things. They were really satisfied with all the traditional means of transacting with the banks.
    65. 3.7 Analysis Performed on the Data Different statistical methods were used for the data analysis using Microsoft Excel and Statistical Package for the Social Sciences (SPSS). Descriptive statistics were generated to evaluate the distribution of variables and appropriate statistical techniques were used to study the data collected. 3.8 Summary This methodology chapter has provided a discussion related to the methods and procedures applied in this dissertation. The chapter has discussed the objectives of this dissertation, research questions in order to fulfill the objectives, and methods used to collect and analyse the data required by the research questions. Survey respondents were delineated by appropriate sampling process. To analyse the data collected, a set of data analysis methods were used. The results from all of the analysis methods have been discussed in detail in the following chapter.
    66. CHAPTER 4 ANALYSIS 4.1 Introduction The questionnaires from the respondents surveyed has been analysed in two parts, the first part contains the responses of the Security Professionals, Certified Information Systems Auditors / Managers and the personnel who are directly responsible for drafting, evaluating, maintaining and enhancing the IS. A fair percentage of the respondents are actually involved in the day – to – day activities pertaining to the IS policy implementation and the remaining are the third party individuals who have contributed their views on the IS implementation. The second part contains the responses from the customers of the banks from Mumbai region.
    67. 4.2 Key Findings Some of the key findings from the participants in the survey are summarized below: • words, if the financial losses are Virus attacks continue to be the minimised, then effectively it will source of greatest financial losses. account in the increase in the profit Unauthorised access, hacking, etc., of the banks. are the second greatest threat / • source of financial losses. The third According to respondents, the greatest source of the financial loss management in the banks is still are considered to be the ones related not very much keen on to laptops (or mobile hardware) and outsourcing the IS procedures. the theft of proprietary information. They prefer to have in-house IS • Officer for handling the The fourth source of the financial procedures or many a times it is losses these days is being the social preferred to accept the risk. At the engineering (e.g. Phishing, most an external consultant to Pharming, etc.) • advise the policies is appointed to These four categories amount to assist the in-house IS Officer. more than 50% of financial losses. • • The no. of IS Audits is increasing The losses due to the lack of in the recent past. Co-operative physical security have decreased banks are also trying to get considerably in the recent past. • themselves certified from the The use of PKI infrastructure and Quality, Audit and Compliance encryption methodologies is institutions such as DNV, BVQI, increasing and being promoted etc. widely, according to most of the respondents. • The annual investment done by the BFSI segment should be focused and have to be marginally increased in order to have much more secured environment for operations. In other
    68. 4.3 Detailed Survey Results • Respondents’ Area (Banks) Information on the organisations and the individuals representing those organisations that responded to this survey are summarised below. To encourage respondents to share information about occasions when their defences were overrun and, in particular, to provide data regarding financial damages, the survey was conducted anonymously. A necessary result of this is that direct longitudinal analyses are not possible. • Respondents based on the type of organisation Apex Body – 13% Nationalised Banks – 16% Co – operative Banks – 19% Private Banks – 10% Foreign Banks operating in India – 13% Third Party Views (CISA, CISM, Network Administrators, etc.) – 29% (Rounded off to the nearest %) 30 25 20 15 10 5 0 Apex Body Nationalised Co-op Private Foreign Third Party Figure No.11:- Respondents based on the type of organisation
    69. As shown in the figure above, the type of organisations covered by the survey include many areas from both the private and public sectors. The largest no. of responses came from the third party viewers (CISA, CISM, Network Administrators, external Auditors, etc.). It accounted for almost a one – third of the entire responses received through the questionnaire. The second largest responses were achieved medium and small co-operative banks which totaled to almost one – fifth of the total responses. The third largest no. of responses was from the public sector Nationalised banks which accounted for almost 16% of the responses. Private Banks were the lowest respondents. It may be because of the cut – throat competition existing in the BFSI sector among all the private banks. • Respondents based on the location of the organisation Metro Cities – 45% B – Class Cities – 22% C – Class Cities – 13% Rural Areas – 6% Branches across the country – 14% (Also considered foreign banks operating in India) (Rounded off to the nearest whole %) 45 40 35 30 25 20 15 10 5 0 Metro Cities B-class C-Class Rural Areas Branches across the country Figure No.12:- Respondents based on the location of the organisation
70. The figure above shows the responses of organisations having their presence in various parts of the country. The largest number of responses came from the Metro Cities, which was expected; they accounted for almost one-half of all responses received through the questionnaire. The second largest group came from the B-Class Cities, which totalled more than one-fifth of the total. The third largest group came from the banks (Indian and Foreign) having branch offices all over India, which accounted for almost 14% of the responses. Banks in the rural areas were the lowest respondents. The primary reason is the scarce use of technology for day-to-day transactions there, which may be due to the heavy investment required or to lower acceptance by rural customers.
• Respondents by Job Description
Internal IS Officers – 5%
Certified Information Systems Auditors – 29%
Certified Information Systems Managers – 12%
Network Administrators – 21%
Project Managers (IS Sectors) – 7%
Systems Administrators – 18%
Others – 8%
[Bar chart of the percentages above: Internal Staff, CISA, CISM, Network Administrators, Project Managers, Systems Administrators, Others]
Figure No.13:- Respondents by Job Description
71. The figure above shows the responses obtained by the survey based on the job descriptions / designations of the respondents in the various organisations having their presence in various parts of the country. The largest number of responses came from the Certified Information Systems Auditors, who accounted for almost one-third of the total responses. The second largest group came from the Network Administrators, who totalled more than one-fifth of the total. The third largest group came from the Systems Administrators, who are responsible for maintaining and ensuring proper functioning of the Information Systems in the banks (Indian and Foreign) having branch offices all over India; they accounted for almost 18% of the responses. Internal IS Officers in the banks were the lowest respondents. The primary reason was the confidentiality of the information: leakage of such information to the outside world could be a source of reputation loss and would attract malicious threats, which would in turn be a source of financial loss. The other respondents included a few Chief IS Officers (CISOs), Quality Assurance personnel, external auditors, etc.
• Percentage of IT Budget Spent on the IS
[Bar chart, share of IT budget spent on IS against share of respondents: 1-2% – 46%, 3-4% – 10%, 5-6% – 4%, 10% – 23%, Not Aware – 17%]
Figure No.14:- IT spending as a part of budget
Budgeting and financial issues are the usual concerns when it comes to IS Risk Management, as it is an ongoing process and needs continuous updating. The respondents very hesitantly provided information on IT expenditure on IS Risk Management as a part of the IT Budget.
72. As illustrated in the figure above, 46% of the respondents indicated that their organisation allocated only 1-2% of the total IT budget for IS Risk Management. Around 10% indicated a figure of 3-4% as the amount spent on IS. A 5-6% budget was indicated by 4% of the respondents. A major portion of the respondent community claimed that their organisation spent a relatively large amount on IS Risk Management: this portion amounted to almost 23%, who claimed to spend around 10% of the IT budget on IS. The remaining group of respondents (17%) was either not aware of the expenditure on IS or preferred not to answer the question; they amounted to almost one-fifth of the total respondents.
• Percentage of IS Functions Outsourced
IT outsourcing has become a trend in BFSI as well as in some other sectors. Along with generic IT outsourcing, responsibility for Information Management and Security has also moved into the outsourced environment. Of late, it has been noticed that many banks have outsourced these jobs to IT giants in order to cut down on operating costs and on the resources required for handling them. Service Level Agreements (SLAs) are signed between the bank and the vendor to which the work is outsourced, for a specific period and based on minimum service criteria. The results of the survey make this evident.
73. [Bar chart, share of IS functions outsourced against share of respondents]
100% outsourced – 20%
50-75% outsourced – 26%
25-50% outsourced – 14%
0% outsourced – 40%
Figure No.15:-Percentage of IS functions outsourced
Among the results, 20% of respondents indicated that the IT and IS functions are completely (100%) outsourced to third-party vendors by entering into SLAs. Around 26% mentioned that a partial agreement is in place for IT outsourcing and external auditing of the Information Systems. Information Systems Management and Security is taken care of internally, and only third-party auditors (external auditors) are appointed to verify genuine operations, according to 14% of the respondents. The remaining group (40%) mentioned that no outsourcing is done and that they have a team of internal auditors for verifying genuine operations.
• Policies to mitigate the risks externally
Regardless of the measures an organisation may take to protect its systems using technical computer security measures such as passwords, biometrics, antivirus software and the like, some risk of financial loss will still remain. As mentioned in the earlier chapters, IS Risks can be identified and then either a) mitigated, b) transferred, c) insured, or d) clearly documented as a risk acceptance. Insuring the Physical Assets as well as the Information Assets is a method of mitigating the risk externally; hence, by purchasing Cyber Insurance, organisations might reduce the remaining risks.
74. As per the survey conducted, 40% of respondents claim that their organisations have purchased Cyber Insurance Cover, while the remaining 60% lack this cover. Some respondents added that there has been a phenomenal increase in Cyber Insurance Cover subscription over the past few years.
[Bar chart: Insured – 40, Not Insured – 60]
Figure No.16:-Risk Mitigation Policies
• Unauthorised access to the Information Systems in the recent past (last 5 years)
The figure below shows that there has been a decline in the overall frequency of successful attacks on computer systems. Furthermore, the percentage of respondents answering that there was no unauthorised use of their organisation’s computer systems was around one-third of the total. The percentage of respondents who indicated not knowing whether such unauthorised use occurred was small, which also indicates that employees are aware of these kinds of attacks. According to various respondents, managements in several organisations have taken up this issue seriously and are providing in-house as well as external training to employees on the importance and necessity of IS and Risk Management. The data reported in the table below also paints a picture of a slow decline in the frequency of attacks on computer systems.
75. Year – reported unauthorised-access figure (as plotted, axis 0-50)
2001 – 26
2002 – 23
2003 – 27
2004 – 24
2005 – 35
2006 – 34
Figure No.17:-Unauthorised access in the recent past
• Security Technologies used
Respondents were asked to identify the types of security technology used by their organisations. The reports were similar to the observations made before collecting the responses. Almost all organisations use Anti-Virus software to protect their Information Systems and their much-valued information from viruses, trojans and similar malicious content. The second most used solution was Firewalls. Although the Firewall solution is used in a mixed pattern, i.e. as a software solution as well as a hardware appliance, it has not been segregated here, taking into consideration that this is an academic research. Firewalls also amounted to almost 98% of the organisations. The category of anti-spyware showed up as the third most used security technology, with more than four-fifths of the respondents reporting its use. Intrusion Detection Systems (IDS) were being used by almost 70% of the organisations. Emerging technologies like Biometrics had comparatively lower acceptance at this point in time, for reasons such as installation, maintenance and the cost of implementation. It would be interesting to see whether the use of biometrics will continue to grow at a rapid rate in the years to come. Other technologies / policies such as reusable account / login passwords, encryption for data (in transit and in storage), RFID, public key infrastructure (PKI), forensic tools, log management software, application-level firewalls, intrusion prevention systems (IPS), specialised wireless security systems, etc. had considerable usage in various organisations all around the country.
76. There were many limitations in collecting this data, as the respondents were either not aware of which technologies are being used or were reluctant to express their views about the same.
[Bar chart of usage (0-120 axis) by technology: Anti-Virus, Firewall, Anti-Spyware, Intrusion Detection System, Encryption, Reusable password, Intrusion Prevention System, Application Level firewall, Smart cards, Forensics tools, Public key Infrastructure, Specialised wireless security system, Biometrics, Other]
Figure No.18:-Security Technologies used
77. • Security Audits
Traditional security metrics are haphazard at best; at worst they give a false impression of security that leads to inefficient or unsafe implementation of security measures. It is very important to evaluate the effectiveness of the IS done in the organisations. To evaluate this, the respondents were asked, “What techniques are used by your organisation to assist in the evaluation of the effectiveness of its IS?” The respondents were comfortable answering this question and indicated that many techniques, such as Security Audits (Internal or External), Penetration Testing, etc., are used by their organisations. The details are illustrated in the figure below. Approx. 75% of the respondents mentioned that their organisations use Security Audits conducted by their internal staff, making Security Audits the most popular technique for evaluating IS. Security Audits done extensively by external organisations were indicated by about 55%. Other techniques, such as Penetration Testing (45%), Automated Tools (40%), email Monitoring software (48%) or Web Activity Monitoring software (50%), are also used, but comparatively less, for evaluating the effectiveness of IS activities; these range from 40-50% in different organisations.
10: FBI 2006 --- http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf, access date: October 12, 2006.
78. [Bar chart of evaluation techniques in use]
Security Audits (Internal) – 75
Security Audits (External) – 55
Web Activity Monitoring Software – 50
E-Mail Monitoring Software – 48
Penetration Testing – 45
Automated tools – 40
Figure No.19:-Security Audits
• IS Awareness Training
The participants in the survey were also asked to rate the importance of security awareness training to their organisations in each of several areas. The percentages of respondents indicating that security awareness was very important are shown in the figure below. The top five rated areas in IS Awareness Training were:
• Understanding the Security Policy (82%)
• Understanding the IS Management Systems (70%)
• Understanding the IS related threats (66%)
• Understanding the Business Continuity and Disaster Recovery Planning and implementations (68%)
• Understanding of the IS software and appliances (55%)
Apart from these five, there are many other areas where IS Awareness Training is required, so that every user helps ensure that malicious threats do not reach the most valued Information Systems.
79. [Bar chart, percentage rating each awareness area as very important]
Security Policy – 82
Information Security Management Systems – 70
BCP / DRP – 68
Information Security related threats – 66
Information Security software & appliances – 55
Investigation – 38
Cryptography – 34
Forensics – 23
Figure No.19:- IS Awareness Training
• Most Critical Issues in next two years
Finally, the participants were asked to put across their views on the emerging IS threats which would affect the smooth functioning of Information Systems and challenge the CIA concept. The respondents came forward to give their views openly, since this was a generic question that did not touch on reputation risk, business risk or financial risk.
• Data Protection and application software – 100%
• Identity theft and leakage of private and confidential information – 98%
• Virus, Trojans and Worms – 100%
• Access Control (e.g. passwords) – 75%
• User education, training and awareness – 85%
• Wireless Infrastructure Security – 64%
• Adware and Spyware – 66%
• Keyloggers and Rootkits – 59%
80. • Social Engineering (e.g. Phishing and Pharming) – 89%
• Mobile (handheld) computing devices – 67%
• Patch Management – 45%
• Intrusion Detection Systems – 51%
• E-mail attacks (e.g. spam) – 95%
• Employee misuse – 34%
• Physical security – 78%
• Two-factor authentication – 32%
• DoS – Denial of Service – 23%
• PKI implementation – 47%
81. [Bar chart (0-120 axis) of the critical-issue percentages listed above, from Data protection (100) to PKI Implementation (47)]
Figure No.20:- Critical Issues
82. • Respondents’ Area (Customers)
Responses were also invited from 100 customers of various banks having at least one branch office in the Mumbai region; the 100 customers were also from the Mumbai region. This was done to enhance the study and to understand in depth whether customers are aware of IS or have no relation with it at all. The study took customer responses into consideration since IS Risk Management is a new concept as far as Indian banks are concerned. Moreover, IS Risk Management should be a joint effort: not only are the banks and their employees responsible for maintaining the Information Systems and providing IS, the customers are also an integral part of the entire process. For example, a bank may have taken due care to prevent / protect against social engineering threats such as Phishing and Pharming, but if the customer is not aware of these concepts and reveals his passwords / login names to a third party, whether unintentionally or through lack of awareness, his account can still be hacked. The responses were as per expectation as far as the Mumbai region was concerned. Most of the customers are at least aware of the concept called IS. The responses were a mixed bag on the basis of age group, income level, education, gender, etc. Out of the 100 responses invited, only a sample of 50 was usable, since 40 of the total did not answer all the required questions and 10 of the total were completely unaware of IS Risk Management. Out of the remaining 50 responses, 50% fall in the age group of 16-35 years, 30% in the age group of 35-55 years and 20% in the age group of above 55 years. The figure below illustrates this break-up of the responses by age group.
This trend was observed since the respondents in the 16-35 years age group are more inquisitive regarding Information Technology and use ATM centres, Internet Banking, Phone banking, Kiosks, credit cards, debit cards, etc. more frequently than the other age groups do.
83. A part of these age group respondents are highly educated, well-informed business executives or highly paid employees, who have broad exposure and an inclination towards Internet usage. Hence, they are aware of and concerned about IS, at least for their own bank or account.
[Pie chart of the 50 respondents by age group: 16-35 years – 25, 35-55 years – 15, above 55 years – 10]
Figure No.21:- Responses based on the Age Groups
Out of the remaining 50 responses, 20% fall in the income level of less than Rs. 2,00,000 p.a., 45% in the income level of Rs. 2,00,000 p.a. to Rs. 5,00,000 p.a., 30% in the income level of Rs. 5,00,000 to Rs. 15,00,000 p.a., and the remaining 5% in the income level of more than Rs. 15,00,000 p.a.
84. [Pie chart of the 50 respondents by income group, all figures in %: less than Rs. 2,00,000 – 20; Rs. 2,00,000 to Rs. 5,00,000 – 45; Rs. 5,00,000 to Rs. 15,00,000 – 30; more than Rs. 15,00,000 – 5]
Figure No.22:- Respondents based on Income group.
Here, the responses are highest from the income group of Rs. 2,00,000 p.a. to Rs. 5,00,000 p.a. These respondents are normally from the working class or salaried employees. Due to their hectic job schedules, they prefer Internet banking, Phone Banking, etc., and hence are more used to and aware of IS. The second highest group of respondents were again salaried employees in good positions, or owners of small businesses. They also use Internet banking for transactions such as credit card bill payment, EFT, share trading, etc. Hence, they too are quite concerned about IS. The educational factor was also taken into consideration when inviting responses to the questionnaires. It was more than obvious that the higher the education level, the more aware the respondent was of concepts such as Information Systems, IS Risk Management, etc., as he had exposure to the new technologies emerging worldwide.
85. CHAPTER 5 CONCLUSION AND RECOMMENDATIONS
Information related to the Bank and its customers is a highly valuable asset. IS helps in protecting these assets from unauthorised use, disclosure, modification or destruction, whether accidental or intentional. Protecting Bank and customer information is a responsibility of all employees that requires awareness and diligence. The ultimate responsibility for safeguarding Bank and customer information lies with each individual employee. Therefore, all employees who have access to systems that store and/or access such information are required to understand and comply with any and all specific policies, procedures, standards and guidelines established in support of the IS Program. Taking into consideration all the analysis in the previous chapter, it is evident that many things have to be taken care of on a continual basis. IS is a continual process which needs to be specifically monitored and enhanced time and again. In order to implement IS Risk Management successfully, there are many attributes that need to be considered in terms of IT / IS Governance. These attributes include implementation of ISO 17799 / BS 7799, CobiT, etc., physical security, logical security, access controls, Business Continuity and Disaster Recovery Planning, etc. Within the scope of this academic research, an attempt has been made to analyse the varied situations that actually occur in various banks at different security levels.
86. While this topic can be related to various facets, on the basis of this research the following conclusions emerge:
• Based on the Survey Findings
The survey has provided results regarding IS awareness based on the type of organisation, the location of the organisation and job description. The responses give better insights into the IS landscape currently prevailing in various banks, in relation to the kinds of systems or policies in place to cater to the ever-increasing demands of the IS sector. The survey has also tried to obtain in-depth information regarding the currently existing threats and the malicious content in the cyber world as on date. As an academic research, there were some limitations in this study. The study has revealed that there is an intense need for banks to keep a close watch on the IS threats that concern the bank and its reputation, in an attempt to find better ways to transfer, mitigate, prevent or accept the risks involved. The research has been successful to an extent in determining the losses borne by banks due to various causes such as malicious attacks by viruses, trojans and worms, identity theft, unauthorised access, security breaches, or unintentional misuse or mistakes due to lack of technical know-how, expertise or awareness. As mentioned above, there are some limitations to this report. The report has not been able to include any instances of losses caused by natural disasters / calamities within the Indian context. The exact cost factor could not be calculated for the implementation of the IS Systems. Most security software solutions or appliances are implemented in an assorted manner; there is no standardisation for the IS Systems implemented till date. The entire implementation depends upon several factors like spending pattern or the IT budget for IS, location of the organisation, the intellectual resources available to those banks, etc.
The views of all the banks, their branches and their customers are too varied to reach a definite conclusion. In fact, it can be said that all banks do take the steps they feel appropriate for preventing, mitigating, transferring or accepting risks.
87. On this basis, it is essential that there should be correctly drafted policies and procedures to face IS issues. The IS policy must essentially include factors relating to physical security, logical security, access control, Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP). All these factors are very essential as far as IS threats are concerned. Physical security, logical security, access control, etc. are the factors generally implemented in order to prevent the risk, while BCP and DRP are implemented after the risk is accepted or after the threats have made their impact. The BCP / DRP concept is used to restart the business’ mission-critical applications within a very short span of time, allowing the organisation to bear the minimum losses.
• Based on the Information Systems Management Practices
Since IS is the most important attribute of Information Systems Risk Management Systems, the policies / procedures should be followed and implemented from the moment employees are hired. Every organisation (banks, in the case of this academic research) needs to have appropriate Information Systems Management Practices, since these practices reflect the implementation of the policies and procedures developed for the various IS-related management activities. In most organisations, the IS department is a service department and its role is to help the other, customer-centric departments operate effectively and efficiently. IS Management provides the lead role in assuring that the organisation’s information, and the information processing resources under its control, are properly protected. This includes leading and facilitating the implementation of an organisation-wide IT Security programme, which should include the development of the BCP and DRP related to IS department functions in support of the organisation’s critical business processes.
A major component in establishing such programmes is the application of risk management principles to assess the risk to IT assets, mitigate these risks to an appropriate level as determined by management, and monitor the residual risks.
88. Management activities to review policy / procedure formulation and effectiveness within the IS department should include practices such as personnel management, sourcing and IT change management.
• Personnel Management
Personnel management relates to the organisational policies and procedures for hiring, promotion, retention and termination. The effectiveness of these activities, as they relate to the IS function, impacts the quality of staff and the performance of IS duties.
• Hiring
An organisation’s hiring practices are important to ensure that the most effective and efficient staff are chosen and that the bank complies with the legal recruitment process. Some of the common controls should include:
• Background Checks
• Confidentiality Agreements
• Employee Bonding, to protect against losses due to theft, mistakes and neglect
• Conflict of Interest Agreements
• Non-Compete Agreements
Control risks include:
• Staff may not be suitable for the position they are recruited to fill
• Reference checks may not be carried out
• Temporary staff and third-party contracts may introduce uncontrolled risks
• Lack of awareness of confidentiality requirements may lead to the compromise of the overall security environment
The above-mentioned control risks need to be taken care of / mitigated / accepted / transferred before drafting the hiring policies / procedures for the bank.
89. • Employee Handbook
• Security policies and procedures
• Bank’s expectations
• Employee benefits
• Vacation (Holiday) policies
• Overtime rules
• Performance Evaluations
• Emergency procedures
• Disciplinary actions for:
  • Excessive absence
  • Breach of confidentiality and / or security
  • Non-compliance with policies
In general, there should be a published code of conduct for the bank that specifies all employees’ responsibilities towards the bank.
• Education and Training
Training should be provided on a regular basis to all employees in the areas where employee expertise is lacking. This applies particularly to IS professionals, given the rapid rate of change of technology and products. Training not only assures more effective and efficient use of IS resources, but also strengthens employee morale. Training must be provided when new hardware and / or software is being implemented. Training should also include relevant management training, project management and technical training, so as to avoid the mistakes which occur because of lack of knowledge or ignorance. Cross-training should involve more than one individual being properly trained to perform a specific job or procedure. This practice has the advantage of decreasing dependence on one employee and can be part of succession planning. It also provides a backup for personnel in the event of their absence for any reason and thereby provides for continuity of operations.
90. However, in using this approach, it would be prudent to first assess the risks regarding the employees handling the system.
• Sourcing
Sourcing practices relate to the way in which the organisation obtains the IS functions required to support the business. Organisations can perform all IS functions in-house (in-sourcing) in a centralised manner, or outsource all functions across the globe. The sourcing strategy should consider each IS function and determine which approach allows that function to meet the enterprise’s goals. Delivery of IS functions can be:
• In-sourced – fully performed by the organisation’s staff
• Outsourced – fully performed by the vendor’s staff
• Hybrid – performed by a mix of the organisation’s and the vendor’s staff; can include joint ventures / supplementary staff
• Organisational Change Management
Change Management is the management of IT changes for the organisation, where a defined and documented process exists to identify and apply technology improvements at the infrastructure and application level that are beneficial to the organisation, involving all levels of the organisation that are impacted by these changes.
Apart from all these activities, banks need to have a properly documented, implemented and followed reporting format for each of their Information Systems. Some of the formats are given below as samples:
91. • Suspicious Activity Investigation Report
Figure No.23:- Suspicious Activity Investigation Report
In the event that an employee discovers a breach of customer information, the following procedure must be completed to report the breach to senior management.
• The employee who discovers the breach must immediately notify his/her manager.
• The manager must contact the Bank’s IS Officer and provide a full report of the incident.
92. • The IS Officer will commence a preliminary investigation. The investigation will include an interview of all individuals with knowledge of the breach. The IS Officer will coordinate the investigation with the Bank’s Director of Information Technology and the Director of Security.
• If the investigation determines that a breach has occurred, the IS Officer will inform the Executive Management Committee.
• Through consultation with the Director of Security and the Executive Management Committee, the IS Officer will determine whether to inform law enforcement authorities.
• The IS Officer will provide a detailed incident report to the Board of Directors at the following Board meeting, including a risk assessment related to the breach that covers actual damages as well as potential damages.
• Prompt reporting of a breach allows the Bank to:
  • Prevent future similar breaches;
  • Determine the source of the breach; and
  • Involve law enforcement at an early stage, if applicable.
• Reporting Suspicious Transactions
The Bank places significant responsibility on employees regarding the identification of potential identity theft transactions. This responsibility is placed on employees, particularly branch and customer service employees, because employees are the Bank’s first and most effective line of defense against fraudulent transactions stemming from identity theft. Through use of the Bank’s procedures, employees will generally resolve most transactions that may initially appear suspicious. However, on occasion it will not be possible to resolve the suspicious nature of a transaction. Under these circumstances employees must refer these suspicious transactions to the Bank’s Loss Prevention Officer.
93. The Bank should develop procedures for reporting suspicious activity. It is important that each employee be familiar with these procedures. Reporting of suspicious transactions is required not only by policy but also by federal regulation. The Bank is subject to punitive action if it is found negligent in its reporting responsibilities.
• Release of ATM or Debit Card Fraud Claim
Figure No.23:- ATM / Debit card Fraud Claim Format
• Branch Security Review Checklist (Provided in Appendix – I)
• Night Inspection Evaluation Form
• Record Retention Policy
• Monitoring Chart for InfoSec Contract Provisions to Service Providers
• Risk Assessment Matrix
• Risk Analysis Worksheet
• Bomb Call Warning Form
94. The nationwide increase in computer and identity theft crimes makes it likely that customer service employees of the Bank will encounter customers who have been victimised. If a customer requests assistance in resolving a case of identity theft, employees should provide the following information:
• Suggest that the customer contact the fraud departments of the credit bureaus and request that they place a “fraud alert” and a “victim’s statement” in the customer’s credit file. The fraud alert puts creditors on notice that the customer has been the victim of fraud, and the victim’s statement asks creditors not to open additional accounts without first contacting the customer. Suggest that the customer request a free credit report from the credit bureaus.
• Suggest that the customer review the credit reports in detail to determine whether any fraudulent accounts have been established. The customer should also determine whether any unknown inquiries have been made; unknown inquiries may be indicators of someone attempting to establish a fraudulent account.
• Suggest that the customer contact all financial institutions and creditors where the customer has accounts. The customer should request that they restrict access to the customer’s account, change any password, or close the account altogether if there is evidence that the account has been the target of identity theft.
• Suggest that the customer file a police report to document the crime.
5.1 General Password Guidelines
Bank employees use passwords to access various resources, including personal computers, the network, voicemail, the Internet, etc. User IDs and passwords are used to authenticate employees to the particular resource and to track user activity while using that resource. Temporary passwords are usually assigned to employees when access is initially granted to a resource. It then becomes the employee’s responsibility to establish a strong, secure password.
95. Employees must be aware of the characteristics of strong and weak passwords in order to ensure adequate protection of Bank and customer information. If someone obtains an employee’s User ID and password, that individual can impersonate the employee without the system being aware. Any damage created by the intruder will appear to have been created by the employee.
Poor, weak passwords have the following characteristics:
• The password contains fewer than eight characters;
• The password is a word found in a dictionary;
• The password is a common-usage word such as:
  • Names of family, pets, friends, co-workers, sports teams, movies, shows, license plate numbers, birth dates, etc.;
  • Computer terms and names, commands, sites, companies, hardware, software;
  • Birthdays, User ID and other personal information such as addresses and phone numbers;
  • Word, number or keyboard patterns like “aaabbb,” “qwerty,” “123321;”
  • Any of the above spelled backwards; or,
  • All the same characters or digits, or other commonly used or easily guessed formats.
Strong passwords have the following characteristics:
• Contain both upper and lower case letters;
• Have digits and punctuation characters as well as letters;
• Are at least eight characters long;
• Are not a word in any language, slang, dialect, jargon, etc.; and,
• Are not based on personal information, names of family, etc.
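The weak/strong characteristics above, written out as a policy check. This is an added example and not code from the dissertation: the common-word list, the keyboard-pattern list, the demo user profile and the sample passwords are constructed for the demonstration, and “EDIs1s@@g” is the phrase-based password the text itself gives in 5.1.

```python
"""Password-policy check based on the weak/strong characteristics in section 5.1.
Added example, not code from the dissertation; the word list, pattern list and
personal-information profile are constructed for the demonstration."""
import re
import string

# Constructed stand-in for a dictionary / common-usage word list.  A real
# deployment would load a full word list here.
COMMON_WORDS = {"password", "welcome", "banking", "summer", "monday", "admin"}

# Keyboard and number patterns of the kind the text calls out as weak.
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "123456", "123321", "abcdef")


def _personal_tokens(profile):
    """Split the user's personal details (name, user ID, birth date, phone,
    ...) into lower-case alphanumeric tokens of three or more characters."""
    tokens = set()
    for entry in profile:
        for tok in re.findall(r"[A-Za-z0-9]+", entry.lower()):
            if len(tok) >= 3:
                tokens.add(tok)
    return tokens


def check_password(password, profile=()):
    """Return the list of policy violations; an empty list means the password
    satisfies every 'strong password' characteristic in the text.

    profile: personal strings for this user (assumed to be supplied by the
    caller), used for the 'not based on personal information' rule.
    """
    problems = []
    lowered = password.lower()
    reversed_lowered = lowered[::-1]
    letters_only = "".join(c for c in lowered if c.isalpha())

    if len(password) < 8:
        problems.append("fewer than eight characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("does not mix upper and lower case letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("contains no punctuation character")
    # Dictionary word: exactly, spelled backwards, or with digits and
    # punctuation bolted on (e.g. "Summer2024!").
    if (lowered in COMMON_WORDS or reversed_lowered in COMMON_WORDS
            or letters_only in COMMON_WORDS or letters_only[::-1] in COMMON_WORDS):
        problems.append("is or is built on a dictionary / common-usage word")
    if any(p in lowered or p in reversed_lowered for p in KEYBOARD_PATTERNS):
        problems.append("contains a keyboard or number pattern")
    if re.search(r"(.)\1\1", lowered):
        problems.append("contains a run of three or more identical characters")
    for tok in _personal_tokens(profile):
        if tok in lowered or tok[::-1] in lowered:
            problems.append("is based on personal information")
            break
    return problems


def is_strong(password, profile=()):
    """True when check_password() reports no violations."""
    return not check_password(password, profile)


if __name__ == "__main__":
    # Constructed demo user; "EDIs1s@@g" is the phrase-based example from the text.
    user = ("Priya Sharma", "psharma", "1985")
    for candidate in ("EDIs1s@@g", "password", "Priya@1985!", "Summer2024!", "aaaBBB11!"):
        print(candidate, "->", check_password(candidate, user) or "strong")
```

The dictionary rule is applied to the alphabetic core of the password as well as to the whole string, so a common word with a year and a symbol appended is still rejected; the personal-information rule needs the caller to pass the user's details, which a real system would pull from the HR or directory record.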
96. Employees should refrain from writing down the password. Instead, employees should create passwords that can be easily remembered. One way to accomplish this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be “Everyday I sing one song” and the password could be “EDIs1s@@g” or some other variation.
5.2 Password Protection
Refrain from using the same password for Bank accounts as for other non-Bank accounts (e.g., a personal email account). When possible, refrain from using the same password for multiple Bank accounts. For example, use a different password for network and email access. Do not share passwords with anyone, including Bank personnel. All passwords must be treated as highly sensitive information.
List of DON’Ts for the employees:
• Don’t reveal your password over the phone to anyone – not even individuals who claim to be calling from the IT Department;
• Don’t reveal your password in an email message;
• Don’t reveal your password to your manager or any other Bank employee;
• Don’t talk about your password in front of others;
• Don’t hint at the format of a password (e.g., “my family name”);
• Don’t reveal your password on questionnaires or security forms;
• Don’t share your password with family members;
• Don’t reveal your password to co-workers while on vacation;
• Don’t leave your password anywhere on or near your workstation (e.g., on post-it notes, under mouse pads, etc.); and,
• Don’t create passwords for group use or shared passwords. Passwords should be unique to each person.
• Do not provide your password to anyone who requests or demands it. Refer the incident to the Bank’s IS Officer.
97. Call the IT Department immediately to change your password if you suspect that your password has been compromised.
5.3 Changing Passwords
Bank policy requires passwords to be changed regularly, but an employee may change a password at any time if there is a possibility that the password has been compromised. Generally, the Bank’s various computer systems do not permit employees to reuse a previously used password for a minimum period of time, as defined by the system. For example, a system may prevent employees from using the same password within a six-month period. Systems prompt for password changes when a change is required. To save time and effort, passwords should be changed before they expire. If a password has been compromised or forgotten, the user may obtain a new password or have the password reset by contacting the appropriate department (e.g., IT Department, Training Department).
5.4 Security Breach Examples
The following are some examples of security breaches:
• A person gains access to a computer terminal and is able to obtain the “personal information” of one or more Bank customers;
• An employee emails a file containing “personal information” to an individual outside the Bank for purposes other than official Bank business;
• An employee takes home and subsequently loses a CD containing customer loan information;
• An employee loses a laptop containing customer loan write-ups and other loan application information;
• A diskette containing “personal information” is stolen; and,
• An employee copies customer “personal information” to a diskette and uses the information for unauthorised purposes.
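The password-change rules of 5.3 (no reuse of a previous password within a minimum period, regular expiry, a prompt before expiry) as a small per-user history store. This is an added example, not code from the dissertation: the six-month reuse window follows the text's example, while the 90-day lifetime, the in-memory store, the PBKDF2 parameters and the sample timeline are assumptions.

```python
"""Password-change rules from section 5.3: a previously used password may not
be reused within a minimum period (six months in the text's example) and
passwords expire and must be changed regularly.  Added example, not code from
the dissertation; the 90-day lifetime, the in-memory history store and the
PBKDF2 parameters are assumptions."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

REUSE_WINDOW = timedelta(days=182)   # about six months, as in the text's example
MAX_AGE = timedelta(days=90)         # assumed expiry period; not stated on the page
PBKDF2_ITERATIONS = 50_000           # assumed work factor


def _digest(password, salt):
    """Salted PBKDF2-HMAC-SHA256 so the history never stores plain passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Per-user record of (salt, digest, set_at) tuples; the last entry is current."""

    def __init__(self):
        self._entries = []

    def _matches(self, password, entry):
        salt, digest, _ = entry
        return hmac.compare_digest(_digest(password, salt), digest)

    def set_password(self, password, now):
        """Install a new password.  Returns False (and changes nothing) if the
        same password was used within REUSE_WINDOW, True otherwise."""
        for entry in self._entries:
            set_at = entry[2]
            if now - set_at < REUSE_WINDOW and self._matches(password, entry):
                return False
        salt = os.urandom(16)
        self._entries.append((salt, _digest(password, salt), now))
        return True

    def verify(self, password, now):
        """True only for the current password and only while it is unexpired."""
        if not self._entries or self.is_expired(now):
            return False
        return self._matches(password, self._entries[-1])

    def is_expired(self, now):
        if not self._entries:
            return True
        return now - self._entries[-1][2] >= MAX_AGE

    def days_until_expiry(self, now):
        """Lets the system prompt before expiry, as the text recommends."""
        if not self._entries:
            return 0
        remaining = self._entries[-1][2] + MAX_AGE - now
        return max(remaining.days, 0)


if __name__ == "__main__":
    # Constructed timeline for one user
    history = PasswordHistory()
    t0 = datetime(2007, 2, 9)
    print(history.set_password("Spring!Rain7", t0))                        # True
    print(history.set_password("Spring!Rain7", t0 + timedelta(days=30)))   # False: reused too soon
    print(history.set_password("Autumn!Leaf3", t0 + timedelta(days=30)))   # True
    print(history.days_until_expiry(t0 + timedelta(days=100)))             # 20
    print(history.set_password("Spring!Rain7", t0 + timedelta(days=220)))  # True: window elapsed
```

Old entries are compared by recomputing the salted digest rather than by keeping the plaintext, so a reuse check never exposes a former password; entries older than the reuse window are skipped without hashing.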
98. 5.5 Bank Procedures
The most effective means of complying with the Privacy Law is to prevent the breach of any customer information. Breaches are prevented by exercising due care when working with customer data or computer systems that access such data. Examples of due care:
• Logging off the network when leaving a computer/workstation for an extended period of time;
• Using password-protected screensavers;
• Refraining from copying customers’ personal information onto disks or CDs;
• Keeping disks and CDs that contain personal information in a secure location;
• Never emailing outside the Bank any documents/files that contain confidential information;
• Ensuring your workstation (PC) is positioned in a manner that prevents someone from viewing confidential information;
• Protecting passwords; and,
• Being alert to suspicious activity related to the theft/compromise of personal information.
5.6 Downloading Software
Downloading unlicensed software is a violation of copyright laws, and downloading any software from the Internet, including screensavers, without appropriate controls and testing puts the Bank at risk. No software should be downloaded from the Internet without written approval from the Director of Information Technology. The purchase and installation of any software on Bank computers must be approved by the Director of Information Technology.
99. 5.7 Laptop Security
The following are some basic techniques to protect laptop computers and to secure information on laptop computers:
• Do not disable or alter the anti-virus software that is installed on laptop computers;
• Do not store passwords, User IDs, private encryption keys or personal information on a laptop;
• Store backup diskettes or CDs separately from the laptop;
• Do not leave the laptop unattended, whether in an unlocked, unattended vehicle, in plain view in a hotel room, or overnight at your workstation in the office;
• Exercise caution with laptops in airports, especially at security screening checkpoints; and,
• Immediately report lost or stolen laptops to the Director of Information Technology.
5.8 Fax Machines
Fax machines present a potential IS risk. It is important to ensure that no confidential information is left unattended on a fax machine. Further, fax machines generally print the first page of any communication sent as the delivery confirmation. If a cover page is not used, the confirmation page may include confidential information that may be forgotten or discarded inappropriately. Confidential messages sent by fax must be clearly marked with a confidentiality disclaimer.
100. 5.9 Internet Security Concerns
Viruses and hackers are active on the Internet and try to create and exploit security vulnerabilities. Security services ensuring confidentiality, integrity and authenticity are not automatically provided when using the Internet or the Web. In addition, information from Internet sites cannot be relied upon to be authentic or accurate. As such, employees must exercise common sense and due care when using the Internet.
5.10 Physical Security
The Bank should implement physical security procedures to protect the security of its people and assets. Examples of security measures include the use of keypad access to protected areas, visitor badges for non-employees and keys for entry into secure areas. Secured doors must NEVER be left open or unattended. All visitors to the corporate offices must be sent to the receptionist to obtain a “visitor” badge. Further, all visitors must be escorted within secured areas. Bank employees should remain diligent at all times in order to identify and report suspicious individuals.
5.11 Monitoring and Inspections
To help ensure that Bank employees work in a safe and secure environment, the Bank reserves the right to take certain actions to protect the safety and security of employees, customers, agents, vendors, and the company’s property and premises. These actions, in accordance with applicable law, include recording, monitoring, conducting surveillance, inspecting and/or reviewing:
• Company premises and property, or Bank resources, including work areas, lockers, interoffice/business mail, e-mail, computers,
101. telephones, voice mail, internet, intranet, or any other communication system established for business purposes; and,
• Employees’ personal property located on company premises and employees’ personal banking transactions at the Bank.
Employees are expected to cooperate in company inspections, monitoring, and recording.
To summarise and conclude the research, the IS threats are revisited below:
• Data protection and application software
• Identity theft and leakage of private and confidential information
• Viruses, Trojans and worms
• Access control (e.g. passwords)
• User education, training and awareness
• Wireless infrastructure security
• Adware and spyware
• Keyloggers and rootkits
• Social engineering (e.g. phishing and pharming)
• Mobile (handheld) computing devices
• Patch management
• Intrusion detection systems
• E-mail attacks (e.g. spam)
• Employee misuse
• Physical security
• Two-factor authentication
• DoS – Denial of Service
• PKI implementation, etc.
There are several benefits which can be derived from the implementation of IS systems in the existing scenario. They are as follows:
• The information systems would be protected from the malicious threats existing in the cyber world as on date.
102. • The setup of the IS systems would prevent or minimise the losses of the valuable information assets of the bank.
• Would prevent reputation losses.
• Would provide a secure environment to perform all essential functions, etc.
The research claims to disprove the hypotheses mentioned in Chapter 1:
• The security policies in the same organisation (Bank) may differ based on the geographic location.
There was no indication or hint from the responses invited from the customers or the employees regarding a difference in the policies, in the same organisation, at different locations. The respondents mentioned that there were some differences in the roles / job descriptions of the employees or in the procedures used to implement and follow the policies, but the policies were the same throughout the organisation.
• Many Banks prefer accepting the security risk rather than mitigating, transferring or avoiding it.
The research survey as well as the observation has shown that the banks are still ready to accept the risk, instead of transferring, preventing or avoiding it. The analysis in Chapter 4 also shows that, when it comes to transferring the risk, only 40% of the banks (organisations) are insured and the rest are still not insured. The IT spending pattern also indicates that when it comes to preventing or avoiding risk, most of the banks or organisations lack the funds or focus and hence cannot work on the residual risks. This may also occur because of a lack of expertise and awareness regarding IS and the repercussions of its breach. This is normally observed in rural branches or branches located in small towns. Then, the banks are left with no option but to accept the risk.
103. • ISMS policies show wide variations across all types of financial institutions (here the type of bank would be considered, i.e. Apex / Public Sector Commercial / Private Sector Commercial / Co-operative / Foreign bank, etc.).
The ISMS policies do not change at large, even though the type of the bank is different. The policies are more or less the same, but the mode of implementation might be different. Since the RBI does not have any transactions with the common public, the policies might differ there. The only difference between all other banks and the APEX body (Reserve Bank of India) policies would be due to the mode of operation.
104. CHAPTER 6 BIBLIOGRAPHY
Offline Reference Articles (Magazines)
• E-Wallet lost in Rules, Current Account, MONEYLIFE, August 31, 2006, Volume 1, Issue 13, page no. 8.
• Target e-scammers, Personal Business, Techlife, MONEYLIFE, August 31, 2006, Volume 1, Issue 13, page no. 56.
• Phishers Target e-payment Users, Personal Business, Techlife, MONEYLIFE, August 31, 2006, Volume 1, Issue 13, page no. 56.
• Banking with Technology – The Road Ahead, RBI Newsletter, Volume 31, No. 2, July 31, 2005.
• Pandey S., July 22, 2006, Email Worms of World Cup 2006: Dos and Don’ts, MONEYLIFE, Volume 1, Issue 10, page no. 56.
• Dalal S., October 26, 2006, Personal Vigil Pays, Sucheta’s Solutions, MONEYLIFE, Volume 1, Issue 17, page no. 40.
• Dalal S., October 26, 2006, Beware of Insecure IT Networks, Sucheta’s Solutions, MONEYLIFE, Volume 1, Issue 17, page no. 42 – 43.
• Of Tracers and Strings, October 26, 2006, Personal Business, Techlife, MONEYLIFE, Volume 1, Issue 17, page no. 56.
• Pandey S., July 07, 2006, While Browsing in a Cyber Cafe, MONEYLIFE, Volume 1, Issue 9, page no. 58.
• Target You, September 28, 2006, Personal Business, Techlife, MONEYLIFE, Volume 1, Issue 15, page no. 56.
• Bhattacharya A., October 2006, A Strategic Resource, Technology in Banks, Chartered Financial Analyst, page no. 41 – 43.
• D’Souza S., April 2004, ‘Biometrics’ The Future is now, TRENDS, NEWSWIRE, CHIP, Volume 1, Issue 6, page no. 26 – 27.
105. • D’Souza M., April 2004, The Truth about Wireless, NETWORK UNWIRED, COVER STORY, CHIP, Volume 1, Issue 6, page no. 28 – 34.
• Brooks and Lanza, 2006, Why Companies Are Not Implementing Audit, Antifraud and Assurance Software… and How to Fix It, Commentary, Information Systems Control Journal, Volume 1, page no. 30 – 31.
• Smith M., 2006, Overview of Mobile Technology, Feature, Information Systems Control Journal, Volume 1, page no. 48 – 54.
• Singleton Tommie, 2006, What Every IT Auditor Should Know About Wireless Telecommunication, IT Audit Basics, Information Systems Control Journal, Volume 4, page no. 19 – 21.
• Pironti John, 2006, Information Security Governance: Motivations, Benefits and Outcomes, Feature, Information Systems Control Journal, Volume 4, page no. 45 – 48.
• Musaji Yusuf, 2006, A Holistic Definition of IT Security – Part 1, Feature, Information Systems Control Journal, Volume 3, page no. 43 – 46.
• Musaji Yusuf, 2006, A Holistic Definition of IT Security – Part 2, Feature, Information Systems Control Journal, Volume 4, page no. 51 – 56.
• Singleton Tommie, 2006, What Every IT Auditor Should Know About Wireless Cyber forensics, IT Audit Basics, Information Systems Control Journal, Volume 3, page no. 17 – 19.
• Sriram Revathy M., Systems Audit, Tata McGraw – Hill Publishing Company Ltd., New Delhi, ISBN 0-07-463888-2, page no. 20 – 25.
106. Online Reference Articles (Websites)
• Information Security Management Best Practice Based on ISO/IEC 17799, http://web10.epnet.com/externalframe.asp?tb=1and_ug=sid+CF486055%2DDFE 6%2D4133%2D9895%2D43D853AA7F23%40sessionmgr6+dbs+aph+cp+3+1B BCand_us=frn+1+hd+False+hs+True+cst+0%3B1%3B2+or+Date+fh+False+ss+ SO+sm+ES+sl+0+dstb+ES+mh+1+ri+KAAACB5A00052317+89FCand_uso=% 5F0andfi=aph_17554308_ANandlpdf=trueandpdfs=537Kandbk=Randtn=2andtp= CPandes=cs%5Fclient%2Easp%3FT%3DP%26P%3DAN%26K%3D17554308% 26rn%3D1%26db%3Daph%26is%3D15352897%26sc%3DR%26S%3DR%26D %3Daph%26title%3DInformation%2BManagement%2BJournal%26year%3D200 5%26bk%3Dandfn=1andrn=1, access date: January 06, 2006.
• Strategies and Financial Instruments for Disaster Risk Management in Latin America and the Caribbean, http://www.iadb.org/sds/doc/ENV145- StratFinanciaInstruments-E.pdf, access date: January 06, 2006.
• Disaster Risk Management Programme, http://www.ndmindia.nic.in/EQProjects/goiundp2.0.pdf, access date: January 06, 2006.
• Put IT security at top of biz to-do list, http://web30.epnet.com/citation.asp?tb=1and_ug=sid+22A6C4C7%2D8455%2D4 718%2D8ADC%2DC89ED6189820%40sessionmgr5+dbs+aph%2Cbuh%2Cbwh %2Cc1h+cp+3+ECEDand_us=frn+1+hd+False+hs+False+or+Date+fh+False+ss +SO+sm+ES+sl+%2D1+dstb+ES+mh+1+ri+KAAACB1C00000789+2B8Fand_u so=%5F3andfn=1andrn=1, access date: January 06, 2006.
• Put IT security at top of biz to-do list1, http://web30.epnet.com/citation.asp?tb=1and_ug=sid+22A6C4C7%2D8455%2D4 718%2D8ADC%2DC89ED6189820%40sessionmgr5+dbs+aph%2Cbuh%2Cbwh %2Cc1h+cp+3+ECEDand_us=frn+1+hd+False+hs+False+or+Date+fh+False+ss +SO+sm+ES+sl+%2D1+dstb+ES+mh+1+ri+KAAACB1C00000789+2B8Fand_u so=%5F3andcf=1andfn=1andrn=1, access date: January 06, 2006.
107. • Bottom-Up InfoSec Trumps Top-Down, http://web30.epnet.com/externalframe.asp?tb=1and_ug=sid+22A6C4C7%2D8455 %2D4718%2D8ADC%2DC89ED6189820%40sessionmgr5+dbs+aph%2Cbuh%2 Cbwh%2Cc1h+cp+3+ECEDand_us=hd+False+hs+False+or+Date+fh+False+ss+ SO+sm+ES+sl+%2D1+ri+KAAACB1C00000789+dstb+ES+mh+1+frn+1+6513a nd_uso=%5F3andfi=aph_18686588_ANandlpdf=trueandpdfs=175Kandbk=Candt n=102andtp=CPandes=cs%5Fclient%2Easp%3FT%3DP%26P%3DAN%26K%3 D18686588%26rn%3D3%26db%3Daph%26is%3D00104841%26sc%3DR%26S %3DR%26D%3Daph%26title%3DComputerworld%26year%3D2005%26bk%3 DCandfn=1andrn=3and, access date: January 06, 2006.
• Feds Make Security a Priority in IT Purchases, http://web30.epnet.com/externalframe.asp?tb=1and_ug=sid+22A6C4C7%2D8455 %2D4718%2D8ADC%2DC89ED6189820%40sessionmgr5+dbs+aph%2Cbuh%2 Cbwh%2Cc1h+cp+3+ECEDand_us=hd+False+hs+False+or+Date+fh+False+ss+ SO+sm+ES+sl+%2D1+ri+KAAACB1C00000789+dstb+ES+mh+1+frn+1+6513a nd_uso=%5F3andfi=aph_18458078_ANandlpdf=trueandpdfs=861Kandbk=Candt n=102andtp=CPandes=cs%5Fclient%2Easp%3FT%3DP%26P%3DAN%26K%3 D18458078%26rn%3D6%26db%3Daph%26is%3D00104841%26sc%3DR%26S %3DR%26D%3Daph%26title%3DComputerworld%26year%3D2005%26bk%3 DCandfn=1andrn=6and, access date: January 06, 2006.
• Playing Nice With Physical Security, http://web30.epnet.com/externalframe.asp?tb=1and_ug=sid+22A6C4C7%2D8455 %2D4718%2D8ADC%2DC89ED6189820%40sessionmgr5+dbs+aph%2Cbuh%2 Cbwh%2Cc1h+cp+3+ECEDand_us=hd+False+hs+False+or+Date+fh+False+ss+ SO+sm+ES+sl+%2D1+ri+KAAACB1C00000789+dstb+ES+mh+1+frn+1+6513a nd_uso=%5F3andfi=aph_18458521_ANandlpdf=trueandpdfs=174Kandbk=Candt n=102andtp=CPandes=cs%5Fclient%2Easp%3FT%3DP%26P%3DAN%26K%3 D18458521%26rn%3D7%26db%3Daph%26is%3D00104841%26sc%3DR%26S %3DR%26D%3Daph%26title%3DComputerworld%26year%3D2005%26bk%3 DCandfn=1andrn=7and, access date: January 06, 2006.
108. • Investment Banking and Security Market Development: Does Finance Follow Industry, http://www.people.hbs.edu/banand/investmentbanking.pdf, access date: April 04, 2006.
• (Goldman Sachs) Conference of Electronic Security in the Payments System, http://www.newyorkfed.org/newsevents/events/banking/1997/confelec/managsec. html, access date: April 04, 2006.
• DENY ALL AND NET2S HIGHLIGHT SECURITY THREAT TO INVESTMENT BANKING COMMUNITY, http://www.net2s.com/majic/sites/1/doc/CP_2005/Deny_All_and_Net2S_release_ FINAL_FINAL.pdf, access date: April 04, 2006.
• Managed Security Services, http://www.btglobalservices.com/business/ie/en/products/docs/mss_singles.pdf, access date: April 04, 2006.
• Security and Privacy, http://newsroom.cisco.com/dlls/tln/tlsummit/pdf/Security_and_Privacy_Summit_ Overview.pdf?sid=ETL_200_HP_MPC4, access date: April 04, 2006.
• An IT security manager’s checklist, http://www.expresscomputeronline.com/20051226/bestdefence03.shtml, access date: April 04, 2006.
• VoIP vs. the good old telephone, http://www.expresscomputeronline.com/20060410/management02.shtml, access date: April 04, 2006.
• Information Security Research Center, http://www.csoonline.com/research/infosec/networks.html, access date: April 04, 2006.
• http://www.csoonline.com/research/infosec/response.html, access date: April 04, 2006.
• Information Security Risk Assessment, http://www.ffiec.gov/ffiecinfobase/booklets/information_security/02_info_securit y_%20risk_asst.htm, access date: April 04, 2006.
109. • Understanding and Influencing Attackers’ Decisions: Implications for Security Investment Strategies, http://weis2006.econinfosec.org/prog.html, access date: August 22, 2006.
• IS THERE A COST TO PRIVACY BREACHES? AN EVENT STUDY, http://weis2006.econinfosec.org/docs/40.pdf, access date: August 22, 2006.
• Bootstrapping the Adoption of Internet Security Protocols, http://weis2006.econinfosec.org/docs/46.pdf, access date: August 22, 2006.
• Justifying Spam and E-mail Virus Security Investments: A Case Study, http://weis2006.econinfosec.org/docs/13.pdf, access date: August 22, 2006.
• 2004 Global Risk Management, http://www.deloitte.com/dtt/cda/doc/content/dtt_financialservices_GlobalRiskMa nagementSurvey2005_061204.pdf, access date: August 22, 2006.
• Top five imperatives for Banks in 2005, http://www.infosys.com/finacle/pdf/Top_Five_Imperatives_for_Banks_in_2005.p df, access date: August 22, 2006.
• A broader context for information security, http://mba.tuck.dartmouth.edu/digital/PressHits/FTSecurity.pdf, access date: August 22, 2006.
• Spotlight on Operational risk management, http://www.kpmg.com/Rut2000_prod/Documents/4/OperationalRisk.pdf, access date: August 22, 2006.
• Spotlight on Credit risk management, http://www.kpmg.com/Rut2000_prod/Documents/4/CreditRiskManagement.pdf, access date: August 22, 2006.
• Customer Case Study: Thomas Weisel Partners, http://www.ncircle.com/pdf/weisel_final.pdf, access date: August 22, 2006.
• Bank Outsourcing Management, http://www.fwfinancial.org/documents/BOMFall05.pdf, access date: August 22, 2006.
110. • The Records Compliance Management Company, http://www.axsone.com/pdf/ILM_for_Investment_Banking.pdf, access date: March 31, 2006.
• DENY ALL AND NET2S HIGHLIGHT SECURITY THREAT TO INVESTMENT BANKING COMMUNITY, http://www.net2s.com/majic/sites/1/doc/CP_2005/Deny_All_and_Net2S_release_ FINAL_FINAL.pdf, access date: March 31, 2006.
• Security Solutions to Support Compliance with the Gramm-Leach-Bliley Act, http://www.verisign.com/static/005563.pdf, access date: August 22, 2006.
• The Place of Risk Management in Financial Institutions, http://fic.wharton.upenn.edu/fic/papers/95/9505.pdf, access date: August 22, 2006.
• A Few Good Metrics, http://www.csoonline.com/read/070105/metrics.html, access date: October 12, 2006.
• How Can Security Be Measured?, http://www.isaca.org/Template.cfm?Section=HomeandCONTENTID=24174andT EMPLATE=/ContentManagement/ContentDisplay.cfm, access date: October 12, 2006.
• IS RISK ASSESSMENT MEASUREMENT, http://www.isaca.org/Template.cfm?Section=Downloads6andCONTENTID=187 43andTEMPLATE=/ContentManagement/ContentDisplay.cfm, access date: October 12, 2006.
• FBI 2006, http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf, access date: October 12, 2006.
• ASP SECURITY, http://infosecuritymag.techtarget.com/articles/october01/features_ASP_security.s html#t1, access date: November 04, 2006.
• http://www.tcs.com/0_media_room/releases/200209sept/20020917_riskscan.htm, access date: November 04, 2006.
111. • Checklist for Information Security Steps, http://www.bankersonline.com/tools/infosec_newchecklist.pdf, access date: November 04, 2006.
• Know Thy Firewall, http://www.bankersonline.com/technology/rm_knowthyfirewall.html, access date: November 04, 2006.
• Access Controls and User Permissions, http://www.bankersonline.com/tools/infosec_newchecklist.doc, access date: November 04, 2006.
• Sample risk analysis, http://www.bankersonline.com/tools/security/rm_sampleriskanalysis.xls, access date: November 04, 2006.
• Employee Guide to Information Security, http://www.bankersonline.com/tools/infosecguide_jt.doc, access date: November 04, 2006.
• InfoSec Service Provider Risk Assessment Matrix, http://www.bankersonline.com/tools/serviceprovider_matrix.doc, access date: November 04, 2006.
• InfoSec Contract Provisions Monitoring Chart, http://www.bankersonline.com/tools/sp_contractmonitoring.doc, access date: November 04, 2006.
• Branch Security Review Checklist, http://www.bankersonline.com/tools/branchsecurity2.doc, access date: November 04, 2006.
• Night Inspection Evaluation Form, http://www.bankersonline.com/tools/nightinspecform.doc, access date: November 04, 2006.
• Suspicious Activity Investigation Report, http://www.bankersonline.com/tools/operational/suspiciousactivityinvestigationre port.doc, access date: November 04, 2006.
112. • Sample Investigative Report, http://www.bankersonline.com/tools/sampinvrept.html, access date: November 04, 2006.
• RECORD RETENTION POLICY, http://www.bankersonline.com/tools/RecordRetention2.doc, access date: November 04, 2006.
• Bomb Warning form, http://www.bankersonline.com/security/warningform.doc, access date: November 04, 2006.
• http://www.bankersonline.com/tools/tools_security.html#newchecklist, access date: November 04, 2006.
• http://www.bankersonline.com/tools/tools_ppp.html#1c, access date: November 04, 2006.
• IT Security Challenges, http://www.networkmagazineindia.com/200304/20030406cov1.jpg, access date: November 04, 2006.
• Current and Planned use of Technologies, http://www.networkmagazineindia.com/200304/20030407cov1.jpg, access date: November 04, 2006.
• Causes of unavailability of critical business systems, http://www.networkmagazineindia.com/200304/20030408cov1.jpg, access date: November 04, 2006.
• What are the current access control measures used?, http://www.networkmagazineindia.com/200304/20030410cov1.jpg, access date: November 04, 2006.
• What are the encryption tools being used?, http://www.networkmagazineindia.com/200304/20030409cov1.jpg, access date: November 04, 2006.
• Network Magazine (Information Security: A new approach), http://www.networkmagazineindia.com/200304/cover1.shtml, access date: November 04, 2006.
113. • What are the prevalent security tools and practices?, http://www.networkmagazineindia.com/200304/20030411cov1.jpg, access date: November 04, 2006.
• How effective is your Security Policy, http://www.networkmagazineindia.com/200211/cover1.shtml, access date: November 04, 2006.
• The ROI of Security, http://www.sei.cmu.edu/news-at ei/columns/security_matters/2006/05/security-matters-2006-05.htm, access date: November 04, 2006.
• Information Technology Examination Officer's Questionnaire, http://www.fdic.gov/regulations/examinations/questionnaire/index.html, access date: November 04, 2006.
• Positioning and Basic Structure of the Security Policy, http://www.kantei.go.jp/foreign/it/security/2001/g3.html, access date: November 04, 2006.
• Information Security Management BS 7799.2:2002 - Audit Check List, http://www.sans.org/score/checklists/ISO_17799_checklist.pdf#search=%22quest ionnaire%20for%20Information%20security%20%26%20risk%20management% 22, access date: November 04, 2006.
• Largest Public sector bank, http://www.alliedindia.com/casestudies.html, access date: November 04, 2006.
• Largest Private Bank, http://www.alliedindia.com/case_bank.html, access date: November 04, 2006.
• Security concerns of banking IT systems should be guarded, http://www.banknetindia.com/banking/6911.htm, access date: November 04, 2006.
114. APPENDIX – I
QUESTIONNAIRE
General Information
Name of the organization: …
Type of Organization:
• (Apex Body) Central Bank
• (Public Sector Commercial Bank) Nationalised Bank
• Private Sector Commercial Bank
• Co-operative Bank
• Foreign Banks operating in India
Location:
• Metro Cities
• B-Class Cities
• C-Class Cities
• Rural Areas
Name & Designation of the respondent:
115. Risk Assessment Questions
The answers to the following questions would help in understanding and evaluating the threats to the information resources in the organizations.
A. Physical Security
Columns: Sr. | Criterion | Risk Value | Criterion Weight | Total (Risk Value X Weight)
1. Are physical access controls (like identity badges, security cards, etc.) available? Are they fully adequate and effective?
   (a) Yes, fully adequate and effective. (b) Yes, reasonably adequate and effective. (c) Totally ineffective.
2. Status of environmental controls (air conditioners, smoke detectors, etc.)
   (a) Always up to the standards. (b) Not always up to the standards. (c) Not monitored.
3. Are good housekeeping procedures distributed?
   (a) Yes, strictly followed and kept up-to-date. (b) Yes, mostly followed and reasonably up-to-date. (c) No procedure available.
4. Have physical security aspects been audited?
   (a) Yes, less than a year ago. (b) Yes, more than a year ago. (c) Never.
116. 5. Are mission critical systems in a location to which access is restricted to authorised personnel only?
   (a) Yes, adequately. (b) Yes, reasonably. (c) No.
6. Are all desktops and notebooks equipped with anti-theft devices?
   (a) Yes, adequately. (b) Yes, reasonably. (c) No.
7. Are power protection devices installed to protect the systems from any power disruptions?
   (a) Yes, adequately. (b) Yes, reasonably. (c) No.
8. Are hacker attempts on desktops, laptops and servers reported to abuse@bank.com?
   (a) Yes, always. (b) Yes, in some cases. (c) Never.
9. Are any devices such as smoke detectors, water detectors, fire suppression systems, temperature sensors, etc., installed to safeguard the systems / servers from such unforeseen incidents?
   (a) Yes, and they are checked regularly. (b) Yes, checked whenever required. (c) Not installed.
117. B. Personnel Security
Columns: Sr. | Criterion | Risk Value | Criterion Weight | Total (Risk Value X Weight)
1. Are employment verifications performed prior to hiring?
   (a) Yes. (b) Yes, sometimes. (c) Never.
2. Are employees required to sign conflict of interest or code of conduct statements at the time of hiring?
   (a) Yes, always. (b) Yes, sometimes. (c) Never.
3. Are all the concerned employees handed a copy of the security procedures at the time of hiring?
   (a) Yes, always. (b) Yes, but not regularly. (c) Never.
4. Are all employees regularly reminded about the importance of computer security?
   (a) Yes, always. (b) Not regularly. (c) Never.
5. Have personnel security aspects been audited?
   (a) Yes, less than a year ago. (b) Yes, more than a year ago. (c) No.
118. C. Data Security
Columns: Sr. | Criterion | Risk Value | Criterion Weight | Total (Risk Value X Weight)
1. Are security standards, policies and guidelines about data security distributed to all the employees?
   (a) Yes, fully adequate and up-to-date. (b) Yes, reasonably adequate but needs improvement. (c) Never, not available.
2. Are the security aspects of the operating systems adequate and used effectively to control access to the data files?
   (a) Yes, used effectively. (b) Not used effectively. (c) Security features not adequate.
3. Are access rules and privileges for gathering data files always in line with the employee’s job duties?
   (a) Yes, always. (b) Mostly. (c) No.
4. Are data / system owners or custodians established for all critical and sensitive data?
   (a) Yes, always. (b) Yes, mostly. (c) No.
5. Are data / system users established for all important data files?
   (a) Yes, always. (b) Yes, but not always. (c) Never.
119. 6. Do data / system users need permission from the data / system owners before making changes to critical and sensitive data files and programs?
   (a) Yes. (b) Yes, permission is delegated. (c) No permission needed.
7. Have data security aspects been audited?
   (a) Yes, less than a year ago. (b) Yes, more than a year ago. (c) Never.
120. D. Data Backup and Recovery
Columns: Sr. | Criterion | Risk Value | Criterion Weight | Total (Risk Value X Weight)
1. Does the bank regularly take the server backup? Does the server backup procedure include secure off-site storage?
   (a) Yes, once a week. (b) Yes, once a quarter. (c) Never.
2. Does the bank periodically test restoration of server files?
   (a) Yes, regularly. (b) Yes, whenever required. (c) Never.
3. Do all users store local data in a single directory to simplify backup and ensure all data is captured?
   (a) Yes, always. (b) Yes, whenever required. (c) Never.
4. Are backup needs periodically reviewed?
   (a) Yes, less than a year ago. (b) Yes, more than a year ago. (c) Never.
    121. E. Applications Software Security
    Columns: Sr. | Criterion | Risk Criterion | Total Risk (Value X Weight)
    1. Are security standards, policies and guidelines about application software security distributed to all the employees?
       (a) Yes, fully adequate and up-to-date. (b) Yes, reasonably adequate but needs improvement. (c) Never, not available.
    2. Do functional users and auditors participate in systems development and maintenance?
       (a) Yes, users and auditors participate. (b) Yes, sometimes the users do but not the auditors. (c) Neither users nor auditors participate.
    3. Is there a standard system development and maintenance methodology, and is it followed?
       (a) Yes, always. (b) Not always. (c) No methodology exists.
    4. Are software packages purchased and used?
       (a) Used with major changes. (b) With minor changes. (c) Used but with major changes and combined with in-house developments.
    122. 5. Are appropriate application software updates and security patches applied in a timely manner to all bank computers and servers?
       (a) Yes, regularly. (b) Yes, when required. (c) No, done only during the maintenance stage.
    6. Does the staff have the appropriate level of access to applications based on their current responsibilities?
       (a) Yes, it is verified. (b) Yes, it is provided to all. (c) No such policy in place.
    7. Is application access promptly removed for employees who have left the department?
       (a) Yes, promptly. (b) Yes, when identified. (c) No such policy in place.
    123. F. Systems Software Security
    Columns: Sr. | Criterion | Risk Criterion | Total Risk (Value X Weight)
    1. Are security standards, policies and guidelines about systems software security distributed to all the employees, and are they adequate?
       (a) Yes, fully adequate and up-to-date. (b) Yes, reasonably adequate but needs improvement. (c) Never, not available.
    2. Are proper files for monitoring security violations listed and reviewed?
       (a) Listed and reviewed. (b) Listed but not reviewed. (c) Neither listed nor reviewed.
    3. Are powerful utility programs prescribed and controlled properly?
       (a) Yes. (b) Normally, yes. (c) Never.
    4. Have systems software security aspects been audited?
       (a) Yes, less than a year ago. (b) Yes, more than a year ago. (c) Never.
    124. G. Telecommunications Security
    Columns: Sr. | Criterion | Risk Criterion | Total Risk (Value X Weight)
    1. Are security standards, policies and guidelines about telecommunications security distributed to all the employees, and are they adequate?
       (a) Yes, fully adequate and up-to-date. (b) Yes, reasonably adequate but needs improvement. (c) Never, not available.
    2. Are there any special features to effectively control access to the telecommunication programs and data files, and are they being used effectively?
       (a) Yes, used effectively. (b) Yes, but not used effectively. (c) Not in place.
    3. Are terminal IDs part of the user identification and authentication process?
       (a) Yes, always. (b) Yes, but not always. (c) Never.
    4. Are security related controls over the program, data and message transmission activities adequate and effective?
       (a) Yes, fully adequate and effective. (b) Yes, fairly adequate but needs improvement. (c) Not at all adequate or effective.
    125. 5. Have telecommunications security aspects been audited?
       (a) Yes, less than a year ago. (b) Yes, more than a year ago. (c) Never.
    6. Does the bank allow modems attached to servers / systems that can receive calls?
       (a) Not allowed at all. (b) Allowed sometimes. (c) Always allowed.
    126. H. Computer Operations Security
    Columns: Sr. | Criterion | Risk Criterion | Total Risk (Value X Weight)
    1. Are updated and acceptable standards, policies and guidelines about computer operations security distributed to employees?
       (a) Yes, adequate and up-to-date. (b) Yes, reasonably adequate but needs improvement. (c) Not in existence.
    2. Are access control systems built into the operating systems adequate, and are they used effectively to control operations staff's access to applications and systems software and data files?
       (a) Yes, used effectively. (b) Yes, but not used effectively. (c) No, not enabled.
    3. Are backup procedures for data and software adequate and well-documented, and are the procedures being followed?
       (a) Yes, followed rigidly. (b) Procedures are not followed regularly. (c) No procedures.
    4. Are all sensitive data used for authenticating a user, such as passwords, stored in protected files?
       (a) Yes, up-to-date. (b) Yes, but not up-to-date. (c) No.
    127. 5. Does the bank deactivate accounts for terminated or transferred employees in a timely manner?
       (a) Yes, handled very promptly. (b) Yes, during mass deactivation. (c) No.
    6. Does the bank periodically review current employee accounts that have not been used in a long time and consider deactivating them?
       (a) Yes, carried out regularly. (b) Yes, sometimes. (c) Never.
    7. Does the bank log and review multiple attempts to enter a password for a given account (e.g. locking out a user after three unsuccessful log-in attempts)?
       (a) Yes, followed rigidly. (b) Yes, but not followed rigidly. (c) No policy in existence.
    128. J. Review and Response
    Columns: Sr. | Criterion | Risk Criterion | Total Risk (Value X Weight)
    1. Is there a documented procedure for handling exceptions to security policies and standards, and does this procedure include the higher management levels too?
       (a) Yes. (b) No.
    2. Are particularly sensitive systems and infrastructures formally identified on a periodic basis?
       (a) Yes. (b) No.
    3. Are all the Information Systems in the premises insured for risk?
       (a) Yes. (b) No.
    4. Is there an alternate way of transferring the risk?
       (a) Yes. (b) No.
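    The questionnaire sections above leave the Risk Criterion Value, Weight and Total Risk columns for the assessor to fill in. The Python scorer below is added here as a worked example and is not part of the dissertation: it computes Total Risk = Value X Weight per criterion, sums it per section, reports blank items instead of scoring them as zero, and lists the items answered with the worst option. The answer-to-value mapping, the weights, the sample answers for Section D and the Low/Medium/High thresholds are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Risk value for each answer letter. The questionnaire's "Risk Criterion Value"
# and "Weight" columns are left blank for the assessor; the values below are
# constructed for this example: (a) is the safest answer, (c) the riskiest.
RISK_VALUE: Dict[str, int] = {"a": 1, "b": 2, "c": 3}
WORST = max(RISK_VALUE.values())


def _letter(answer: str) -> str:
    """Normalise '(b)', 'B' or ' b ' to 'b'."""
    return answer.strip().lower().strip("()")


@dataclass
class Criterion:
    number: int
    question: str
    options: Dict[str, str]        # letter -> wording of the answer
    weight: int                    # assessor-assigned importance (constructed: 1..3)
    answer: Optional[str] = None   # letter ticked, or None if left blank

    def total_risk(self) -> Optional[int]:
        """Total Risk = Risk Criterion Value X Weight (the two blank columns)."""
        if self.answer is None:
            return None
        letter = _letter(self.answer)
        if letter not in self.options:
            raise ValueError(f"criterion {self.number}: unknown option {self.answer!r}")
        return RISK_VALUE[letter] * self.weight


def rate(ratio: float) -> str:
    """Qualitative band for scored risk relative to the worst possible score
    (thresholds are constructed for the example)."""
    if ratio < 0.4:
        return "Low"
    if ratio < 0.7:
        return "Medium"
    return "High"


@dataclass
class Section:
    name: str
    criteria: List[Criterion]

    def score(self) -> dict:
        """Sum Total Risk over answered criteria. Unanswered items are reported,
        not silently scored as zero, so a half-filled form cannot look low risk."""
        answered = [c for c in self.criteria if c.answer is not None]
        unanswered = [c.number for c in self.criteria if c.answer is None]
        total = sum(c.total_risk() for c in answered)
        maximum = sum(WORST * c.weight for c in answered)
        ratio = round(total / maximum, 2) if maximum else 0.0
        # Items answered with the worst option are the first to remediate.
        hotspots = [c.number for c in answered if RISK_VALUE[_letter(c.answer)] == WORST]
        return {"section": self.name, "total_risk": total, "max_risk": maximum,
                "risk_ratio": ratio, "rating": rate(ratio),
                "unanswered": unanswered, "hotspots": hotspots}


def build_backup_section() -> Section:
    """Section D (Data Backup and Recovery) with constructed weights and answers."""
    return Section("D. Data Backup and Recovery", [
        Criterion(1, "Regular server backup with secure off-site storage?",
                  {"a": "Yes, once a week", "b": "Yes, once a quarter", "c": "Never"},
                  weight=3, answer="(b)"),
        Criterion(2, "Periodic test of restoration of server files?",
                  {"a": "Yes, regularly", "b": "Yes, whenever required", "c": "Never"},
                  weight=3, answer="c"),
        Criterion(3, "Local data kept in a single directory for backup?",
                  {"a": "Yes, always", "b": "Yes, whenever required", "c": "Never"},
                  weight=1, answer="A"),
        Criterion(4, "Backup needs periodically reviewed?",
                  {"a": "Yes, less than a year ago", "b": "Yes, more than a year ago", "c": "Never"},
                  weight=2),   # left blank by the assessor
    ])


if __name__ == "__main__":
    print(build_backup_section().score())
```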
    129. APPENDIX – II GLOSSARY
    Authorized User: A University employee, student or other individual affiliated with the University who has been granted authorization by the Electronic Information Resource Proprietor, or his or her designee, to access an Electronic Information Resource and who invokes or accesses an Electronic Information Resource for the purpose of performing his or her job duties or other functions directly related to his or her affiliation with the University. The authorization granted is for a specific level of access to the Electronic Information Resource as designated by the Electronic Information Resource Proprietor, unless otherwise defined by University policy. An example of an Authorized User includes someone who handles business transactions and performs data entry into a business application, or someone who gathers information from an application or data source for the purposes of analysis and management reporting.
    Business Continuity Plan: A plan for the continued operation of critical business administration in the case of a disaster affecting normal functioning. A Business Continuity Plan is more all-inclusive than a Disaster Recovery Plan, which normally relates to information systems only. Overall business continuity planning is not within the scope of these Guidelines.
    Computer Virus: An example of Intrusive Computer Software (see definition below).
    Disaster: Any event or occurrence that prevents the normal operation of Electronic Information Resource(s) for a period of time, such that the resulting disruption and/or losses exceed the acceptable limits established consistent with these Guidelines. A disaster may occur as a result of a natural disaster (such as a flood, fire or earthquake), employee error or other accidents, long-term system failures, and criminal or malicious action.
    130. Disaster Recovery Plan: A written plan including provisions for implementing and running Essential Electronic Information Resources at an alternate site or provisions for equivalent alternate processing (possibly manual) in the event of a disaster.
    Intrusive Computer Software: Intrusive computer software (such as a computer virus) is an unauthorized program designed to embed copies of itself in other programs, to modify programs or data, or to self-replicate. Intrusive computer software may be spread via removable storage media or via a network. The term "intrusive computer software" as it is used in these Guidelines is intended to encompass the variety of such unauthorized programs, including viruses, bacteria, worms, Trojan Horses, etc.
    Security: Measures taken to reduce the risk of 1) unauthorized access to or modification of Electronic Information Resources, via logical, physical or managerial means; and 2) damage to or loss of Electronic Information Resources through any type of disaster (such as employee error or other accidents, long-term system failures, natural disasters, and criminal or malicious action). Security also encompasses measures taken to reduce the impact of any violation of security or a disaster that occurs despite preventive measures.
    Server: A multi-user computer, including mainframes, servers, and personal computers providing services to multiple users. A computer employed as a single-user workstation is not considered a server.
    Annual Loss Expectancy (ALE): The total amount of money that an organization will lose in one year if nothing is done to mitigate a risk.
    Annual Rate of Occurrence (ARO): The number of times that a risk is expected to occur during one year.
    Asset: Anything of value to an organization, such as hardware and software components, data, people, and documentation.
    131. Availability: The property of a system or a system resource that ensures that it is accessible and usable upon demand by an authorized system user. Availability is one of the core characteristics of a secure system.
    CIA: Confidentiality, Integrity, and Availability.
    Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes (ISO 7498-2).
    Control: An organizational, procedural, or technological means of managing risk; a synonym for safeguard or countermeasure.
    Cost-benefit analysis: An estimate and comparison of the relative value and cost associated with each proposed control so that the most effective are implemented.
    Decision support: Prioritization of risk based on a cost-benefit analysis. The cost for the security solution to mitigate a risk is weighed against the business benefit of mitigating the risk.
    Impact: The overall business loss expected when a threat exploits a vulnerability against an asset.
    Integrity: The property that data has not been altered or destroyed in an unauthorized manner.
    Mitigation: Addressing a risk by taking actions designed to counter the underlying threat.
    132. Mitigation solution: The implementation of a control, which is the organizational, procedural, or technological control put into place to manage a security risk.
    Probability: The likelihood that an event will occur.
    Qualitative risk management: An approach to risk management in which the participants assign relative values to the assets, risks, controls, and impacts.
    Quantitative risk management: An approach to risk management in which participants attempt to assign objective numeric values (for example, monetary values) to the assets, risks, controls, and impacts.
    Reputation: The opinion that people hold about an organization; most organizations' reputations have real value even though they are intangible and difficult to calculate.
    Return On Security Investment (ROSI): The total amount of money that an organization is expected to save in a year by implementing a security control.
    Risk: The combination of the probability of an event and its consequence.
    Risk assessment: The process by which risks are identified and the impact of those risks determined.
    Risk management: The process of determining an acceptable level of risk, assessing the current level of risk, taking steps to reduce risk to the acceptable level, and maintaining that level of risk.
    Single Loss Expectancy (SLE): The total amount of revenue that is lost from a single occurrence of a risk.
    133. Threat: A potential cause of an unwanted impact to a system or organization.
    Vulnerability: Any weakness, administrative process, or act or physical exposure that makes an information asset susceptible to exploit by a threat.
    134. APPENDIX – III POCKET MATERIAL
    • FLASH FILMS INCLUDED IN THE CD
    • FLASH SCREEN SAVERS INCLUDED IN THE CD
    135. APPENDIX – IV BRANCH SECURITY REVIEW CHECKLIST
    BRANCH: ________ Date: ________
    Section 1 Physical Vulnerability (YES / NO / N/A)
    1. Do all office windows permit an unobstructed view of the bank's interior?
    2. Are all exterior doors and windows equipped with tamper-resistant locks?
    3. If the office is located in a mall or a multi-tenant office building, is the ceiling crawl space separated from the crawl space over the adjacent stores or offices?
    4. Are entrances from the basement, corridors, and upper floors secured?
    5. Are all non-public entrances secured during business hours?
    6. Is the area surrounding the office free of visual obstructions such as architectural and landscaping features which could provide cover for would-be robbers?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    136. Section 2 Lighting Systems (YES / NO)
    1. Do the lights illuminate all areas surrounding the building, including ATMs, night depositories, walkways and parking lots?
    2. Does the branch have an independent power source (battery or generator power) for emergency lighting?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    137. Section 3 Vaults (YES / NO)
    1. Is the vault equipped with a ventilator to provide air to an employee in the event of a lock-in?
    2. Is the vault equipped with an alarm or a telephone so an employee can signal for help if locked in?
    3. Are all employees trained in procedures to follow if locked in the vault?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    138. Section 4 Alarm Systems - General (YES / NO)
    1. Is the alarm control panel located inside the vault or in another secured area?
    2. Is the telephone junction box located in a secured area?
    3. Are the alarm terminals in the telephone junction box unmarked and known only to selected bank officials?
    4. Are preventive maintenance inspections of the alarm system and independent power source conducted by a qualified service contractor at least once every six months?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    139. Section 5 Point or Burglar Alarms (YES / NO)
    1. Are burglar alarms installed on all vaults, night depositories, ATMs, and safes?
    2. Is there an emergency power supply to assure continuous operation of the burglar alarm system for at least 80 hours in the event of a power failure?
    3. Has a burglar alarm response procedure (including all-clear) been developed that conforms with local police response procedures?
    4. Are procedures for operating, testing, and maintaining the burglar alarm system in place and rigorously followed?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    140. Section 6 Silent Robbery Alarms (YES / NO / N/A)
    1. Is the office protected by a silent alarm system?
    2. When triggered, does the alarm report directly to the police or to an intermediate or proprietary monitoring station?
    3. Has a robbery response plan been established and implemented which conforms to local police alarm response procedures?
    4. Are alarm actuators located at each teller station, inside the vault, and at all other workstations where currency is handled or customers are served?
    5. Can all alarm actuators be operated covertly?
    6. Do all employees receive initial training on how to actuate the alarm system and under what circumstances they should do so?
    7. Do all employees test their alarm actuators at least once a month?
    8. Are silent alarm annunciation lights installed in the employee lounge and back offices to alert employees when a robbery is in progress?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    141. Section 7 Closed-Circuit Television Surveillance Systems (YES / NO)
    1. Is the VCR working properly and are the camera angles appropriate?
    2. Do cameras provide surveillance of all office entrances?
    3. Do cameras provide surveillance of all teller stations?
    4. Are CCTV pictures periodically monitored by branch or security personnel during business hours?
    5. Is video from each camera continuously recorded?
    6. Are recorded videocassettes properly labeled and retained for at least one month before being erased and re-recorded?
    7. Is test video periodically reviewed by the security officer for coverage and clarity?
    8. Are all VCR heads cleaned routinely according to an established schedule?
    9. Is the system inspected by a qualified service technician at least twice a year?
    10. Are the video tapes changed on a regular schedule, i.e. each day, every Monday …? (review tape log and copy current page)
    11. Are the camera coverage and VCR recording checked on a daily basis, to ensure quality pictures and that the system is working correctly?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    142. Section 8 Night Depository (YES / NO)
    1. Is the area surrounding the night depository properly illuminated?
    2. If state or local ordinances specify lighting requirements, does your lighting system comply?
    3. Is the bag depository door equipped with a tamper-resistant lock?
    4. Is the unit designed to prevent "fishing" and "trapping" of deposits?
    5. Is the depository located so that any activity around the unit is visible from a public area?
    6. Are architectural and landscaping features around the night depository designed to deprive would-be robbers of concealed positions to await customers making deposits?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    143. Section 9 Automatic Teller Machines (YES / NO)
    1. Does the ATM have dual control?
    2. Are the cash dispenser and depository chute designed to prevent "fishing" and "trapping"?
    3. Is the surveillance camera positioned to record criminal activity at and around the ATM?
    4. Is the ATM located so that any activity around the ATM is visible from a public area?
    5. Are architectural and landscaping features around the ATM designed to deprive would-be robbers of concealed positions to await customers making deposits or withdrawals?
    6. If a remote ATM, is the service area equipped with a silent robbery alarm, telephone, or other means of communication with law enforcement officials?
    7. If a remote ATM, is the service entrance equipped with a viewing port or closed-circuit television system that allows personnel inside the service room to view activity outside?
    8. Does the ATM provide customers with adequate privacy to prevent bystanders from observing details of their transactions (e.g., entry of their PINs)?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    144. Section 10 Teller Stations (YES / NO)
    1. Are teller counters of sufficient height to discourage a bandit from vaulting them, or are they otherwise protected (e.g., by bullet-resistant windows)?
    2. Are teller counters manufactured with bullet-resistant materials or equipped with under-counter steel?
    3. Are access gates to teller areas kept secured during banking hours?
    4. Are all tellers equipped and trained to use bait money, dye packs or electronic homing devices in the event of a robbery?
    5. If teller nameplates or badges are used, are only first names used?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    Section 11 Safe Deposit Operations (YES / NO)
    1. Are renters positively identified before granting access?
    2. Is each coupon booth checked immediately after the customer leaves?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    145. Supporting Documentation:
    146. Section 12 Opening Procedures (YES / NO)
    1. Is the all-clear signal changed at least once every quarter?
    2. Are employees instructed to contact the security officer or the police if the all-clear signal is not displayed within the allotted time?
    3. Are the employees instructed not to gather at the bank entrance while awaiting entry?
    4. Are all persons except office employees refused entry to the office before opening?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    147. Section 13 Closing Procedures (YES / NO)
    1. Are all employees instructed to look for strangers and suspicious customer behavior at the end of the business day, and to actuate surveillance cameras and notify the security officer or branch manager if their suspicions are aroused?
    2. Is the banking office inspected to ensure that all valuables have been secured, all customers have left, all exterior windows and doors are securely locked, and all alarms, lighting, and security devices intended for use during non-business hours are operating?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    148. Section 14 Key and Combination Control (YES / NO)
    1. Is the number of keys assigned to employees kept to a minimum?
    2. Is a log maintained listing all employees who have received office keys?
    3. If a terminated employee fails to return a key, or is otherwise suspect, are the locks changed on all exterior doors?
    4. Are excess keys kept in a locked box in a secure area?
    5. Is dual control maintained over vault and safe combinations so that no single employee is capable of accessing the vault or safe alone?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    149. Section 15 Bait Money, Dye Packs and Electronic Homing Devices (YES / NO)
    1. If the bait money, dye pack or electronic device is disguised as strapped currency, is it banded with a fresh band and does it appear identical to regular strapped currency?
    2. Is bait money, a dye pack or an electronic homing device kept in an accessible place in each teller's top drawer?
    3. Is bait money, a dye pack or an electronic homing device also kept with cash reserves in the vault or safe?
    4. Does bait money consist of used Federal Reserve Notes?
    5. Are bait money forms initialed, dated and filed with the security officer or his designee?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    150. Section 16 Height Markers (YES / NO)
    1. Are height reference markers or visible strips of tape installed at a six-foot height on the door frames at all entrances to the office?
    2. Are height reference markers indicating counter height installed at each teller station?
    3. Are all employees trained to use height reference markers to estimate a suspect's height?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    151. Section 17 Visitor Identification Procedures (YES / NO)
    1. Is access to non-public areas within the banking office controlled by doors and gates that are locked at all times?
    2. Is a log book maintained to document all visitors entering restricted areas of the banking office?
    3. Are the visitor's identity and authorization verified by telephone to the visitor's company or office, unless both the visitor and the reason for the visit are known to office personnel?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    152. Section 18 Rubbish Retention (YES / NO)
    1. Is rubbish from the lobby, teller areas and other locations where transactions are conducted collected on a daily basis?
    2. After the retention period has expired, are all documents (e.g., deposit or withdrawal slips, voided checks, application forms, etc.) shredded, incinerated or disposed of by a bonded recycling company which guarantees their destruction?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    Section 19 Evidence Protection (YES / NO)
    1. Are employees trained to follow established procedures for handling and protecting evidence?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    153. Section 20 Fire Security (YES / NO)
    1. Is the office protected by smoke detectors and fire alarms?
    2. Is an adequate number of multi-purpose fire extinguishers located in accessible locations?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    Section 21 Training (YES / NO)
    1. Do branch personnel know what to do if they receive a bomb threat or extortion / kidnap call?
    2. Do branch personnel know the importance of maintaining confidentiality of security and operations procedures?
    Recommended Corrective Action and Date of Implementation:
    General Comment Section:
    Supporting Documentation:
    Source: Branch Security Review Checklist - http://www.bankersonline.com/tools/branchsecurity2.doc, access date: November 04, 2006.
