
Knowledge Park: IT & Cyber Security

(Updated up to 06.05.2024)

STAFF TRAINING CENTRE, PNB HOUSE, NEHRU GROUND, N I T
FARIDABAD 121001
email: bo4177@pnb.co.in / itcentre@pnb.co.in

INDEX

Sr No  Title
1      Cyber Crime
2      ATM Response Code
3      FinHelp - Important Menu Options
4      Service Plus Service Desk (SPSD)
5      Information Security Part I
6      Information Security Part II


CYBER CRIME

Cybercrime is defined as a crime where a computer is the object of the
crime or is used as a tool to commit an offense.

When a computer is the target, it gives rise to crimes such as:
unauthorized access to computer systems or networks, physically
damaging a computer system, theft of electronic information, email
bombing, Denial of Service attacks, Salami attacks, virus/worm
attacks, web jacking, data diddling etc.

Types of Cyber Crime:

• Email Spoofing: A spoofed email is one in which the e-mail header is
forged so that the mail appears to originate from one source but has
actually been sent from another source.

• Spamming: Spamming means sending multiple copies of unsolicited
mails or mass e-mails such as chain letters.

• Cyber Defamation: This occurs when defamation takes place with
the help of computers and/or the Internet, e.g. someone publishes
defamatory matter about someone on a website or sends e-mails
containing defamatory information.

• Harassment & Cyber Stalking: Cyber stalking means following the
moves of an individual's activity over the Internet. It can be done with
the help of many protocols available such as e-mail, chat rooms and
Usenet groups.

• Denial of Service: When an Internet server is flooded with continuous
bogus requests so as to deny legitimate users the use of the server or
to crash the server.

• Virus Attack: A computer virus is a computer program that can
infect other computer programs by modifying them in such a way as
to include a (possibly evolved) copy of itself. Viruses can be file infecting
or can affect the boot sector of the computer. Worms, unlike viruses, do
not need a host to attach themselves to.

• Email Bombing: Sending large numbers of mails to an individual,
company or mail server, ultimately resulting in a crash.

• Salami Attack: When negligible amounts are removed and
accumulated into something larger. These attacks are used for the
commission of financial crimes.

• Logic Bomb: An event-dependent programme; as soon as the
designated event occurs, it crashes the computer, releases a virus or
causes other harm.

• Trojan Horse: An unauthorized program which functions from inside
what seems to be an authorized program, thereby concealing what
it is actually doing.

• Data Diddling: This kind of attack involves altering raw data just
before it is processed by a computer and then changing it back
after the processing is completed.

PHISHING

Phishing is a cybercrime in which a target or targets are contacted by
email, telephone or text message by someone posing as a legitimate
institution to lure individuals into providing sensitive data such as
personally identifiable information, banking and credit card details, and
passwords.

The information is then used to access important accounts and can
result in identity theft and financial loss. Phishing messages may appear to
come from the Bank or a trusted friend but are actually designed to trick you
into downloading a virus to your computer or directing you to a website to
disclose sensitive or personal information.

VISHING

Vishing is a technique of extracting confidential and sensitive personal
information such as credit card/debit card number, expiry date of the card,
3-digit CVV (Card Verification Value), card PIN, OTP (One Time Password),
3D Secure code, internet banking user ID and password etc. from
account holders by deceptive means over phone calls. The term is a
combination of "voice" and "phishing".

Vishing is the criminal practice of using social engineering over the
telephone system, most often using features facilitated by Voice over
Internet Protocol (VoIP) or by mobile phones, to gain access to the private
personal and financial information of bank customers for the purpose of
financial reward. The fraudsters sometimes use fake caller-ID data or
applications like Truecaller to give the appearance that calls come from a
trusted organization.

KEYLOGGERS

Key loggers are a type of monitoring software designed to record
keystrokes made by a user. Criminals use key loggers to steal personal or
financial information such as banking details, which they can then sell or
use for profit.

Key loggers can be hardware- or software-based. Hardware-based ones can
simply nestle between the keyboard connector and the computer's port.
Software-based ones can be whole applications or tools knowingly used or
downloaded, or malware unknowingly infecting a device.

SKIMMING/CLONING

• The act of using a skimmer to illegally collect data from the magnetic strip
of a credit, debit or ATM card.

• The face plates installed on these machines usually contain hardware
which reads your card's magnetic stripe before it enters the original
ATM card slot.

• The information is copied onto another blank card's magnetic strip.

• The cloned card can be used as a genuine card for carrying out POS
purchases or ATM withdrawals.

Online Frauds

Large numbers of people are falling prey to the traps of cyber criminals,
who are now using the latest techniques, such as Artificial Intelligence (AI)
algorithms, to crack ATM passwords/PINs.

• USE OF HEAT SIGNATURES OF FINGERTIPS

A combination of thermal imaging and Artificial Intelligence (AI) is
used, wherein AI algorithms accurately guess the passwords from the
snapped heat signatures. The brighter an area appears on the thermal
image, the more recently it would have been touched. Using such
correlations, PINs/passwords are being cracked.

Security Aspects

Security aspects for Home PC users:

To Secure E-Mail Account:

• Do not open e-mail attachments from unknown senders.

• Most email sites provide a "Filter facility" in the options folder; set your
email filters so that the amount of unsolicited email can be limited.

• Use strong passwords that have at least eight characters including
numerals and symbols other than alphabets.

• Never use personal information (e.g. user name, birth date, month,
standard words, login name etc.) as passwords.

• Change your passwords regularly (at minimum, every 90 days).

• Create a different password for each online e-mail account you use.

• Do not keep computers online when not in use.

• Never forget to sign out of your email or any other accounts.

To Secure System Data:

• Take regular back-ups of important files.

• Regularly download security patches for your operating system
software.

• Use anti-virus software and anti-spyware software to keep your
computer safe and secure. If you feel your machine is infected with
viruses, unplug the phone or cable line from your machine and
scan your entire computer with anti-virus software.

• Be sure that your Wi-Fi network is secured; use a strong password.

• Always choose anti-virus software that recognizes current viruses
as well as older ones and updates automatically.

Precautions to be taken during Online Transactions:

• Only trust a business or individual seller who gives a physical address
and a working telephone number at which they can be contacted in
case of any problems.

• Check your credit card bill at least every month.

• Never reply to or click on links in emails or pop-ups that ask for personal
information.

• If you are asked for your personal information (your name, email or
home address, phone number, account numbers), learn how it will be
protected before you share it. There are some indicators that
show vendors have taken measures to secure their sites, such as a lock
icon on the browser's status bar or a website URL that begins with "https:"
(secure hypertext transfer protocol).

• If you are directed to a website to update your information, verify that
the site is legitimate by calling the company directly, using contact
information from your account statements. Never send your personal
information via email because email is not a secure transmission
method.

• "Phishing" pop-up messages usually say that you need to "update"
or "validate" your account information. The message directs you to a
website that looks just like that of a legitimate organization, but isn't, in
order to trick you into divulging your personal information so the operators
can steal your identity.

• Read website privacy policies. A privacy policy explains what personal
information the website collects, how the information is used, and whether
it is provided to third parties. If you don't see a privacy policy, or if you
can't understand it, then do business elsewhere.

Preventive steps to protect customers from online frauds:

• Avoid using ATMs which are not properly surveilled with video
cameras.

• Always examine the ATM for any suspicious attachments (on the ATM
room walls or the machine). Hide the keypad area while entering the
PIN.

• Press multiple random number keys (buttons) before leaving the ATM
machine/POS machine/Smart Locks to generate non-meaningful
heat signatures.

• Properly check the SMSs and emails sent by your bank regarding any
transaction. Contact your Bank instantly if a suspicious transaction is
spotted.

• Follow @CyberDost on Twitter, YouTube, Facebook, Instagram,
Public, Koo and LinkedIn to know more about safety tips.

**********************
ATM Response Code

CODE  DESCRIPTION
00    Transaction approved with balance: Transaction approved and okay with display of balance.
01    Transaction approved without display of balance: Transaction approved and okay without display of balance.
50    Unauthorized Usage: Card is not authorized for usage.
51    Expired Card: Card used is expired.
52    Invalid Card: No CAF record for the card is available.
53    Invalid PIN: Incorrect PIN is being used.
54    Database problem: Card could not be used because of a Base24/branch database problem.
55    Ineligible Transaction: Transaction denied because of a processing restriction imposed on the type of transaction being performed.
56    Ineligible Account: The transaction could not be performed because of a restriction on / difficulty with the account specified in the cardholder's CAF record.
57    Transaction not supported: Type of transaction being attempted is not supported by the ATM.
58    Insufficient Funds in case of OD accounts.
59    Insufficient Funds in case of Deposit Accounts.
60    User Limit Exceeded: Limit of maximum number of withdrawals allowed during the current usage period exceeded.
61    Withdrawal Limit Exceeded: Transaction declined because it would have caused the limit of the cardholder's withdrawals allowed during the current usage period to be exceeded.
62    PIN tries exceeded: Cardholder has already reached the maximum number of PIN tries allowed for the current usage period.
63    Withdrawal Limit Already Reached: Transaction denied because the cardholder has already reached the maximum withdrawal limit during the card usage period.
64    Invalid Credit Card Cash Advance Amount (applicable in case of Credit Card only): Transaction denied as it did not meet the criteria set by the credit card issuer.
65    No Statement Information for the Account: Transaction denied by the host, i.e. database.
66    Statement Information Not Available: Transaction denied by the host, i.e. database.
67    Invalid Cash Back Amount (applicable in case of cash back deposits): Transaction declined because the amount requested back in a deposit-with-cash-back transaction exceeded the amount of the deposit.
68    External Decline: Transaction declined as a result of processing by an external system (Host).
69    No Sharing Between the card issuer and terminal owner: Transaction declined when there is no sharing between card issuer and terminal owner.
70    System Error: Transaction denied because the ATM record was faulty.
71    Contact Card Issuer: Transaction declined due to the following reasons:
      • PAN (Personal Authorization Number) of the card is incomplete.
      • Cash withdrawal attempted is less than the minimum withdrawal allowed.
72    Destination not available: Transaction denied, as the destination is not available (database cannot be accessed).
73    Routing Look Up Problem: Transaction declined because of a configuration problem.
74    Message Edit Error: Transaction declined because invalid data was encountered.
150   Hot Listed

**************************
FinHelp - Important Menu Options

Saving / Current Account
Opening of Savings Account  HOAACSB
Verification of Saving Account  HOAACVSB
Menu used by branch for Opening of CA/SF Account through Back Office  BOCUSTCO
Modification After Verification  HACM
Modification of Saving Account before Verification  HOAACMSB
Account Ledger Inquiry  HACLI/ HACLINQ
Deposit Cash  PCASHDEP
Transaction Maintenance  HTM
Printing of Passbook  HPBP
Passbook Print Reset  HPBPR
Issuance of Personalized Cheque Book  CBSCHQBK
Issuance of non-Personalized Cheque Book  HICHB
Destroy Cheque Book  CHBD
Cheque Book Maintenance  HCHBM
Stop Payment Of Cheque  HSPP
Verification Of Stop Payment  HSPPAU
Revoke Stop Payment  HSPP
Charges Collection  HCACC
Account Closure  HCAAC
Update Cheque Status  HUCS
Opening of Current Account  HOAACCA
Verification of Current Account  HOAACVCA
Modification of Current Account before Verification  HOAACMCA
Printing Statement of Account  HPSP
Change CIF ID of Account  HCCA
Interest Run for Account  HACINT
Transfer of Saving/ Current Account to Operative Category  OPACTF
Account Balance Inquiry  HACCBAL
Summary Details of a Customer  HCUSUM
Current Accounts of Customer  HCUCA
Saving Accounts of Customer  HCUSB
Deposit Education and Awareness Fund Claim  DEAFC
New Mini Deposit Scheme - Opening of Account  MDNOAAC
Increase in Threshold Limit  THRESHLD
Upgradation of OTP based eKYC accounts, opened online in Non-face-to-face mode, to full KYC Account  VKYCACT

Demand Draft
Issuance of Draft  HTM
Printing of single DD  HDDPRNT
Printing of all DDs  HDDPALL
Reprinting of DD  HDDRPRNT
Cancellation of DD  HDDC
Marking of DD lost  HDDLOST
Issuance of Duplicate DD  HDDD
DD Status Maintenance  HDDSM
DD credit account inquiry  HDDIC
DD debit account inquiry  HDDID

Inventory Management
Inventory Movement Authorization Maintenance  HIMAUM
Inventory Movement Between Locations  HIMC
Inquire & Split Inventory (Own Location)  HISAI
Inquire & Split Inventory (All Location)  HISIA
Inquire & Merge Inventory (Own Location)  HIMAI
Inquire & Merge Inventory (All Location)  HIMIA
Inventory Status Report (All Location)  HISRA
Inventory Inquiry All  HIIA

Miscellaneous
Memo Pad Look Up (Add/Delete)  HMEMOPAD
Verify A Memo Pad  HMPAU
Marking/ modifying Lien  HALM
Freezing/ Unfreezing Account  HAFSM
Standing Instructions Maintenance  HSIM
Standing Instructions Inquiry  HSII
Transfer of Accounts between SOLs  HACXFSOL
Transfer of Scheme Code of Account  HACXFRSC
Finacle Menu Option Help  FINHELP
Mapping of Menu from Finacle 7 to Finacle 10  MENUHELP
Reports Menu Options Inquiry  REPHELP
User Profile Maintenance  HUPM
Branch Table Inquiry  HBRTI
To capture GST details of Customer  CUSTGST
Customer Search  CUSTSRCH
Credit Rate Management System  CRMS
Suspend CIF ID  CUMMSUSP
CIF Creation Bio-metric  CCBM
Outstation Instrument Collection Maintenance  HOICM
Forwarding Schedule for ODBC entered through HOICM  OSRPT
Temporary Overdraft Maintenance  HACTODM
PAN Correction  PANCORR
Transfer of CIF (Menu to be executed by Transferee Branch)  CIFTRF
Customer ID Status  CUSTSTAT
Capturing Biometric Device details for enablement of Registered Device Services  REGRD
BC Cheque Collection Branch  BCCHQCOL
Correction of Constitution Code - PAN Mismatch  UPDCONST
Cleansing of Junk Values in Mother's Name, Father's Name and Spouse Name without visiting CRM  DETUPD
Concession/ Relaxation in CBS in Non-Credit related Service Charges  CONCESS
Search/Inquire of unclaimed deposits based on UDRN number  UNCLINQ

Term Deposits
Deposit Modeling  HDEPMOD
Opening of FD/RD Account  HOAACTD
Verification of FD/RD Account  HOAACVTD
Modification of FD Account before Verification  HOAACMTD
Modification of FD Account after Verification  HACMTD
Opening of FD in days  FDACOPN
Opening of Flexi RD  FOAAC
Closure of Flexi RD  FCAAC
Printing of FDR  HDRP
Duplicate Receipt of FDR  HDUDRP
Modification Of Term Deposit  HACMTD
Closure Of Term Deposit  HCAACTD
Statement for Flexi FD  FLEXIPSP
Deposit Flow Regularization  HREGFLOW
Renewal History  HRENHIST
TDS Refund  HRFTDS
Generation of TDS Certificate  HTDSIP
Account Balance details  HACDET
Renewal of Term Deposit  HTDREN
Extension of period of Term Deposit  HTDEXT
Pending Installments List  HPLIST
Account Selection  HACS
General Deposits Details  HGDET
Handling 15G/15H  TAXEXM
Handling exemptions/ rebates on TDS  EXMPTDS
Customer's Term Deposit A/Cs  HCUTD
Preferential Rate Update  PRFUPD
Backdated FD Opening  MIPBD
Payment of FD to Customers not maintaining Running Account  FDREPAY

Alternate Delivery Channels
Request for issuance of Internet / Mobile Banking  ADCREQ
Debit Card Issuance  DCARD
Registration/modification of Transactional Alerts on SMS / Email  ALERTS
Debit Card Inventory Management  DCARDINS
Search Account details using Debit Card Details  HCDM
Duplicate PIN for PMJDY Cards  PINREQ
Issuance of Prepaid cards  PPISS
Reloading of Pre-paid Cards  PPCLTM
Surrender of Suvidha Card  PPSUR
Hotlisting of Debit Card  HOTLIST
Credit Card Application  CCAPP
Credit Card Payment  CCPAY
Generate Application Schedule for Credit Card  GENDNLD
Request for NEFT/ RTGS  HPORDM
Bulk NEFT  HNFTBLK
Bulk RTGS  HNRTBLK
NEFT/ RTGS Transaction Inquiry  HUTRI
ATM EOD  ATMEOD
BNA EOD  CAATMEOD
e-statement Registration  UPEMAIL
Debit Card Related Reports  CARDREP
Doorstep Banking Services  DSBS
Setting/ Modifying/ Cancelling Safety Ring  FDRSAFE

Lockers
Locker Key Maintenance  HLKKM
Locker Customer Maintenance  HLKCM
Locker Transactions-History Maintenance  HLKCHM
Locker Rent – Charge Collection Maintenance  HLKRCM
Locker Operations  HLKOPS
Locker Reports  LKREPM
Maintaining waitlist of lockers in CBS  WAITLIST

Income/ Expenditure
Expenditure Transaction Maintenance  EXTM
To Delete EXTM Number  EXTMDEL
Vendor Management System  VENDORM
Menu option to recover charges  MCHRG
Income/ GST reversal  INCREV
Income/ GST reversal - Bulk Entries  INCREVBK
Non-GST Charge Calculation for Loans  PNBLACHG
GST External Charges Upload  CEXCUPL

Fixed Assets Management System
Fixed Assets Management System  FAMS
Reports related to FAMS  FAMSRPT

Government Business
NPS Registration  HNPSREG
Contribution to NPS  NPSCON
Sukanya Samriddhi Account - Printing of Passbook  PBPSSA
Printing of PPF Passbook  PBPPPF
Registration of Customer for Atal Pension Yojana  APYREG
Request for PMJJBY  PMJJBY
Request for PMSBY  PMSBY
Issuance of FasTag  FTAGISS
Reloading FasTag  FTAGRLD
TIN Collection Branch  TINBR

Cash Credit
Opening Of CC Account  HOAACCC
Modification Before Verification  HOAACMCC
Verification Of Account  HOAACVCC
Account Modification  HACM
Force Interest Run in CC Account  HACINT
Closure  HCAAC
Account limit History Maintenance  HACLHM
Account Drawing Power Maintenance  HACDPM
Getting Approval for Changing DP Indicator for CCOTH Accounts  CHGDP
Relaxation of Renewal through LenS  RENRELAX
Updation of Information  MSMEREN

Collateral Maintenance
Collateral Maintenance  HCLM
Linkage Of Collateral  HSCLM
Collateral Look Up  HCLL
Modification in collateral related to Loan against Bank Deposit  HLACM

Limit Node
Limit Node Maintenance  HLNM
Limit Node Details  HLNDI
Limit Tree Lookup  HLTL

Loans
Loan Account Opening  HOAACLA
Loans General Inquiry  HLAGI
Loans Overdue Position Inquiry  HLAOPI
Loan Repayment Schedule Report  HLARSH
Loan Demand Satisfaction Program  HLADSP
Loan Lien Process  HLALIEN
Loan Interest Transfer Liability  HLARA
Loan Pay Off Process  HPAYOFF
Loan Statement Print  HLAPSP
Loan Demand Generation/Force Interest Run  HLADGEN
Loan Modelling  HLAMOD
Loan Account Scheduled Payment  HLASPAY
Loan Account Rescheduling  HLARA
Loan Account Modification After Opening  HACMLA
Handling of Subsidy  TMPS
Education Loan Details Maintenance  EDULOANM
Subsidy Claim of Education Loan  EDULOANM
Inquiry on History of Partition Accounts  HPHINQ
Inquiry on Partitioned A/c  HPARTINQ
Interest Rate Modification in Loan accounts  HLINTTM
Concession/Relaxation in Interest Rate – MCLR Based Accounts  INTCH (by ZO User)
Concession/Relaxation in Interest Rate – Non-MCLR Based Accounts  INTCM (by ZO User)
Loan Demand Effective Date Change - Simple Interest  LAIDC
Account Level Relaxation in Service Charges in Loan Accounts  RELAXSC
Customer Level Relaxation in Service Charges in Loan Accounts  LOANCHRG
Additional Details for PM Awas Yojana  ADPMAY
Capturing MIS for Restructured Accounts  RPCVD
Udyam Registration Details  URDM
Issuance of System Generated No Dues Certificate  NDCISSUE
Marking of Fraud in Borrowal Accounts on the basis of Customer ID  CUFRD
Mapping of Restructuring / Rescheduling in CBS system  RESDET
Capturing Draw Down Schedule of Term Loan Accounts in CBS  DISBSCH
Mandatory Capturing of Operative Account Number / NACH / Check-off Facility, Contact Details and Other Checks before Disbursement  PREDISB
Allow Transaction in Loan Interest Income Heads (Access is available to ZC users of Credit Departments at Zonal Offices)  RINCM
Reversal from Vehicle Loan Pool Account  DBTPOOL
Capturing Details of Legal Entity Identifier in CBS  LOOKLEI
To fetch the Rate of Interest (ROI) of an Interest Table Code or a Loan Account as on a particular date  ADVINT

NPA
Appropriation of Recovery in NPA A/Cs  HNPACR
Recording Charges in NPA Accounts  NPACHRG
NPA Details  NPAD
NPA Account Write-Off & Compromise Details  COWO
Letter Generation For Loan Account Follow-up  LETGEN
Loans Overdue Demand Reminder/Report  HLAODR
Closure of NPA Accounts  NPACLS
Restoration to NPA Classification  NPARST
NPA Recovery from Inoperative Accounts  INNPAREC
Inquiring Various Information about NPA & Standard Accounts  NPACBAL
Reversal Of Recorded Interest  RIREV

Bank Guarantee/ Non Fund Based Facilities
Outward Guarantee  OGM
Bank Guarantee Covering Schedule  BGCOV
Guarantees Issued/Liability Register  HGILR
Guarantee Inquiry  HGI
Collection of Bank Guarantee charges  APCHCOLL
Non Fund Based Details  NFDTL
Generation of Solvency Certificate for Borrower and Non Borrower Customers  SOLV
Beneficiary Name Modification during BG Extension  BENCHG

FOREX
Money Transfer Service  MTSS
Inward Remittance Maintenance  HIRM
Outward Remittance Maintenance  HORM
Maintain Export & Outward Bill  MEOB
Maintain Import and Inward Bills  MIIB
Inward Documentary Credits Maintenance  IDCM
Outward Documentary Credit Maintenance  ODCM
Maintain Trade Financing Transactions  MTFT

Third Party Products
Linking / delinking Bank Account with Demat Account  DEMAT
Collection of Premium for PNB Met Life and CHOICe  PAYPREM
ASBA Admin  ASBA
ASBA Application in Branches  ASBABR
ASBA Reports  ASBARPT
Syndicate ASBA for uploading the Application File  SYNASBA
Syndicate ASBA modification after uploading  ASBASCSB
Opening of Simplified Demat Account for Existing to Bank (ETB) customers, based on existing KYC of customer with Bank  OPNDEMAT

Day End Related Menus
Actual Changing Date Of Sol  HSCOD
Report For Checking Pendency  HSVALRPT
Closure Of Sol Operations  HSOLOP
Sol Closure Of Last Day  HSCOLD
Sol Status Inquiry  HSSI
HSCOD Process Pending Checklist  HSCODCHK
Daily security check menu  SECCHK
User login Maintenance  HSAC
Financial Transaction Inquiry  HFTI
Financial Transaction Report  HFTR
Audit File Inquiry  HAFI
DMS/ Control Reports Check  CTRPTCHK

**************************************************
Service Plus Service Desk (SPSD)

• Service Plus Service Desk (SPSD) is a tool implemented by the Bank to provide
a single platform for the branches to escalate their technology related issues to
the Circle / ZO / Central IT Helpdesk, other Departments of ITD or other concerned
Divisions.
• The SPSD tool has the following advantages:
  • It is a single platform for the end user, i.e. branches can refer all their
    technology related problems to the concerned persons at CO / HO.
  • Standardized solutions for frequent problems can be searched in the
    'Knowledge Base'.
  • The user can keep track of the SPSD problem / request through the
    system and view the final resolution.
  • It has a well defined TAT and escalation mechanism.
  • The document attachment functionality helps the official at the CO IT
    Helpdesk / Central Helpdesk at HO to analyze the issue effectively.

Role of Branch User & Steps to be taken by branch for creating a new incident

• Please note that the user_id of all the present branches (SOLs) is already created
in the system. Whenever a new SOL is opened in CBS, an SPSD user_id is also
created simultaneously. The user-id is the 6 digit SOL-ID of the SOL.
• The new user-id is created with the default password 'pnb'.
• On logging in for the first time, the user is advised to change the default password.
• Incumbents-In-charge are required to assign the job of maintaining the user-id
and password to a designated official through an office order, and password
confidentiality should be maintained as per the information security policy of the
Bank.

The Service Plus Service Desk tool is accessible through the Service Desk
(SPSD) link available on the Home Page of the Finacle login.

• On clicking the SPSD link, the user is taken to the following screen. On this screen, you
can search the issue in the knowledge base by typing keywords in the field marked by the
red box. One can also filter the search by selecting the right value in the product picklist,
shown here in the blue box.
• If we are not able to find the solution, we can tick the checkbox as shown below
and continue to the SPSD portal by clicking Service Desk (SPSD). We will be redirected
to the login page.
• For login, the authorized user has to enter the user name & password in the respective
fields.
• The user is advised to use the keyboard Tab key or the mouse for moving from the user
name field to the password field. If the <enter> key is pressed after giving the user name,
it will display the error message "Login failed for user id <user id>".
• On successful login, the following screen comes up. The system shows identified TOP
Solutions stored in the 'Knowledge Base' archive of the SPSD tool. Other such
problems can be viewed by clicking on the 'Browse More Solutions' button (screen
shot given below). To view the full detail of the problem & solution provided
for that issue, the user should click on the relevant problem as can be seen below.
• In the 'Knowledge Base', problems / solutions on a particular issue or topic can
be viewed by entering a 'Key Word' in the field 'Search for a solution using
keyword'.
• By referring to the resolution suggested, the user might be able to solve the issue
at his level. In case the desired solution is not found in the 'Knowledge Base', the user
can escalate the problem to the Circle Help Desk team by clicking on the 'Click here to
create a New Incident' button.
• For creating a new incident, the user should fill in the following details:
I. Contact no. over which the concerned person may be contacted
II. Incident Area
III. Employee Name & PF no.
IV. Priority
V. Incident description: It helps the help desk analyst in quickly understanding
the problem. The complete description may include the activity the user
was doing when the error occurred, the menu option in which the error
occurred, the process stage at which the error occurred, the detail of the
problem being faced etc.

Documents can also be attached by clicking the "Attach Document" button. To
enable the service desk official to easily understand the issue, the user is
advised (wherever possible) to attach a screen shot of the error message being
displayed by the system, or attach any other piece of information stored in a
separate file on the PC, or attach a scanned copy of the document with the call.
• On clicking the 'INCIDENT AREA' button, the following screen will appear, from
which the user may select the most appropriate incident area related to the
problem to be escalated.
• For example, if the issue relates to CBS, he should click on ITD-CBS. The system will
display the various 'groups' under this 'incident area'.
• The 'sub-groups' will be displayed on clicking the relevant 'group'.
Make the appropriate selection from the given options.

• If the user has already lodged the incident and subsequently wants to
attach a document, the user should go to the Home Page of SPSD and click on the
'You have _ open incidents' link, or enter the request number and click the 'Go'
button. Click on the 'incident id' to which the document is to be
attached. The call will be opened and the document can be attached there.

Track Incident Status

• The user can track the status of a request by entering the incident_id in the
'incident no.' field. On clicking the 'GO' button the system will display the complete
log detail / status of the call.
• We can also click on the 'You have _ open incidents' link, which will display a list of
all open incidents. We can open the desired incident.

Add Comment

• We can interact with the circle help desk through the 'Add Comment' button
as shown in the screenshot below. We can enter the necessary comments in the
description area and click on the 'Save' button.

Close Request:

• We can also close the request at our end if in the meantime we have found a
solution to the problem, or otherwise want to close the call, by clicking on the
'Close Request' button and adding call closure comments.

Reopen Request:

• If the user is not satisfied with the resolution provided by the help desk, or the
problem is not resolved with the provided solution, or the user wants further
clarification from the help desk, he may re-open the request.
• To re-open the incident go to closed calls, select the desired incident & click on
the incident no. The system will display the following screen. Enter the reason
for reopening of the request in the 'Opening Remarks' box and click
on 'Reopen Incident'.
• The system will reopen the request with the user's remarks, and the request
will be opened with the last assignee at the circle/central help desk by whom
the call was closed previously.
:14
**************************************
24 6
10
-20 63

Information SecurityPart I
-05 13

Introduction
12 52

• Banking over the years has transformed from manual ledgers to digital ledgers
under CBS, manual entry to digital entry in to the database, shifting from the
brick & mortar system to Alternate Delivery Channels, manual to automated
updations and many more.
• The transformation in Banking was possible due to the change in the way of
storing, accessing and analyzing data. Further, when this data is stored in a
meaningful way it is called as information.
• Information: When data is stored, processed, organized, structured or
presented in a given context so as to make it useful, it is called information. For
eg.
• “10000” is a data,
• “account number 22567843” is a data,
• whereas “Account Balance of account number 22567843 is Rs.10000/-” is a
piece of information.
• All the data is stored at a central server and can be accessed from anywhere in
the world.
• Since all the customer data and other important data is stored in a
database, there is a possibility that someone can change or modify the data for
their personal benefit or to the loss of the organization holding such data.
• Thus, it is of paramount importance to protect computer system
data from those with malicious intentions.
• Information Security refers to the processes and tools designed and deployed to
protect sensitive business information (Data) from unauthorized modification,
disruption, destruction, and unauthorized inspection.
• PNB is committed to ensuring the security of Organizational Information Assets
including the data of all customers associated with it. We have taken certain
initiatives and prescribed various processes which are to be followed in order to
ensure the Information Security of the Bank.

Responsibility

• The guidelines of Information Security are applicable to:
• All Employees of PNB
• All contractors of PNB
• All consultants of PNB
• All temporary staff of PNB and other individuals, even if affiliated with Third
Parties associated with PNB.

• Various Divisions involved with Information Security and their responsibilities
are as under:

Division                                          Responsibility

Cyber and Information Security Division (CISD)    Owner of the Information Security Policy

Information Technology Division (ITD)             Implementation/ deployment of IS Policy

Inspection and Audit Division (IAD)               Inspection & Audit Division (IAD) will be
                                                  responsible for conducting audit for
                                                  compliance of IS Policy. However, HO:
                                                  CISD will ensure the compliance and
                                                  monitoring of the IS policy.

Bank has to designate one officer as Chief Information Security Officer (CISO)
who shall be responsible for articulating the IS Policy. He shall also coordinate
security related issues within the organization as well as with external agencies. He
shall also be responsible for driving the Information Security Projects (e.g. Firewall,
Antivirus, etc.).
All the employees and external parties as described, are responsible to ensure:
• Confidentiality
• Integrity
• Availability
of Bank’s information assets.
• Confidentiality: It refers to protecting information from being accessed by
unauthorized parties. For example, not everybody can sign in to our CBS system;
only those with a valid user ID and password can log in to it. This is done to
ensure the confidentiality of data.
• Integrity: Integrity is the maintenance of, and the assurance of, the accuracy
and consistency of data and information assets. For example, whenever we search
the account balance of a particular account, the correct balance of that account
must be shown.
• Availability: It refers to making the information assets available to authorised
persons on demand. For example, whenever a Customer signs in through PNB ONE,
he/ she should see the information related to his/ her account.

Exception

• In case a situation is identified in which the Information Security policy cannot be
applied, the matter should be raised with the respective Divisional Head/ Chief
General Manager (CGM)/ General Manager (GM) in conjunction with the
relevant IT asset Owner/s and stakeholders, who will recommend the
exception to CISO.

• ORMC will take the decision on whether to permit or deny such policy
exceptions depending on business justifications & risk mitigation controls with
the recommendation of CISO and CGM/GM of the concerned Division. In case
permission is given by ORMC, the same will be placed to the Board for ratification
through RMC.

PERIODIC REVIEW

The Information Security guidelines/ policy will be reviewed by CISO and placed to the
Board through the Steering Committee on Information Security, routed through the Risk
Management Committee (RMC):
• Every year, or at the time of any major change in the existing IT
environment affecting policy and procedures, whichever is earlier; or,
• Whenever any change affecting the basis of the original risk assessment occurs, e.g.
significant security incidents or new vulnerabilities.

COMPETENT AUTHORITY

• Scale IV and above officials designated as asset owner and posted in the
administrative offices will be deemed as Competent Authority for issues related
to Information Security Policy unless explicitly mentioned otherwise.

GUIDELINES FOR THIRD PARTY

Due to the nature of the Bank’s business, many works are to be outsourced to third
parties for availing specialist services. Third party includes various Vendors,
Contractors, Sub-contractors and Customers and also includes third parties working
from remote locations. It carries a risk of unauthorized access to the Information
assets of the Bank.

• Third parties should be provided access to the Bank’s Information Systems using
hardware and software platforms and technologies approved by the Bank at
Bank premises only. The approval for such access will be provided by CGM (GM
in absence of CGM) on the recommendation of the business process owner.
• Third party users’ access to the Bank’s IT Systems should be restricted to the
minimum services and functions necessary for the business functions performed
by them.
• All third parties having access to classified information should adhere to the Bank’s
IS Policy. The access should be granted to the third party representatives as
per the procedure on a need-to-know basis, subject to risk assessment and
approval by the competent authority.

IT ASSET MANAGEMENT

Due to the nature of the business of the Bank and subsequent technological
development, Banks are required to procure & put to use various IT assets. The
details of IT Assets are as below:
• Information Assets: This includes Databases and data files residing on various
servers, PCs, Laptops, storage etc. including emails.
• Paper Assets: This includes files and documents in paper form (legal
documents, contracts, user manuals and other files) including printouts and fax
messages.
• Software Assets: This includes application, system software, software tools etc.
residing in the system or in storage media.
• Physical Assets: This includes servers, laptops, PCs, network devices, printers,
removable media, storage etc.
• Services: This includes general support utilities like power, air conditioning,
UPS, generators, software & hardware support (customization and
maintenance) etc.
• People Assets: This includes people manning various operations of the above
assets.
• IT Assets are the major component in respect of Information Security and
thus certain guidelines are required to be followed in this case, which are as
below:
1. IT Assets should be protected in such a way that the most critical assets
are given maximum protection, for example the Data Server.
2. IT assets should be clearly identified and inventoried. Each asset will have an
owner who will be responsible for the asset. The IT assets should be properly
labelled and classified as per procedure. The baseline configuration should be
maintained and any changes in configuration should be recorded through the
Change Management procedure.

HUMAN RESOURCE

Due to the nature of the business of the Bank and its dependence on Human
Resources, the potential risk of Information Security breach through Human Resources
is huge. The risks include:
• Human error
• Lack of competence
• Theft
• Fraud or misuse of facilities etc.
In order to create a secure IT environment, certain guidelines are required to be
followed, which are as below:

1. The IT assets and functions should be handled by authorized bank staff. For
example, the Bank has defined various work classes in CBS FINACLE with attached
powers. It means that not everyone is authorised for all privileges. The same
should be meticulously followed.
2. Employees should be trained appropriately for handling IT Assets.
3. The security roles and responsibilities to be included in the job description.
4. All employees to sign confidentiality & non-disclosure agreements.
5. Segregation of duties to be defined so that no employee performs conflicting
duties. Wherever segregation of duties is not possible, there should be
management control and oversight on the activities of the concerned employees.
6. Information security awareness training should be given to new joinees during
induction program and also on regular interval to staff to enhance their awareness
on range of threats and the appropriate safeguards.
7. Regular and relevant Information security awareness communications should be
provided to all staff by various means, such as advisories on mail, through the e-
circular site, class room training, electronic updates through Intranet, briefings,
Newsletters etc.

PHYSICAL ENVIRONMENT

Due to the nature of the business of the Bank and with advancement in technology, it
has become imperative to install and use various sophisticated devices and
machineries in the physical area/ premises of Branches/ Offices of Bank. These
devices are the information capturing, processing and accessing terminals. Thus, the
potential risk of breach of Information Security through Physical Environment i.e.
Physical area is very large. The risks include:
1. Natural/ Man made floods or Water seepage.
2. Natural/ Man made Fire hazards
3. Rodents
4. Electrical malfunction
5. Inflammable material
6. Electrical shocks/ short circuits
7. Unshielded strong magnetic fields
8. Unauthorized access
9. Damage/ disruption
10. Theft etc.

The different physical areas are as below:


1. Server area: This will constitute the Data Centre, DRDC, NOC, Server Rooms,
and Communication Room etc.
2. Support Services Area: Such as UPS Room, Battery Banks, Fire Fighting
Equipment and Generator Room, Circle Network Centres etc.
3. Work Area: This will include the working space for the employees / external
parties engaged in running the Information Processing Facilities.
4. Storage Area: This will include the store room for spares, record room, file
storage etc.
5. General Banking Area: This will include customer lounges, ATMs, Kiosks etc.

Thus, to ensure the Information Security aspect, maintenance of the security of the
Physical Environment is of utmost importance.
Certain guidelines are required to be followed in this case, which are available
subsequently.

1. Security risk area:

A. Restricted (Maximum Secured area): Certain areas such as the Server area have
been identified as Maximum security area where the following action may be
implemented:
i. Restricted Access to be provided.
ii. 24*7 Security guards and CCTV coverage should be there.
iii. Access controlled by magnetic access card/Biometric devices etc.
iv. Fire alarm/ suppression systems to be installed.

B. Controlled: The work area and support services facilities will be subject to security
at a level slightly lower than maximum security but in a controlled environment.
C. Normal: Areas like storage areas will be under normal security.

2. Separation:
• Adequate separation must be maintained between the server area and electrical
installations in order to avoid any mishap.
• Similarly, within the server area physical separation can be made to segregate the
server area into different zones like networking area, backup area etc.

3. Maintenance of ambience:

Depending on the criticality of the installation (e.g. strict controls are required for a Data
Centre while in a branch a lower level of control may suffice), the following guidelines
are to be followed:

• Bank should provide fire detection and suppression;
• Power conditioning such as voltage stabiliser etc.;
• Air conditioning and humidity controls and other environmental controls as
deemed necessary;
• All portable assets and removable media devices should be secured overnight
under Lock & Key.

The above list is indicative only and depending on the scenarios suitable measures are
to be initiated.

4. Security Inspections:
Periodic Security inspections of all sites and locations having Server Area and/ or
Support Service Area to be conducted. Security inspections of other sites are also
desirable.
5. Monitoring and Logging:

The sensitive sites should be monitored by installing CCTVs & the CCTV footage
should be monitored for any security breach. The logs of various access control
devices like access cards, biometric access etc. should be reviewed and analyzed.
Logs of devices should be stored as per Bank’s Record maintenance policy.

COMPETENT AUTHORITY

The following authority will be treated as Competent Authority for issues related to
Physical & Environmental Security:
• Officials of Scale IV and above for administrative offices
• Incumbent In charge for branches.

COMMUNICATION & OPERATIONS MANAGEMENT
Due to the nature of the business of Banks, communication both internal and
external is inevitable. Thus, the potential risk of breach of Information Security
through communication channels is real.

Again, Banks carry out certain information processing work such as credit analysis
etc., thus the potential risk of breach of Information Security through Operations is
also real.
The risk areas are as below:
• Information processing methods
• Various business functions
• Information across communication networks and technological infrastructures.

Thus, in order to ensure the Information Security aspect, certain guidelines are
required to be followed, which are available subsequently.

1. Documentation of Operational Process :

The standard operational procedures for IT operations as approved by the competent
authority are to be strictly followed. For example, the E-Mail policy and usage guidelines.
The documents are to be stored in a secured environment and protected from
unauthorized access.

2. Change Management :

Changes to IT facilities and systems should be controlled in order to ensure that
changes made to a production component are applied in a secure and proper manner.
Certain guidelines as below are to be followed:
• All changes should be scheduled and reviewed after the roll out. All change
requests must be documented.
• For example, on creation of any new Menu, the need for the creation, the
desired functionality and the roll out schedule are all to be documented.

Unscheduled/ Emergency changes should be carried out only in case there are critical
production issues and are not to be undertaken without proper notification to the
controlling authority.

3. Patch & Service pack management:

Patches are basically updates for Software. The patches released by the respective
vendor should be identified & evaluated to check whether they are required/ applicable for
the business.

Only tested versions of the patch or service pack should be considered for application,
wherever needed.

The role and responsibility of IT Asset owner departments/divisions for updating patches
should be in accordance with the Patch management procedure.

4. Capacity Management Planning:

Scalability of processing Power, Memory Requirements and storage capacity for the
critical IT resources is to be assessed and planned properly before they are put to use.
• Performance of information processing facilities to be monitored continuously.
• The data gathered from the monitoring process to be used to project the future
capacity requirements with identifying potential bottlenecks.
• Comparison of the performance requirements of the information processing
facilities from a cost benefit analysis perspective should be done to ensure that
no surplus of capacity or resources exists.
• Based on the business requirements, appropriate alternative arrangements
should be made available in case of failure of equipment and to avoid loss of
data.
• Availability & performance requirements should be clearly reflected in Service
level Agreements of respective services with the service providers.
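A worked illustration of the projection step above (an added example; it is not the Bank's own monitoring code). It fits a least-squares line through constructed weekly storage-utilisation samples, estimates when a chosen threshold will be crossed, and decides whether procurement must start now given a lead time. The sample values, the 85% threshold and the lead times are assumptions.

```python
from datetime import date, timedelta

# Constructed weekly utilisation samples (percent of storage used) as a monitoring
# system might export them; not real Bank data.
SAMPLES = [
    ("2024-03-04", 61.0), ("2024-03-11", 62.5), ("2024-03-18", 63.8), ("2024-03-25", 65.4),
    ("2024-04-01", 66.9), ("2024-04-08", 68.1), ("2024-04-15", 69.7), ("2024-04-22", 71.2),
]


def linear_trend(samples):
    """Least-squares line through (days since first sample, percent used).
    Returns (slope per day, intercept, origin date)."""
    origin = date.fromisoformat(samples[0][0])
    xs = [(date.fromisoformat(d) - origin).days for d, _ in samples]
    ys = [v for _, v in samples]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return slope, my - slope * mx, origin


def projected_breach(samples, threshold):
    """Point at which the trend crosses the threshold, or None if usage is not growing."""
    slope, intercept, origin = linear_trend(samples)
    if slope <= 0:
        return None
    days = (threshold - intercept) / slope
    return {
        "days_from_origin": days,
        "date": origin + timedelta(days=days),   # whole days; fraction of a day is dropped
        "growth_per_week": slope * 7,
    }


def procurement_due(samples, threshold, lead_time_days):
    """True when the headroom left after the latest sample is shorter than the time
    needed to procure and commission more capacity, i.e. the order must go out now."""
    breach = projected_breach(samples, threshold)
    if breach is None:
        return False
    latest = date.fromisoformat(samples[-1][0])
    return (breach["date"] - latest).days <= lead_time_days


if __name__ == "__main__":
    b = projected_breach(SAMPLES, 85.0)
    print(f"85% reached around {b['date']} (growth {b['growth_per_week']:.2f} %/week)")
    print("order now:", procurement_due(SAMPLES, 85.0, 90))
```

A straight line is the simplest model; month-end batch peaks and seasonal growth are lost in weekly averages, so in practice the same projection should be run on peak values as well.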

5. Mobile Computing Controls against mobile code:

Mobile code is any program, application, or content capable of moving while
embedded in an email, document or website. Mobile code uses a network or storage
media, such as a Universal Serial Bus (USB) flash drive, to transfer itself from another
computer system and execute locally. The term is often used in a malicious
context as most Mobile code creates varying degrees of computer and system
damage.

The functionality of any mobile code is disallowed completely, unless explicitly required.

6. Remote access:
Remote access may be permitted only for authorized users and activities by GM-IT.
Further, where feasible, secure remote access should be given to access assets
within or from outside Bank premises after getting the necessary approval from GM-IT,
subject to multifactor authentication.

7. Online-Transactions:

All communication involving On-line Transaction should have secure identification and
authentication

8. Unauthorised/ Freeware/ Malicious Software:

All employees must regularly check and be aware of the dangers of unauthorized or
freeware or malicious software like computer viruses, network worms, Trojan horses,
logic bombs etc.

9. Anti-Virus Management:

The IT systems should have approved Anti-Virus Software with latest version and all
components installed and updated regularly.

10. Data purging:


It is to be ensured that the preservation of purged/ removed data is done in
synchronization with IAD HO guidelines on the Record Maintenance Policy and is subject
to legal and regulatory requirements.

11. Business Continuity Planning (BCP)

The Business Continuity plan as formed by the Bank is to be followed to ensure continuation
of operations under adverse conditions (i.e. interruption from natural or man-made
hazards) without much loss of time and Data.

12. Clock Synchronization:

System clocks should be synchronized regularly with the Bank’s installed NTP
(Network Time Protocol) server.

Information Security Part II

NETWORK SECURITY MANAGEMENT CONTROL

Due to the nature of the business of the Banks, such as Core Business Solution, ATM
etc, communication networks are inevitable. The networks are also exposed to
possible risk and threats. Thus, in order to maintain a proper IT ecosystem, the
security and protection of Networks are of great importance.

Some of the Networks used in Banks are as below:
• Local Area Network (LAN),
• Wide Area Network (WAN),
• Wireless Networks etc.
The risk areas are as below:
• Physical damage
• Hacking
• Unauthorised access etc.

Thus, in order to ensure the Information Security aspect, certain guidelines are
required to be followed for securing the networks which are available subsequently.

1. Centralized Proxy:
The Internet will be provided by the Centralized Proxy.

2. Network Design:
Networks should be designed in conformance with reasonably secure practices. The
design of the network is to be supported by formal documentation of the network
details and users’ service requirements.

3. Network Services:
The network services should be enabled only after assessing the security risks.

4. Wireless Network Security:
Use of Wireless Network shall be restricted and reasonably secured based upon
authorization from the competent authority.

5. Network Connectivity:
Access to the network facilities should be on a need-to-have/ need-to-do basis and
restricted to authorized persons only.

6. Security of Routers/ Switches:

• Routers/ Switches and consoles are to be kept in a physically secure location.
• Routers/ Switches should require a user to enter a user Id and password to gain
access to the command prompt.
• Router/ Switch passwords are to be stored (e.g. in router configuration files)
in an encrypted form.
• Router/ Switch passwords are to be changed on a regular basis.
• Routers/ Switches should have appropriate login banners.
• Copies of the router/switch configuration files should be restricted to authorized
persons.
• The upgrades for routers should be evaluated for applicability and suitability.
• The maintenance fixes must be applied on the routers during non-peak or off
business-hour times.
• The latest configuration of all the routers/ switches should be backed up regularly.
• The router/ switch audit logs are to be reviewed regularly where applicable.
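The configuration backup, encrypted-password and banner points above, together with the baseline-configuration rule in the IT Asset Management section, can be checked mechanically against the backed-up baseline. The following added example is not PNB's tooling: it diffs a constructed, IOS-like baseline against a current export, flags every changed line that no approved change record explains, and runs a few hardening checks. The configuration text, the CHG-0001 record and the keyword checks (`service password-encryption`, `enable secret`, `banner login`, `transport input`) are assumptions to be adapted to the real platform's syntax.

```python
import difflib

# Constructed baseline (approved) and current (as exported) configurations in an
# IOS-like syntax; keywords are assumptions for illustration and hash values are
# placeholders, not real secrets.
BASELINE = """\
hostname core-router-01
service password-encryption
enable secret 5 <hash-placeholder>
username netadm secret 5 <hash-placeholder>
banner login ^C Authorised users only. Activity is monitored and logged. ^C
logging host 10.0.0.5
ntp server 10.0.0.10
line vty 0 4
 login local
 transport input ssh
"""

CURRENT = """\
hostname core-router-01
enable password letmein
username netadm secret 5 <hash-placeholder>
username vendor1 password vendorpass
logging host 10.0.0.5
ntp server 10.0.0.11
line vty 0 4
 login local
 transport input ssh telnet
"""

# Lines that approved change records (constructed ids) permit to appear or disappear.
APPROVED_CHANGES = {"CHG-0001": {"ntp server 10.0.0.10", "ntp server 10.0.0.11"}}


def config_diff(baseline: str, current: str) -> dict:
    """Lines removed from and added to the baseline, from a zero-context unified diff."""
    removed, added = [], []
    for line in difflib.unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0):
        if line.startswith(("---", "+++", "@@")):
            continue
        if line.startswith("-"):
            removed.append(line[1:])
        elif line.startswith("+"):
            added.append(line[1:])
    return {"removed": removed, "added": added}


def hardening_findings(config: str) -> list:
    """Checks derived from the router/switch guidelines above: stored passwords
    encrypted, no cleartext credentials, a login banner, no telnet management."""
    lines = config.splitlines()
    findings = []
    if "service password-encryption" not in lines:
        findings.append("stored passwords are not encrypted (service password-encryption missing)")
    if any(l.startswith("enable password ") for l in lines):
        findings.append("enable password stored in cleartext; use enable secret")
    for l in lines:
        if l.startswith("username ") and " password " in l:
            findings.append(f"cleartext password on local account: {l.split()[1]}")
    if not any(l.startswith("banner login") for l in lines):
        findings.append("no login banner configured")
    if any("transport input" in l and "telnet" in l for l in lines):
        findings.append("telnet allowed on management lines; restrict to ssh")
    return findings


def drift_report(baseline: str, current: str, approved: dict) -> dict:
    """Compare the exported configuration with the backed-up baseline and list every
    changed line that no approved change record accounts for."""
    diff = config_diff(baseline, current)
    permitted = set().union(*approved.values()) if approved else set()
    unapproved = [l for l in diff["removed"] + diff["added"] if l not in permitted]
    return {"diff": diff, "unapproved_changes": unapproved,
            "hardening_findings": hardening_findings(current)}


if __name__ == "__main__":
    report = drift_report(BASELINE, CURRENT, APPROVED_CHANGES)
    for line in report["unapproved_changes"]:
        print("UNAPPROVED CHANGE:", line)
    for finding in report["hardening_findings"]:
        print("HARDENING:", finding)
```

Run against the nightly configuration backup, the unapproved-change list is the evidence that the Change Management procedure was bypassed; the hardening findings are the same checks a reviewer would otherwise make by reading the file.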

7. Security of Firewalls:

The firewall design and architecture are to be decided based on the security
requirements of the internal PNB network.

8. Intrusion Protection System (IPS):

The devices should be configured for monitoring network traffic and preventing
security attacks on the system including denial of usage, masquerading etc. The
devices should be capable of generating different alerts based on the priority of
attention needed from the administrator.

9. Auditing & Logging:

The critical events including system events, access and operations should be
logged. The audit logs should be protected from unauthorized access. The logs
should be retained for an appropriate period as per the Bank’s Record Maintenance
Policy as defined by Inspection and Audit Division: Head Office, taking into
consideration the legal & regulatory requirements also.

10. Monitoring and Maintenance:

The critical servers should be monitored and maintained regularly. The activities
of the administrators should be supervised & monitored regularly. The logs
should be retained for appropriate period as per Bank’s Record Maintenance
Policy.
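One way to make audit logs tamper-evident, as sections 9 and 10 above require (an added example, not the Bank's logging system): each entry carries an HMAC over the previous entry's hash and its own content, so editing or deleting a stored entry breaks every later link, and a separate pass picks out the administrator actions a supervisor should review. The key, the event records and the list of privileged actions are constructed.

```python
import copy
import hashlib
import hmac
import json

# Constructed demonstration key. In practice the key lives on the log collector
# (or an HSM), not on the monitored server, so an intruder on the server cannot
# re-sign entries after altering them (assumption about deployment).
LOG_KEY = b"demo-audit-log-key-constructed"
GENESIS = "0" * 64
FIELDS = ("seq", "ts", "actor", "action", "target")


def _link_digest(prev_hash: str, record: dict) -> str:
    """HMAC over the previous hash plus the canonical JSON of this record."""
    canonical = json.dumps({k: record[k] for k in FIELDS}, sort_keys=True)
    return hmac.new(LOG_KEY, (prev_hash + canonical).encode(), hashlib.sha256).hexdigest()


def append_event(chain: list, ts: str, actor: str, action: str, target: str) -> dict:
    """Append one audit entry linked to the previous one."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "ts": ts, "actor": actor, "action": action, "target": target}
    entry = dict(record, prev=prev, hash=_link_digest(prev, record))
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Recompute every link. Returns (True, None) or (False, seq of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != _link_digest(prev, entry):
            return False, i
        prev = entry["hash"]
    return True, None


def privileged_actions(chain: list, privileged=("grant_role", "change_config", "drop_table")) -> list:
    """Entries an administrator's supervisor should review (section 10)."""
    return [e for e in chain if e["action"] in privileged]


# Constructed sample events (not real Bank log data).
SAMPLE_EVENTS = [
    ("2024-05-06T09:01:00", "12345AB", "login", "cbs-app-01"),
    ("2024-05-06T09:05:00", "12345AB", "view_balance", "AC 22567843"),
    ("2024-05-06T10:30:00", "sysadm01", "change_config", "core-router-01"),
    ("2024-05-06T11:00:00", "12345AB", "logout", "cbs-app-01"),
]


def build_demo_chain() -> list:
    chain = []
    for ts, actor, action, target in SAMPLE_EVENTS:
        append_event(chain, ts, actor, action, target)
    return chain


def demo() -> dict:
    chain = build_demo_chain()
    edited = copy.deepcopy(chain)
    edited[1]["target"] = "AC 99999999"          # silent edit of a stored entry
    deleted = chain[:2] + chain[3:]              # an entry removed from the middle
    return {
        "intact": verify_chain(chain),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated": verify_chain(chain[:-1]),   # tail removal is NOT caught by the chain alone
        "to_review": [e["seq"] for e in privileged_actions(chain)],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Verification does not catch removal of the newest entries, as the `truncated` case shows: the latest hash must also be recorded on the collector (or sent with each batch), which is one reason the log server rather than the monitored host should hold the key.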

DATA BACKUP & ARCHIVAL MANAGEMENT

Data is the most important element for Banks. The Customer data so captured should
be accessible at any time and anywhere and at the same time it should not be
accessed by anyone who is not authorised to do so. Similarly, the transaction data,
inquiry data etc. are all of immense importance for the bank. Data is exposed to possible
risks and threats.

Some of the risk areas are as below:


• Data may be deleted intentionally or unintentionally.
• Data may be altered by unauthorised people.
• Data may not be accessible due to technical issues.
• Data may not be accessible due to natural calamity or any incident and
subsequent damage to the server etc.

In order to ensure an uninterrupted flow of business and to retrieve the data in case
of exigency when the main Data source is not accessible or unwantedly altered,
Banks must have a Data Backup & Archival management system.

In our Bank, guidelines are there for implementing such systems considering the
Information Security aspect. These guidelines have been bifurcated into 2 different
segments. The first one is to implement the security of the data and the second one is
the Archival of the backed up data.
The details are available subsequently.

Security Controls:
• Audit logs on critical servers and devices should be enabled.
• Backup media movement such as Pen Drive, external Hard Drive etc. should be
controlled to avoid theft of Backup Media.
• Backup media should be clearly and distinctly labelled.
• The backup media needs to be tested at least annually for
availability/readability of data for restoration.
• The retention period of the backup should be maintained as per the record
maintenance policy of the Bank, complying with the regulatory and legal
requirements and directives.
• On expiry of the life of the media, the data should be transferred to other
appropriate media and the old media shall be destroyed to prevent any data
leakage.
• Security Logs on devices should be protected against tampering and
unauthorized access.
• One copy of backup storage media needs to be stored off-site. The off-site
location needs to be carefully chosen to ensure that it is located at a sufficient
distance to be unaffected by any disaster at the original site.
• Backup media are to be protected from unauthorized access through encryption.
• In order to protect the confidentiality and integrity of sensitive data, all backup
data classified as confidential and having a required need for confidentiality
and/ or integrity should be stored in encrypted format only.

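A small restore-verification routine for the controls above (an added example, not the Bank's backup tooling). At backup time it records the size and SHA-256 of each stored object in a labelled manifest; at the annual readability test it checks a trial restore against the manifest and reports corrupted, missing and unexpected objects; and it decides retention from a placeholder period. Hashes are taken over the encrypted object as stored, so the test needs no decryption key. The sample objects, the label and the 365-day figure are constructed.

```python
import hashlib
from datetime import date


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def create_manifest(label: str, created: str, files: dict) -> dict:
    """Record size and SHA-256 of every backup object at backup time. Objects are
    hashed in their stored (encrypted) form, so verification needs no key."""
    return {
        "label": label,
        "created": created,
        "files": {name: {"size": len(blob), "sha256": sha256_hex(blob)} for name, blob in files.items()},
    }


def verify_restore(manifest: dict, restored: dict) -> dict:
    """Compare a trial restore against the manifest (the annual readability test)."""
    report = {"ok": [], "corrupted": [], "missing": []}
    for name, meta in manifest["files"].items():
        blob = restored.get(name)
        if blob is None:
            report["missing"].append(name)
        elif len(blob) == meta["size"] and sha256_hex(blob) == meta["sha256"]:
            report["ok"].append(name)
        else:
            report["corrupted"].append(name)
    report["unexpected"] = sorted(set(restored) - set(manifest["files"]))
    report["restorable"] = not report["corrupted"] and not report["missing"]
    return report


def retention_action(created: str, retention_days: int, today: str) -> str:
    """'retain' until the retention period from the record maintenance policy has
    elapsed, then 'transfer_and_destroy' (retention_days is a placeholder value)."""
    age = (date.fromisoformat(today) - date.fromisoformat(created)).days
    return "retain" if age < retention_days else "transfer_and_destroy"


# Constructed sample backup set; the .enc suffix marks objects as already encrypted.
SAMPLE_BACKUP = {
    "cbs_daily.dump.enc": b"\x00\x17ENC-constructed-core-banking-dump-0001",
    "audit_logs.tar.enc": b"\x00\x17ENC-constructed-audit-logs-0001",
}
MANIFEST = create_manifest("BKP-CBS-2024-05-06-SET1", "2024-05-06", SAMPLE_BACKUP)


def demo() -> dict:
    good = dict(SAMPLE_BACKUP)
    bad = dict(SAMPLE_BACKUP)
    blob = bytearray(bad["cbs_daily.dump.enc"])
    blob[10] ^= 0x01                       # a media read error flipped one bit
    bad["cbs_daily.dump.enc"] = bytes(blob)
    del bad["audit_logs.tar.enc"]          # and one object did not come back from tape
    return {
        "good": verify_restore(MANIFEST, good),
        "bad": verify_restore(MANIFEST, bad),
        "retention": retention_action(MANIFEST["created"], 365, "2025-05-07"),
    }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

The manifest itself must be kept apart from the media it describes (with the off-site copy, for instance), otherwise a damaged or substituted medium takes its own evidence with it.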
Data Archival:

Archived data should be stored on such a platform and using such a technology that
future alteration/ modification/ deletion of the data is not possible, once the data is
archived.

USER MANAGEMENT

The Data available is accessible by various users. But we know that all data is not for
use by every user. For example:

• A customer should have access only to data related to him/ her. He/ She should
not have access to anybody else's data.
• The signature details of any customer should be accessible to employees who
are dealing in transactions and not by all who are working at the Back office of
the Bank.
In order to impose restrictions to prevent misuse of data, certain guidelines are
required to be followed considering the Information Security aspect.

The details are as follows:

1. User Category Creation: Certain user categories are required to be created which
are as under:
i) System Administrators
ii) Database Administrators
iii) Security Administrators
iv) Network Administrators
v) Auditors
vi) Application Users

Data access permissions/ privileges are granted for different category of users based
on the requirement.

2. Classification of User Type:


Users are to be classified according to their types and need to be assigned work role
as per the User Category created.

The User types are as under:


• Bank Employees: The powers and privileges are to be assigned to employees
as per their role & designation, complying with the Bank’s guidelines.
• Third party: These users may normally undertake roles under all the user
categories except as Application users, as per their functional specifications.
• Customers: These are users with defined access to information resources in
the software applications.

Logical access to be controlled for all the users.

LOGICAL ACCESS CONTROL

As discussed previously, in order to ensure the confidentiality, integrity and
availability of data across the Bank, there is a necessity to implement Logical access
control. Logical access control means controlling the access to data by users
on the basis of defined rules. Different rules are created for different User categories and
User types considering the business need.

Certain guidelines are required to be followed for implementing Logical access control
considering the Information Security aspect. The details of such guidelines are
available subsequently.

1. User Access Management:
Users should be granted access to information, data and applications strictly on a
"need to know" and "need to do” basis. For example, auditors are to be given data
access for viewing only and not for conducting any transaction.

Access Logs should be monitored and reviewed regularly.

User Id creation needs to follow a standard naming convention for IT assets to
facilitate user identification and monitoring. For example, our CBS (Finacle) user id
starts with our PF ID followed by the initials of our name. Similar conventions
are to be followed for other applications also.
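How the user categories, the need-to-know rule, the naming convention above and segregation of duties (from the Human Resource section) fit together in code, as an added example that is not Finacle's access model: a constructed permission matrix per category, a list of conflicting duty pairs, and a provisioning check that refuses an id outside the convention, a third party in the application-user category, or a conflicting combination of categories. The id pattern (5-digit PF ID plus 2-3 initials), the permission names and the conflict pairs are assumptions.

```python
import re

# Permissions per user category (constructed illustration, not the Bank's Finacle work classes).
CATEGORY_PERMISSIONS = {
    "application_user": {"view_account", "post_transaction"},
    "transaction_authorizer": {"view_account", "authorize_transaction"},
    "auditor": {"view_account", "view_audit_log"},      # view only: no transaction rights
    "system_admin": {"manage_os", "view_audit_log"},
    "database_admin": {"manage_db"},
    "security_admin": {"manage_users"},
    "network_admin": {"manage_network"},
}

# Duties one person must not hold together (segregation of duties; constructed pairs).
SOD_CONFLICTS = [
    frozenset({"post_transaction", "authorize_transaction"}),   # maker vs checker
    frozenset({"manage_users", "post_transaction"}),            # creating ids vs using them
    frozenset({"manage_db", "post_transaction"}),               # DBA altering what is posted
]

# Assumed id format: 5-digit PF ID followed by 2-3 uppercase initials; the page gives
# only "PF ID followed by initials", not the lengths.
USER_ID_RE = re.compile(r"^\d{5}[A-Z]{2,3}$")


def valid_user_id(user_id: str) -> bool:
    return USER_ID_RE.fullmatch(user_id) is not None


def effective_permissions(categories) -> set:
    unknown = set(categories) - set(CATEGORY_PERMISSIONS)
    if unknown:
        raise ValueError(f"unknown user category: {sorted(unknown)}")
    return set().union(*(CATEGORY_PERMISSIONS[c] for c in categories))


def sod_violations(permissions: set) -> list:
    """Conflicting pairs fully contained in a permission set."""
    return [sorted(pair) for pair in SOD_CONFLICTS if pair <= permissions]


def provision(user_id: str, categories, third_party: bool = False) -> dict:
    """Access decision for a new id: nothing is granted unless the id follows the
    naming convention, third parties stay out of the application-user category
    and no segregation-of-duties conflict arises."""
    problems = []
    if not valid_user_id(user_id):
        problems.append("user id does not follow naming convention")
    if third_party and "application_user" in categories:
        problems.append("third parties may not be application users")
    perms = effective_permissions(categories)
    for pair in sod_violations(perms):
        problems.append("conflicting duties: " + " + ".join(pair))
    return {"user_id": user_id, "permissions": sorted(perms) if not problems else [], "problems": problems}


def is_permitted(permissions, action: str) -> bool:
    """Need-to-do check at request time: deny anything outside the granted set."""
    return action in set(permissions)


def demo() -> dict:
    auditor = provision("12345AB", ["auditor"])
    return {
        "auditor": auditor,
        "auditor_can_view": is_permitted(auditor["permissions"], "view_account"),
        "auditor_can_post": is_permitted(auditor["permissions"], "post_transaction"),
        "maker_checker": provision("23456CD", ["application_user", "transaction_authorizer"]),
        "bad_id": provision("ab12345", ["application_user"]),
        "vendor_dba": provision("34567EF", ["database_admin"], third_party=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Where a conflicting combination cannot be avoided in a small office, the guideline calls for management oversight instead; in code that means the provisioning step records an approved exception and the `is_permitted` decisions for that id are routed to the access-log review rather than silently allowed.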

2. Password Management:
Password Management and allocation should be in accordance with the password
management & allocation guidelines.

3. User Authentication & Log On:


Users accessing the system may be identified & authenticated using their credentials
only before granting the access.

4. Logical Security on User Media :


Floppy drives, CD/DVD writers, USB Ports & Card Slots on end-user machines need to
be disabled in order to prevent data theft/ leakage. The same may be enabled for
specific business requirement after getting approval from the competent authority. If
somebody wants to access Bank’s network through his/ her own device, such devices
are to be controlled and monitored.

5. Security of Unattended User Media :


The user to ensure not to leave any equipment unattended when logged in. An
appropriate locking mechanism, e.g., a password protected screen saver may be
used. The active sessions should be terminated, when not in use. All paper &
computer media based IT assets need to be stored in suitable locked cabinets when
not in use, especially beyond working hours. Important information, when printed,
should be cleared from printer immediately.

6. Privilege Access management:
Usage of privileged user ids is restricted & controlled. Detailed Logical Access
procedures will define the type of access, level of access and permissions for the
servers, applications and databases.

7. System Utilities Access:
Access to system utilities is restricted to authorized persons in accordance with
business functions and business needs.

8. Security of Alternate Delivery Channels:


ATMs should have a constrained user interface. It should present a user with a limited
list of permitted operations and prevent the user from escaping to any other system interface.
The Bank should make mandatory disclosures of the risks, responsibilities and liabilities of
customers in doing business through mobile phone etc. through a disclosure template.

The Internet Banking/ Mobile Banking Infrastructure should be separated from the
core banking database. No direct connection to the core banking database should be
allowed. It is to be secured using web-centric services like SSL, Padlock etc. The
users/ customers should be allowed to access Internet Banking on their request
only. The login credentials are to be generated through an automated system to ensure
privacy of passwords. The access logs are stored in the system for monitoring
purposes.

INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT & MAINTENANCE

Due to the nature of the business of the Bank and subsequent technological
development, Banks are required to develop or procure various Software or
applications. It is important that while developing or procuring Software, certain
steps are to be followed in order to ensure that the Software performs the desired
task without any flaw. Any error can bring tremendous business and financial loss
for the Bank.

The guidelines which are to be followed are as below:

Controls Related to System Development Life Cycle:


• Planning and Initiation Phase: A risk analysis needs to be performed to
determine the threats associated and the corresponding security controls
required for the Software.

• Acquisition/ Development/ Procurement Phase: While purchasing an
information system or software,
a) The security requirements should be specified in the Request for Proposal,
and
b) The selection criteria shall be based on secure functionality.

Application controls are designed into all software applications to prevent
any loss. Controls such as:
a) Use of a distinct test environment while developing the software.
b) Validation of input & output data.
c) Checks to detect inconsistent data.
d) Control of internal processing & sequence of processing.
e) Limited Manual Intervention & controls over any overrides.

To protect against potential covert channels or Trojan code, the following
controls are to be implemented:
a) Programs are to be bought only from competent and reputed sources, preferably
with source code so the code may be verified.
b) Preferably evaluated products are to be used.
c) Code once installed should have controlled access and modification.
d) An Asset Inventory should be created which will capture details like Asset
name, Storage location and Warranty details, licensing details, etc., of the IT
assets and it is to be updated regularly to reflect changes.
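The input/output validation, inconsistency and override controls listed under the Acquisition/ Development/ Procurement Phase, shown on a constructed voucher batch (an added example, not a Bank application). Each line is validated for account format, amount precision, posting side and value date; an override must carry an approver other than the maker; and a batch is accepted only when its ids are unique and debits equal credits. The 8-digit account format (taken from the page's own example number), the amount limit, the fixed date and the sample vouchers are assumptions.

```python
import re
from datetime import date
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"^\d{8}$")       # assumed 8-digit account number
MAX_AMOUNT = Decimal("1000000.00")        # placeholder per-entry limit, not a Bank figure
TODAY = date(2024, 5, 6)                  # fixed so the example is reproducible


def validate_entry(e: dict, today: date) -> list:
    """Input validation for one voucher line; returns error strings (empty list = clean)."""
    errs = []
    if not ACCOUNT_RE.fullmatch(str(e.get("account", ""))):
        errs.append("account: must be 8 digits")
    try:
        amt = Decimal(str(e.get("amount")))
        if amt <= 0 or amt != amt.quantize(Decimal("0.01")) or amt > MAX_AMOUNT:
            errs.append("amount: must be positive, at most 2 decimals and within limit")
    except InvalidOperation:
        errs.append("amount: not a number")
    if e.get("side") not in ("D", "C"):
        errs.append("side: must be D (debit) or C (credit)")
    try:
        if date.fromisoformat(str(e.get("value_date"))) > today:
            errs.append("value_date: cannot be in the future")
    except ValueError:
        errs.append("value_date: invalid date")
    # Manual override control: an override needs an approver who is not the maker.
    if e.get("override") and e.get("approved_by") in (None, "", e.get("maker")):
        errs.append("override: requires approval by someone other than the maker")
    return errs


def validate_batch(batch: list, today: date) -> dict:
    """Batch-level consistency on top of per-entry checks: unique ids and, once every
    line is clean, debits must equal credits (double-entry check)."""
    findings = {}
    for e in batch:
        errs = validate_entry(e, today)
        if errs:
            findings[e["id"]] = errs
    batch_errs = []
    ids = [e["id"] for e in batch]
    if len(ids) != len(set(ids)):
        batch_errs.append("duplicate entry ids")
    if not findings:
        debit = sum((Decimal(str(e["amount"])) for e in batch if e["side"] == "D"), Decimal(0))
        credit = sum((Decimal(str(e["amount"])) for e in batch if e["side"] == "C"), Decimal(0))
        if debit != credit:
            batch_errs.append(f"debits {debit} do not equal credits {credit}")
    if batch_errs:
        findings["batch"] = batch_errs
    return {"accepted": not findings, "findings": findings}


# Constructed vouchers (not real transactions).
CLEAN_BATCH = [
    {"id": "V1", "account": "22567843", "side": "D", "amount": "10000.00", "value_date": "2024-05-06", "maker": "12345AB"},
    {"id": "V2", "account": "30011122", "side": "C", "amount": "10000.00", "value_date": "2024-05-06", "maker": "12345AB"},
]
UNBALANCED_BATCH = [dict(CLEAN_BATCH[0]), dict(CLEAN_BATCH[1], amount="9000.00")]
BAD_BATCH = [
    {"id": "V1", "account": "2256784", "side": "D", "amount": "10000.005", "value_date": "2024-05-09", "maker": "12345AB"},
    {"id": "V2", "account": "30011122", "side": "C", "amount": "9000.00", "value_date": "2024-05-06",
     "maker": "12345AB", "override": True, "approved_by": "12345AB"},
]


if __name__ == "__main__":
    for name, batch in (("clean", CLEAN_BATCH), ("unbalanced", UNBALANCED_BATCH), ("bad", BAD_BATCH)):
        print(name, validate_batch(batch, TODAY))
```

Amounts are handled as `Decimal`, never as floats, so that the debit/credit comparison is exact; the batch check runs only after every line has passed, which keeps the two kinds of finding (malformed input versus inconsistent data) distinct in the report.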
• Testing Phase: The modifications, enhancements and installation or
implementation of new systems should be subject to “Module Test”,
“Integration Test” and “Acceptance Test” by the appropriate users prior to
installation into production.
• Auditing Phase: The new system has to be audited. Deployment of the same
should be done after compliance of all audit identified irregularities.

• Implementation Phase: Before the implementation of a new system,
standard operating procedures including the security controls need to be
prepared.

• Operations/ Maintenance Phase: The requisite procedures for operational
tasks should be documented and updated regularly. Access to this system
documentation shall be restricted. Access rights are to be reviewed periodically.

• Disposition Phase: Disposal or re-use of systems shall be in accordance with
its classification. While disposing of the assets, the provisions of the “E-waste
Management & Handling Rules, 2011” notified by the Central Government on May
1, 2012 and thereafter must be adhered to.

 Control of Operational Software: An audit log of all updates to operational
programs is to be maintained. All previous versions should be retained for
contingency / roll-back purposes.

Source code of all versions of the software should be kept in a secure library.

Appropriate controls with respect to management of software & the software
library, such as segregation of duty, should be ensured.

 Protection of System Test Data: Separate authorization should be obtained
every time operational data is used for testing.

 Technical Review of applications after Operating System Changes: The
OS should be periodically updated with the new release of patches from the
vendors. All such changes to the OS should be tested in a testing environment
to ensure that there is no adverse impact on the security of the applications
running on that system.

 Restriction on Changes to Software Packages: Wherever feasible, vendor
supplied software packages should not be modified. If changes are essential
then the original software shall be retained and the changes shall be applied to
a clearly identified copy. While executing the changes, care should be taken to
avoid compromising the built-in controls or the protection of log
information.

 Administrator and operator logs: Administrator and operator logs should
be reviewed regularly.
 System Acceptance Parameter:
a) System acceptance parameters may include a formal certification and
accreditation process to verify that the security requirements have been
properly addressed.
b) Either the developer should be CMMI level 3 certified or else a CMMI level 5
company may certify that the software complies with the security requirements.

Exception may be permitted by an official not less than the level of Executive Director.

Application / Data migration: Data/ Application owner should ensure integrity and
security during the entire process of migration.

Operating System Security :

i) Security Controls: Access to the Operating System needs to be designed in a
way that restricts access rights on a need-to-do basis.
ii) Restrictions on changes to software packages: Any change should follow
the defined Change Management procedure.
iii) Administrator and operator logs: Administrator and operator actions on all
infrastructure & production systems / equipment should be logged and
protected against change.
-05 13

Database Security:

A proper authentication mechanism should be put in place for granting access to the
databases. Direct access to database should not be allowed. In case of requirements,
GM-IT would be the competent authority to provide exception on business
justification. The business owner has to maintain proper logs, initial and final (after
change) view of Database as a compensatory control and put up to DGM-IT.

Privacy of Information:
The Bank is custodian of customer information which may include his / her sensitive
personal information. (Sensitive personal information includes password, bank
account or credit card or debit card or other payment instrument details). Bank takes
reasonable care to protect information of the customer including customer account
data and other information as captured by the information systems from time to time.
The databases are kept separate from the other systems using logical and physical
separation. Any information entrusted by the customer to the bank and also as
collected and logged / captured by network devices and analytic tools is kept
confidential. It is not disclosed to any other person. However, Bank reserves the right
to disclose the information to legal and regulatory authorities if required.

Application Security:
• The applications need to be developed by using a formal Software Development
Life Cycle (SDLC). The security controls should be defined in the application at
the design stage itself. In case of acquired / purchased applications, the
application should be tested for IT General Controls as well as specific controls
before the same is migrated into production environment.
• Before moving into production, the application should be checked for any
vulnerability using appropriate tools. Before moving into production the
application should be audited as per the IT audit policy of the Bank. All
application systems need to have audit trails along with log monitoring
capability. The audit trails need to be stored for a period as stipulated in the
Record Maintenance Policy of the Bank.

Web Server Security :

All PNB’s Web pages, whether hosted on PNB servers or external Web servers, need to
be established, maintained and administered in a secure environment.

i) Controls for ensuring a secure Web Server:

a) Web servers should be restricted properly so that traffic between the internet and
the web server is isolated from the internal network.
b) The integrity of electronically published information should be secured against
unauthorized modification. A proper authorization process is followed before any
information is made public.
c) Minimum 256 bit SSL is used to secure browser to web server communication and
also to ensure server authentication.

ii) Web Site Development Standard:

The following information should be placed on the home page of the Web sites:
a) Necessary Disclaimer b) Terms of Use and Privacy Policy
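One way to check a web server against the controls under (i) above, in particular c), as an added example in Python that is not PNB's tooling or the Bank's own configuration. It assumes TLS 1.2 as the protocol floor (the guideline states only the 256-bit requirement), reads "256 bit" as the symmetric cipher strength that Python's SSLSocket.cipher() reports, and treats a verified server certificate as the evidence of server authentication. The cipher tuples used for testing are constructed.

```python
"""Check a TLS session against the web-server guideline above.

Added example; not PNB's tooling. Assumptions: TLS 1.2 is the protocol floor
(the guideline states only the 256-bit requirement), and "bits" is the cipher
strength reported by SSLSocket.cipher().
"""
import socket
import ssl

MIN_STRENGTH_BITS = 256                  # from the guideline: "Minimum 256 bit SSL"
MIN_PROTOCOL = ssl.TLSVersion.TLSv1_2    # assumption: anything older is non-compliant

# Map the protocol string returned by SSLSocket.cipher() to a comparable version.
_PROTOCOL_BY_NAME = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def assess_session(cipher, cert_verified):
    """Evaluate one negotiated session.

    cipher is the (name, protocol, bits) tuple that SSLSocket.cipher() returns;
    cert_verified says whether the server certificate and hostname were checked,
    which is what "ensure server authentication" in the guideline requires.
    Returns (compliant, findings).
    """
    name, protocol, bits = cipher
    findings = []
    version = _PROTOCOL_BY_NAME.get(protocol)
    if version is None or version < MIN_PROTOCOL:
        findings.append(f"protocol {protocol} is below the {MIN_PROTOCOL.name} floor")
    if bits < MIN_STRENGTH_BITS:
        findings.append(f"cipher {name} gives {bits} bits; policy requires {MIN_STRENGTH_BITS}")
    if not cert_verified:
        findings.append("server certificate not verified; server authentication not ensured")
    return (not findings, findings)


def build_policy_context():
    """Client context that refuses what assess_session() would flag."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + hostname check by default
    ctx.minimum_version = MIN_PROTOCOL
    # TLS 1.2 suites limited to 256-bit AES/ChaCha20 with ephemeral key exchange.
    # (TLS 1.3 suites are fixed by OpenSSL and are not affected by set_ciphers.)
    ctx.set_ciphers("ECDHE+AES256:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def check_endpoint(host, port=443):
    """Live check of a real web server; not exercised offline."""
    ctx = build_policy_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # The handshake succeeded under a verifying context, so the
            # certificate and hostname were checked.
            return assess_session(tls.cipher(), cert_verified=True)
```

assess_session() can be run offline on values copied from a scanner or a captured handshake; check_endpoint() performs a live connection and will raise on a server that does not meet the context's floor, which is itself a finding.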

Sharing of Information Assets: Before sharing Bank’s information assets with
third parties & outside organizations, a risk assessment should be undertaken and
appropriate controls should be put in place to ensure compliance with Bank’s
Information Security policy.

Use of Authorized software: Only authorized and licensed software should be used
in Bank. Freeware/ Shareware is to be used only after approval of General Manager -
IT.

INCIDENT MANAGEMENT
The term “Incident” means any irregular or adverse event, which occurs on any part
of PNB information systems. Incident management is required to minimize the
damage from security incidents, hence certain guidelines are required to be followed
which are as below:

During an incident, the information regarding the incident is to be collected and
analyzed, apart from recovering from the incident and avoiding the same in future.
Incident management must cover different types of potential security incidents such as:
• Theft of / damage to computer hardware equipment and communication
network
• Loss of Id/ access cards
• Abusive usage of bank assets
• Information system failures and loss of service
• Illegal access to a system/ Breaches of confidentiality
• Deliberate denial of service
• Virus and Worm incidents
• Errors resulting from incomplete or inaccurate business data or inaccurate
processing of data
• Crippled internal network etc.
• Incidents occurring on a system or network that could put the bank’s network/
critical systems or a combination of them at risk.

Awareness should be created amongst all employees, contractors and third party staff
to report suspected security weaknesses quickly.

Incident Classification & Handling :


i) The various incidents should be classified into Major, Minor and Ignorable based
on the severity of the impact caused by the incidents.
ii) Incidents should be escalated to the asset/ functionality owners as per the
escalation matrix defined.
iii) Action to correct and recover from incidents and system failures should be
controlled and documented at the earliest for ensuring Business integrity.
iv) Audit trails and similar evidence must be collected and secured, for:
• Internal problem analysis and Use as evidence in relation to a potential breach
of contract or in the event of civil or criminal proceedings e.g. IT Act.
• Negotiating for compensation from software and service suppliers.
• Settlement of Insurance claims, wherever applicable.
• Root cause analysis of the incident should be done to avoid re-occurrence of the
incident.
• Corrective actions should be taken to minimize the impact of incidents or
reduce chances of recurrence.
Incident Reporting :
a) Users should report incidents through designated channels.
b) A record must be kept for all security incidents, which are under investigation.
c) The procedure for collection and safeguarding of evidence should be defined and
documented for purpose of disciplinary action within the organization as well as to
ensure their admissibility in the court.
d) For reporting Cyber Security incidents, concerned officials should follow the process
as mentioned in Cyber Security Policy and Cyber Crisis Management Plan (CCMP) of
the Bank.

Incident Handling & Roles of Persons at Different Level:

All major & minor type incidents should be reported as quickly as possible to the
concerned authority in accordance with the reporting structure mentioned in the
Incident Management Procedure.

Roles and Responsibilities as mentioned in the Incident Management Procedure
should be followed by:
• Incumbent In-charge/ Functional Manager, CrISO (Circle Information Security
Officer), ZISO (Zonal Information Security Officer), CISO (Chief Information
Security Officer)

Learning from Incidents:
a) A follow-up analysis of the incident should be performed after an incident has been
fully handled and restored to normal to avoid further occurrence of the incident.
b) A security incident report and Post Incident Report should be prepared and
distributed in SIRT (Security Incident Response Monitoring Team) for advice and
action.
c) The information gained from the evaluation of incidents should be used to identify
recurring or high impact incidents.

Security Operations Centre:

In the SOC, a SIEM (Security Information and Event Management) solution should be
used for monitoring and analyzing logs of different types of systems, devices and
security application events such as system logs, firewall activity, Intrusion Prevention
System (IPS) activity, antivirus activity, individual vulnerabilities, etc.
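The kind of correlation a SIEM performs over such logs, as an added example that is not the Bank's SOC configuration: two detection rules run over constructed authentication and firewall log lines, and each alert is tagged with the Major/Minor classes from Incident Classification above. The log layout, hosts and addresses are all constructed.

```python
"""Two SIEM-style correlation rules over constructed log lines.

Added example, not the Bank's SOC configuration. Log format, hosts and
addresses are constructed; severities reuse the Major/Minor classes from
Incident Classification above.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (syslog-like; not real bank logs).
SAMPLE_LOGS = """\
2024-05-06T10:00:01 authsvc login_failed user=ops1 src=10.8.1.20
2024-05-06T10:00:03 authsvc login_failed user=ops1 src=10.8.1.20
2024-05-06T10:00:05 authsvc login_failed user=ops1 src=10.8.1.20
2024-05-06T10:00:07 authsvc login_failed user=ops1 src=10.8.1.20
2024-05-06T10:00:09 authsvc login_failed user=ops1 src=10.8.1.20
2024-05-06T10:00:12 authsvc login_ok user=ops1 src=10.8.1.20
2024-05-06T10:01:00 authsvc login_failed user=clerk7 src=10.8.2.5
2024-05-06T10:02:00 authsvc login_ok user=clerk7 src=10.8.2.5
2024-05-06T10:03:00 fw deny src=172.16.9.9 dst=10.8.5.1 dport=22
2024-05-06T10:03:01 fw deny src=172.16.9.9 dst=10.8.5.1 dport=23
2024-05-06T10:03:02 fw deny src=172.16.9.9 dst=10.8.5.1 dport=80
2024-05-06T10:03:03 fw deny src=172.16.9.9 dst=10.8.5.1 dport=443
2024-05-06T10:03:04 fw deny src=172.16.9.9 dst=10.8.5.1 dport=3389
2024-05-06T10:04:00 fw deny src=10.8.7.7 dst=10.8.5.1 dport=445
2024-05-06T10:05:00 av detected host=WS-EXAMPLE-01 threat=EICAR-Test-File action=quarantined
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one line into a dict; returns None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"], "event": m["event"]}
    ev.update(KV_RE.findall(m["rest"]))      # key=value fields after the event name
    return ev


def parse_logs(text):
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Major: a login succeeds after >= threshold failures from the same source
    for the same user inside the window (password guessing that worked)."""
    alerts = []
    failures = defaultdict(list)          # (src, user) -> failure timestamps
    for ev in events:
        if ev["source"] != "authsvc":
            continue
        key = (ev["src"], ev["user"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["event"] == "login_failed":
            recent.append(ev["ts"])
        elif ev["event"] == "login_ok" and len(recent) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "severity": "Major",
                           "src": ev["src"], "user": ev["user"],
                           "failures": len(recent), "ts": ev["ts"]})
            recent = []                    # reset so one burst yields one alert
        failures[key] = recent
    return alerts


def detect_port_scan(events, distinct_ports=5, window=timedelta(seconds=60)):
    """Minor: one source denied on >= distinct_ports different ports in the window."""
    alerts, fired = [], set()
    denies = defaultdict(list)            # src -> [(ts, dport)]
    for ev in events:
        if ev["source"] != "fw" or ev["event"] != "deny":
            continue
        src = ev["src"]
        kept = [(t, p) for t, p in denies[src] if ev["ts"] - t <= window]
        kept.append((ev["ts"], ev["dport"]))
        denies[src] = kept
        ports = {p for _, p in kept}
        if len(ports) >= distinct_ports and src not in fired:
            fired.add(src)                 # alert once per source per burst
            alerts.append({"rule": "port_scan", "severity": "Minor", "src": src,
                           "ports": sorted(ports, key=int), "ts": ev["ts"]})
    return alerts


def run_rules(text):
    events = parse_logs(text)
    return detect_bruteforce(events) + detect_port_scan(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS):
        print(alert["severity"], alert["rule"], alert["src"])
```

The single failed login by clerk7 stays below the threshold and produces nothing, which is the point of correlating over a window rather than alerting on every failure; the antivirus line is parsed but left to a rule of its own.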

INTERNET SECURITY

Internet is the source of Knowledge and Data sharing and at the same time is the
source of many vulnerabilities. To protect the Bank against such vulnerabilities, it is of
utmost importance to ensure that any internet access by bank’s users/ third party is
through bank’s network in a secure manner. Certain guidelines are to be followed for
protecting Bank’s IT Assets from the vulnerabilities of Internet and they are available
subsequently.
1. Access to Internet:
• PNB provides the Bank officials/ Servers Internet access and access to bank’s
own server on need to know basis and with the appropriate access only after
formal approval from the competent authority.
• The access to Internet to the bank officials should be provided through Bank’s
infrastructure.
• Limited Internet access will be given to third party after formal approval from
the competent authority.

2. Authorized and Unauthorized use of Internet :


Internet usage should be restricted to serve approved business requirements.

3. Web Site Blocking :

Internal users should be blocked from accessing websites that are deemed
inappropriate and restricted by blacklisting and whitelisting of the websites through
the Proxy server as per business needs.

E-MAIL SECURITY
E-Mail is one of the fastest modes of communication in today’s advanced world.
However, E-Mail is also a source through which miscreants penetrate the information
security system of any organisation. In order to protect the information transmitted
through E-Mail, certain guidelines are required to be followed which are available
subsequently.

The Email id creation/ deletion should be undertaken after approval from the
competent authority. The E-Mail facility should be used for Authorized purpose only as
specified in the E mail Security Policy of IT Division, Head office.

Security Features:
• Users are prohibited from sending restricted Information or data via e-mail.
• For sending business data, encryption and message authentication should be
used.
• Bulk mailing should be available as a service only under exception.
• All Incoming/Outgoing Emails should be scanned for viruses and other malicious
content.
• User login and logouts should be logged and Server Logs will be reviewed
periodically and relevant action will be taken based on the finding.
• All e-mails sent outside pnb.co.in domain should carry an automatic standard
footer banner including an approved disclaimer.

COMPLIANCE, ASSET LABELLING and DATA PURGING

COMPLIANCE: The objective of ensuring compliance is to avoid breach of any
criminal and civil law and statutory, regulatory or contractual requirements. All
employees should be aware of the legal aspects of using information systems and
their responsibilities for ensuring compliance with the same.

ASSET LABELLING: It must be ensured that all the IT Assets are labeled under the
following scheme:
• PNB/Office/ (Division Name or Department Name or Location)/ Item Code/
Serial Number.
• Assets inventory list to be maintained either physically or digitally and updated
regularly

DATA PURGING:

• To meet legal requirements, the organization might need to retain data for a
certain length of time. The organization might also want to retain data for a certain
time period for its own business requirements. The organization can control when
the data can be purged from the system as long as the boundaries enforced by
the legal requirements aren't affected.

• By purging the data that's no longer needed to meet legal and business
requirements, the organization can improve the overall daily performance of its
server systems and more precisely estimate future storage and server needs.
Thus, Return on Infrastructure (ROI) will improve for existing hardware,
maintenance, and future hardware requisitions.
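How a purge job can respect the legal boundary described above, as an added example that is not the Bank's Record Maintenance Policy or its purge tooling: each record carries a category with a retention period and an optional legal hold, and a record is purged only when its period has elapsed and no hold applies. The retention periods, record categories and sample records are constructed placeholders.

```python
"""Retention-aware purge planning, as an added example.

Not the Bank's Record Maintenance Policy: the retention periods below are
constructed placeholders, as are the sample records. A record is purged only
when its retention period has elapsed and no legal hold applies; records with
an unknown category are retained until classified.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention periods per record category (days).
RETENTION_DAYS = {
    "transaction_log": 10 * 365,
    "audit_trail": 8 * 365,
    "session_log": 180,
    "temp_report": 30,
}

AS_OF = date(2024, 5, 6)         # constructed "today" for the sample run


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False     # set when a case or regulator requires retention


def purge_eligible(record, today, retention=RETENTION_DAYS):
    """Return (eligible, reason). A legal hold overrides elapsed retention."""
    if record.legal_hold:
        return False, "legal hold in force"
    days = retention.get(record.category)
    if days is None:
        # Fail closed: never delete what has not been classified.
        return False, f"unknown category '{record.category}': retain until classified"
    expiry = record.created + timedelta(days=days)
    if today < expiry:
        return False, f"retain until {expiry.isoformat()}"
    return True, f"{days}-day retention elapsed on {expiry.isoformat()}"


def plan_purge(records, today):
    """Split records into (purge, keep) lists of (record_id, reason)."""
    purge, keep = [], []
    for rec in records:
        eligible, reason = purge_eligible(rec, today)
        (purge if eligible else keep).append((rec.record_id, reason))
    return purge, keep


# Constructed sample inventory of stored records.
SAMPLE_RECORDS = [
    Record("R1", "temp_report", date(2024, 3, 1)),
    Record("R2", "session_log", date(2023, 12, 1)),
    Record("R3", "transaction_log", date(2010, 1, 1)),
    Record("R4", "audit_trail", date(2012, 1, 1), legal_hold=True),
    Record("R5", "misc_export", date(2015, 1, 1)),
]

if __name__ == "__main__":
    purge, keep = plan_purge(SAMPLE_RECORDS, AS_OF)
    print("purge:", purge)
    print("keep:", keep)
```

The reasons returned with each decision are meant to be written to the purge job's own log, so that the deletion of a record can later be shown to have been within the retention boundary.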

WEB SERVER, COMPUTING ENVIRONMENT MANAGEMENT

WEB SERVER:
A Web Server is a computer program that delivers content or services to end users
over the Internet. Since web servers are open to public access they can be subjected
to attempts by hackers to compromise the server. Hence, it is of utmost importance
to maintain the Web Security of the Bank. Guidelines related to Web Security:

• All PNB’s Web pages, whether hosted on PNB servers or external Web servers,
will be established, maintained and administered in a secure environment.
• Any Department of PNB will have to seek permission of CGM ITD (GM in
absence of CGM) for creating website for its activities / information whether
hosted internally or with some web hosting service provider.
• While commissioning a website, the relevant guidelines of Govt of India or its
various ministries like, Ministry of Information Technology, Ministry of Finance,
Ministry of Home Affairs, Company Law department, etc., are to be followed.
• Care should be taken that the instructions of regulators like Reserve bank of
India, Securities Exchange Board of India, NCIIPC or Cert-In are followed.

COMPUTING ENVIRONMENT MANAGEMENT:

The latest Security and Operating System Patches are implemented on the concerned
systems and devices as per the Patch Management Procedure.

CRYPTOGRAPHY & SECURE CODING

CRYPTOGRAPHY:

Cryptographic controls are to be used for the protection of the confidentiality,
authenticity and integrity of information that is considered at risk or for which other
security controls do not provide adequate protection. Confidentiality, integrity &
authenticity of business critical information during its transmission over un-trusted
networks should be maintained, and legal and regulatory requirements of
cryptographic controls should be complied with.
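The integrity and authenticity controls named here, and the "message authentication" called for under E-Mail Security above, as an added example using only the Python standard library; it is not the Bank's e-mail gateway or its cryptographic implementation. An HMAC-SHA256 tag is computed over a canonical serialisation of both header and body, so that changing the sender or timestamp is detected as readily as changing the text. Confidentiality is the separate encryption step the guideline also requires; the standard library offers no cipher for it, so this block covers authenticity and integrity only. The key, sender name and message text are constructed.

```python
"""Message authentication for data sent over an untrusted channel.

Added example using only the Python standard library; it is not the Bank's
e-mail gateway or cryptographic implementation. It covers integrity and
authenticity (HMAC-SHA256 over header and body); confidentiality needs a
separate encryption step, which the standard library does not provide.
Key, sender and message text are constructed.
"""
import hashlib
import hmac
import json
import secrets

ALG = "HMAC-SHA256"


def new_shared_key():
    """256-bit key shared out-of-band between sender and receiver."""
    return secrets.token_bytes(32)


def _canonical(header, body):
    # Fixed serialisation so sender and receiver MAC exactly the same bytes.
    return json.dumps({"header": header, "body": body},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(header, body, key):
    """Attach a tag that binds the header (sender, timestamp) and the body."""
    tag = hmac.new(key, _canonical(header, body), hashlib.sha256).hexdigest()
    return {"header": header, "body": body, "alg": ALG, "tag": tag}


def verify(envelope, key):
    """True only if nothing in header or body changed and the key matches."""
    if envelope.get("alg") != ALG:          # refuse algorithm downgrade
        return False
    expected = hmac.new(key, _canonical(envelope["header"], envelope["body"]),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(expected, envelope["tag"])


def demo():
    """Constructed exchange: one genuine message and three manipulated copies."""
    key = new_shared_key()
    env = protect({"from": "branch-ops", "ts": "2024-05-06T10:00:00"},
                  "Approve vendor payment ref CONSTRUCTED-001", key)
    tampered_body = dict(env, body="Approve vendor payment ref CONSTRUCTED-002")
    tampered_header = dict(env, header={"from": "branch-ops",
                                        "ts": "2024-05-07T10:00:00"})
    return {
        "genuine": verify(env, key),
        "tampered_body": verify(tampered_body, key),
        "tampered_header": verify(tampered_header, key),
        "wrong_key": verify(env, new_shared_key()),
    }
```

Binding the timestamp into the tag is what lets the receiver reject a replayed envelope whose timestamp falls outside its acceptance window; with a body-only tag the header could be rewritten freely.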

SECURE CODING:

Generally, it is much less expensive to build secure software than to correct security
issues after the software package has been completed, not to mention the costs that
may be associated with a possible security breach. This goal is accomplished through
the implementation of security controls while coding.


***********************************************
Compiled by: Faculty, Staff Training Centre: Faridabad
