Chapter 19
STAFF TRAINING CENTRE, PNB HOUSE, NEHRU GROUND, N I T
FARIDABAD 121001
email: bo4177@pnb.co.in / itcentre@pnb.co.in
INDEX
Sr No Title
1 Cyber Crime
2 ATM Response Code
bombing Denial of Service attack, Salami attacks, Virus / worm
attacks, Web jacking, Data diddling etc.
Types of Cyber Crime:
forged so that mail appears to originate from one source but actually has been sent from another source.
Salami Attack: When negligible amounts are removed and accumulated into something larger. These attacks are used for the commission of financial crimes.
Data diddling: This kind of attack involves altering raw data just before it is processed by a computer and then changing it back after the processing is completed.
PHISHING
VISHING
KEYLOGGERS
Keyloggers can be hardware- or software-based. Hardware-based ones can simply nestle between the keyboard connector and the computer’s port. Software-based ones can be whole applications or tools knowingly used or downloaded, or malware unknowingly infecting a device.
SKIMMING/CLONING
The act of using a skimmer to illegally collect data from magnetic strip
The cloned card can be used as a genuine card for carrying out POS purchase or ATM withdrawal.
Online Frauds
A large number of people are falling prey to the traps of cyber criminals, who are now using the latest techniques such as Artificial Intelligence (AI) algorithms to crack ATM passwords/PINs
the more recently it would have been touched. Using such correlations, PINs/passwords are being cracked.
Security Aspects
As regards security aspects for Home PC users:
To Secure E-Mail Account:
• Never use personal information (e.g. user name, birth date, month, common words, login name etc.) as passwords.
• Create a different password for each online e-mail account you use.
case of any problems
show vendors have taken measures to secure their sites, such as a lock icon on the browser's status bar or a website URL that begins with "https:" (secure hypertext protocol).
• Avoid using ATMs which are not properly surveilled with video cameras.
• Always examine the ATM for any suspicious attachments (on the ATM room walls or on the machine). Hide the keypad area while entering the PIN.
• Press multiple random number keys (buttons) before leaving the ATM machine/POS machine/Smart Lock to generate non-meaningful heat signatures.
• Properly check the SMSs and emails sent by your bank regarding any transaction. Contact your bank immediately if a suspicious transaction is spotted.
• Follow @CyberDost on Twitter, YouTube, Facebook, Instagram, Public, Koo and LinkedIn to know more about safety tips.
**********************
ATM Response Code
CODE DESCRIPTION
00 Transaction approved with balance: Transaction approved and okay with display of balance.
01 Transaction approved without display of balance: Transaction approved and okay without display of balance.
50 Unauthorized Usage: Card is not authorized for usage.
51 Expired Card: Card used is expired.
52 Invalid Card: No CAF record for Card is available.
53 Invalid PIN: Incorrect PIN is being used.
54 Database problem: Card could not be used because of Base 24/branch database problem.
55 Ineligible Transaction: Transaction denied because processing restriction imposed on
72 Destination not available: Transaction denied, as the destination is not available (database cannot be accessed).
73 Routing Look Up Problem: Transaction declined because of a configuration problem.
74 Message Edit Error: Transaction declined because invalid data was encountered.
150 Hot Listed
**************************
FinHelp - Important Menu Options
Saving / Current Account
Opening of Savings Account HOAACSB
Verification of Saving Account HOAACVSB
Menu used by branch for Opening of CA/SF Account through Back Office BOCUSTCO
Modification After Verification HACM
Modification of Saving Account before Verification HOAACMSB
Account Ledger Inquiry HACLI/ HACLINQ
Deposit Cash PCASHDEP
Transaction Maintenance HTM
Printing of Passbook HPBP
Passbook Print Reset HPBPR
Issuance of Personalized Cheque Book CBSCHQBK
Reprinting of DD HDDRPRNT
Cancellation of DD HDDC
Marking of DD lost HDDLOST
Issuance of Duplicate DD HDDD
DD Status Maintenance HDDSM
DD credit account inquiry HDDIC
Inventory Management
Miscellaneous
Memo Pad Look Up (Add/Delete) HMEMOPAD
Verify A Memo Pad HMPAU
Marking/ modifying Lien HALM
Freezing/ Unfreezing Account HAFSM
Standing Instructions Maintenance HSIM
Standing Instructions Inquiry HSII
Transfer of Accounts between SOLs HACXFSOL
Transfer of Scheme Code of Account HACXFRSC
Finacle Menu Option Help FINHELP
Forwarding Schedule for ODBC entered through HOICM OSRPT
Temporary Overdraft Maintenance HACTODM
PAN Correction PANCORR
Transfer of CIF (Menu to be executed by Transferee Branch) CIFTRF
Customer ID Status CUSTSTAT
General Deposits Details HGDET
Handling 15G/15H TAXEXM
Handling exemptions/ rebates on TDS EXMPTDS
Customer's Term Deposit A/Cs HCUTD
Preferential Rate Update PRFUPD
Locker Transactions-History Maintenance HLKCHM
Locker Rent – Charge Collection Maintenance HLKRCM
Locker Operations HLKOPS
Locker Reports LKREPM
Maintaining waitlist of lockers in CBS WAITLIST
Income/ Expenditure
Account Drawing Power Maintenance HACDPM
Getting Approval for Changing DP Indicator for CCOTH Accounts CHGDP
Relaxation of Renewal through LenS RENRELAX
Updation of Information MSMEREN
Collateral Maintenance
Limit Node
Limit Node Maintenance HLNM
Limit Node Details HLNDI
Limit Tree Lookup HLTL
Loans
Loan Account Opening HOAACLA
Loans General Inquiry HLAGI
Loans Overdue Position Inquiry HLAOPI
Loan Repayment Schedule Report HLARSH
Loan Demand Satisfaction Program HLADSP
Loan Lien Process HLALIEN
Loan Interest Transfer Liability HLARA
Loan Pay Off Process HPAYOFF
Loan Statement Print HLAPSP
Loan Demand Generation/Force Interest Run HLADGEN
Loan Modelling HLAMOD
Loan Account Scheduled Payment HLASPAY
Loan Account Rescheduling HLARA
Loan Account Modification After Opening HACMLA
Handling of Subsidy TMPS
Education Loan Details Maintenance EDULOANM
Subsidy Claim of Education Loan EDULOANM
Concession/Relaxation in Interest Rate – Non-MCLR Based Accounts INTCM (by ZO User)
Loan Demand Effective Date Change - Simple Interest LAIDC
Account Level Relaxation in Service Charges in Loan Accounts RELAXSC
Customer Level Relaxation in Service Charges in Loan Accounts LOANCHRG
Guarantee Inquiry HGI
Collection of Bank Guarantee charges APCHCOLL
Non Fund Based Details NFDTL
Generation of Solvency Certificate for Borrower and Non Borrower Customers SOLV
Beneficiary Name Modification during BG Extension BENCHG
FOREX
Financial Transaction Inquiry HFTI
Financial Transaction Report HFTR
Audit File Inquiry HAFI
DMS/ Control Reports Check CTRPTCHK
**************************************************
Service Plus Service Desk(SPSD)
• Service Plus Service Desk (SPSD) is a tool implemented by the Bank to provide a single platform to the branches to escalate their technology related issues to Circle / ZO / Central IT Helpdesk, other Departments of ITD or other concerned Divisions.
• SPSD tool has the following advantages:
  • It is a single standardized platform for the end user, i.e. branches can refer all their problems / requests through the SPSD.
  • Document attachment functionality.
  • User can keep a track of the frequent problems and the solutions for them.
  • It has well defined TAT, and this helps the official at CO IT.
• Please note that the user_id of all the present branches (SOLs) is already created in the system. Whenever a new SOL is opened in CBS, the SPSD user_id is also created simultaneously. The user-id is the 6 digit SOL-ID of the SOL.
• The new user-id is created with default Password as ‘pnb’.
• On login for the first time, the user is advised to change the default password.
• Incumbent-In-charges are required to assign the job of maintaining the user-id and password to a designated official through an office order, and password confidentiality should be maintained as per the information security policy of the Bank.
The Service Plus Service Desk tool is accessible through the Service Desk (SPSD) link available on the Home Page of Finacle login.
• On clicking the SPSD link, the user is taken to the following screen. On this screen, you can search the issue in the knowledge base by typing the keywords in the field marked by the red box. One can also filter the search by selecting the right value in the product picklist, shown here in the blue box.
• If we are not able to find the solution, we can check the checkbox as shown below and continue to the SPSD portal by clicking Service Desk (SPSD). We will be redirected to the login page.
• For login, the authorized user has to enter user name & password in the respective fields.
• User is advised to use the keyboard Tab key or the mouse for moving from the user name field to the password field. If the <enter> key is pressed after giving the user name, it will display the error message “Login failed for user id <user id>”.
• On successful login, the following screen comes. The system shows identified TOP Solutions stored in the ‘Knowledge Base’ archive of the SPSD tool. Other such problems can be viewed by clicking on the ‘Browse More Solutions’ button (screen shot given below). To view the full detail of the problem & solution provided for that issue, the user should click on the relevant problem as can be seen below:
• In the ‘Knowledge Base’, problems / solutions on a particular issue or topic can be viewed by entering a ‘Key Word’ in the field ‘Search for a solution using keyword’.
• By referring to the resolution suggested, user might be able to solve the issue
at his level. In case, desired solution is not found in ‘Knowledge Base’, user can
escalate the problem to Circle Help Desk team by clicking on ‘Click here to
create a New Incident’ button.
• For creating a new incident, the user should fill in the following details:
I. Contact no. over which the concerned person may be contacted
II. Incident Area
III. Employee Name & PF no.
IV. Priority
V. Incident description - It helps the help desk analyst in quickly understanding the problem. The complete description may include the activity the user was doing when the error occurred, the menu option in which the error occurred, the process stage at which the error occurred, the detail of the problem being faced etc.
• If the user has already lodged the incident and subsequently wants to
• The user can track the status of a request by entering the incident_id in
‘incident no.’ field. On clicking the ‘GO’ button system will display the complete
log detail / status of the call.
• We can also click on ‘You have _ open incidents’ link which will display list of
all open incidents. We can open the desired incident.
Add Comment
• We can interact with the circle help desk through the ‘Add Comment’ button
as shown in screenshot below. We can enter necessary comments in the
description area and click on ‘Save’ button.
Close Request:
• We can also close the request at our end if, in the meantime, we have found a solution to the problem or otherwise want to close the call, by clicking on the
Reopen Request:
• If the user is not satisfied with the resolution provided by the help desk, or the problem is not resolved with the provided solution, or the user wants further clarification from the help desk, he may re‐open the request.
• To re‐open the incident, go to closed calls, select the desired incident & click on the incident no. The system will display the following screen. Enter the reason for reopening of the request in the ‘Opening Remarks’ box and click on ‘Reopen Incident’.
• System will reopen the request with the user’s remarks and the request
will be opened with last assignee at circle/central help desk by whom
the call was closed previously.
**************************************
Information Security Part I
Introduction
• Banking over the years has transformed from manual ledgers to digital ledgers
under CBS, manual entry to digital entry in to the database, shifting from the
brick & mortar system to Alternate Delivery Channels, manual to automated
updations and many more.
• The transformation in Banking was possible due to the change in the way of storing, accessing and analyzing data. Further, when this data is stored in a meaningful way it is called information.
• Information: When data is stored, processed, organized, structured or presented in a given context so as to make it useful, it is called information. For e.g.:
• “10000” is data,
• “account number 22567843” is data,
• whereas “Account Balance of account number 22567843 is Rs.10000/-” is a piece of information.
• All the data is stored at a central server and can be accessed from anywhere in
the world.
• Since all the customer data and other important data is being stored in a database, there is a possibility that someone can change or modify the data for their personal benefit or to the loss of the organization holding such data.
• Thus, it is of paramount importance to protect the computer system data from those with malicious intentions.
• Information Security refers to the processes and tools designed and deployed to
protect sensitive business information (Data) from unauthorized modification,
disruption, destruction, and unauthorized inspection.
• PNB is committed to ensure the security of Organizational Information Assets
including data of all customers associated with it. We have taken certain
initiatives and prescribed various processes which are to be followed in order to
ensure the Information Security of the Bank.
Responsibility
• All contractors of PNB
• All consultants of PNB
• All temporary staff of PNB and other individuals, even if affiliated with Third Parties associated with PNB.
• Various Divisions involved with Information Security and their responsibilities
are as under:
Division: Responsibility
Cyber and Information Security Division (CISD): Owner of the Information Security Policy.
Inspection and Audit Division (IAD): IAD will be responsible for conducting audit for compliance of IS Policy. However, HO: CISD will ensure the compliance and monitoring of the IS policy.
Bank has to designate one officer as Chief Information Security Officer (CISO)
who shall be responsible for articulating the IS Policy. He shall also coordinate the
security related issues within the organization as well as with external agencies. He
shall also be responsible to drive the Information Security Projects (i.e. Firewall,
Antivirus, etc.)
All the employees and external parties as described, are responsible to ensure:
• Confidentiality
• Integrity
• Availability
of Bank’s information assets.
• Confidentiality: It refers to protecting information from being accessed by unauthorized parties. For e.g. not everybody can sign in to our CBS system; only those with a valid user ID and password can log in to it. This is done to ensure the confidentiality of data.
• Integrity: Integrity is the maintenance of, and the assurance of, the accuracy and consistency of data and information assets. For e.g. whenever we search the account balance of a particular account, the correct balance of that account must be shown.
• Availability: It refers to making the information assets available to authorised persons on demand. For e.g. whenever a Customer signs in through PNB ONE, he/she should see the information related to his/her account.
Exception
• ORMC will take the decision on whether to permit or deny such policy exceptions depending on business justifications & risk mitigation controls, with the recommendation of CISO and CGM/GM of the concerned Division. In case permission is given by ORMC, the same will be placed before the Board for ratification through RMC.
PERIODIC REVIEW
The Information Security guidelines/ policy will be reviewed by CISO and placed to
Board through Steering Committee on Information Security routed through Risk
Management Committee(RMC):
• Every year, or at the time any major change occurs in the existing IT environment affecting policy and procedures, whichever is earlier, or
• Whenever any changes affecting the basis of the original risk assessment occur, e.g. significant security incidents, new vulnerabilities.
COMPETENT AUTHORITY
• Scale IV and above officials designated as asset owner and posted in the
administrative offices will be deemed as Competent Authority for issues related
to Information Security Policy unless explicitly mentioned otherwise.
Due to the nature of the Bank’s business, many works are to be outsourced to third parties to avail specialist services. Third party includes various Vendors, Contractors, Sub-contractors and Customers, and also includes third parties working from remote locations. It carries a risk of unauthorized access to the Information assets of the Bank.
• Third parties should be provided access to Bank’s Information Systems using
• Third party users’ access to the Bank’s IT Systems should be restricted to the minimum services and functions necessary for the business functions performed by them.
• All 3rd Parties having access to classified information should adhere to Bank’s
IS Policy. The access should be granted to the third party representatives as
per the procedure on need to know basis subject to risk assessment and
approval by competent authority.
IT ASSET MANAGEMENT
Due to the nature of the business of the Bank and subsequent technological development, Banks are required to procure & put to use various IT assets. The details of IT Assets are as below:
• Information Assets: This includes Databases and data files residing on various
servers, PCs, Laptops, storage etc. including emails.
• Paper Assets: This includes files and documents in paper form (legal
documents, contracts, user manuals and other files) including printouts and fax
messages.
• Software Assets: This includes application, system software, software tools etc.
residing in the system or in storage media.
• Physical Assets: This includes servers, laptops, PCs, network devices, printers,
removable media, storage etc.
• Services: This includes general support utilities like power, air conditioning,
UPS, generators, software & hardware support (customization and
maintenance) etc.
• People Assets: This includes people manning various operations of the above
assets.
• IT Assets are the major component in respect of the Information Security and
thus certain guidelines are required to be followed in this case, which are as
below:
1. IT Assets should be protected in such a way that the most critical assets are given maximum protection, e.g. the Data Server.
2. IT assets should be clearly identified and inventoried. Each asset will have an owner who will be responsible for the asset. The IT assets should be properly labelled and classified as per procedure. The baseline configuration should be maintained and any changes in configuration should be recorded through the Change Management procedure.
HUMAN RESOURCE
Due to the nature of the business of the Bank and its dependence on Human Resources, the potential risk of Information Security breach through Human Resources is huge. The risks include:
• Human error
• Lack of competence
• Theft
• Fraud or misuse of facilities etc.
In order to create a secure IT environment, certain guidelines are required to be
followed which are as below:
1. The IT assets and functions should be handled by authorized bank staff. For example, the Bank has defined various work classes in CBS FINACLE with attached powers. It means that not everyone is authorised for all privileges. The same should be meticulously followed.
2. Employees should be trained appropriately for handling IT Assets.
3. The security roles and responsibilities to be included in the job description.
4. All employees to sign confidentiality & non-disclosure agreements.
5. Segregation of duties to be defined so that no employee performs conflicting
duties. Wherever segregation of duties is not possible, there should be
management control and oversight on the activities of the concerned employees.
6. Information security awareness training should be given to new joinees during
induction program and also on regular interval to staff to enhance their awareness
on range of threats and the appropriate safeguards.
7. Regular and relevant Information security awareness communications should be provided to all staff by various means, such as advisories on mail, through the e-circular site, class room training, electronic updates through Intranet, briefings, Newsletters etc.
PHYSICAL ENVIRONMENT
Due to the nature of the business of the Bank and with advancement in technology, it has become imperative to install and use various sophisticated devices and machineries in the physical area/premises of Branches/Offices of the Bank. These devices are the information capturing, processing and accessing terminals. Thus, the potential risk of breach of Information Security through the Physical Environment, i.e. the physical area, is very large. The risks include:
1. Natural/Man made floods or water seepage
2. Natural/Man made fire hazards
3. Rodents
4. Electrical malfunction
5. Inflammable material
8. Unauthorized access
9. Damage/disruption
10. Theft etc.
A. Restricted (Maximum Secured area): Certain areas such as the Server area have
been identified as Maximum security area where the following action may be
implemented:
i. Restricted Access to be provided.
ii. 24*7 Security guards and CCTV coverage should be there.
iii. Access controlled by magnetic access card/Biometric devices etc.
iv. Fire alarm/ suppression systems to be installed.
B. Controlled: The work area and support services facilities will be subject to security at a level slightly lower than maximum security but in a controlled environment.
C. Normal: Areas like storage areas will be under normal security.
2. Separation:
• Adequate separation must be maintained between the server area and electrical installations in order to avoid any mishap.
3. Maintenance of ambience:
Depending on the criticality of installation, e.g. strict controls are required for Data
Centre while in a branch, a lower level of control may suffice, the following guidelines
are to be followed:
The above list is indicative only and depending on the scenarios suitable measures are
to be initiated.
4. Security Inspections:
Periodic Security inspections of all sites and locations having Server Area and/ or
Support Service Area to be conducted. Security inspections of other sites are also
desirable.
5. Monitoring and Logging:
The sensitive sites should be monitored by installing CCTVs & the CCTV footage
should be monitored for any security breach. The logs of various access control
devices like access cards, biometric access etc. should be reviewed and analyzed.
Logs of devices should be stored as per Bank’s Record maintenance policy.
COMPETENT AUTHORITY
The following authority will be treated as Competent Authority for issues related to
Physical & Environmental Security:
• Officials of Scale IV and above for administrative offices
• Incumbent In charge for branches.
COMMUNICATION & OPERATIONS MANAGEMENT
Due to the nature of the business of the Banks, communication both internal and external is inevitable. Thus, the potential risk of breach of Information Security
Again, Banks carry out certain information processing work such as credit analysis
etc., thus the potential risk of breach of Information Security through Operation is
also real.
The risk areas are as below:
Thus, in order to ensure the Information Security aspect, certain guidelines are
required to be followed which are available subsequently.
2. Change Management:
Unscheduled/Emergency changes should be carried out only in case there are critical production issues, and not undertaken without proper notification to the controlling authority.
3. Patch & Service pack management:
Patches are basically updates for Software. The patches released by the respective vendor should be identified & evaluated to check whether they are required/applicable for the business.
Only tested versions of the patch or service pack should be considered for application, wherever needed.
Scalability of processing power, memory requirements and storage capacity for the critical IT resources is to be assessed and planned properly before being put to use.
• Performance of information processing facilities to be monitored continuously.
• The data gathered from the monitoring process to be used to project the future
capacity requirements with identifying potential bottlenecks.
• Comparison of the performance requirements of the information processing
facilities from a cost benefit analysis perspective should be done to ensure that
no surplus of capacity or resources exists.
• Based on the business requirements, appropriate alternative arrangements
should be made available in case of failure of equipment and to avoid loss of
data.
• Availability & performance requirements should be clearly reflected in Service
level Agreements of respective services with the service providers.
Functionality of any mobile code is disallowed completely, unless explicitly required.
6. Remote access:
Remote access may be permitted only for authorized users and activities by GM-IT. Further, where feasible, secure remote access should be given to access assets within or from outside Bank premises after getting the necessary approval from GM-IT, subject to multifactor authentication.
7. Online Transactions:
All communication involving Online Transactions should have secure identification and authentication.
8. Unauthorised/Freeware/Malicious Software:
All employees must regularly check and be aware of the dangers of unauthorized or
freeware or malicious software like computer viruses, network worms, Trojan horses,
logic bombs etc.
9. Anti-Virus Management:
The IT systems should have approved Anti-Virus Software with the latest version and all components installed and updated regularly.
System clocks should be synchronized regularly with the Bank’s installed NTP (Network Time Protocol) server.
Information Security Part II
Due to the nature of the business of the Banks, such as Core Business Solution, ATM
etc, communication networks are inevitable. The networks are also exposed to
possible risk and threats. Thus, in order to maintain a proper IT ecosystem, the
security and protection of Networks are of great importance.
Thus, in order to ensure the Information Security aspect, certain guidelines are
required to be followed for securing the networks which are available subsequently.
1. Centralized Proxy:
The Internet will be provided by the Centralized Proxy.
2. Network Design:
Networks should be designed in conformance with reasonably secure practices. The design of the network is to be supported by formal documentation of the network details and users’ service requirements.
3. Network Services:
The network services should be enabled only after assessing the security risks.
Use of Wireless Network shall be restricted and reasonably secured based upon
authorization from the competent authority.
5. Network Connectivity:
Access to the network facilities should be on a need-to-have, need-to-do basis and restricted to authorized persons only.
7. Security of Firewalls:
The devices should be configured for monitoring network traffic and preventing security attacks on the system including denial of usage, masquerading etc. The devices should be capable of generating different alerts based on the priority of attention needed from the administrator.
Policy as defined by Inspection and Audit Division: Head Office, taking into consideration the legal & regulatory requirements also.
The critical servers should be monitored and maintained regularly. The activities
of the administrators should be supervised & monitored regularly. The logs
should be retained for appropriate period as per Bank’s Record Maintenance
Policy.
Data is the most important element for Banks. The Customer data so captured should be accessible at any time and anywhere, and at the same time it should not be accessed by anyone who is not authorised to do so. Similarly, the transaction data, inquiry data etc. are all of immense importance for the bank. Data is exposed to possible risks and threats.
In order to ensure an uninterrupted flow of business and to retrieve the data in case of exigency when the main Data source is not accessible or unwantedly altered, Banks must have a Data Backup & Archival management system.
In our Bank, guidelines are there for implementing such systems considering the Information Security aspect. These guidelines have been bifurcated into 2 different segments. The first one is to implement security of the data and the second one is the Archival of the backed up data.
The details are available subsequently.
Security Controls:
• Audit logs on critical servers and devices should be enabled.
• Backup media movement such as Pen Drive, external Hard Drive etc. should be
controlled to avoid theft of Backup Media.
Archived data should be stored on such a platform and using such a technology that
future alteration/ modification/ deletion of the data is not possible, once the data is
archived.
USER MANAGEMENT
The Data available is accessible by various users. But we know that all data is not for use by every user. For e.g.
• A customer should have access only to data related to him/her. He/She should not have access to anybody else's data.
• The signature details of any customer should be accessible to employees who are dealing in transactions and not by all who are working at the Back office of the Bank.
In order to impose restrictions to prevent misuse of data, certain guidelines are required to be followed considering the Information Security aspect.
1. User Category Creation: Certain user categories are required to be created which are as under:
i) System Administrators
ii) Database Administrators
iii) Security Administrators
iv) Network Administrators
v) Auditors
vi) Application Users
Data access permissions/ privileges are granted for different category of users based
on the requirement.
Certain guidelines are required to be followed for implementing Logical access control considering the Information Security aspect. The details of such guidelines are available subsequently.
1. User Access Management:
Users should be granted access to information, data and applications strictly on a "need to know" and "need to do” basis. For example, auditors are to be given data access for viewing only and not for conducting any transaction.
User Ids creation needs to follow a standard naming convention for IT assets to
facilitate user identification and monitoring. For example, our CBS (Finacle) user id
starts with our PF ID followed by the initials of our name. Similar kind of conventions
are to be followed for other applications also.
2. Password Management:
Password Management and allocation should be in accordance with the password
management & allocation guidelines.
6. Privileged Access Management:
Usage of privileged user IDs is restricted and controlled. Detailed logical access
procedures define the type of access, level of access and permissions for servers,
applications and databases.
7. System Utilities Access:
Access to system utilities is restricted to authorized persons in accordance with
The Internet Banking/Mobile Banking infrastructure should be separated from the
core banking database; no direct connection to the core banking database should be
allowed. The channel is to be secured with web security mechanisms such as SSL/TLS
(indicated by the browser padlock). Customers should be given Internet Banking
access only on their request. Login credentials are to be generated by an automated
system so that passwords remain private. Access logs are stored in the system for
monitoring purposes.
Due to the nature of the Bank's business and continuing technological development,
banks are required to develop or procure various software applications. While
developing or procuring software, certain steps must be followed to ensure that the
software performs the desired task without flaws, because any error can cause
tremendous business and financial loss to the Bank.
a) The security requirements should be specified in the Request for Proposal, and
b) the selection criteria shall be based on secure functionality.
Application controls are designed into all software applications to prevent loss.
Such controls include:
a) Using a distinct test environment while developing the software.
1, 2012 and thereafter must be adhered to.
Source code of all versions of the software should be kept in a secure library.
An exception may be permitted by an official not below the level of Executive Director.
Application/Data migration: The data/application owner should ensure integrity and
security during the entire migration process.
i) Security Controls: Access to the operating system should be designed so that
access rights are granted on a need-to-do basis.
ii) Restrictions on changes to software packages: Any change must follow the
defined Change Management procedure.
iii) Administrator and operator logs: Administrator and operator actions on all
infrastructure and production systems/equipment should be logged, and the logs
protected against change.
Database Security:
A proper authentication mechanism should be in place for granting access to
databases. Direct access to the database should not be allowed; where it is
required, GM-IT is the competent authority to grant an exception on business
justification. As a compensatory control, the business owner has to maintain proper
logs together with the initial and final (after change) view of the database and put
them up to DGM-IT.
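The guideline on administrator and operator logs (iii above) and the compensatory control of keeping an initial and final view of the database come down to the same question: can a reviewer tell afterwards whether the record itself was changed? The following is an added example, not code from the Bank's own systems, showing one way to answer it: each logged administrator action carries a SHA-256 fingerprint of the table before and after the change plus the hash of the previous entry, so editing or deleting any earlier entry is detected when the chain is verified. The function names (`append_entry`, `verify_chain`, `matches_latest`) and the sample customer table are constructed for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry in the chain


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so the same content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(obj) -> str:
    return hashlib.sha256(canonical(obj)).hexdigest()


def snapshot(rows, key="id") -> str:
    """Fingerprint of a table view: rows are sorted by primary key, so the
    digest does not depend on the order in which rows were fetched."""
    return digest(sorted(rows, key=lambda r: r[key]))


def append_entry(chain, actor, action, before_rows, after_rows, ts):
    """Append one administrator action. Each entry carries the digest of the
    previous entry, so changing or dropping an earlier entry breaks the chain."""
    body = {
        "seq": len(chain),
        "ts": ts,
        "actor": actor,
        "action": action,
        "before": snapshot(before_rows),
        "after": snapshot(after_rows),
        "prev": chain[-1]["hash"] if chain else GENESIS,
    }
    entry = dict(body, hash=digest(body))
    chain.append(entry)
    return entry


def verify_chain(chain) -> int:
    """Return -1 if every entry is intact and linked, else the index of the
    first entry that fails (wrong sequence number, wrong link, or edited content)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev") != prev or digest(body) != entry.get("hash"):
            return i
        prev = entry["hash"]
    return -1


def matches_latest(chain, rows, key="id") -> bool:
    """Compensatory check: does the live table still equal the 'after' view of
    the last logged change? False means an unlogged change has happened."""
    return bool(chain) and chain[-1]["after"] == snapshot(rows, key)


# Constructed sample data: a tiny customer table edited three times by DBAs.
TABLE_V0 = [{"id": 1, "name": "A", "limit": 100}, {"id": 2, "name": "B", "limit": 200}]
TABLE_V1 = [{"id": 1, "name": "A", "limit": 150}, {"id": 2, "name": "B", "limit": 200}]
TABLE_V2 = [{"id": 1, "name": "A", "limit": 150}]  # row 2 deleted
TABLE_V3 = [{"id": 1, "name": "A", "limit": 150}, {"id": 3, "name": "C", "limit": 50}]


def build_sample_chain():
    chain = []
    append_entry(chain, "dba01", "update limit id=1", TABLE_V0, TABLE_V1, "2024-01-05T10:00:00Z")
    append_entry(chain, "dba01", "delete id=2", TABLE_V1, TABLE_V2, "2024-01-05T10:05:00Z")
    append_entry(chain, "dba02", "insert id=3", TABLE_V2, TABLE_V3, "2024-01-06T09:30:00Z")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))                        # -1
    print("live table matches log:", matches_latest(chain, TABLE_V3))  # True
    # Tampering: an insider rewrites the recorded 'after' view of entry 0.
    chain[0]["after"] = snapshot(TABLE_V0)
    print("after edit, first bad entry:", verify_chain(chain))      # 0
    # Dropping the middle entry is detected at the gap it leaves.
    chain = build_sample_chain()
    del chain[1]
    print("after deletion, first bad entry:", verify_chain(chain))  # 1
```

A hash chain detects alteration of earlier entries, but not replacement of the whole chain by someone who can rewrite the log file. Copy the latest entry hash to storage the administrators cannot write to (the write-once archive platform described earlier), or replace `digest` with an HMAC under a key held by the Security Administrator, so that recomputing the chain is not possible for the people whose actions it records.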
Privacy of Information:
The Bank is the custodian of customer information, which may include sensitive
personal information (passwords, bank account, credit card, debit card or other
payment instrument details). The Bank takes reasonable care to protect customer
information, including customer account data and other information captured by its
information systems from time to time. The databases are kept separate from other
systems using logical and physical separation. Any information entrusted by the
customer to the Bank, as well as information collected and logged/captured by network
devices and analytic tools, is kept confidential and is not disclosed to any other
person. However, the Bank reserves the right to disclose the information to legal and
regulatory authorities if required.
Application Security:
• The applications need to be developed by using a formal Software Development
Life Cycle (SDLC). The security controls should be defined in the application at
the design stage itself. In case of acquired / purchased applications, the
application should be tested for IT General Controls as well as specific controls
before the same is migrated into production environment.
• Before moving into production, the application should be checked for any
vulnerability using appropriate tools. Before moving into production the
application should be audited as per the IT audit policy of the Bank. All
application systems need to have audit trails along with log monitoring
capability. The audit trails need to be stored for a period as stipulated in the
Record Maintenance Policy of the Bank.
be established, maintained and administered in a secure environment.
Use of Authorized Software: Only authorized and licensed software should be used in
the Bank. Freeware/shareware is to be used only after approval of the General
Manager - IT.
INCIDENT MANAGEMENT
The term "Incident" means any irregular or adverse event which occurs on any part of
PNB's information systems. Incident management is required to minimize the damage
from security incidents; hence the following guidelines are to be followed:
• Errors resulting from incomplete or inaccurate business data or inaccurate
processing of data
• A crippled internal network, etc.
• An incident on a system or network that could put the bank's network, critical
systems or a combination of them at risk.
Awareness should be created amongst all employees, contractors and third party staff
• Incumbent In-charge/ Functional Manager, CrISO (Circle Information Security
Officer), ZISO(Zonal Information Security Officer), CISO (Chief Information
Security Officer)
Learning from Incidents:
a) A follow-up analysis should be performed after an incident has been fully handled
and normal operation restored, to avoid recurrence of the incident.
b) A security incident report and a Post Incident Report should be prepared and
distributed to the SIRT (Security Incident Response Monitoring Team) for advice and
action.
c) The information gained from the evaluation of incidents should be used to identify
recurring or high-impact incidents.
INTERNET SECURITY
The Internet is a source of knowledge and data sharing, and at the same time a source
of many vulnerabilities. To protect the Bank against them, it is of utmost importance
that any Internet access by the Bank's users or third parties is through the Bank's
network in a secure manner. The guidelines for protecting the Bank's IT assets from
Internet-borne threats are given below.
1. Access to Internet:
• PNB provides Bank officials and servers with Internet access, and access to the
Bank's own servers, on a need-to-know basis and with appropriate access rights
only after formal approval from the competent authority.
• Internet access for Bank officials should be provided through the Bank's own
infrastructure.
• Limited Internet access will be given to third parties after formal approval from
the competent authority.
inappropriate and restricted by blacklisting and whitelisting of websites through
the proxy server as per business needs.
E-MAIL SECURITY
E-mail is one of the fastest modes of communication in today's advanced world.
However, e-mail is also a channel through which miscreants penetrate the information
subsequently.
E-mail IDs are to be created or deleted only after approval from the competent
authority. The e-mail facility should be used for authorized purposes only, as
specified in the E-mail Security Policy of IT Division, Head Office.
Security Features:
• Users are prohibited from sending restricted Information or data via e-mail.
• For sending business data, encryption and message authentication should be
used.
• Bulk mailing should be available as a service only under exception.
• All Incoming/Outgoing Emails should be scanned for viruses and other malicious
content.
• User logins and logouts should be logged; server logs will be reviewed
periodically and relevant action taken based on the findings.
• All e-mails sent outside the pnb.co.in domain should carry an automatic standard
footer banner including an approved disclaimer.
ASSET LABELLING: It must be ensured that all IT assets are labelled under the
following scheme:
• PNB/Office/(Division Name or Department Name or Location)/Item Code/Serial
Number.
• An asset inventory list is to be maintained, either physically or digitally, and
updated regularly.
DATA PURGING:
• To meet legal requirements, the organization might need to retain data for a
certain length of time, and it might also want to retain data for a certain period
for its own business requirements. The organization can control when data is purged
from the system as long as the boundaries enforced by the legal requirements are not
affected.
• By purging the data that's no longer needed to meet legal and business
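As an added example (not the Bank's own purge procedure), the following decides which records may be purged under the rule just stated: a record is purged only when its category has a defined retention period, that period has fully elapsed, and no legal hold names it; anything else is kept together with the reason, so the plan can be approved and logged before deletion. The retention periods, categories and record IDs below are constructed for this example; the real values come from the Record Maintenance Policy and the applicable legal requirements.

```python
from dataclasses import dataclass
from datetime import date

# Constructed retention periods in days, keyed by record category (assumed values).
RETENTION_DAYS = {
    "transaction_log": 10 * 365,
    "access_log": 2 * 365,
    "cctv_footage": 90,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date


def is_purgeable(rec, today, legal_holds, retention=RETENTION_DAYS):
    """Return (purgeable, reason). A record may be purged only when its category
    has a known retention period, that period has fully expired, and no legal
    hold names it. Anything uncertain is kept: a wrongly purged record cannot be
    recovered, while a wrongly kept one can still be purged later."""
    if rec.record_id in legal_holds:
        return False, "legal hold"
    if rec.category not in retention:
        return False, "no retention period defined for category"
    expiry = date.fromordinal(rec.created.toordinal() + retention[rec.category])
    if today < expiry:
        return False, f"retained until {expiry.isoformat()}"
    return True, "retention expired"


def purge_plan(records, today, legal_holds, retention=RETENTION_DAYS):
    """Split records into IDs to purge and a map of kept IDs to reasons, so the
    plan can be reviewed and recorded before anything is deleted."""
    purge, keep = [], {}
    for rec in records:
        ok, reason = is_purgeable(rec, today, legal_holds, retention)
        if ok:
            purge.append(rec.record_id)
        else:
            keep[rec.record_id] = reason
    return purge, keep


def build_sample():
    """Constructed inventory: records of several ages and categories, one legal hold."""
    today = date(2024, 6, 30)
    records = [
        Record("TXN-2013-001", "transaction_log", date(2013, 1, 1)),   # expired
        Record("TXN-2020-077", "transaction_log", date(2020, 3, 15)),  # still retained
        Record("TXN-2012-009", "transaction_log", date(2012, 6, 1)),   # expired but on hold
        Record("LOG-2021-004", "access_log", date(2021, 1, 1)),        # expired
        Record("CCTV-0401", "cctv_footage", date(2024, 4, 1)),         # expires exactly today
        Record("CCTV-0402", "cctv_footage", date(2024, 4, 2)),         # expires tomorrow
        Record("SCAN-001", "kyc_scan", date(2015, 1, 1)),              # no period defined
    ]
    legal_holds = {"TXN-2012-009"}
    return records, today, legal_holds


if __name__ == "__main__":
    purge, keep = purge_plan(*build_sample())
    print("purge:", purge)
    for record_id, reason in keep.items():
        print("keep:", record_id, "-", reason)
```

The boundary is deliberate: a record whose period expires today is purgeable, one expiring tomorrow is not, and the legal hold is checked first so that it wins even over an expired period. Run the plan, have it approved, write the purge list to the administrator log, and only then delete.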
WEB SERVER:
A web server is a program that delivers content or services to end users over the
Internet. Since web servers are open to public access, they are subject to attempts
by hackers to compromise them; hence maintaining the web security of the Bank is of
utmost importance. Guidelines related to web security:
• All PNB web pages, whether hosted on PNB servers or on external web servers, will
be established, maintained and administered in a secure environment.
• Any department of PNB has to seek permission of CGM ITD (GM in the absence of CGM)
before creating a website for its activities/information, whether hosted internally
or with a web hosting service provider.
• While commissioning a website, the relevant guidelines of the Government of India
and its ministries (Ministry of Information Technology, Ministry of Finance, Ministry
of Home Affairs, Company Law Department, etc.) are to be followed.
• Care should be taken that the instructions of regulators such as the Reserve Bank
of India, the Securities and Exchange Board of India, NCIIPC and CERT-In are followed.
CRYPTOGRAPHY:
authenticity of business-critical information during its transmission over untrusted
networks should be maintained, and the legal and regulatory requirements on
cryptographic controls should be complied with.
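As an added example (not code from the Bank's e-mail or messaging systems), the following implements the message-authentication half of this guideline and of the e-mail rule above that business data be sent with encryption and message authentication: the data is wrapped in an envelope carrying the sender, a timestamp and a nonce, and sealed with an HMAC-SHA256 tag under a shared key; the receiver checks the tag in constant time before parsing anything, then rejects stale and replayed messages. The `protect`/`verify` names, the envelope layout and the sample payment instruction are assumptions of this example. Confidentiality additionally needs a cipher (for instance AES-GCM from a third-party library), which the Python standard library does not provide, so that part is not shown here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class AuthError(Exception):
    """Raised when a message fails the tag, freshness or replay check."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_key() -> bytes:
    """256-bit shared key; distribute it out of band, never inside the e-mail."""
    return secrets.token_bytes(32)


def protect(key: bytes, sender: str, data: dict, now=None) -> str:
    """Wrap business data in an authenticated envelope '<base64 body>.<base64 tag>'.
    The body carries sender, timestamp and a random nonce so the receiver can
    check who sent it, how old it is, and whether it was delivered before."""
    body = {
        "from": sender,
        "ts": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(8),
        "data": data,
    }
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return _b64(raw) + "." + _b64(tag)


def verify(key: bytes, token: str, seen: set, now=None, max_age: int = 300) -> dict:
    """Return the body if tag, age and nonce all check out; raise AuthError otherwise.
    The tag is verified with a constant-time comparison before the body is parsed,
    so malformed or forged input never reaches the JSON parser."""
    parts = token.split(".")
    if len(parts) != 2:
        raise AuthError("malformed token")
    try:
        raw, tag = _unb64(parts[0]), _unb64(parts[1])
    except ValueError as exc:  # binascii.Error is a ValueError
        raise AuthError("malformed encoding") from exc
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise AuthError("authentication tag mismatch")
    body = json.loads(raw)
    current = time.time() if now is None else now
    if abs(current - body["ts"]) > max_age:
        raise AuthError("message too old or clock skew too large")
    if body["nonce"] in seen:
        raise AuthError("replayed message")
    seen.add(body["nonce"])
    return body


if __name__ == "__main__":
    key = generate_key()
    seen = set()
    # Constructed sample: a payment instruction sent between two offices.
    token = protect(key, "ops-branch@example.invalid", {"amount": 5000, "to": "ACC-1"})
    print("accepted:", verify(key, token, seen)["data"])
    # Attacker edits the amount but cannot recompute the tag without the key.
    forged = _b64(b'{"data":{"amount":50000}}') + "." + token.split(".")[1]
    for attempt, tok in (("forged", forged), ("replayed", token)):
        try:
            verify(key, tok, seen)
        except AuthError as err:
            print(attempt, "rejected:", err)
```

The `seen` set must be shared by every receiving process and bounded by `max_age` (nonces older than the freshness window can be dropped), otherwise a replay sent to a second mail gateway would be accepted. A per-correspondent key, rotated on a schedule, limits the damage if one endpoint is compromised.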
Generally, it is much less expensive to build secure software than to correct security
issues after the software package has been completed, not to mention the costs that
may be associated with a possible security breach. This goal is accomplished through
***********************************************
Compiled by: Faculty, Staff Training Centre: Faridabad