Introduction

ØCyber security vs Information Security

ØWhich model of information security are we moving towards?

ØBasic tenets

ØWho is it applicable to?

ØWho is the owner of the document and who can give exceptions?

Objectives of IS Policy

ØMeet the Confidentiality, Integrity and Availability(CIA)  of the Bank’s information assets as per the levels of requirements.

ØSecure information systems and services against cyber risks through appropriate security controls and vulnerability management programs

ØComply with legal and contractual requirements.

Øcreate adequate information security awareness among all employees

Information assets

ØApplications and IT Infrastructure, viz., data centres, wide area networks, local area networks, internet leased lines, security infrastructure, and end points that are hosted/managed/governed and are used/owned/provided by the Bank

ØAll data/information received, accessed, processed, stored, retrieved or communicated electronically in all formats including but not limited to documents, textual, numeric, audio, images and videos

Information security strategy

Organisational and reporting structure

ØIT Sub Committee of the Board - primary driver for the advancements of IT systems in the Bank

ØAudit and Risk Management Sub-committee of the Board (ARMS) - deliberates on the various risks being faced by Bank, mainly pointed out by audit conducted by Inspection Department and provides necessary guidance in risk mitigation

ØRisk Monitoring Committee (RMC) - Deputy Governor in charge of Risk Monitoring Department

Organisational and reporting structure

ØInformation Security Steering Committee (ISSC): For Protected Systems - chairmanship of Executive Director of Risk Monitoring Department.

ØRegional Office Security Group (RSG)/ Central Office Department Security Group (CODSG)  -  smooth implementation of the IS policy across ROs and CODs respectively

Access control

nAccess to information and information systems shall be granted on a need-to have basis only

nMaintain logs and review to detect unauthorized access

nUser access provisioning - formal user registration and deregistration procedure

Access control

nReview of user access rights – at least quarterly

nManagement of generic user accounts - Appropriate procedure shall be implemented for using generic user accounts to implement the operational or functional requirements in a safe and accountable manner

Access control

nManagement of secret authentication information of users - passwords, user ids, pins, OTPs shall be generated, stored, transmitted and used in safe and appropriate manner, use best practices

nContent management and security - content-checking mechanism needed – eg ekp

nSecure log-on procedures - VPN shall be established for remote access, prudent practices by employees for passwords, user ids, secret keys and other access tokens

Information security assets

ØAssets: Information assets; Physical Assets and Technology Infrastructure

ØInformation assets include Business documents, applications, infrastructure components, services and systems

ØClassification: Based on criticality and sensitivity

ØInformation Classification: Secret, Confidential, Internal and Public

Operations Security

nUse of open-source software - may be considered without compromising on the information security aspects in consultation with DIT, CO

nSoftware installation by end-user  - 10.13 - Bank’s employee and non-employee users shall be responsible for ensuring that only the software authorized by DIT, CO are installed on their systems

Operations security

nVulnerability management - periodic threat analysis and reports by CISO office

nAnti-virus – put to use only after installation, keep it updated

nBusiness Continuity – RTO and RPO

Operations security

nRTO: Recovery Time Objective - duration of time in which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in business continuity.

nRPO is Recovery Point Objective - often defined as the maximum targeted period in which data might be lost from a disaster. How frequently you take backups

Operations security

nSystem Administrator - application and network administration roles, wherever required, with the specific documented approval of HOD/RD, after considering the risks and role-conflict involved

Cryptography

nCryptographic controls – using digital signatures, SSL certificates, authentication tokens, dual factor authentication, document and system encryption

nSecure key management - key generation, distribution, revocation and storage

nPhysical security of the endpoint computing equipment - 12.11 - Loss of Laptop and other moveable information assets and systems including but not limited to mobile devices (owned by the Bank) should be reported immediately to the Bank, File FIR

Network and communication security

n13.12- Utilise the network and system facilities for official purpose only.

n13.13- Connectivity of desktops, laptops etc. to unauthorised/private networks is not permitted.

n13.18- Only the officially provided internet services shall be used on the internal devices

Network and communication policy

n13.19- Storage of sensitive official information in private/free cloud facilities is not permitted.

n13.22- Posting of content on social media platforms on behalf of the Bank is permitted only after proper approvals.

n13.28- All official electronic communication with internal and external parties will be done through official channels.

Network and communication policy

n13.29- Email communication should be used only for official purposes.

n13.30- Encrypt the sensitive emails and its attachments before sending it.

n13.31- Email system shall not to be used for the creation or distribution of any offensive messages.

n13.38- Access Bank’s information systems from internet only using the laptops/devices issued officially to them by the Bank.

Information security incident management

n16.04- Report suspected, actual or near miss information security incidents to appropriate authorities.

Compliance

n17.04-All staff and external vendors/contractors should comply with the Bank’s IS Policy.

n17.16- Any violation of IS policies will be dealt as per RBI (Staff) Regulations, 1948 and any other extant procedures of the Bank.

"Use your password like your toothbrush. Dont give it to anyone. Keep changing it regularly"