To Comply Board Approved ICT Security Policy Version 4.3 2023
Version: 4.3
Trust Bank Limited
May, 2023
Confidentiality
No part of this document may be disclosed verbally or in writing, including by reproduction, to any third party without the
prior written consent of the Bank. This document, its associated appendices and any attachments remain the property of the
Bank and shall be returned upon request.
©Trust Bank
4.3 Problem Management
4.3.1 Objective of Problem Management
4.3.2 Problem Management Policy
4.4 Capacity Management
4.4.1 Capacity and Performance Management
4.4.2 Performance Monitoring of IT Resources
4.4.3 Capacity Planning of IT Resources
Chapter 5
5.0 Infrastructures Security Management
5.1 Infrastructure Security Governance
5.2 Hardware and Software Security Policy
5.2.1 Software Modification and Code Review
5.2.2 Updates & Patch Management
5.3 Secure System Development Policy
5.4 Laptop Policy
5.5 BYOD Controls
5.6 Device Controls (Desktop and Laptop)
5.7 Security Baseline
5.7.1 Server Virtualization
5.7.2 Operating System Hardening
5.7.3 Network Hardening
5.7.4 Database Hardening
5.8 Data Encryption
5.9 Cryptography
5.9.1 Cryptographic Key Management
5.10 Vulnerability Assessment (VA) and Penetration Testing (PT)
5.11 Network Security Management
5.11.1 Network Access Control
5.11.2 Network Administration and Maintenance
5.11.3 Backup and Log Inspection
5.12 Internet Access Management
5.13 Email Management
5.14 Virus and Malicious Code Protection
5.15 Security Device Management
5.15.1 Baseline for System Configuration
5.15.2 Router & Firewall Usage
5.15.3 Router & Firewall Configuration
5.16 Cyber Security Governance and Security Operations Centre
5.17 Data Center Controls
5.17.1 Physical Security of Data Center and DR Site
5.17.2 Environmental Security of Data Center and DR Site
5.17.3 Fire Prevention of Data Center and DR Site
5.17.4 Equipment Security of DC & DR
5.17.5 Working outside Designated Office Hours
5.18 Branch Server Room Controls
5.18.1 Physical Security Branch Server Room
5.18.2 Branch Server Room Environmental Security
5.18.3 Branch Server Room Fire Protection
5.19 Mobile Device and Teleworking
5.20 Work from Home (WFH) Security
5.21 Remote Access (VPN)
Chapter 6
6.0 IT Operation Management
6.1 Operation of CBS, Application & System
6.1.1 Operating time schedule
6.1.2 IT Division responsibilities
6.1.3 Employee's responsibilities
6.2 Third Party Management
6.2.1 Third Party Software
6.2.2 Third Party Service Delivery
6.3 Asset Management
6.4 Disposal Policy
6.4.1 Disposal Policy of IT Equipment
6.4.2 Disposal Policy for Data /Documents/Payment Cards (Debit/Credit/Prepaid)
6.4.3 Considering factors for Data and Software removal
6.4.4 Factors regarding Deleting Data- technical aspects
6.4.5 Re-use of items from obsolete equipment
6.5 Insurance Fund & Depreciation
6.6 Data Leak Protection (DLP) Policy
6.6.1 Data in Motion
6.6.2 Data at Rest
6.6.3 Data in Use
6.7 Clear Desk and Clear Screen Management
6.8 Information Handling
6.9 Information Classification
6.9.1 Responsibility
6.9.2 Classification
6.9.3 Labelling
6.9.4 Handling
6.10 SECURITY CLASSIFICATION DEFINITIONS
6.10.1 PUBLIC
6.10.2 INTERNAL USE ONLY
6.10.3 PROTECTION
6.10.4 CONFIDENTIAL
6.10.5 PROTECTION
Chapter 7
7.0 User Access Management
7.1 User ID Management
7.2 Maintenance of System Users
7.3 Password Control
7.4 Input Control
7.5 Privileged Access Management
7.6 Data Confidentiality
7.7 Data Protection and Privacy
7.8 User Log Reports
Chapter 8
8.0 Business Continuity & Disaster Recovery Management
8.1 Business Continuity Plan
8.1.1 Guideline of BCP
8.1.2 Maintaining the BCP
8.1.3 Testing Continuity Plan
8.2 Disaster Recovery Management
8.2.1 Disaster Recovery Policy
8.2.2 DR Site Operation
8.3 Backup and Restore Policy
Chapter 9
9.0 Acquisition and Development of Information Systems
9.1 ICT Project Management
9.2 In-house Software
9.2.1 In-house Software Development
9.2.2 Software/Application Rollout
9.3 Statutory Requirements
9.4 In-house Application Security
9.5 Software Security Framework
9.6 Software Documentation
9.7 Outsourced Software Procurement Policy
9.8 Software licensing
9.9 Legal reference
Chapter 10
10.0 Service Provider Management
10.1 Outsourcing
10.1.1 Outsourcing Governance
10.1.2 Practices of Outsourcing activities
10.1.3 Considering factors for Outsourced System
10.1.4 Vendor Selection
10.1.5 Vendor Management
10.2 Service Level Agreement Policy
10.3 Cross-border System Support
10.4 Data Ownership
Chapter 11
11.0 Alternative Delivery Channels
11.1 ATM and POS Transactions
11.2 Internet Banking
11.2.1 Security of Internet Banking
11.2.2 Operation of Internet Banking
11.2.3 Awareness for Internet Banking
11.3 Payment Cards
11.3.1 Payment Card Industry Data Security Standard (PCI DSS)
11.3.2 Card Data Retention Policy
11.4 Auxiliary Services
11.4.1 SMS Banking Service
11.4.2 Phone Banking Service
11.5 Contact Center Security
Chapter 12
12.1 Customer Education
12.2 Customer Awareness Program
12.2.1 Preparing work plan
12.2.2 Define objective of the program
12.2.3 Formulating primary channels for the program
12.2.4 Formulating program through interactive broadcast media
12.2.5 Outcome/Effectiveness of each awareness program
Chapter 13
13.1 Human Resources Security Management
13.1.1 Prior to Employment
13.1.2 Screening
13.1.3 Terms and Conditions of Employment
13.1.4 Information and Cyber Security Awareness Program
13.1.5 Termination and Change of Employment
13.1.6 Social Media Policy
13.1.7 Social Engineering Policy
13.2 Sanctions on ICT Security Policy Violations
Acronyms
Annexures
Annexure 1: Service Request Form
Annexure 2: User Acceptance Test
Annexure 3: Dispensation Form
Annexure 4: Incident Reporting Form
Annexure 5: Remote VPN Access Request Form
Document Profile
Revision Number: 4.3
Document ID: TBL-ISMS-POL-01 - ICT Security Policy
Reviewed By: ICT Security Committee
Document Owner: CISO
Document Approver: Board of Directors
Approved Date: 15-05-23
Revision History
Approval List
Name            Position    Date
Humaira Azam    MD & CEO    15-05-23
                EC          18-07-23
                Board       12-08-23
The banking industry has changed the way it provides services to its customers and processes information in recent years. Information and Communication Technology (ICT) has brought about this momentous transformation. Security of information for a financial institution has therefore gained much importance, and it is vital for us to ensure that the risks are properly identified and managed. Moreover, information and information technology systems are essential assets for the Bank as well as for its customers and stakeholders. Information assets are critical to the services the Bank provides to its customers. Protection, data privacy and maintenance of these assets are critical to the organization's sustainability.
Trust Bank Limited (TBL) is one of the new generation private sector banks in the country, competing with 56 other banks nationwide, including nationalized, foreign and local commercial banks. Technological change and the diffusion of new technologies are moving at an incredible pace. Such development and diffusion make innovation ever more important if the Bank is to remain competitive. Trust Bank Limited shall take appropriate measures and accept responsibility for protecting information from unauthorized access, modification, disclosure and destruction.
a) Risk Assessment: TBL will conduct a risk assessment to identify information security risks, assess the
likelihood and impact of those risks, and prioritize risk mitigation activities.
b) Risk Treatment: TBL will select and implement appropriate controls to mitigate identified risks to an
acceptable level.
c) Information Security Controls: TBL will implement a set of information security controls based on
industry-recognized standards and best practices.
d) Incident Management: TBL will establish an incident management process to detect, respond to,
and recover from security incidents.
e) Business Continuity: TBL will develop and maintain a business continuity plan to ensure the timely recovery of critical business functions and information systems in the event of a disruption.
1.4 Scope
This Policy is a systematic approach required to ensure the security of information and information systems within TBL Head Office and Branches, and at any location from which the Bank's information is accessed, including home and offsite locations. It covers information that is electronically generated, received, stored, printed, scanned and typed. The provisions of this policy shall apply to:
An Acceptable Use Policy is intended to protect TBL employees, partners and the Bank from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. This ICT Security Policy is a systematic approach to the controls that must be formulated to ensure the security of information and ICT systems.
a. HRD has a responsibility to inform the relevant departments, through the appropriate channels, when an employee is leaving the Bank. Systems Administration will then immediately revoke all access rights previously assigned to the user.
b. PRIVATELY owned equipment belonging to employees must not be connected to the Bank's infrastructure. Any unauthorized equipment connected to the Bank's infrastructure will be identified and disconnected, and the user shall be held accountable, which may result in disciplinary action.
c. HACKING, i.e. attempting to gain unauthorized access to any computer system within the Bank, constitutes a criminal offence and will be subject to the appropriate legal process and/or the Bank's disciplinary procedures.
Under no circumstances is an employee of TBL authorized to engage in any activity that is illegal under local,
regulatory or international law while utilizing TBL owned resources.
1.6 Authority
This policy has the full support of the Management, Executive Committee and Board of Directors of TBL. It is currently in effect for all TBL employees and computer systems.
1.7 Violations
Violations may result in disciplinary action in accordance with Bank policy. Failure to observe these guidelines may result in disciplinary action by the Bank depending upon the type and severity of the violation, whether it causes any liability or loss to the Bank, and the presence of any repeated violation(s).
b) Information security personnel are responsible for implementing, maintaining, and continuously
improving the ISMS.
c) All employees, contractors, consultants, and third-party partners are responsible for complying with
this policy and related procedures, reporting security incidents, and participating in security awareness
training.
a. As Information & Communication Technology (ICT) is changing rapidly in the global environment, the ICT Security Policy may be amended and upgraded from time to time to adopt better practices.
b. Any such amendment or modification shall be made in consultation with the concerned divisions/departments.
c. The EC and the Board of TBL will give final approval to the policy on the recommendation of the ICT Security and Policy Review Committee.
The ICT Security Management of Trust Bank ensures that the ICT functions and operations are efficiently and effectively managed. It also ensures the maintenance of appropriate systems documentation, particularly for systems that support financial reporting. Trust Bank participates in ICT security planning to ensure that resources are allocated consistently with business objectives; this is also part of ICT Security Management. Sufficient and qualified technical employees are employed so that the continuity of ICT operations is not put at serious risk at any time.
Core principles for ICT security management are in the following areas:
i. Risk assessment
ii. Organizing information security
iii. Asset management
iv. Data center physical security
v. Information related communications and operations management
vi. Technology based access control
vii. System development and maintenance
viii. Information security incident management
ix. Business continuity management
x. IT security compliance
Trust Bank shall be aware of the capabilities of ICT and be able to appreciate and recognize both the opportunities it offers and the risks of its possible abuse. ICT Security Management covers Roles and Responsibilities, the ICT Security Policy, Documentation, Internal and External Information System Audit, Training and Awareness, and the Insurance or Risk Coverage Fund.
Information Security activities are concerned with the protection of information from unauthorized use and from accidental modification, loss or release. Information Security is based on the following three elements:
i. Confidentiality - ensuring that information is accessible only to those with authorized access.
ii. Integrity - safeguarding the accuracy and completeness of information and processing methods. Assets can be modified only by authorized persons/parties and only in authorized ways.
iii. Availability - ensuring that authorized users have access to information when required. Assets are accessible to authorized parties at appropriate times.
ICT Governance, as part of corporate governance, is aimed at ensuring that IT is managed to standards and in
accordance with best practices, so that the Bank's information and related technology support its business
objectives, its resources are used responsibly and its risks are managed appropriately.
Information security governance requires strategic, senior management commitment, resources and
assignment of responsibility for information security. ICT Governance stakeholders include Board of Directors,
MD/CEO, IT Steering Committee, IT Risk Management Committee, Chief Information Security Officer (CISO),
Chief Risk Officer (CRO) and Senior Business Executives. The Board of Directors and Executive Management
(IT Steering Committee) shall be responsible for overall ICT Governance.
Members of the Board need to be aware of the organization’s information assets and their criticality to
ongoing business operations. This can be accomplished by periodically providing the Board with the high-level
results of comprehensive risk assessments and business impact analysis. It may also be accomplished by
business dependency assessments of information resources. A result of these activities should include Board
members validating/ratifying the key assets they want protected and confirming that protection levels and
priorities are appropriate to a recognized standard of due care. The major responsibility of the Board for ICT
supervision is:
Information security affects all aspects of an organization. To ensure that all stakeholders affected by security
considerations are involved, a steering committee of executives shall be formed to serve as an effective
communication channel for management's aims and directions and to provide an ongoing basis for ensuring
alignment of the security program with organizational objectives. The ICT Steering Committee shall ensure that
an IT organizational structure exists, and shall evaluate ICT investments and resource usage to ensure that they
are in line with ICT strategies and the Bank's business objectives.
The committee is responsible for identifying, assessing and proposing mitigation for every
information-security-related risk. The committee will carry out this responsibility by interacting with various
committees and stakeholders and preparing plans, proposals, policies, procedures and guidelines.
2.3 Documentation
a. Internal Information System (IS) Audit shall be carried out by Internal Audit of the bank. Internal IS
audit shall be conducted by personnel with sufficient IS Audit expertise and skills.
b. IT Security Unit will coordinate with IS audit team for performing Vulnerability Assessment (VA) and
Penetration Test (PT).
c. Computer-Assisted-Auditing Tools (CAAT) may be introduced in the process to perform IS audit
planning, monitoring/auditing, control assessment, data extraction/analysis, fraud
detection/prevention and management.
d. Internal Information System audit shall be conducted once every year. The report must be
preserved as a ready reference for Bangladesh Bank and the Audit Committee.
e. Banks should also ensure that audit issues are properly tracked and, in particular, completely recorded,
adequately followed up and satisfactorily rectified.
f. An annual system audit plan shall be developed covering critical/major technology-based
services/processes and ICT infrastructure.
g. The branch shall take appropriate measures to address the recommendations made in the last Audit
Report. This must be documented and kept along with the Audit Report. IC&C Division shall also ensure
that audit issues are properly tracked, recorded, adequately followed up and satisfactorily rectified.
h. The branches shall take appropriate measures to address the recommendations made in the last
Audit Report. This must be documented and kept along with the Audit Report.
a. TBL may engage an external audit of its information systems in line with its regular IS
audit. The external audit report shall be preserved for regulators as and when required.
b. The audit report shall be preserved for regulators as and when required.
a. IT Division should obtain standard certifications or licenses, whichever are required, for the services
associated with Microsoft platforms (Windows OS and Office), Card Platform, Clearing/BACH, Core
Banking Software and Mobile Banking Platform.
b. Additionally, exposed/public portals such as the Website, Internet Banking, Mobile Banking,
Payment Card Data etc. also need standard certifications and licenses, such as SSL and HTTPS etc.
c. Upon approval, IT Division may introduce other certifications and licenses that are necessary for a
new system or platform, with prior approval if required. In this regard, IT Division should submit a
budget approval request and implementation plan to the appropriate authority (i.e. MD/EC/BoD) for
deploying or renewing licenses/certificates.
IT Risk is a growing component of total Operational Risk. As businesses increasingly depend on IT to automate
processes and store information, IT Risk Management is emerging as a separate practice. Organizations
across sectors and industries have begun to consolidate functions to develop a more comprehensive, focused
approach to IT Risk. IT Risk includes security, availability, performance and compliance elements, each with its
own drivers and capacity for harm.
In these circumstances, the major factors of IT Risk Management include the management of IT assets and of
configuration and change processes, which are particular problem areas. Best-in-class IT Risk Management
requires a disciplined approach that includes IT Risk awareness, quantification of business impacts, solution
design and implementation across people, process and technology, and creation of a sustained IT Risk
Management program complete with performance measurement and a model for continuous improvement.
An effective risk management system shall be in place for any new processes and systems, together with a
post-launch review. The risk management function should ensure awareness of, and compliance with, the ICT
security control policies, and should provide support for the investigation of any ICT-related frauds and incidents.
a. An ICT Risk Management Committee should be formed to govern the overall IT security risks and
relevant mitigation measures. The committee will be formed with representatives from AD, IT
Security Unit, IT, RMD, Operations and IC&C.
b. The ICT Risk Management Committee shall formulate “ICT Risk Management Policy” for the bank.
The policy shall include the followings for Risk Governance:
i. Risk Appetite and Risk Tolerance shall be reviewed and approved at regular intervals, and especially
when new technology, a new organizational structure, a new business strategy or other factors require
the enterprise to reassess its risk portfolio. Risk Appetite shall be expressed in terms of the
combination of frequency and magnitude of risk the Bank is prepared to absorb. Similarly, Risk
Tolerance shall define the tolerable deviation from the level set by the risk appetite. The defined
appetite and tolerance need approval from the Board/ICT Risk Management Committee and shall be
clearly communicated to all stakeholders.
ii. Risk Ownership shall be assigned to named individuals to ensure successful completion. Risk
accountability shall identify the owner, who shall have the required resources and the authority to
approve the execution and/or accept the outcome of an activity within specific IT Risk processes.
iii. Risk measurement shall be formulated so that the actual exposure to IT risk is understood and
openly communicated, enabling the definition of appropriate and informed risk responses.
iv. Risk criteria with risk grading for each event should be developed. A procedure shall be defined
for informing external stakeholders of the actual level of risk and the risk management processes in
use.
v. Risk Awareness: risk shall be well understood, and awareness recognized as the means to manage
risks. TBL shall make all internal stakeholders aware of the importance of integrating risk and
opportunity into their daily duties. Moreover, TBL shall be transparent to external stakeholders
regarding the actual level of risk and risk management processes in use.
c. IT Security Unit shall report status of identified ICT security risk to the ICT Security Committee and
ICT Risk Management Committee as and when required.
IT Operation Management covers the supervision of technology procedures, including capacity management,
request management, change management, incident and problem management, asset management and
operating environment events. Trust Bank's objective is to achieve the highest level of technology service
excellence while keeping risk to a minimum.
All change requests from a branch or division shall first be processed through the Business Committee for
approval. The Business Committee shall prepare a Business Requirement Document (BRD) covering the process
for the specific change, the system change requirements, and the impact the change will have on business
processes, security matrix, reporting, interfaces, etc.
a. Change Control
To effectively manage information resources, initial or baseline configurations of the information
resources and a change management process must be established prior to deployment.
b. Configuration Control
Configurations of information resources must be periodically reviewed to identify new vulnerabilities
and security requirements.
c. Standard Configuration
Standard configurations of hardware and software must be used to maintain a high level of
information security, enable cost-effective and timely maintenance and repair, and protect the
information resources against unexpected vulnerabilities.
d. Upgrading of software tools and databases:
A change of technology may be required. In-house software requirements shall be approved by the
appropriate authority.
e. General Controls
i. Initiating from a central management console.
ii. Providing scheduling, desktop management, standardization tools to reduce the costs
associated with distribution and management.
iii. Providing ongoing deployment for both new and legacy systems in mixed hardware and OS
environments.
iv. Scanning the entire network (IP address by IP address) and providing information such as
service pack level of the machine, missing security patches, key registry entries, weak
passwords, users and groups, and more.
v. Analyzing scan results using filters and reports to proactively secure information resources
(e.g., installing service packs and hot fixes, etc.).
vi. Audit trails shall be maintained for business applications.
An incident occurs when there is an unexpected disruption to the standard delivery of ICT services. The Bank
should appropriately manage such incidents to avoid mishandling that results in a prolonged disruption of
ICT services.
a. CERT shall be established and staffed to manage and respond to information security incidents.
b. The team shall be formed with representatives from IT Division, IT Security Unit and RMD with
necessary technical and operational skills to handle major incidents.
c. Information security incidents or events shall be reported in a timely manner to the required parties to
enable proper review of vulnerable controls and establishment of appropriate corrective measures in
order to reduce the likelihood of recurrence.
d. The team shall be responsible for specific event resolution and shall submit a post-incident report to the
Head of IT and IT Security Unit. The IS Audit team and the Head of IT Security Unit shall review all incident
reports for compliance.
e. The team shall initiate incident response procedures in the event of a security incident to contain the
incident, protect the confidentiality and integrity of the Bank’s information and information resources.
f. As incidents may stem from numerous factors, root-cause and impact analyses need to be performed
for major incidents which result in severe disruption of ICT services. The team shall be responsible for
processing all incident reports and all follow-up activities. The incident reports shall cover:
i. Identification and analysis of the root cause
ii. Impact analysis covering:
   Extent of the incident, including information on the systems, resources and customers that
   were affected;
   Magnitude of the incident, including foregone revenue, losses, costs, investments, number
   of customers affected, implications, and consequences to reputation and confidence;
   Breach of regulatory requirements and conditions as a result of the incident.
iii. Corrective and Preventive Measures
   Immediate corrective action to be taken to address the consequences of the incident. Priority
   shall be placed on addressing customers' concerns.
   Measures to address the root cause of the incident.
   Measures to prevent similar or related incidents from occurring.
iv. Summary of the causes
v. Frequency and damage assessments of information security incidents.
vi. Definition of incident severity levels
g. The management shall arrange the necessary training for managing and working as a response team.
h. The team shall be reshuffled at regular intervals, at minimum once a year.
i. In some situations, major incidents may further develop adversely into a crisis. Senior management
shall be kept apprised of the development of these incidents so that the decision to activate the
disaster recovery plan (DRP) can be made on a timely basis.
a. Information Processing Systems shall be protected against events that may jeopardize information
security by contaminating, damaging, or destroying information resources.
b. An Incident Management Framework shall be developed by Bank’s IT Security Unit and RMD for
incident management. The framework needs to cover:
i. Definition of Information security incidents or events
The aim of problem management is to determine and eliminate the root cause to prevent the occurrence of
repeated incidents. Problem management looks at wide-spread or recurring incidents and determines root
causes. Problem management can also prescribe changes in order to provide temporary workaround
solutions or to address the underlying problems.
The goal of problem management is to reduce the number and business impact of problems. The problem
management system ensures that problems are not only resolved but also investigated to prevent
recurrences, by establishing the root cause of incidents and then initiating actions to improve or correct the
situation. The objectives of Problem Management are to:
While the objective of incident management is to restore the ICT service as soon as possible, the aim of
problem management is to determine and eliminate the root cause to prevent the occurrence of repeated
incidents. The problem management policy shall cover:
The goal of capacity management is to ensure that ICT capacity meets current and future business requirements
in a cost-effective manner and to ensure that adequate capacity is available and that best and optimal use is
made of it to meet required performance needs.
IT Security Unit and IT Division shall ensure that the use of resources is monitored, tuned, and projections
made of future capacity requirements to ensure the adequate system performance.
This addresses the control over the IT process of managing the performance and capacity of information
systems that satisfies the business requirement to ensure that adequate capacity is available and that the best
and optimal use is made of it to meet required performance needs. It is enabled by data collection, analysis
and reporting on resource performance, application sizing and workload demand, and takes into
consideration:
IT Division shall ensure that the performance of IT infrastructure resources is continuously monitored and
exceptions are reported in a timely and comprehensive manner. Such monitoring can be conducted using a
licensed tool or by means of separate hardware. The following holds:
a. Central management and monitoring of the performance, utilization, response rate and status of all
LAN/WAN links connecting all clients, Head Office and information system locations shall be done
multiple times daily from the Data Center.
b. Management and monitoring of the performance of critical applications in the bank's information system
shall be done centrally.
c. Management and monitoring of the performance of all application and file servers shall be done at
regular intervals.
d. There shall be detailed monitoring of all processes and implementation of appropriate thresholds to
determine and plan additional resources to meet operational and business requirements effectively.
IT Division shall review hardware performance and capacity to ensure that cost-justifiable capacity always exists
to process the workloads. The capacity planning will be done in the following manner:
a. Monitoring and planning of capacity for databases hosting the Bank’s information system application
files shall be done once in a year.
b. Servers require particular attention, because of the much greater cost and lead time for
procurement of new capacity.
f. Where availability requirements have been identified, IT Division shall prevent resources from
becoming unavailable by implementing fault tolerance mechanisms, task prioritization and equitable
resource allocation mechanisms. Required capacity shall be acquired in a timely manner, taking into
account aspects such as resilience, contingency, workloads and storage plans.
Security means the protection of data and equipment from internal and external threats. Data, the priceless
asset of the Bank, shall be protected from hackers of any level. Infrastructure Security Management
describes how TBL will manage the procurement, configuration, operation and maintenance of information
resource hardware and software, whether located in the Bank or at offsite premises, in a manner that ensures
information security. Technology (hardware and software) security shall be implemented and maintained with
the appropriate level of technical and administrative controls to protect the technology and operations
infrastructure from intentional or unintentional unauthorized use, modification, disclosure or destruction.
Change control procedures, virus protection procedures, and standard configurations of hardware and
software must be implemented to reduce the Bank's exposure to unacceptable risks and vulnerabilities.
To avoid fraud and forgery, data and equipment shall be maintained in a secure manner, and the highest
priority shall be given to the security of data and equipment. The Security Policy covers data, data
handling, users and user access control, external attack, hardware, and the location and positioning of hardware.
The Bank shall establish necessary processes and technical controls to ensure that technology security is
maintained on its entire infrastructure.
a. IT Division and IT Security Unit shall be responsible for implementing the policy and securing of
servers/workstations.
b. IT Division shall be responsible for maintaining policies by setting standards and developing the
security processes and procedures.
c. IT Division shall be responsible for implementing processes and procedures.
d. The internal IT audit team shall review Audit trails and enforcement of the policy.
e. IT Division and IT Security Unit shall jointly coordinate with the IS Audit Team in conducting VA
& PT.
a. All software that can be modified must be managed through change control and management
process upon approval of Business Team.
b. Software containing modifications must be documented detailing the extent of the modifications.
The modifications must be fully reviewed, tested, documented, and installed in a controlled
environment to avert possible adverse effects on the security of the production environment.
c. Programs that contain custom code or scripts may be subject to an independent code review. The
independent code review will examine the source code and documentation to verify compliance with
the software design documentation and programming standards and to ensure the absence of
malicious code.
a. Successful Patch Management requires a robust and systematic process. The Patch Management
Lifecycle involves a number of key steps: preparation, vulnerability identification and patch acquisition,
risk assessment and prioritization, patch testing, patch deployment and verification.
b. Testing team of IT Division shall perform rigorous testing of security patches before deployment into
the production environment.
c. Information resources must use approved standard operating systems, including all approved
updates and patches. Operating systems must have controls in place to prevent a compromise of the
integrity of the computer operating system environment and must be configured to comply with
operating system security requirements.
d. Patches shall be rigorously tested in a non-production environment in order to check for unwanted
or unforeseen side effects.
e. A roll-back plan shall be developed, including backing up the systems about to be patched so that it
is possible to return to a known-good working configuration should something go wrong with the
patch; testing information resources after installation to ensure patches are installed properly; and
documenting all associated procedures, such as specific configurations required.
f. Patch management shall be capable of highly granular patch update and installation administration
(i.e. treating mainframes, servers, desktops and laptops separately), tracking machines, updating and
enforcing patches centrally, and verifying successful deployment on each machine.
g. Client settings, service packs, patches, hot fixes and similar items shall be deployed Bank-wide in a
timely manner in order to address immediate threats.
a. Laptops will be provided to selected employees (e.g. Executives, Auditors, Managers, IT Officials etc.).
b. A laptop request form with proper justification shall be completed by the employee's Head of Division
and submitted to the Purchase and Procurement Division.
c. The user shall take all reasonable measures to ensure the physical and digital security of the laptop,
such as locking the laptop in a secure location when it is not in use and changing the password as
often as required.
d. Laptops shall be joined to the TBL domain and have an antivirus system installed with updated
definitions. Users shall not install personal software on laptops.
e. If a laptop is lost or damaged by the employee, an amount equal to its depreciated value will be
deducted from the employee's salary and a new one will be issued as per procedure.
f. In the event of termination or retirement, laptops must be returned to IT Division.
g. Obsolete laptops shall be returned to IT Division. After removal of sensitive data, IT Division may
dispose of them through GSSD.
a. The use of all personal portable/external storage devices (e.g. smartphones, laptops, USB drives) is prohibited.
b. For emergency onsite support, vendors may connect to the TBL guest network, which shall be
completely separated from the corporate network.
a. To prevent damage to data and hardware, all desktop and laptop computers shall be connected to an
online or offline UPS.
b. Users shall apply the "lock workstation" feature (Ctrl+Alt+Delete, Enter) when leaving a desktop or
laptop unattended.
c. A password-protected screen saver shall be used to protect servers, desktops and laptops from
unauthorized access. The inactivity period shall not be more than One (01) minute.
d. Confidential or sensitive information stored on laptops and desktops must be encrypted.
e. All employees of the bank are responsible for turning off their desktop/laptop computers and
monitors at the end of each workday. When laptop computers are actively connected to the network
or information systems, they shall not be left unattended.
f. Laptop computers shall be kept in the custody of their authorized user. Computer media and removable
storage (e.g. diskettes, CD-ROMs, zip disks, pads, flash drives) shall be controlled.
g. Other information storage media containing private data, such as paper, files, tapes, etc., shall be
stored, as with tape or CD backups, in a protected location or locked cabinet when not in use.
h. Individual users do not have authority to install or download software applications and/or
executable files on any desktop or laptop computer without prior authorization. Only designated
personnel from the hardware or network department have the privilege to install or download
software.
Non-essential services - TBL shall configure operating systems to run only the services required to perform
the tasks for which they are assigned.
Patches and Fixes - As an ongoing task, it is essential that all operating systems be updated with the
latest vendor-supplied patches and bug fixes.
Password Management - Most operating systems today provide options for the enforcement of strong
passwords. TBL shall ensure that users are prevented from configuring weak, easily guessed passwords.
Unnecessary accounts - All guest, unused and unnecessary user accounts must be disabled or removed
from operating systems. It is also vital to keep track of employee turnover so that accounts can be
disabled when employees leave the organization.
File and Directory Protection - Access to files and directories must be strictly controlled through the use
of Access Control Lists (ACLs) and file permissions.
Updating Software and Hardware - TBL shall ensure that all networking software together with the
firmware in routers are updated with the latest vendor supplied patches and fixes.
Password Protection- TBL shall ensure that all the routers and wireless access points are protected with
strong passwords and relevant security.
Unnecessary Protocols and Services - All unnecessary protocols and services must be disabled and,
ideally, removed from any hosts on the network. For example, in a pure TCP/IP network environment it
makes no sense to have AppleTalk protocols installed on any systems.
Ports - All the unused ports must be blocked by a firewall and associated services disabled on any hosts
within the network.
Wireless Security - Wireless networks must be configured with highest available security level like with
WPA, WPA2 or any higher available level.
Restricted Network Access - TBL shall ensure that proper steps are taken to prevent unauthorized access
to internal networks. The first line of defense should involve a firewall between the network and the
internet. Other options include the use of Network Address Translation (NAT) and access control lists
(ACLs). Authorized remote access should be enabled through the use of secure tunnels and virtual private
networks.
Physical Database Server Security- The physical machine hosting a database of Trust Bank Ltd. should be
housed in a secured, locked and monitored environment to prevent unauthorized entry, access or theft.
Firewalls for Database Servers- The database server of Trust Bank Ltd. must be located behind a firewall
with default rules to deny all traffic. The database server firewall is to be opened only to specific
application or web servers. Firewall rule change control procedures should be in place and notification of
rule changes should be distributed to System Administrators (SAs) and Database Administrators (DBAs).
Firewall rules for database servers are to be maintained and reviewed on a regular basis by SAs and DBAs.
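The default-deny rule and the restriction of the database port to named application/web servers can be checked mechanically as part of the regular SA/DBA rule review. The following is an added example, not part of the Bank's policy or tooling; the simplified rule syntax, the addresses, the approved-server list and the port number 3306 are constructed for illustration.

```python
"""Audit a database-server firewall rule set against the requirement above:
default policy DENY, and the database port opened only to specific, approved
application/web servers.

Added example; not part of the Bank's policy text or any TBL tooling. The
simplified rule syntax, the addresses and the port number are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    source: object       # ipaddress network object (source CIDR)
    port: Optional[int]  # destination port; None means any port


def parse_rules(text: str) -> Tuple[str, List[Rule]]:
    """Parse the constructed rule syntax, one directive per line:
         default <allow|deny>
         <allow|deny> <source-cidr> <port|any>
    Text after '#' is a comment. Returns (default_policy, rules_in_order)."""
    default = None
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "default" and len(parts) == 2:
            default = parts[1].lower()
            continue
        if len(parts) != 3 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"unparseable rule: {raw!r}")
        port = None if parts[2] == "any" else int(parts[2])
        rules.append(Rule(parts[0], ip_network(parts[1], strict=False), port))
    if default is None:
        raise ValueError("rule set declares no default policy")
    return default, rules


def audit_db_firewall(text: str, approved_servers: Set[str], db_port: int) -> List[str]:
    """Return policy findings for a database-host rule set; [] means compliant.

    A compliant allow rule is exactly: one approved server (a /32) to db_port.
    Any other allow rule is a finding, including a subnet that happens to
    contain an approved server, because it also admits unapproved hosts."""
    default, rules = parse_rules(text)
    approved = {ip_network(a) for a in approved_servers}
    findings: List[str] = []

    if default != "deny":
        findings.append(f"default policy is '{default}'; policy requires 'deny'")

    for r in rules:
        if r.action != "allow":
            continue
        if r.port is None:
            findings.append(f"allow rule for {r.source} opens all ports; restrict to {db_port}")
        elif r.port != db_port:
            findings.append(f"allow rule opens non-database port {r.port} to {r.source}")
        elif r.source not in approved:
            findings.append(f"allow rule for {r.source} on port {db_port}: "
                            "source is not an approved application/web server")
    return findings


# Constructed sample rule sets and approved hosts (not real TBL configuration).
COMPLIANT_RULESET = """\
default deny
allow 10.10.20.5/32 3306   # app-server-1 (approved)
allow 10.10.20.6/32 3306   # web-server-1 (approved)
deny 0.0.0.0/0 any
"""

DRIFTED_RULESET = """\
default allow              # default relaxed without review
allow 10.10.20.5/32 3306   # app-server-1 (approved)
allow 10.10.30.0/24 3306   # whole office subnet added 'temporarily'
allow 10.10.20.5/32 22     # SSH to the DB host opened from the app server
"""

APPROVED = {"10.10.20.5/32", "10.10.20.6/32"}

if __name__ == "__main__":
    for name, ruleset in (("compliant", COMPLIANT_RULESET), ("drifted", DRIFTED_RULESET)):
        print(name, audit_db_firewall(ruleset, APPROVED, 3306) or ["OK"])
```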
Database Software- Database software needs to be patched to include current security patches.
Provisions are to be made to maintain security patch levels in a timely fashion.
Application/Web Servers/Application Code- Destination systems receiving in-scope data should be secured in
a manner commensurate with the security measures on the originating system. All servers, applications and
tools that access the database need to be documented. Configuration files and source code are to be locked
down and only accessible to required OS accounts. Application code should preferably be reviewed for SQL
injection vulnerabilities. No "spyware" is allowed on the application, web or database servers.
Administration Accounts/Permissions/Passwords- DBAs will review all requested script and database
changes to ensure the security of the system is not compromised. Accounts with system administration
capabilities are to be provided to as few individuals as is practical, and only as needed to support the
application. Passwords for all DBA operating system accounts and database accounts have to be strong
passwords, and must be changed when administrators/contractors leave positions.
User Database Roles / Permissions / Passwords / Management & Reporting- Secure authentication to
a. Encryption is the process of converting information using an algorithm to make the information
unreadable to anyone except those possessing the decryption key required.
b. For data encryption, cryptographic technology and VPN technology will be engaged to encrypt and decrypt
sensitive data travelling through the WAN or public networks. TBL may engage other certified technology
as required for securing outbound data.
5.9 Cryptography
The vulnerability scan (or even a vulnerability assessment) looks for known vulnerabilities and reports
potential exposures. A penetration test is designed to actually exploit weaknesses in the architecture of TBL
systems.
a. IT Security Unit shall conduct VA & PT scans of the ICT infrastructure on a periodic basis to detect
potential security vulnerabilities.
b. An external vulnerability scan may be conducted from outside the TBL network. Internal
vulnerability scans shall be conducted from inside the Trust Bank Limited network on a periodic basis.
c. A combination of automated tools and manual techniques shall be deployed to perform a
comprehensive VA. For web- based systems, the scope of VA shall include common web
vulnerabilities such as SQL injection, cross-site scripting etc.
d. A process shall be established by IT Security Unit to remedy issues identified in VAs and perform
subsequent validation of the remediation to validate that gaps are fully addressed.
e. Penetration test shall be conducted with proper backup taken of all the servers or systems that
would be associated during the test.
This section describes how the Bank secures access to TBL’s networks to ensure that confidentiality, integrity
and availability are maintained. It applies to all information that the Bank collects, stores, processes,
generates or shares to deliver services and conduct business, including networks from external partners and
clients connecting to the Bank’s information systems and networks.
The Bank shall apply Network Access Control mechanisms to authenticate and, where possible, filter network
connections to its network from CLIENTS or PARTNERS who work with the Bank, to protect against
unauthorized access and to ensure the security of its networks, information and information systems.
a. IT Division shall ensure that the network design is well documented and implemented under a
documented plan.
b. Access should be restricted and controlled by the Network Admin. Network equipment should be
housed in a secure environment and should be checked and monitored.
c. Network security devices, such as firewalls and intrusion detection and prevention systems, must
be installed to protect the network perimeters.
d. Groups of information services, users and information systems should be segregated in networks.
e. Unauthorized access and electronic tampering should be strictly controlled by IT Division.
a. Network administrators shall regularly monitor for software updates for firewalls/routers to block
attacks that exploit known vulnerabilities.
b. Network administrators shall regularly verify system integrity (namely, detecting the removal or
modification of files).
c. Before any change of configuration is implemented on a server or an active device (routers, switches,
firewalls, etc.), there must be a documented approval for the change. A sign-off from the other
concerned department may also be required before such changes are implemented.
d. Changes to firewalls and routers shall follow the proper change management process, be duly
authorized and be recorded.
e. Configuration of devices, including permitted protocols and services, shall be documented.
f. Firewall and router rule sets shall be reviewed periodically and whenever the network diagram changes.
g. Network device logs shall be monitored daily.
a. Backups of all network device configurations shall be taken on a monthly basis and whenever a
change is applied to the existing configuration (system software, rules, etc.). Backups shall be stored
in a safe place and be accessible only to authorized personnel.
b. Records of abnormal events shall be kept unaltered to allow for their reconstruction.
c. Network administrators shall be notified within a reasonable time whenever a significant incident needs
attention (e.g. intrusion, disk full).
d. After every configuration change of any firewall/router, the rules and configuration must be
reviewed, and the changes tested both internally and externally.
e. Firewall/router rules must be reviewed periodically. These reviews shall be performed
at least once a year.
The Internet is an unregulated environment. The Network team of the IT Division shall filter Internet access as per
policy and will not be liable for any material viewed or downloaded by users that violates the Information
Security Policy or any other statutory or regulatory requirement. Users shall be individually accountable for
their actions over the Internet. Use of the Internet must be consistent with the Bank’s standard for business
conduct and must occur as part of the normal execution of the employee’s job responsibilities.
a. Access to the Internet is provided for banking business purposes only. A request form (Annexure-1)
must be completed.
b. Internet access will be provided to selected employees (e.g. all Department/Division Heads, Executives,
Managers, Credit/Fex, IT Officials, etc.) on a need-to-know basis with approval from the Head of Division.
c. Employees should not make inappropriate use of their access to the Internet. They must not use
Bank systems to access illegal or other improper material.
d. Downloads may be blocked as per Management decision. Where a download is required, a proper
request shall be submitted to the IT Division.
e. Employees should not subscribe to chat rooms, dating agencies, messaging services or other on-line
subscription Internet sites unless they pertain to work duties.
f. Programs, including screensavers, must not be downloaded from the Internet without authorization
from the management. All desktop and laptop screens must display the Trust Bank logo.
g. IT Security Unit may monitor Internet usage by employees.
h. Abuse of Internet access will be dealt with in proportion to its seriousness. Minor abuse will lead to
removal of the privilege of access from an individual’s workstation.
i. Vendors requiring temporary Internet access may be granted it through a separate Wi-Fi network, which is
not connected to the corporate LAN.
j. Official documents should not be stored in any cloud storage such as Google Drive, Dropbox, etc.
a. Every employee shall be issued an individual email address with username and password at the time
of joining (Annexure 1).
b. Mailbox size on the mail server is limited to 02 GB per employee. Users cannot send attachments larger
than 10 MB. Only the original holder of an email account is authorized to use it for official purposes.
c. Every mail has to come from an individual employee, who is responsible for his/her mail in
accordance with his/her responsibilities and job description.
d. All emails shall have an automatic footer that contains the appropriate legal disclaimer set out by the
Bank about confidentiality of the email content and users are prohibited from amending or deleting
it.
e. Confidential material sent by e-mail should be marked as such and sent only with caution.
f. Employees should minimize the number of messages in their email inbox to ensure maximum
efficiency of the delivery system. Folders should be set up and messages filed accordingly.
g. All workstation users may have email access as per their job responsibilities. Division Heads and
Branch Managers should ensure that there is no abuse of this privilege.
h. Email is to be used for banking business only. Bank confidential information must not be shared
outside of the bank without authorization. Users are also not to conduct personal business using the
computer or email.
i. Corporate email addresses must not be used for any social networking, blogs, groups, forums, etc.
unless management approval has been obtained.
j. The TBL email system is not to be used for the creation or distribution of any offensive or disruptive
messages, including messages containing offensive comments about race, gender, age, sexual
orientation, pornography, religious or political beliefs, national origin or disability.
k. The email system must not be used to send illegal or inappropriate material. Users shall not use
profanities, obscenities, or derogatory remarks in email messages regarding employees, customers,
competitors, or others.
l. The Bank retains the right to access and view all emails sent and received by the email system. This right
is exercised solely through the IT Division on the instructions of the Managing Director.
m. Users’ mailboxes shall be retained online for five (05) years and archived thereafter for compliance reference.
Malicious code (viruses, worms, spyware, rootkits, etc.) consists of unwanted programs that cause malicious damage
to various systems. Anti-virus software helps to identify, delete or prevent such malware and quarantine
it as appropriate. Anti-virus software must be updated frequently as per policy because new viruses are being
released almost on a daily basis. This section describes how the Bank establishes appropriate controls against
malicious code, viruses, Trojans and other malware.
a. All machines, whether networked or standalone, shall have up-to-date anti-virus protection
for malicious code protection.
b. Anti-virus software shall be updated with the latest virus definition file. All TBL workstations on the
network shall receive updated anti-virus signatures automatically from the server on a predefined
schedule.
c. Software and data supporting critical business activities must be regularly scanned or searched to
identify possible malicious code. Files received on electronic media of uncertain origin or unknown
networks must be checked for malicious code before use. Attachments to electronic mail must be
checked for malicious code before use.
d. Awareness programs will be arranged for users about computer malware and its prevention
mechanisms to ensure that users receive adequate training on anti-malware responses, including
the opening of mail attachments, and on identifying possible hoaxes.
e. The installation of anti-virus software on all machines is the responsibility of the IT Division. A
formal process for managing attacks from malicious code must include procedures for reporting
attacks and recovering from attacks.
f. Employees should virus-scan all media (including zip disks and CDs) before first use. The IT Division
will provide assistance and training where required.
g. On detection of a virus, the employee should notify the IT Division, which will provide assistance. Under
no circumstances shall a Bank PC user attempt to disable the virus scanning software.
h. The CERT team shall be responsible for incident management and for gathering information about any
cases of non-compliance with this policy.
The objective of this policy is to define a security policy for all Firewalls/Routers and other network security
devices to ensure that the production network traffic is controlled through the definition of rules that permit
or deny access to the information transmitted over the network.
Moreover, a standard security configuration is required for each and every network component. This includes
the bank’s own network equipment, managed solution equipment and wireless devices.
a. Prior to installing a system on the network, all vendor-supplied defaults (including but not limited to
passwords and Simple Network Management Protocol (SNMP) community strings) shall be changed
and unnecessary accounts eliminated.
a. A firewall is required and is present at each internet connection and between any Demilitarized Zone
(DMZ) and the internal network.
b. A firewall shall be in place on the network for any external connectivity. Regular check-up and
updating of the firewall by authorized personnel is necessary.
c. Perimeter firewalls are installed between any wireless networks and the cardholder data environment.
These firewalls are configured to deny any traffic from the wireless environment into the cardholder data
environment, or to control such traffic where it has a valid business justification.
d. All Internet traffic coming to and going from the TBL network shall pass through a secure gateway
(e.g. firewall, proxy) and other network devices. Only specific types of network traffic are allowed
beyond the organization’s exterior firewalls.
e. The firewall(s) shall be configured to block download of software from the Internet.
f. The file system database of the system shall be stored securely (offline or on read-only media).
After the installation of a network device or after any change to its configuration, administrators
must perform testing to ensure that the firewall is working correctly. After any installation, a hash
of the configuration file shall be preserved.
g. Bi-annual rule-set review shall be followed for firewalls and routers.
a. The allowed traffic for each application shall be defined, and the firewalls and/or routers explicitly
configured to accept only such traffic. The rules that impose the highest restrictions shall be used.
By default, nothing shall be allowed, and permissions shall be granted according to
requirements. All network services, protocols and ports shall be disabled, except the ones that are
strictly necessary.
b. Firewalls are configured, on the basis of the scope assessment and the analysis of data flows, to
restrict inbound and outbound traffic to that which is necessary for the data environment and to
restrict connections between untrusted networks and system components. All other
inbound/outbound traffic is specifically denied, e.g. using an explicit ‘deny all’.
c. Firewall and router configuration files are secured and synchronized, in that running configuration
files and start-up configuration files (used during reboot) have the same, secure configuration.
d. The firewall performs stateful inspection (dynamic packet filtering) ensuring only established
connections are allowed into the network.
e. The Network team, in coordination with the DC Manager, shall maintain firewall and router
configuration documentation that lists the services, protocols and ports necessary for business. If insecure
services/protocols/ports are necessary (e.g. FTP), exception approval or compensating controls shall
be implemented.
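As an added illustration of items f and c above (preserving a hash of the configuration after installation or change, keeping running and start-up configurations identical, and ending every rule set with an explicit deny-all), the following Python script is example code written for this page, not Trust Bank's own tooling; the simplified rule syntax, the sample rule sets, the change reference and the baseline file name are all constructed.

```python
import hashlib
import json
import re
from pathlib import Path

# Constructed sample rule sets in a simplified, vendor-neutral syntax:
# "<permit|deny> <proto> <src> <dst> <port>", one rule per line.
STARTUP_CONFIG = """\
! perimeter firewall, approved services only (constructed sample)
permit tcp any dmz 443
permit tcp internal dmz 22
permit udp internal dns 53
deny any any any any
"""

# Constructed "running" config that has drifted: an ad hoc FTP rule was
# added and the final explicit deny-all was lost.
DRIFTED_RUNNING_CONFIG = """\
permit tcp any dmz 443
permit tcp internal dmz 22
permit udp internal dns 53
permit tcp any internal 21
"""

RULE_RE = re.compile(r"^(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# FTP is the policy's own example of an insecure service; Telnet and TFTP
# are assumed peers. Permitting any of them needs exception approval.
INSECURE_PORTS = {"21": "FTP", "23": "Telnet", "69": "TFTP"}


def normalize(config_text: str) -> list[str]:
    """Strip comments and blank lines so cosmetic edits do not count as drift."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("!", "#")):
            lines.append(" ".join(line.split()))
    return lines


def config_hash(config_text: str) -> str:
    """SHA-256 over the normalized rules; this is the value to preserve."""
    return hashlib.sha256("\n".join(normalize(config_text)).encode()).hexdigest()


def record_baseline(config_text: str, baseline_path: str, change_ref: str) -> dict:
    """Preserve the configuration hash after installation or an approved change."""
    record = {"sha256": config_hash(config_text), "change_ref": change_ref}
    Path(baseline_path).write_text(json.dumps(record))
    return record


def verify_baseline(config_text: str, baseline_path: str) -> bool:
    """Re-hash the current configuration and compare with the preserved record."""
    record = json.loads(Path(baseline_path).read_text())
    return record["sha256"] == config_hash(config_text)


def running_matches_startup(running_text: str, startup_text: str) -> bool:
    """Running and start-up configurations must carry the same rules."""
    return normalize(running_text) == normalize(startup_text)


def audit_ruleset(config_text: str) -> list[str]:
    """Return policy findings: parseable rules, no overly broad permits,
    no insecure services without exception, and an explicit final deny-all."""
    findings, rules = [], []
    for line in normalize(config_text):
        m = RULE_RE.match(line)
        if not m:
            findings.append(f"unparseable rule: {line!r}")
            continue
        rules.append(m.groups())
    if not rules:
        findings.append("empty rule set")
        return findings
    for action, proto, src, dst, port in rules:
        if action == "permit" and (proto == "any" or port == "any"):
            findings.append(f"overly broad permit: {proto} {src}->{dst}:{port}")
        if action == "permit" and port in INSECURE_PORTS:
            findings.append(f"insecure service permitted ({INSECURE_PORTS[port]}/{port}): "
                            "needs exception approval or compensating controls")
    if rules[-1] != ("deny", "any", "any", "any", "any"):
        findings.append("rule set does not end with an explicit 'deny all'")
    return findings


if __name__ == "__main__":
    baseline = "fw-baseline-example.json"  # constructed file name
    record_baseline(STARTUP_CONFIG, baseline, change_ref="CHG-PLACEHOLDER-001")
    print("startup audit:", audit_ruleset(STARTUP_CONFIG) or "clean")
    print("baseline intact:", verify_baseline(STARTUP_CONFIG, baseline))
    print("running == startup:", running_matches_startup(DRIFTED_RUNNING_CONFIG, STARTUP_CONFIG))
    for finding in audit_ruleset(DRIFTED_RUNNING_CONFIG):
        print("finding:", finding)
```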
5.16 Cyber Security Governance and Security Operations Centre
a. The Board of Directors through its committees shall have overall responsibility for the cyber security
program. It shall provide leadership and direction for effective conduct of the processes. The Board
shall ensure that cyber security governance is integrated into the organizational structure and
relevant processes.
b. The enterprise network infrastructure shall be secured and protected against cyber threats with the
appropriate types of firewall (Layer 7) with intrusion detection and prevention capabilities (IDS/IPS),
while encryption shall be used to protect data in transit or in backup media.
c. Firewalls and IPS shall protect the internal network from unauthorized intruders at the network
perimeter, secure the cardholder data environment and minimize the impact of security exposures
originating from third-party or overseas systems, as well as from the internal trusted network.
d. A Security Operations Centre (SOC) shall be established to address technology
vulnerability, contingency planning, 24x7 monitoring/visibility of the enterprise network and processes
to facilitate prompt detection of unauthorized or malicious activities.
e. There shall be a dedicated and secure physical space for the SOC to engender teamwork,
brainstorming, knowledge-sharing among members and quick response time. The SOC shall also be
protected with both technical and physical controls and equipped with the necessary tools to keep SOC
employees abreast of imminent cyber events.
f. The SOC shall be equipped with a Security Information and Event Management (SIEM) solution that
aggregates data from various security feeds to provide real-time analysis of security alerts. Where
applicable, the SOC shall be able to perform prompt remediation.
g. For intuitive correlation and prompt visibility of the bank’s security posture, feeds to the SIEM shall
also include logs from network devices; vulnerability assessment systems; application and database
scanners; penetration testing tools; IDS/IPS; and the enterprise anti-virus system.
h. Logs shall be protected and retained for a defined period to facilitate future investigation.
i. The SOC shall be up and manned continuously (24x7), managed and administered by skilled IT
professionals with technical knowledge, experience and suitable credentials in areas such as operating
systems, networking, cryptography, database administration, digital forensics, etc. For effective
monitoring, a shift work schedule shall be adopted.
j. The SOC team shall have adequate knowledge of the business environment and infrastructure in
order to prioritize the most appropriate response when cyber-incidents occur.
k. There shall be a capacity planning tool/process that tracks SOC infrastructure (SIEM) storage
to enable the SOC team to balance task workload with available resources.
l. Risk and vulnerability assessments shall be conducted on the SOC
infrastructure. The SOC infrastructure and processes shall be continually audited.
m. The SOC shall have a forensic laboratory equipped with specialized forensic tools to support incident response
investigation efforts.
n. The SOC shall have well documented processes to:
i. triage various types of cyber-incidents with appropriate responses approved by the
business process owners for operational consistency;
ii. identify, analyze and report emerging threats;
iii. gather and preserve evidence for forensic investigation.
IT Division shall maintain the physical security of the DC, DR and Branch server rooms. Physical access control,
environmental security, fire protection, etc. shall be maintained in the DC and DR.
a. Physical security must be applied to Trust Bank Data Center (DC) and Disaster Recovery Site (DR).
b. DC and DR must be a restricted area and unauthorized access must be prohibited.
c. Entrance into the DC and DR will be restricted by biometric or retina-based access controllers.
d. Access authorization list will be maintained and reviewed periodically for the authorized person to
access the Data Center.
e. Access authorization procedures will exist and be applied to all persons (e.g. employees and
vendors). Unauthorized individuals and cleaning crews must be escorted during their stay in the Data
Center.
f. An access log with date, time and purpose will be maintained for vendors, service providers and
visitors entering the Data Center.
g. A security guard will be available 24 hours a day.
h. An emergency exit door will be available.
a. Protection of Data Center from the risk of damage due to fire, flood, explosion and other forms of
disaster will be designed and applied.
b. A raised floor with removable blocks or channels alongside the wall will be prepared to protect data
and power cables from interception and any sort of damage.
c. Water detection devices will be placed below the raised floor.
d. Accessories not associated with the Data Center shall not be stored in the Data Center.
e. Closed Circuit Television (CCTV) camera will be installed for monitoring.
f. The sign "No eating, drinking or smoking" will be on display.
g. Dedicated office vehicles for any emergency will always be available on site. Public transport
must be avoided while carrying critical equipment outside the bank’s premises to
avoid the risk of any casualty.
h. The Data Center will have dedicated, full-time supported telephone communication.
i. Address and telephone or mobile numbers of all contact persons (e.g. fire service, police station,
service providers, vendors and all ICT personnel) must be available to cope with any emergency
situation.
j. Power supply system and other support units must be separated from production site and placed in
secure area to reduce the risks from environmental threats.
k. Power supply from source (Main Distribution Board or Generator) to Data Center must be dedicated.
l. There should be two (02) generator sets with enough diesel supply.
m. The following environmental controls shall be installed and regularly tested, and the maintenance
service contract shall be on a 24x7 basis:
i. Uninterrupted Power Supply (UPS) with backup units
ii. Backup Power Supply
iii. Temperature and humidity measuring devices
iv. Water leakage precautions and water drainage system from Air Conditioner
v. Precision cooling with backup units.
vi. Emergency power cutoff switches where applicable
vii. Dehumidifier for humidity control
a. It shall be ensured that the walls, ceiling and doors of the DC and DR are fire resistant.
b. Fire suppression equipment will be installed and conduct a fire drill on an annual basis to test the
a. Physical layout of Data Center including power supply and network connectivity will be documented.
b. Equipment shall be sited and protected to reduce the risks from environmental threats and hazards,
and opportunities for unauthorized access.
c. All IT equipment in DC & DR shall be protected from power failures and other disruptions caused by
failures in supporting utilities.
d. Power and telecommunications cabling shall be protected from interception or damage and should
be concealed. Both cables should be laid separately to reduce interference and be concealed.
e. Equipment shall be maintained to ensure its continued availability and integrity.
f. Equipment (i.e. Laptop, Tablet, and Router etc.), information or software shall not be taken offsite
without prior authorization. Security guard must seek Gate Pass before the equipment is taken
offsite.
g. Tracking information shall be recorded for all physical media that is taken off site describing
where/how this is to be used and when it will be returned.
h. Security shall be applied to off-site equipment, taking into account the risks of working outside the
Bank’s premises.
i. All media shall be secured against loss or copying; this includes controls for physically securing all
media (including but not limited to computers, removable electronic media, paper receipts, paper
reports).
a. Access to the DC & DR premises is expressly restricted on non-working days (weekends and public
holidays).
b. However, there may be cases where officials require access to the premises. In such cases, approval
must be sought through the Head of IT and the other concerned division for the final approval. The approval
must be granted on/before the close of business of the prior day. Emergency approvals can be
sought via email/SMS.
c. Security guard shall deny access to the DC & DR for any employee without authorization.
d. All employees must vacate the DC & DR after the permitted time period. It is the responsibility of the DC
Manager to remove such personnel from the premises unless they remain authorized by the Head of
IT.
a. TBL shall have a proper cabling management plan to determine the entry path of the cables into the
IT rack i.e., whether the cables will enter the IT rack through the roof or the floor. If entering from
the top, the location of IT rack roof cutouts and their proximity to the vertical cable channels need to
be considered. If entering bottom (the cables will most likely run under a raised floor), eliminate any
obstructions in the base that can interfere with the cable entry path.
b. TBL shall separate power and data cables to prevent EMI (erratic or error-prone data transfers).
c. TBL shall ensure that copper data cables and fiber optic cable runs are separated, because the
weight of copper cables can damage the fiber.
d. TBL shall maintain a consistent cable jacket color coding standard for each type of cable in the tray,
Branches having servers at their premises must have the following physical, environmental and fire protection
facilities installed.
i. Server/network room/rack must have a glass enclosure with lock and key under a responsible person.
j. Physical access shall be restricted, and a visitors’ log must exist and be maintained for the server room.
k. Access authorization list must be maintained and reviewed on regular basis.
l. Server/network room/rack shall be air-conditioned. Water leakage precautions and water drainage
system from Air Conditioner shall be installed.
m. UPS shall be in place to provide uninterrupted power supply to the server and required devices.
n. Power supply shall be switched off before leaving the server room if otherwise not required.
o. The sign "No eating, drinking or smoking" shall be on display.
p. Access authorization procedures shall be strictly applied to vendors, service providers, support
employees and cleaning crews.
q. Access authorization list shall be maintained and reviewed periodically for the authorized person to
access the Server Room.
a. There will be a provision to replace the server within shortest possible time in case of any disaster.
b. Water leakage precautions and water drainage system from Air Conditioner will be installed in all
TBL Branches.
c. Power generator will be in place to continue operations in case of power failure.
d. UPS (Online) will be in place to provide uninterrupted power supply to the server.
e. Proper attention must be given to avoid overloading electrical outlets with too many devices.
f. Electrical earthing is located beside the generator room and shall be used properly throughout, including
the server room.
Fire extinguisher must be placed outside of the server room. This must be maintained and checked on
periodic basis.
This policy describes how the Bank allows usage of Mobile devices as part of normal business processes. The
Bank also ensures that due care is exercised over the mobile device usage and of the data they hold. Mobile
devices include, but are not limited to, mobile phones, smart phones, tablet computers, memory sticks, external
storage devices, and all forms of portable multimedia devices.
The Bank shall ensure information security when using mobile devices to generate, process, transact or store
information resources that originate, terminate or are processed through the Bank’s information systems.
The protection required should be commensurate with the risks associated with compromise of
confidentiality, integrity, availability and authenticity of such information resource.
The Bank shall apply the necessary technical control mechanisms to ensure a safe environment and platform for
the use of such mobile devices over its networks, systems and services, including the data they contain.
a. All Bank-supplied mobile devices and their contents remain the property of the Bank and are
subject to regular audit and monitoring. These devices should only
b. Baseline security shall be enforced on all devices.
c. Default settings and passwords must be changed.
d. All information classified as “confidential” must be encrypted if stored on a mobile device. Until
the encryption policy is implemented enterprise-wide, confidential information must not be stored on
mobile devices.
e. Portable devices should not be used to store sensitive/confidential information.
f. A lost or stolen device must be reported immediately to IT Division for remote wiping.
g. Devices must not be “jailbroken” or “rooted”* or have any software/firmware installed which is
designed to gain access to functionality not intended to be exposed to the user.
h. Users must not load pirated software or illegal content onto their devices. Only applications authorized
by the Bank can be run on mobile devices.
i. Devices must be kept up to date with manufacturer or network provided patches.
j. Embedded camera on handheld devices might be disabled in restricted environment.
k. Mobile device settings (passwords etc.) must be consistent with the Bank’s Password policy.
l. Disposal and decommissioning of mobile devices must conform to the Asset management and
Change Management Policy/Procedures.
All mobile devices generating, accessing, processing, transacting or storing Bank information must comply
with the policy outlined above.
a) Remote access shall only be allowed after thorough due diligence, and the Remote VPN Access Request Form
(Annexure - 5) must be completed.
b) Remote access for vendors shall only be activated on a need-to-know basis and must be de-activated
immediately after use.
c) Remote access technologies must automatically disconnect VPN users after a specified period of
inactivity.
d) Remote access is applicable to all TBL employees and contractors working for the IT Division.
e) Only approved VPN client software may be used to establish VPN connections to TBL network.
Chapter 6
ICT Operation Management covers the dynamics of technology operation management, including change
management, asset management, operating procedures and request management. The objective is to
achieve the highest levels of technology service quality with minimum operational risk.
a. Operating procedures shall be documented, maintained and made available to all users who
need them.
b. Changes to information processing facilities and systems shall be controlled and documented.
c. Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or
unintentional modification or misuse of organisational assets.
d. Development, test and operational facilities shall be separated to reduce the risks of unauthorised
access or changes to the operational system.
e. The Bank shall ensure that the security controls, service definitions and delivery levels included in
the third party service delivery agreement are implemented, operated and maintained by the third
party. The Bank shall ensure that the written agreement includes an acknowledgement that service
providers are responsible for securing cardholder data and other data or information of the Bank in
their possession.
f. The Bank shall regularly monitor and review the services, reports, records and PCI DSS compliance
status provided by third parties and shall carry out regular audits.
g. The Bank manages changes to the provision of services, including maintaining and improving existing
information security policies, procedures and controls, taking account of the criticality of business
systems and processes involved and re-assessment of risks.
h. The Bank shall ensure that the use of resources is monitored, tuned, and projections made of future
capacity requirements to ensure adequate system performance.
i. Acceptance criteria for new information systems, upgrades and new versions shall be established
and suitable tests of the system(s) shall be carried out during development and prior to acceptance.
j. Back-up copies of information and software shall be taken and tested regularly in accordance with
the agreed back-up policy.
k. Networks shall be managed and controlled in order to be protected from threats, and to maintain
security for the systems and applications using the network, including information in transit.
a. The operating time window for users of any system (applications, databases, CBS, etc.) must be
defined as per management guidelines. It may be changed with a change of the banking operation
schedule through a notice/circular/guideline of the Management in line with Bangladesh Bank.
b. The time may be changed by the competent authority with proper written approval if necessary, in
case of any specific users.
c. Access to database, applications shall be restricted especially during weekends/holidays except for
special events like month end, half yearly end and year end purpose.
d. Audit trail must be available to review the user profile in the application.
a. IT Division shall be responsible for the administration of access controls to all computer systems of TBL.
b. IT Division may process addition, deletions, and changes of user related information upon receipt of
a written request from the end user’s supervisor/branch incumbent.
c. IT Division shall maintain a list of administrative access codes and passwords and keep this list in a
locked place.
d. IT Division will be responsible for allowing access to any PC, Laptop, printer, modem etc. of TBL into
the system based on the necessity.
v. Will be responsible for all computer transactions that are made with his / her User ID and password.
w. Must not disclose passwords (CBS, intra apps, email etc.) to others.
x. Passwords must be changed immediately if it is suspected that they may have become known to
others. Passwords should not be recorded anywhere they may be easily obtained.
y. Should maintain the confidentiality of their own password and under no circumstance it should be
disclosed to someone else.
z. Should change password from time to time and be maintained confidentially.
aa. Should use passwords that will not be easily guessed by others and password complexity is to be
ensured.
bb. Should log out from systems and lock the computer when leaving the workstation, even for a
short period of time.
cc. Should not attempt to gain access by using the accounts of other users.
dd. The login password of the user must be changed after first login.
a. All third-party software developed under contract or funded by the Bank must be considered the
property of the Bank unless otherwise stated in the contract.
b. Third-party software procured by the Bank but considered a required component of an information
resource used in an essential business activity must be licensed to the Bank.
c. It is the goal of IT Division to keep licensing accurate and up to date. The Bank shall sign escrow
agreement for licensed software to protect source code.
d. A written integrity statement must be provided with significant third-party software that provides
assurances that the software does not contain undocumented features or hidden mechanisms that
could be used to compromise the software or operating system security.
a. The Bank shall ensure that the security controls, service definitions and delivery levels included in
the third party service delivery agreement (SLA) are implemented, operated and maintained by the
third party.
b. The SLA shall be reviewed yearly/periodically and approved by the appropriate authority
(Management/EC/BoD).
c. IS Audit team shall regularly monitor and review the services, reports, records and compliance status
provided by third parties and shall carry out regular audits.
a. Prior to procuring any new ICT assets, compatibility assessment (with existing system) shall be
performed.
b. All ICT asset procurement shall comply with the procurement policy of the Bank.
c. Each ICT asset shall be assigned to a custodian (an individual or entity) who will be responsible for
the development, maintenance, usage, security and integrity of the asset.
d. All ICT assets shall be clearly identified and labeled. Labeling shall reflect the established
classification of assets.
Technology equipment often contains parts which cannot simply be thrown away. Proper disposal of equipment
is both environmentally responsible and often required by law. In addition, computer accessories like hard
drives, USB drives, CD-ROMs and other storage media contain various kinds of information, some of which is
considered sensitive. In order to protect the organization's data, all storage media must be sanitized appropriately
by overwriting or degaussing prior to disposal.
a. Since a common area for data breaches is on archived media or computers that are no longer in use,
many new privacy laws require businesses to securely destroy data when it reaches end of life.
Formatting a hard drive or deleting files using built-in operating system features leaves the files open
to being recovered by a third-party with simple tools.
b. Any sensitive data no longer in use needs to be securely decommissioned either by overwriting,
degaussing, encryption, or physical destruction of the storage medium. Whether a business is donating
a system to a charity, selling it by open tender or simply disposing of it, the secure destruction steps
need to be performed.
c. All data on equipment and associated storage media must be destroyed or overwritten before
sale, donation or disposal:
i. A committee/team led by Support & Service Department is to be formed for this purpose
with one official from IT Division, one from Administrative Division, one from IC&C and one
official from Legal Affairs Division.
ii. The committee will sit at least once a year and as and when required.
iii. The obsolescence, disposal and re-use procedure is to be recorded in a register.
All software is purchased and licensed for use within the Bank and is therefore not transferable with a
PC. All software must be removed from hardware that is being disposed of. To ensure that these
considerations are taken into account, all PCs must be disposed of under the supervision of the proper authority.
Merely deleting the visible files is not sufficient to achieve this, since data recovery software could be used by
a new owner to “undelete” such files. The disk-space previously used by deleted files needs to be overwritten
with new, meaningless data - either some fixed pattern (e.g. binary zeroes) or random data. Similarly,
reformatting the whole hard disk may not in itself prevent the recovery of old data as it is possible for disks to
be “unformatted”.
A better approach is to reformat the hard disk, install a clean copy of the original operating system, and
then run a suitable wiping application on the free space. This should leave a machine in a suitable state for disposal.
a. Adequate insurance coverage or a risk coverage fund shall be maintained for critical IT infrastructure
(DC, DRS etc.) to mitigate the IT risks that may occur.
b. IT Division shall coordinate with S&D Department for insurance coverage for computer equipment.
All insurance matters for computer hardware shall be conducted by S&DD of the Bank as per the
policy.
c. General insurance needs to cover fire damage, water damage from a flood, complete loss through
theft, and damage resulting from vandalism.
d. Depreciation shall be charged on computer hardware as per bank’s policy.
e. Necessary risk coverage fund shall be maintained.
a) Media backups shall be securely stored offsite. The storage location is reviewed at least
annually to determine it is a secure environment.
b) All paper and electronic media that contain cardholder data shall be physically secured.
Storage containers used for information to be destroyed shall be secured / locked.
c) All media are classified in line with the Bank’s classification policy and so as to reflect the
sensitivity of the data stored on the media.
d) Media sent outside the facility is logged, authorized by management and sent via secure
courier or method that can be tracked.
e) Periodic media inventories (minimum annually) are undertaken to ensure secure storage
and maintenance of hardcopy and electronic media.
f) No users shall be allowed to store official data in cloud storage.
6.9.1 Responsibility
a) The owner of each asset shall be responsible for its classification, for ensuring it is correctly labeled
and for its correct handling in line with its classification.
b) The intended recipient of any information assets sent from outside the Bank becomes the
owner of that asset.
6.9.2 Classification
1. IT Division shall classify information into three levels of classification (Public, Internal Use Only, and
Confidential).
2. The classification level of all assets is identified, both on the asset and in the asset inventory.
3. The classification information must be included in the document footer, which must be manually
set to appear on all pages of the document or on the media on which it is recorded.
4. Information received from outside the Bank shall be re-classified by its recipient (who becomes
its owner) so that, within the Bank, it complies with this procedure.
5. Information that is not marked with a classification level shall be returned to its sender for
classification; if it cannot be returned, it is destroyed.
6. The classifications of information assets are reviewed annually by their owners and if the
classification level can be reduced, it will be. The asset owner is responsible for declassifying
information.
7. Confidential information is specifically restricted to the Board of Directors, Executive Management
and specific professional advisers. Information that falls into this category must be marked
‘Confidential’, and its circulation is kept to a minimum with the names of the people to whom it
is limited identified on the document. Each copy of a document that has this level of
classification is numbered and a register is retained identifying the recipient of each numbered
copy. Confidential information sent by e-mail must be encrypted and digitally signed as
appropriate, and sent only to the e-mail box of the identified recipient. Confidential
information can only be processed or stored on facilities which have been assessed in line with
Risk Management Procedure as providing adequate security for such information.
6.9.3 Labelling
1. Documents are labeled as set out above, in the document footer. Documents that do not have
footers are marked by addition of a physical, stick-on label.
2. Removable and storage media (CD-ROMs, USB sticks, tapes, etc.) are labeled:
a. Red: Confidential
b. Yellow: Internal Use Only
c. Green: Public
3. Electronic documents and information assets are labeled by marking them with their
Classification level at either the header or footer.
4. Information processing facilities should not be conspicuously labeled to reveal or suggest their
identity.
6.9.4 Handling
1. Information assets shall be handled by individuals that have appropriate authorizations or on
facilities that meet the Bank's specified requirements.
2. The requirements for transmission, receipt, storage and declassification of classified and restricted
information are described above. Destruction of information media shall be carried out by someone
who has an appropriate level of authorization and in line with the requirements of the Media and
Information Handling Procedure.
3. Confidential documents shall be circulated in secure pdf format / as read-only documents.
6.10.1 PUBLIC
Public data is information that may or must be open to the general public. It is defined as information with no
existing local, national or international legal restrictions on access or usage. Public data, while subject to the
Bank's disclosure rules, is available to all members of the organization's community and constituency and to all
individuals and entities external to the organization's community and constituency. By way of illustration only,
some examples of Public Data include:
1. Employment data
2. The organization's partner or sponsor information where no more restrictive confidentiality
agreement exists
3. Internal telephone books and directories
4. All the organization's constituency members' data
6.10.3 PROTECTION
Internal Use Only data
1. Must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure
2. Must be stored in a closed container (i.e. file cabinet, closed office, or department where physical
controls are in place to prevent disclosure) when not in use.
3. Must not be posted on any public website
4. Must be destroyed when no longer needed, subject to the organization's records management policy.
Destruction may be accomplished by:
a) “Hard Copy” materials must be destroyed by shredding or another process that destroys the
data beyond either recognition or reconstruction. After destruction, materials may be
disposed of with normal waste.
b) Electronic storage media shall be sanitized appropriately by overwriting at sector level or
degaussing prior to disposal. Disposal of electronic equipment must be performed in
accordance with the organization’s electronic equipment disposal policy.
6.10.5 PROTECTION
Confidential data
1. When stored in electronic format, must be protected with strong passwords and stored on servers
that have protection and encryption measures provided by third party provider in order to protect
against loss, theft, unauthorized access and unauthorized disclosure.
2. Must not be disclosed to parties without explicit management authorization
3. Must be stored only in a locked drawer or room or an area where access is controlled by a guard,
cipher lock, and/or card reader, or that otherwise has sufficient physical access control measures to
afford adequate protection and prevent unauthorized access by members of the public, visitors, or
other persons without a need-to-know
4. When sent via fax must be sent only to a previously established and used address or one that has
been verified as using a secured location.
5. Must not be posted on any public website.
6. Must be destroyed when no longer needed, subject to the organization's Records Management
Policy. Destruction may be accomplished by the following:
a) “Hard Copy” materials must be destroyed by shredding or another process that destroys
the data beyond either recognition or reconstruction. After destruction, materials may be
disposed of with normal waste.
b) Electronic storage media shall be sanitized appropriately by degaussing prior to disposal.
Disposal of electronic equipment must be performed in accordance with the Bank’s Disposal
Policy.
The MD/CEO and CISO must be notified in a timely manner if data classified as Confidential is lost, disclosed to
unauthorized parties or suspected of being lost or disclosed to unauthorized parties, or if any unauthorized
use of the bank’s information systems has taken place or is suspected of taking place.
The objective of this chapter is to specify Information Security Policies and Standards to be adopted by the
bank. This chapter covers the basic and general information security controls applicable to all functional
groups to ensure that information assets are protected against risk.
This chapter describes how the Bank secures access to its information assets to ensure that confidentiality,
integrity and availability are maintained. It applies to all information that the Bank collects, stores, processes,
generates or shares to deliver services and conduct business, including information received from or
exchanged with external partners and clients and also to information systems.
a. The Bank shall control access to information on the basis of business and security requirements.
b. Access control rules and rights to applications, expressed in standard user profiles, for each user or
group of users are clearly stated, together with the business requirements met by the controls.
c. The security requirements of each business application are determined by a risk assessment that
identifies all information related to the application and the risks to that information.
d. The access rights to each application take into account:
1) The classification levels of information processed within that application and ensure that there is
consistency between the classification levels and access control requirements across the
systems and networks.
2) Data protection and privacy legislation (if existent) and contractual commitments regarding access
to data or services.
3) The “need to know” principle (i.e. access is granted at the minimum level necessary for the role).
4) Everything is generally forbidden unless expressly permitted.
5) Rules must always be enforced and guidelines for enforcement shall be provided.
6) User initiated changes to information classification labels shall be prohibited.
7) User initiated changes to user permissions shall be prohibited.
8) Rules that require specific permission before enactment SHALL be enforced.
9) Any privilege that users require to perform their roles, subject to a need-to-use basis and an
event-by-event basis, SHALL be enforced.
e. The Bank shall provide standard user access profiles for common roles in the Bank.
f. Management of access rights across the network shall be applied and monitored in line with
Controls A.9.2 of the Annex A Controls.
g. User access requests, authorization and administration are segregated as described in ISO 27001
Controls A.9.3.
h. User access requests are subject to formal authorization, periodic review and removal in line with
documented procedures.
i. Management of access to the network and network services shall be applied and monitored in line
with Controls A.9.1.2 of the Annex A Controls.
j. Management shall develop processes and controls to restrict the installation of software on both
production and client official systems.
a. The branch incumbent should select the executives and officers who work in the CBS as 'Users'.
Everyone should have a user ID, and every individual should maintain a password to work in the
system.
b. Operations Division shall permit every individual 'User' according to their assigned official work/jobs and
responsibilities.
c. Each individual 'User' shall be liable for every transaction entered by them, as recorded in the application
log file and transaction file against their user ID.
d. Operations Division should maintain a 'User' list showing the permissions given to each
individual, duly signed and dated or generated from the system.
k. Administrative passwords of the Operating System, Database and Banking Application will be kept in a
sealed envelope under safe custody (centralized/decentralized), which is the responsibility of the concerned
divisions/branch heads.
l. Passwords shall be between 8 and 12 characters in length, containing a combination of upper-case and
lower-case letters, numerals and special characters (e.g. ~!@#$%^&*+), for all IT platforms except SWIFT.
m. User IDs shall be locked after three (03) unsuccessful login attempts. IT Division should ensure that the
user ID and password are not the same.
n. IT Division will ensure that password history is enabled in the system so that the same password can be
used again only after at least three (03) other passwords have been used.
o. Passwords will be valid for a set interval, after which the user must change the password. The
maximum validity period of a password should not exceed a 30 to 90 day cycle.
p. The maximum number of invalid login attempts should be specified properly in the
system (maximum 03 consecutive attempts).
q. Users should change their passwords when prompted by the system in the case of networked
machines or on a regular basis for standalone machines.
r. Bank’s employees are responsible for the security of their password which they should not divulge,
even to colleagues.
s. Passwords shall be stored on secure systems, separate from application system data, and
protected by encryption. The default passwords on all new equipment shall be changed to conform
to the Bank's password requirements before the equipment is brought into service.
t. Passwords must be rendered unreadable during transmission and storage on all system components
using strong cryptography.
u. Password reset requests must be initiated through the Bank's user access workflow (confirmation from
supervisor or written evidence) and cannot be initiated by telephone.
v. Bank's IT Division will ensure that an audit trail is available to review user profiles in the application.
a. It must be ensured that the software does not allow the same user to be both maker and checker of the
same transaction. Where the system does not support this, the checking should be done manually or
in another way approved by the authority, but the maker and checker must be different.
b. The session time-out period and maximum idle time of a session/system/application for users should be
approved by IT Division (currently 03 minutes).
c. Audit trail must be clearly marked with User ID, date and time stamp.
d. All system activities and inputs to applications are time-synchronized to the central time server (NTP).
a. Privileges shall be allocated on a need-to-use and event-by-event basis upon proper approval from
respective division/department/branch Head. Head of respective division/department/branch will
define the role of each admin for each system.
b. Each privileged user/admin shall only be granted access rights and system privileges based on the
roles as defined.
c. The approved request for allocation of a privilege initiated by the user concerned shall be forwarded
to the System Administrator.
d. The System Administrator shall retain a log of all authorized privileges in the central log server.
e. The roles of privileged users/admins will be documented and will be reviewed as and when required.
a. When stored in electronic format, must be protected with strong passwords and stored on servers
that have protection and encryption measures provided by third party provider in order to protect
against loss, theft, unauthorized access and unauthorized disclosure.
b. Must not be disclosed to parties without explicit management authorization
c. Agreements, SLA or some other means which is considered as confidential must be stored only in a
locked drawer or room or an area where access is controlled by a guard, cipher lock, and/or card
reader, or that otherwise has sufficient physical access control measures to afford adequate
protection and prevent unauthorized access by members of the public, visitors, or other persons
without a need-to-know.
d. Must not be posted on any public website and must be destroyed when no longer needed. Destruction
may be accomplished by the following:
i. "Hard Copy" materials must be destroyed by shredding or another process that destroys the
data beyond either recognition or reconstruction. After destruction, materials may be disposed
of with normal waste.
ii. Electronic storage media shall be sanitized appropriately by degaussing prior to disposal.
Disposal of electronic equipment must be performed in accordance with the Disposal Policy.
e. Operations Division and IT Security Unit must be notified in a timely manner if data classified as
Confidential is lost, disclosed to unauthorized parties or suspected of being lost or disclosed to
unauthorized parties, or if any unauthorized use of the information systems has taken place or is
suspected of taking place.
a. Detailed log reports shall be maintained for access to the system and for the use of the different
applications.
b. The following functions must be recorded:
i. Log-in attempts
ii. Password changes
iii. File creations, changes and/or deletions
c. The audit trail event record should specify:
i. Type of event
ii. When the event occurred
iii. User ID associated with the event
iv. Program or command used to initiate the event
d. Audit trail and log reports for all exceptions of the system should also be maintained
properly.
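The maker-checker rule, the 03-minute idle time-out and the audit-trail fields from the transaction-control items and the logging items above, as an added example that is not code from the policy or from the Bank's CBS. Transaction IDs, user IDs and amounts are constructed; the program name and the caller-supplied NTP-synced clock are assumptions.

```python
"""Maker-checker enforcement, idle time-out and audit-trail records.

Constructed example: transaction IDs, user IDs and amounts are made up.
Assumptions: the caller passes timestamps taken from the central NTP-synced
time source, and PROGRAM is the name recorded as the program that raised the event.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

IDLE_TIMEOUT = timedelta(minutes=3)   # maximum idle time approved by IT Division (03 min)
PROGRAM = "cbs.transactions"          # assumed program name recorded in each event


@dataclass
class AuditEvent:
    """The four fields the audit-trail policy requires, plus free-text detail."""
    event_type: str
    occurred_at: datetime             # from the NTP-synced clock
    user_id: str
    program: str
    detail: str

    def as_line(self) -> str:
        return (f"{self.occurred_at.isoformat()} {self.event_type} "
                f"user={self.user_id} program={self.program} {self.detail}")


@dataclass
class Transaction:
    txn_id: str
    amount: int                       # minor currency units
    maker: str
    checker: Optional[str] = None
    status: str = "pending"           # pending -> approved


@dataclass
class Session:
    user_id: str
    last_activity: datetime

    def touch(self, now: datetime) -> bool:
        """Refresh the session if still within the idle limit; False once it has timed out."""
        if now - self.last_activity > IDLE_TIMEOUT:
            return False
        self.last_activity = now
        return True


class TransactionLedger:
    def __init__(self):
        self.transactions = {}
        self.audit_trail = []

    def _log(self, event_type: str, now: datetime, user_id: str, detail: str) -> None:
        self.audit_trail.append(AuditEvent(event_type, now, user_id, PROGRAM, detail))

    def make(self, session: Session, now: datetime, txn_id: str, amount: int) -> bool:
        """Maker step: record the transaction against the maker's user ID."""
        if not session.touch(now):
            self._log("SESSION_TIMEOUT", now, session.user_id, f"txn={txn_id}")
            return False
        if txn_id in self.transactions:
            self._log("TXN_MAKE_REJECTED", now, session.user_id, f"txn={txn_id} duplicate")
            return False
        self.transactions[txn_id] = Transaction(txn_id, amount, session.user_id)
        self._log("TXN_MAKE", now, session.user_id, f"txn={txn_id} amount={amount}")
        return True

    def check(self, session: Session, now: datetime, txn_id: str) -> bool:
        """Checker step: refuse when the checker is the maker of the same transaction."""
        if not session.touch(now):
            self._log("SESSION_TIMEOUT", now, session.user_id, f"txn={txn_id}")
            return False
        txn = self.transactions.get(txn_id)
        if txn is None or txn.status != "pending":
            self._log("TXN_CHECK_REJECTED", now, session.user_id, f"txn={txn_id} not pending")
            return False
        if session.user_id == txn.maker:
            self._log("TXN_CHECK_REJECTED", now, session.user_id,
                      f"txn={txn_id} maker and checker must differ")
            return False
        txn.checker, txn.status = session.user_id, "approved"
        self._log("TXN_CHECK", now, session.user_id, f"txn={txn_id} approved")
        return True

    def exceptions(self) -> list:
        """Rejected actions and time-outs, kept as the separate exception report."""
        return [e for e in self.audit_trail
                if e.event_type.endswith("_REJECTED") or e.event_type == "SESSION_TIMEOUT"]
```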
Effective business continuity measures are critical for any business entity. Trust Bank is committed to
protecting its employees and ensuring the continuity of critical businesses and functions in order to protect
the Trust Bank outlets, mitigate risk, safeguard revenues and sustain both a stable financial market and
customer confidence. The development, implementation, testing and maintenance of an effective global
Business Continuity and Disaster Recovery Plan are required to sustain these objectives.
To further our commitment in the event of a significant business disruption, as well as to meet all regulatory
requirements, Trust Bank's infrastructure includes a Business Continuity Management ("BCM") group that is
an integral part of Trust Bank's normal business operations. BCM plans, tests, and manages crises concerning
the relocation and recovery of business lines and functions. Business Continuity and Disaster Recovery
Management is required for planning business resiliency for critical incidents; operational risk planning takes
into account Data Center disasters and the recovery plan.
a. TBL should have a Business Continuity Plan (BCP) team under Operations Division addressing
recovery from disaster so that the bank can continue its operations. The bank shall establish a continuity planning
framework which defines the roles, responsibilities and methodology to be adopted in case of a
disaster. TBL should ensure that a written Business Continuity Plan is developed containing the
following:
i. Guidelines on how to use the continuity plan.
ii. Emergency procedures to ensure the safety of all affected employees.
iii. Recovery procedures meant to bring the business back to the state it was in before the incident
or disaster.
iv. Procedures to safeguard and reconstruct.
v. Co-ordination procedures with public authorities.
vi. Communication procedures with stakeholders, employees, key customers, critical suppliers,
stockholders and management.
vii. Contact information on continuity teams, affected employees, customers, suppliers, public
authorities and the media.
b. The primary objectives of the BCP should focus on the following:
i) Surviving a disaster and re-establishing normal business operations.
ii) The contingency plan shall cover business resumption planning and disaster recovery
planning.
c. The BCP should address the following:
i) Critical application programs
ii) Responsible parties
iii) Third-party services
iv) Personnel and supplies
v) Emergency grab list such as backup tapes, laptops, flash drives, etc.
vi) Emergency contacts, addresses and phone numbers of employees, vendors and agencies.
vii) Data files and time frames required for recovery after a disaster occurs.
viii) Disaster recovery site map
ix) Action plan to restore business operations within the specified time frame for: (i) a disaster
during office hours and (ii) a disaster outside office hours.
8.1.2 Maintaining the BCP
a. The IT continuity plan shall be maintained (changed, updated and tested) whenever there is a major
change to the technological infrastructure of the Bank’s information system. Examples of situations
that might necessitate updating plans include the acquisition of new equipment, or upgrading of
operational systems and changes in:
i. Personnel
ii. Addresses or telephone numbers
iii. Business strategy
iv. Location, facilities and resources
v. Legislation
vi. Contractors, suppliers and key customers
vii. Processes, or new/withdrawn ones
viii. Risk (Technical, operational and financial).
b. The BCP must be tested and reviewed regularly to ensure its effectiveness. Maintenance of the IT continuity
plan shall be done annually or as the need arises.
c. Documents related to BCP must be kept in a secured off‐site location. One copy shall be stored in the
office for ready reference.
d. The BCP shall be coordinated with and supported by the Business Impact Analysis (BIA) and the
Disaster Recovery Plan (DRP) considering system requirements, processes and interdependencies.
e. BCP shall be circulated to all relevant stakeholders. The recipients need to preserve a copy of
amended plan whenever any amendment or alteration takes place.
a. To have an effective continuity plan, management must test the plan to ensure its adequacy, and to
ensure that management and employees understand the implementation.
b. Table-top testing of various scenarios (discussing the business recovery arrangements using example
interruptions)
c. Simulations (particularly for training people in their post-incident/crisis management roles)
d. Technical recovery testing (ensuring information systems can be restored effectively)
e. Testing recovery at an alternate site (running business processes in parallel with recovery operations
away from the main site)
f. Tests of supplier facilities and services (ensuring externally provided services and products will meet
the contracted commitment)
g. Complete rehearsals (Stress testing of personnel, equipment, facilities and processes).
h. There should be a BCP team under Operations Division which will ensure that all concerned parties
receive regular training sessions regarding the procedures to be followed in case of an incident or
disaster, and which will perform testing at least once a year.
a. The DR site shall be equipped with compatible hardware and telecommunication equipment to support
the critical services of the business operation in the event of a disaster.
b. Physical and environmental security of the DR site or near-DC site shall be maintained.
c. The Disaster Recovery center is to be set up in a remote and secured area, located on a
separate power phase and in a low earthquake-risk area.
d. Parallel systems are to be set up for each unit of Branch or Head Office.
e. Backup systems are to be ready instantly or at short notice for each unit of Branch or Head Office.
f. Redundancy is a must for all servers, applications, WAN connectivity, WAN equipment and the LAN setup.
g. Information security shall be maintained properly throughout the recovery process.
h. Data mirroring (RAID setup where possible) is to be implemented for all servers.
i. A recovery cell for computer systems is to be ready for instant support.
This section describes how the Bank manages backup of systems data and devices to ensure continuity in the
event of disaster. The Bank should apply all necessary technical and management control mechanisms to ensure
that backups of its information systems and networks are adequately performed and controlled.
This policy has been designed and implemented with disaster recovery/business continuity (i.e. the ability to
recover recent live data in the event of a partial or total loss of data) as the key deliverable and is therefore not
designed as a method of archiving material for extended periods of time.
a. IT Division shall provide the appropriate central repository infrastructure for all employees to store
critical files/documents, and all employees shall be individually responsible for data held locally on their
desktop or laptop computer.
b. IT Division and IT Security Unit, along with the users, shall ensure the safety and security of the backup
copies of information against damage by natural calamities and theft (if possible, copies are to be sent
to an off-site location).
c. At least one copy of the backup shall be kept on-site for time-critical recovery. Backups shall only be
stored in a secure offsite location. Only authorized personnel shall have access to the backup
application and media copies.
Any new application or function for the bank requires analysis before acquisition or creation to ensure
that business requirements are met in an effective and efficient manner. This process covers the definition of
needs, consideration of alternative sources, review of technological and economic feasibility, execution of risk
analysis and cost-benefit analysis, and conclusion of a final decision to 'make' or 'buy'.
a. In drawing up a project management framework, it should be ensured that tasks and processes for
developing or acquiring new systems include project risk assessment and classification, critical
success factors for each project phase, and definition of project milestones and deliverables. The roles
and responsibilities of employees involved in the project should be clearly defined in the project
management framework.
b. Project plan for all ICT projects shall be clearly documented and approved. In the project plans, the
deliverables should be set out clearly to be realized at each phase of the project as well as
milestones to be reached.
c. User functional requirements, business cases, cost-benefit analysis, systems design, technical
specifications, test plans and service performance expectations should be approved by the relevant
business units and ICT management.
d. IT Division in coordination with IT Security Unit shall establish management oversight of the project
to ensure that milestones are reached and deliverables are realized in a timely manner.
a. There should be a test environment to verify the software functionalities before implementation.
b. User Acceptance Test should be carried out and signed‐off before going live.
c. Software Development Life Cycle (SDLC) with User Acceptance Test (UAT) shall be followed and
conducted in the development and implementation stage. User Verification Test (UVT) for post
deployment shall be carried out.
d. Support agreement must be maintained with the provider for the software used in production with
the confidentiality agreement.
a. All the software procured and installed shall have legal licenses and record of the same shall be
maintained by the respective unit/department of Trust Bank.
b. There shall be a separate test environment/server to perform end-to-end testing of the software
functionalities before implementation.
c. User Acceptance Test (UAT) shall be carried out and signed by the relevant business units/departments
before rolling out in LIVE operation.
d. Necessary Regulatory Compliance requirements for banking procedures and practices and relevant
laws of Government of Bangladesh must be taken into account.
e. Any bugs and/or defects found due to design flaws must be escalated to higher levels in Software
Vendors' organization and Bank in time.
f. Support agreement must be maintained with the provider for the application software used in
production with the confidentiality agreement.
g. Escrow agreement shall be signed with renowned escrow provider to protect source code for
outsourced software.
a. Application security encompasses measures taken throughout the application's life-cycle to prevent
exceptions in the security policy of an application or the underlying system (vulnerabilities) through
flaws in the design, development, deployment, upgrade, or maintenance of the application.
Applications only control the use of resources granted to them, and not which resources are granted
to them. They, in turn, determine the use of these resources by users of the application through
application security.
b. Application security includes:
i. Knowing the threats.
ii. Securing the network, host and application.
iii. Incorporating security into the software development process.
iv. In-house software needs to be developed in such a way that it can prevent the threats in the
following classes:
1) Input Validation
2) Authentication
3) Authorization
4) Configuration Management
5) Sensitive information
6) Session management
7) Cryptography
8) Parameter manipulation
9) Exception Management
10) Auditing
11) Logging
Category: Considerations
Authentication:
i. Are credentials secured if they are passed over the network?
ii. Are strong account policies used?
iii. Are strong passwords enforced?
iv. Are you using certificates?
v. Are password verifiers (using one-way hashes) used for user passwords?
Authorization:
i. What gatekeepers are used at the entry points of the application?
ii. How is authorization enforced at the database?
iii. Is a defense in depth strategy used?
iv. Do you fail securely and only allow access upon successful confirmation of credentials?
Session management:
i. How are session cookies generated?
ii. How are they secured to prevent session hijacking?
iii. How is persistent session state secured?
iv. How is session state secured as it crosses the network?
v. How does the application authenticate with the session store?
vi. Are credentials passed over the wire and are they maintained by the application? If so, how are they secured?
Cryptography:
i. What algorithms and cryptographic techniques are used?
ii. How long are encryption keys and how are they secured?
iii. Does the application put its own encryption into action?
iv. How often are keys recycled?
Parameter manipulation:
i. Does the application detect tampered parameters?
ii. Does it validate all parameters in form fields, view state, cookie data, and HTTP headers?
Auditing and logging:
i. Does your application audit activity across all tiers on all servers?
ii. How are log files secured?
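As an added illustration of the Authentication and Session management rows of the checklist above (example code written for this page, not the Bank's or any vendor's), the following stores a one-way password verifier instead of the password, fails securely for unknown users, and generates session cookies from the OS random source with hijack-resistant cookie attributes. The class names, the PBKDF2 iteration count and the cookie name are assumptions.

```python
"""Added example: password verifier store and session-cookie generation for
the Authentication / Session management checklist items. Not part of the
policy; class names, iteration count and cookie name are assumptions."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ITERATIONS = 210_000   # assumption: work factor chosen for this example
SALT_BYTES = 16
HASH_BYTES = 32


@dataclass(frozen=True)
class Verifier:
    """What is stored instead of the password: per-user salt plus one-way hash."""
    salt: bytes
    digest: bytes
    iterations: int


def make_verifier(password: str) -> Verifier:
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS, dklen=HASH_BYTES)
    return Verifier(salt, digest, PBKDF2_ITERATIONS)


# Dummy verifier used for unknown users, so a failed lookup costs the same
# work as a wrong password: fail securely without leaking valid usernames.
_DUMMY = make_verifier(secrets.token_hex(16))


class PasswordStore:
    def __init__(self) -> None:
        self._users: Dict[str, Verifier] = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = make_verifier(password)

    def verify(self, username: str, password: str) -> bool:
        known = username in self._users
        v = self._users.get(username, _DUMMY)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), v.salt,
                                        v.iterations, dklen=len(v.digest))
        # constant-time comparison; the result only counts for known users
        return hmac.compare_digest(candidate, v.digest) and known


class SessionManager:
    """Session identifiers come from the OS CSPRNG, never from user data."""
    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def create(self, username: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of entropy
        self._sessions[token] = username
        return token

    def lookup(self, token: str) -> Optional[str]:
        return self._sessions.get(token)

    @staticmethod
    def cookie_header(token: str) -> str:
        # Secure: sent only over TLS; HttpOnly: not readable by page scripts;
        # SameSite=Strict: not attached to cross-site requests.
        return (f"Set-Cookie: SESSIONID={token}; Secure; HttpOnly; "
                "SameSite=Strict; Path=/")
```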
10.1 Outsourcing
10.1.1 Outsourcing Governance
a. The Board of Directors and Senior Management should form a team or committee to address the risks
associated with ICT outsourcing. Before appointing a service provider, due diligence shall be carried
out to determine its viability, capability, reliability, track record and financial position. Accordingly,
an ICT Outsourcing Committee shall be formed. The responsibilities of the committee or team will be
as follows:
i. Evaluate the risks of all existing and prospective outsourcing and the policies that apply to
such arrangements.
ii. Procedural activities for undertaking regular review of outsourcing strategies and
arrangements for their continued relevance.
b. The concerned Division/Department and Legal Cell shall ensure that contractual terms and conditions
governing the roles, relationships, obligations and responsibilities of all contracting parties are set out
fully in written agreements. A formal contract between the Bank and the outsourcer shall exist to
protect both parties.
c. IT Division, IT Security Unit and the concerned division/department should develop a contingency plan for
critical outsourced technology services to protect them from unavailability of services due to
unexpected problems at the technology service provider. This may include a termination plan and
identification of additional or alternate technology service providers for such support and services.
d. The concerned Division/department shall maintain a service catalogue or system-generated dashboard
for all third-party services received, preserving up-to-date information on each service rendered:
service provider name, service type, SLA expiry date, service receiving manager, service reporting,
emergency contact person at the service provider, last SLA review date, etc.
e. ICT outsourcing shall not result in any weakening or degradation of the bank's internal controls. The
Bank shall require the service provider to employ a high standard of care and diligence in its
security policies, procedures and controls to protect the confidentiality and security of its sensitive
or confidential information, such as customer data, object programs and source codes.
f. IT Security Unit and “Review committee of ICT Security Policy” shall monitor and review the
security policies, procedures and controls of the service provider on a regular basis, including
periodic expert reports on security adequacy and compliance in respect of the operations and
services provided by the service provider.
g. Service providers need to develop and establish a disaster recovery contingency framework which
defines their roles and responsibilities for documenting, maintaining and testing their contingency plans
and recovery procedures.
a. Licensing arrangements, code ownership, engine and platform ownership and the protection of
intellectual property rights relating to the outsourced project.
b. Contractual requirements for secure design, coding and testing.
c. Providing the supplier with an approved threat model.
d. Acceptance testing of the deliverable.
e. Supplier provision of evidence that minimum security thresholds were used to establish acceptable
levels of information security.
f. Supplier provision of evidence that the deliverable has been adequately tested against all known
vulnerabilities.
g. Escrow arrangements.
h. The organization’s audit rights over development processes and controls.
i. Documentation of the build environment.
j. Division responsibility for compliance.
a. Administrative Division shall form a team comprising personnel from Functional Departments and
IT Division for vendor selection. The vendor selection process must conform to the
Procurement Policy of TBL.
b. A weightage matrix based on defined criteria shall be prepared for software evaluation. Vendor selection
criteria for applications must address the following:
i. Market presence:
The vendor needs to be registered and renowned, with a high-profile market presence.
ii. Years in operation:
a. There shall be Service Level Agreements (SLA) with vendors. The Annual Maintenance Contract
(AMC) with the vendor shall be active and currently in force.
b. Dashboard with significant details for SLAs and AMCs shall be prepared and kept updated.
c. The concerned Division/department/branches will ensure that equipment requiring servicing/maintenance
is free of sensitive live data. The support of IT Division must be taken in this regard.
d. The requirements and conditions covered in the agreements would usually include performance
targets, service levels, availability, reliability, scalability, compliance, audit, security, contingency
planning, disaster recovery capability and backup processing facility.
e. Service contracts with all service providers including third‐party vendors shall include:
i. Pricing
ii. Measurable service/deliverables
iii. Timing/schedules
iv. Confidentiality clause
v. Contact person names (on daily operations and relationship levels)
vi. Roles and responsibilities of contracting parties including an escalation matrix
vii. Renewal period
viii. Modification clause
ix. Frequency of service reporting
x. Termination clause
xi. Penalty clause
xii. Warranties, including service suppliers’ employee liabilities, 3rd party liabilities and
the related remedies
xiii. Geographical locations covered
xiv. Ownership of hardware and software
xv. Documentation (e.g. logs of changes, records of reviewing event logs)
xvi. Right to have information system audit conducted (internal or external).
a. The Bank shall provide official authorization/assurance to the group that is liable on behalf of the
parent company to ensure data availability and continuation of services under any circumstances, e.g.
diplomatic changes, natural disaster, relationship breakdown, discontinuity of services, or others in
applicable cases.
b. The DR Site shall be multi‐layered in terms of physical location and redundancy in connectivity.
a. The data related to CBS, Mobile Banking, Card System and any other system in DC and DR (e.g.
router configuration file, firewall configuration file, server patch etc.) will be the sole ownership of
Trust Bank.
b. IT Division has to protect and possess all sorts of data of the DC and DR in case of migration of any
technical platform.
Alternative Delivery Channel (ADC) is a distribution channel strategy used for delivering financial services
without relying solely on bank branches. While the strategy may complement an existing bank branch network
by giving customers a broader range of channels through which they can access financial services, an Alternative
Delivery Channel (ADC) can also be used as a separate channel strategy that entirely forgoes bank branches.
The bank's Digital Banking Division (DBD) shall include the essential ADC channels, which are as follows:
a. Use of technology, such as plastic cards, internet or mobile phones, to identify customers and record
transactions electronically and, in some cases, to allow customers to initiate transactions remotely
b. Use of (exclusive or nonexclusive) third-party outlets, such as PayPoints, post offices and small
retailers, that act as agents for financial services providers and that enable customers to perform
functions that require their physical presence, such as cash handling and customer due diligence for
account opening etc.
c. Offer of at least basic cash deposit and withdrawal in addition to transactional fund transfer or
payment services.
d. Structuring of the above so that customers can use these banking services on a regular basis (available
24 hours a day) and without needing to go to bank branches at all.
Examples of branchless banking technologies are the Internet, automated teller machines (ATMs), POS
devices, EFTPOS devices and mobile phones. Each of these technologies serves to deliver a set of banking
services and is part of a distribution channel that may be used either separately or in conjunction with others to form the
overall distribution channel strategy.
a. Proper physical security and data security should be ensured for ATM and POS transactions. ATMs
shall be fitted with the following devices:
i. Anti-skimming device to detect the presence of unknown devices placed over or near a card
entry slot.
ii. Tamper-resistant keypads to ensure that customers' PINs are encrypted during transmission.
b. Video surveillance should operate 24x7 and recordings should be preserved for at least one year.
c. A centralized online monitoring system for cash balance, loading/unloading functions, machine
faults, etc. should be installed.
d. There should be a mechanism to detect incidents and send alerts for follow-up response and action.
e. Security personnel shall be deployed at all ATM devices on a 24-hour basis.
f. An inspection schedule shall be maintained for all ATM/POS devices to ensure standard
practice (i.e., environmental security for ATMs, anti-skimming devices for ATMs, POS device surface
tampering,
Information involved in the internet banking facility passing over public networks shall be protected from fraudulent
activity, dispute and unauthorized disclosure or modification. Internet systems may be vulnerable as financial
services are increasingly provided via the internet. As a counter-measure, a security strategy shall be
developed and measures put in place to ensure the confidentiality, integrity and availability of the Bank's data and
systems.
a. Information involved in internet banking passing over public networks should be protected from
fraudulent activity, contract dispute, and unauthorized disclosure and modification.
b. Logical access control techniques may include user-ids, passwords, smart cards or other industry
standards. Encryption using 2048-bit digital certificates should be implemented as required
to ensure data protection.
c. Accuracy, reliability and completeness should be ensured for information processing, storage and
transmission between the Bank and its clients. Proper tools (e.g. SSL, TLS etc.) should be implemented for
processing and transmission control to ensure system and data integrity.
d. Adequate measures should be placed to plan and track capacity utilization as well as guard against
online attacks including denial-of-service attacks (DoS attack) and distributed denial‐ of-service
attack (DDoS attack).
e. TBL Management may authorize personnel, a system auditor or any organization to undertake
periodic penetration tests of the system with prior approval from the appropriate authority (i.e.
MD/EC/BoD), which may include:
i. Implementation of a captcha validation tool to protect against attempts to guess passwords
using password-cracking tools.
ii. Attempting to overload the system using DDoS (Distributed Denial of Service) and DoS (Denial
of Service) attacks.
iii. Attempting to compromise the system using man-in-the-middle, man-in-the-browser and
man-in-the-application attacks.
iv. Checking for commonly known vulnerabilities in software, especially in browser and e-mail
software.
v. Checking for weaknesses in the infrastructure.
vi. Taking control of ports.
vii. Causing application crashes.
viii. Injecting malicious code into application and database servers.
ix. Searching for back doors and traps in the programs.
a. Digital Banking Division will provide assurance to its clients on the protection and authentication of
online access and transactions performed over the internet, using printed or web media (e.g. FAQ,
brochure, email etc.).
b. Proper initiatives should be taken to educate clients about threats in the online environment and the
safeguards against them, using printed or web media (e.g. FAQ, brochure, email etc.).
c. The Bank's official website will maintain a web portal for customers to register for this service and
ensure that correct and mandatory information is provided. The registration process will be published on the portal.
Payment cards exist in many forms; with magnetic stripe cards posing the highest security risks. Sensitive
payment card data stored on magnetic stripe cards is vulnerable to card skimming attacks. Card skimming
attacks can happen at various points of the payment card processing, including ATMs, payment kiosks and
POS terminals.
For payment card services, procedures must comply with industry security standards, e.g. the Payment Card
Industry Data Security Standard (PCI DSS), to ensure the security of cardholder data. The PCI DSS includes the
following requirements for security management, policies, procedures, network architecture, software design
and other protective measures.
a. Card Division shall implement adequate safeguards to protect sensitive payment card data.
b. It shall be ensured that sensitive card data is encrypted to ensure the confidentiality and integrity of
these data in storage and transmission.
A Bank providing payment card services must comply with industry security standards, e.g. the Payment
Card Industry Data Security Standard (PCI DSS), to ensure the security of cardholder data. PCI DSS compliance may be
obtained through a shared arrangement or via a third-party vendor. The PCI DSS includes the following requirements for security
management, policies, procedures, network architecture, software design and other protective measures:
a. PINs used in transactions should be processed using equipment and methodologies that ensure they
are kept secure.
b. Cryptographic keys used for PIN encryption/decryption and related key management should be
created using processes that ensure it is not possible to predict any key or to determine that certain
keys are more probable than other keys.
c. Secret or private keys should be conveyed or transmitted in a secure manner.
d. Mask the PAN when displayed (the first six and last four digits are the maximum number of digits to be
displayed).
e. Unencrypted key loading to hosts and PIN entry devices should be handled in a secure manner.
f. Randomized keys should be used in a manner that prevents or detects their unauthorized usage.
g. Keys should be administered in a secure manner.
h. Equipment used to process PINs and keys should be managed in a secure manner.
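The PAN display rule in item d (at most the first six and last four digits shown) is the kind of control that is easiest to violate in application and transaction logs, where full card numbers tend to leak. The following is an added example written for this page, not the Bank's or any vendor's code: it finds candidate PANs in log lines, confirms them with the standard Luhn check digit (a property of card numbers, not stated in the policy), and masks them to the six/four maximum. The log lines and card numbers are constructed test values.

```python
"""Added example: mask PANs in log lines to the PCI DSS display maximum of
first six and last four digits (item d above). Sample log lines are
constructed; the card numbers are publicly known test numbers."""
import re

# 13-19 digit runs, optionally separated by single spaces or dashes,
# not adjacent to other digits (so longer numeric references are untouched).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: filters out timestamps, references and other
    digit runs that happen to be PAN-length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Replace the middle digits with '*', preserving separators so the
    masked value stays recognisable as a card number in the log."""
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS allows at most first six and last four digits")
    n = sum(c.isdigit() for c in pan)
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append(c if seen < keep_first or seen >= n - keep_last else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def redact_line(line: str) -> str:
    """Mask every Luhn-valid PAN candidate in one log line."""
    def _sub(m: "re.Match[str]") -> str:
        raw = m.group(0)
        if luhn_ok("".join(filter(str.isdigit, raw))):
            return mask_pan(raw)
        return raw
    return _PAN_CANDIDATE.sub(_sub, line)


def redact_all(lines):
    return [redact_line(line) for line in lines]


SAMPLE_LOG = [  # constructed sample lines; the PANs are standard test numbers
    "2023-05-02 10:14:03 POS auth ok pan=4111111111111111 amt=120.00",
    "2023-05-02 10:15:11 ATM withdraw pan=5555 5555 5555 4444 amt=500.00",
    "2023-05-02 10:16:42 txn ref=2023050210164200001 status=declined",
]
```

The third sample line keeps its 19-digit transaction reference because it fails the Luhn check, which is why the check is applied before masking.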
SMS Banking Service enables clients to know their account balances and mini statements instantly by just
sending an SMS. The SMS Banking service also provides instant notification of ATM, POS and salary
disbursement transactions as and when they happen. SMS banking standards have been included in the TBL ICT
Security Policy through the following measures:
a. Firstly, the customer has to register for this service by filling up a prescribed form and ensure that the latest
mobile number is updated with the Bank. The mobile number will then be linked to the client's
account.
b. When registering for the SMS Banking service, it is important for the customer and the Bank
to make sure that correct and complete information is provided, and that the information is verified and
protected.
Phone Banking Service enables clients to know their account balances and mini statements instantly through a
telephone call. To access this service the customer must fill up the Phone Banking Application Form and must
acknowledge the Terms & Conditions for the service.
a. Firstly, the customer has to register for this service by filling up a prescribed form.
a. A proper customer verification process must be ensured to reduce identity theft/fraud. Agents shall
ask random security questions, e.g. Father's/Mother's/Spouse's Name, Address/Date of Birth or Last
Few Transaction details, to verify the customer's identity.
b. Voice network access should be secured by device certificate and/or user name and password.
c. Call restrictions should be enforced by device, user, and other criteria, such as time of day.
d. Security devices, i.e. Firewall/IPS, are to be implemented to monitor and filter authorized and
unauthorized VoIP traffic, and to track unusual voice activities.
e. Regular OS updates should be applied to all VoIP devices.
f. Separate VLANs are to be used to segment voice traffic from data traffic.
g. Voice traffic should be encrypted to protect sensitive customer information.
h. The IP-PBX server should be hardened, with unnecessary services disabled.
i. SSH root login should be disabled, SSH authentication should use keys, and the default SSH port should be changed.
j. The IP-PBX system should be installed in a secure location with restricted access.
k. VoIP logging should be enabled to monitor activity.
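Items h and i above are verifiable from the IP-PBX host's sshd_config. The following is an added compliance check written for this page (not the Bank's or any vendor's tool) that parses an OpenSSH server configuration and reports where root login, password authentication or the default port 22 remain enabled. It relies on two documented OpenSSH behaviours: the first occurrence of a keyword wins, and keywords after a Match line are conditional. The sample configurations are constructed.

```python
"""Added example: check an IP-PBX sshd_config against policy items h and i
(no root SSH login, key-based authentication, non-default port). Not part
of the policy; sample configurations below are constructed."""
from dataclasses import dataclass
from typing import Dict, List

DEFAULT_SSH_PORT = 22

# keyword -> (allowed values, OpenSSH default when the keyword is absent)
REQUIRED = {
    "permitrootlogin": ({"no"}, "prohibit-password"),
    "passwordauthentication": ({"no"}, "yes"),
    "pubkeyauthentication": ({"yes"}, "yes"),
}


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Return lower-cased keyword -> values in file order.
    Stops at the first Match block, since settings after it are conditional."""
    values: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        values.setdefault(key, []).append(value)
    return values


@dataclass
class Finding:
    keyword: str
    expected: str
    actual: str


def check_pbx_ssh(text: str) -> List[Finding]:
    """Policy findings for one sshd_config; an empty list means compliant."""
    cfg = parse_sshd_config(text)
    findings: List[Finding] = []
    for key, (allowed, default) in REQUIRED.items():
        actual = cfg.get(key, [default])[0].lower()   # first occurrence wins
        if actual not in allowed:
            findings.append(Finding(key, "/".join(sorted(allowed)), actual))
    # every Port line opens a listener, so any of them on 22 is a finding
    ports = cfg.get("port", [str(DEFAULT_SSH_PORT)])
    if str(DEFAULT_SSH_PORT) in ports:
        findings.append(Finding("port", f"not {DEFAULT_SSH_PORT}", ",".join(ports)))
    return findings


WEAK_CONFIG = """\
# constructed sample: shipped defaults left in place
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed sample: items h and i applied
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# a later duplicate is ignored by sshd because the first occurrence wins
PermitRootLogin yes
"""
```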
With the advent of electronic banking, the customer's banking experience is no longer fully under the
control of the Bank. Customers are equipped to do banking through self-help. The best defense against fraud is
customer awareness. Fraudsters are constantly creating more diverse and complex fraudulent mechanisms,
using advanced technology and social engineering techniques to access their victims' accounts. Therefore it is
imperative for Banks to conduct regular awareness programs among consumers.
It is also important to educate other stakeholders, including bank employees, who can then act as resource
persons for customer queries, law enforcement personnel for more understanding response to customer
complaints and media for dissemination of accurate and timely information.
The awareness program can be carried out through awareness material, advertisements, promotion campaigns
and the official website. The following communication channels could be used to engage customers successfully.
a. Provide information about fraud risk trends, types or controls to target customers or people who need to
know.
b. Help consumers to identify areas of vulnerability to fraud attempts and make them aware of their
responsibilities in relation to fraud prevention.
c. Help to build a strong culture of security and awareness of associated risk, with better understanding and
commitment.
d. Help to reduce the number of incidents leading to direct and indirect loss for the Bank.
e. Ensure the effectiveness of the program by delivering it through appropriate channels.
f. Motivate individuals to adopt recommended guidelines or practices.
Continuous improvement cannot occur without knowing how the existing program is working. A well-
calibrated feedback strategy must be designed and implemented. Since the target groups obtain information
from a variety of sources, primary and interactive communication channels may not be adequate. The effectiveness
of the program can be further increased by introducing the following:
a. Interactive guidance in the form of helplines
b. Customer meets and interactive sessions with specialists
c. Talk shows on television/radio
This chapter describes how the Bank establishes appropriate processes for the employment of manpower
and resources for managing its security programs efficiently and effectively.
The Bank shall establish the necessary processes to ensure that suitable and qualified employees and resources
are hired in order to effectively manage its security investments and initiatives.
13.1.2 Screening
Human Resources Division (HRD) shall conduct background verification and checks for all candidates upon
employment with the Bank in accordance with relevant laws, regulations, ethics and proportional to the
classification of the information to be accessed. HRD shall observe the following controls when considering a
candidate for employment:
a) Take actions commensurate with the Bank’s business needs, and with relevant legal regulatory
requirements.
b) Take into account the classification(s)/sensitivity of the information to be accessed, and the
perceived risks.
c) Include in the recruitment process, where appropriate, components such as identity verification,
character references and Curriculum Vitae verification based on the sensitivity of the job position.
Employees as well as third parties to the Bank are obliged to sign the terms and conditions of their
employment or engagement which will clearly state their responsibilities as regards Information Security
during their regular course of work. The following terms shall apply:
a) A Confidentiality Agreement shall be signed by all employees as well as third parties before access
is granted to sensitive information.
b) Legal responsibilities and rights regarding copyright laws or data protection legislation shall apply.
c) Responsibilities of employees, vendors or third parties for handling of information received from
other companies or external parties are stated.
d) At the time of induction, employees shall be given training/orientation on the Information Security
Policy and means to access it for their reading and understanding.
e) All users must acknowledge the information security policies for adherence in writing or electronically.
a) Employees shall limit personally identifiable information (e.g. mobile number, email, home address, family
details etc.) while using social networking sites like Facebook, Twitter, LinkedIn, Instagram etc. They are
also encouraged not to accept friend/connection requests blindly on social sites.
b) Employees shall not post official documents to social sites.
c) Employees shall not post/like/share subversive, false, hateful, politically motivated, defamatory,
controversial or otherwise objectionable content, pages or groups.
d) Employees shall avoid posting status updates/details about their current location or
itinerary/vacation/recreational information, to reduce the risk of being identified and targeted.
e) Corporate Branding & Market Communication Department (CBMC) shall be responsible for maintaining
official Facebook/Twitter/LinkedIn account.
The goal of the ICT security policy is not only to ensure compliance with its requirements but also to impart
discipline. Internal compliance indicates that employees are aware of and willing to follow the rules and
regulations set out by the ICT security policies.
Strict compliance with ICT security policies and guidelines is expected at all times from all employees of the Bank,
and appropriate penalties shall be meted out for non-compliance. The ICT security policies specifically relate to the
policies listed below and extend to other associated policies not listed.
The following represents the infraction levels and commensurate sanctions based on the severity of the policy
violation.
1. Level I Violators: They shall be verbally cautioned by appropriate authority.
2. Level II Violators: They shall be served a written query and expected to give a written undertaking never
to repeat same.
3. Level III Violators: Shall be issued a stern warning letter (this has a huge bearing on performance appraisal)
Reference No:
Initiator Details
Employee Name
Email Address
Employee ID
Office Extension
Request Date
SN   REF. PAGE   TEST SCRIPT   TASK STATUS (PASS / FAIL)
(rows 1 to 7 left blank for entry)
COMMENTS:
Reference: Date:
Bank Name :
Branch/Division Name :
Requested by :
Requestor's Designation :
Requestor's Telephone :
Request Date :
Justification:
Plan of mitigation:
Mitigation Date:
form. Name :
Designation :
Comments :
Date :
Reference No:
Initiator Details:
Name :
Division/Department :
Employee ID :
Signature :
Approx. Loss Amount :
Incident Date :
Reporting Date :
Incident Duration :
Name :
Email Address :
Company Name :
Address :
Contact Number :
Request Date :
Access Duration : Start Date & Time / End Date & Time
TBL Contact & Designation :
(Page 1 of 3)
TECHNICAL CONTACTS
The details provided in this section are to facilitate technical communication between TBL and the Connecting
Party in order to implement the new connection.
Primary: Email Address, Desk Phone, Cell Phone, Alternate Phone/Pager
Secondary: Name, Email Address, Desk Phone, Cell Phone, Alternate Phone
Hardware: Device name, Model, Connection Type