SBH IT & IS Security Policy (V3)


IT Policy and IS Security Policy

Information Technology Policy & Information Systems Security Policy
(Version 3.0)

CONFIDENTIAL

Document Distribution

The GM heading the Risk Management Function is the owner of this document. The primary recipients of this document are the members of the Managing Committee.

Document Confidentiality

This document is confidential and intended only for the internal use of State Bank of Hyderabad. Primary recipients can circulate this document to controllers/ department heads/ branch managers of the bank within their jurisdiction.

The recipient should ensure that this document is not reproduced or circulated to external entities without prior approval of the document owner or the primary recipients of this document.

Policy Framework

Introduction

Access to, confidence in, and reliability of information are integral to our business processes and critical to the success of our mission. Our bank is progressively becoming more dependent upon information systems, both for its normal day-to-day business activities and for the development and delivery of new products and services. It is therefore essential for the continued successful operation of the bank that the availability, integrity and confidentiality of its information systems and associated data are maintained, in a cost-effective manner and at a level that is appropriate to its business. The need for such protection arises because information systems are potentially vulnerable to two main categories of unwanted events, or threats: accidental threats (human error, equipment failure, natural hazards) and deliberate or malicious threats (fraud, sabotage, vandalism, theft). There is also the threat of legal action if information systems are misused, of which the bank and its employees should be aware.

The bank's IT Policy and IS Security Policy are aimed at enhancing its ability to collect, store, transmit and process information electronically and at assuring the confidentiality, integrity and availability of the bank's information systems at all times.

Policy Objectives

There are five main policy objectives:

To ensure that information and information systems are available to authorized users as per business needs, and that information systems are used in an effective and efficient manner to promote the bank's mission.

To ensure that all of the bank's information assets, including data, intellectual property, computer systems and IT equipment, are adequately and consistently protected from damage, inappropriate alteration, loss, and unauthorized use or access. The level of protection should be commensurate with the level of information services required by the bank to conduct its business.

To meet all regulatory and statutory requirements pertaining to information collection, storage, processing, transmittal and disclosure that are applicable to the bank.

To create within the bank a level of awareness on information security as part of the day to day operations of the bank and to ensure that all employees understand their responsibilities for maintaining information security.

To establish detailed information security standards and procedures based on this policy and ensure compliance against such standards and procedures.

Scope

These policies are applicable to all locations of SBH within India including all IT assets, all information systems, all business processes supported by IT and all employees of the bank in India.

Responsibilities

The Board of SBH is responsible for approving the policies and approving any subsequent modification to the policies.

The General Manager heading the Risk Management function is responsible for ensuring that policies are current, reflecting the requirements of the bank and for ensuring development of underlying standards, procedures and roles for managing security.

Chief General Manager and General Managers of the Bank are responsible for disseminating the policies and ensuring compliance with the policies.

Controllers/ Department Heads/ Branch Managers are responsible for enforcing the policies within their jurisdiction.

Inspection Department is responsible for auditing the level of compliance with the policies.

All employees of the bank have the responsibility to understand and adhere to the policies.

Standards & Procedures

The policies are supported by standards and procedures, which detail the technology-specific requirements and implementation process for complying with the policies. Specific Guidelines have also been prepared for some major applications, based on the Standards and Procedures and customised for the respective applications. On approval of the overall IT Policy and IS Security Policy, the Board-appointed Information Systems Security Standards Committee (ISSSC) is empowered to approve the Standards, Procedures and Guidelines for implementation. The policies will be applied in accordance with the Standards, Procedures and Guidelines approved by the ISSSC and disseminated by the Information Security Department (ISD), which will preferably be staffed by personnel with qualifications in information security such as CISA/ISA certification.

Compliance

The bank expects all employees to comply with the policies. Failure by any employee of the bank to abide by the policies may result in disciplinary action.

Exceptions

Approval for exceptions or deviations from the policies, wherever warranted, will be provided by the General Manager heading the Technology function.

Review

Policies will be formally reviewed by the Board annually. The review will evaluate the effectiveness of the policies and approve appropriate changes in the policies as required.

Date: 18.02.2012

INFORMATION TECHNOLOGY POLICY

Policy Statements

1 Software Development

All software developed or customized for use by the bank should follow a standard development process to ensure it meets functional, security and performance requirements. Adequate controls should be built into the software development process to address the risks to meeting the bank's functional and security requirements, to regulatory compliance, to timely completion and to meeting performance requirements.

2 IT Outsourcing

The risks associated with outsourcing of IT services, software development & business processes must be assessed and managed to an acceptable level and adequate controls should be built to ensure that business requirements of the bank are met by the outsourced vendor. All outsourcing contracts will detail security requirements and vendor should be able to demonstrate compliance with such requirements.

3 IT Procurement

The procurement process for IT hardware, software and services should ensure that procurement is carried out on the best possible terms of business benefit, quality and cost, in a transparent manner that makes economic and efficient use of the bank's resources. Information security requirements for the hardware, software and services being procured should be identified and included in the specifications during procurement. Major procurements should be evaluated to determine the extent of business benefits actually achieved.

4 SLA Management

Business critical IT services should have well defined service level agreements that specify performance requirements and establish accountability of service providers. Service levels should be monitored, recorded and reviewed against the defined performance requirements to ensure continuous availability of such services.

5 Third Party Access

Access by third parties to any IT asset must be strictly limited and controlled. An assessment of third party access risks must be made and controls appropriate to producing an acceptable level of residual risk should be put in place. Third party contracts should include specification of responsibilities and consequences for unauthorized access to information systems of the bank.

6 Data Centre Management

1 Data Centres will have adequate physical and logical protection for the IT assets housed within and secure processes must be followed for server deployment, administration and monitoring within the Data Centre.

2 Data Centre will have high availability to ensure continual and secure centralized access to all authorized users on their respective applications, through Central Data Centre (CDC) and Disaster Recovery Centre (DRC).

7 Configuration Management

The bank's systems should be configured for high security, reliability and stability, and all such configuration should be documented. Systems should follow standard naming conventions for efficient identification during configuration and problem resolution.

8 Change Management

Changes to existing IT assets including applications, servers and network devices should be performed in a controlled manner to ensure that the risks associated with such changes are managed to an acceptable level. Critical changes should be tested in non-production environment before deployment and ineffective changes should be rolled back.

9 Anti-Virus

All servers, desktops and access points to the bank's network must be protected against malicious code with antivirus software, and processes must ensure early detection, efficient containment and eradication of malicious code within the network of the bank.

10 Network Security Device Management

All critical applications should be protected by network security devices, viz. Firewall, VPN, IDS and IPS, from both external users and internal users of the bank. The network security devices should themselves be protected by secure configuration and management practices to ensure access and availability to authorized users/applications/processes only.

11 Incident Management

All security breaches or attempts to breach and all discovered security weaknesses in information systems must be reported. Incident management process must ensure that all reported security breaches or weaknesses are responded to promptly and action taken to prevent recurrence.

12 Email

Email application will be protected against risks of malicious code, spam and unauthorized access and should be managed to ensure high availability. Email accounts will be provided to users with business requirement after due authorization.

13 Backup

Data and software essential to the continued operations of the bank will be backed up and periodically tested for recovery. The security controls over the backup data and media should be stringent.

14 Disaster Recovery

Information systems that are critical to the bank's business should be planned for continuity of operations in the event of disasters. A Disaster Recovery Plan (DRP), which is part of the Business Continuity Plan, should be formulated, maintained, tested and updated for such systems. The Disaster Recovery Plan and recovery strategies should be derived from the Business Continuity Plan of the respective units. The plan should provide appropriate safeguards to minimize the risk, cost and duration of disruption to business processes caused by disasters.

15 Physical Security

All sites that house the bank's IT infrastructure and critical IT assets should be protected from unauthorized physical access and environmental threats. All physical access and movement of IT assets should be monitored and reviewed.

16 Acceptable Usage

IT assets of the bank are provided for business purposes, and authorized users should adhere to safe and acceptable usage practices that do not disrupt business or bring disrepute to the bank. Standards should be defined for safe and acceptable usage of assigned IT resources and privileges, including desktops, computer accounts, business applications and computer networks, for protection of information in physical or logical form, and for maintenance of Intellectual Property Rights by the users of information systems.

17 Personnel Security

All authorized users, including employees, vendors, contractors, third-party users etc. with access to information systems of the bank, should be made aware of their responsibilities in protecting those information systems. Authorized users should ensure adherence to their information security responsibilities, and any failure in this regard will entail appropriate action by the Bank. Access to information systems will be provided based on job responsibilities and revoked or modified with changes in such responsibilities.

18 Segregation of Duties

Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the bank's information system assets. This policy applies to SBH officials as well as all authorized users, including vendors and third-party service providers.

19 IT Media handling

Secure practices should be implemented for handling digital storage media throughout its lifecycle of acquisition, use, storage and disposal to prevent unauthorized disclosure of information stored on media.

20 IT Compliance

Bank should identify and assess the applicable legal requirements and regulatory directives issued from time to time, with respect to their IT operations supporting business initiatives. Bank should define specific procedures to comply with these requirements.

21 User Access and Password Management

Access to information and Information Systems including applications, operating systems, database, networking/security devices, should be provided to users only after proper identification and authentication. The allocation and use of privileges should be restricted and controlled. User access to information assets should be reviewed at regular intervals, to ensure that they are maintained in line with business requirements, and accounts which are no longer required should be disabled. Formal Procedures for User management should be documented and communicated by Application Owner.

22 Web Presence (Intranet & Internet) and Communications

The Bank should have its web presence through its own websites and social networking sites. A single domain name policy for its own websites should be adopted and implemented. The Bank should have website content management processes to ensure that the information published on websites is accurate, consistent and current. Employees holding social networking site user accounts should adhere to web browsing practices that do not bring the Bank into disrepute. The Bank should manage its IT resources to protect against incidents including website defacement, web identity theft and denial of service, and to ensure that the Bank's reputation is protected in all respects. The Bank shall manage CIA so that the Bank's reputation is protected at all times.

INFORMATION SYSTEMS SECURITY POLICY

Policy Statements

23 Application Security

Applications deployed in the bank will have controls for secure input, processing, storage and output of data. Applications must be tested for security and performance before deployment and should be managed for high availability. Access to application must be restricted to authorized persons and rights provided on the principle of least privilege.

24 Network Security

Computer networks of the bank will be segregated from external networks, and all connections to external networks, including the Internet, outsourced vendors and partners, will be authorized and provided in a secure manner. All remote access to the bank's network must be authenticated and provided based on business requirements. The network should be designed and maintained for security and high availability to meet the requirements of its users.

25 Operating System Security

The most secure implementation of the operating system should be selected at installation time and user access to operating system should be restricted and monitored. Operating system should be kept current against security patches released by the vendor.

26 Database Security

All database systems will be installed and configured to high security. Integrity and stability of databases must be maintained at all times. User access to database will be provided after authorization and authentication, based on job requirement.

27 Cryptographic Controls

Encryption should be used for the bank's sensitive information that is stored in systems, media or devices, or accessed or transmitted over external/untrusted networks. Transmission of sensitive and confidential data with external parties should be authenticated by use of electronic/digital certificates. Secure processes should be employed for key generation, distribution, revocation and storage wherever electronic/digital certificates are used. Management of critical servers or security devices should be done over a secure channel using encryption techniques.

28 Monitoring

All access to critical IT systems and applications and to the bank's network should be monitored for performance levels and for suspicious activities or security breaches, and an adequate response mechanism should be set up for controlling security breaches.

29 Risk Management

The bank shall identify, analyze and mitigate risks which affect the confidentiality, integrity and availability of information system assets.

30 Ethical Hacking

All critical IT resources including Applications, Databases, Operating Systems, Network & Security devices and architecture/design should be assessed and tested periodically for existing or newly discovered weaknesses by conducting Ethical Hacking/Security Testing including Vulnerability Assessments and internal & external Penetration Testing. The security testing activity should be performed by authorized officials or approved external consultants only. All discovered weaknesses should be reported and addressed appropriately within the specified timeline to mitigate the risks involved.

31 Data Protection

All identified data shall be protected in all phases of its life cycle including collection, processing, transmission, storage, exchange and retirement. Privacy of Personally Identified Information of the bank shall be ensured.

32 Website Development and Security

All websites of the Bank should be developed and hosted in a controlled and secure environment. All websites developed should be hosted as sub-domains of the Bank's official websites. IT infrastructure related to websites should be protected. Websites should be regularly monitored and checked for any vulnerability. All incidents related to websites should be handled as per the Incident Management Policy.

33 Wireless Security

Wireless networks, in both Local Area Network (LAN) and Wide Area Network (WAN) environments, should be configured and operated in a secure manner. Wireless network technology should be used in the Bank only after ensuring that all security requirements are met and approved by the Head of IT. The wireless network setup should have controls to ensure the confidentiality, integrity and availability of the information transmitted over the wireless network. Wireless networks should be protected against eavesdropping, man-in-the-middle attacks, data modification, resource misappropriation, denial of service etc. Wireless networks should be monitored to ensure continuous availability to authorized users only.

TWO NEW GUIDELINES

1 Internet Banking

Internet Banking is an on-line delivery channel for providing banking services to customers from remote environment through internet. Secure management of Internet Banking system should be ensured for continuity of Internet Banking services to customers. Confidentiality and integrity of customer data should be ensured with compliance of legal and regulatory requirements.

2 Mobile Banking

Mobile banking infrastructure should be adequately designed, managed and controlled such that the Confidentiality, Integrity, Authenticity, Non-Repudiation and Availability of mobile banking data are safeguarded during its entire lifecycle, as per the regulatory guideline on the subject. Risks present in the mobile banking network infrastructure should be identified, and appropriate mitigation controls should be put in place by the bank wherever applicable.

Glossary of Terms

Abbreviations

IT: Information Technology

IS: Information Systems

SBH: State Bank of Hyderabad, also referred to as the bank

Policies: Refers to policies, standards and procedures or guidelines as applicable

CIA: Confidentiality, Integrity & Availability

CDC: Central Data Centre

DRP: Disaster Recovery Plan

IDS: Intrusion Detection System

IPS: Intrusion Prevention System

VPN: Virtual Private Network

DRC: Disaster Recovery Centre

IPR: Intellectual Property Rights

ISD: Information Security Department

ITSD: Information Technology Security Department

ISSSC: Information Systems Security Standards Committee

LAN: Local Area Network

NDA: Non Disclosure Agreement

SLA: Service Level Agreement

WAN: Wide Area Network

Definitions

Authentication: To verify the identity of a user, device, or other entity in a system, often as a prerequisite to allowing access to resources in a system.

Availability: The ability to use or access IT resources by authorized users as required. The property relates to the concern that information systems are accessible when needed and without undue delay.

Branch: Includes IT processing centres like SOC, MICR, cheque processing centres etc.

Branch Manager: Denotes heads of branches irrespective of grade.

Business application: A software package designed to perform a specific set of functions that is relevant to business, such as accounting, transaction processing or communications.

Confidentiality: Ensuring that information is accessible only to those authorized to have access.

Digital certificate: The electronic equivalent of an ID card that authenticates the originator of an electronic message.

Environmental threats: Threats caused by the environment, including fire, humidity, dust or airborne particles, power fluctuations, temperature, flood, earthquake etc.

Firewall: Security software or hardware that sits between two networks and restricts data communication between the networks, thus protecting one network against threats from the other.

Functionality: Describes features of the IT asset that support the business processes.

Information security: Measures that protect information systems by ensuring their availability, integrity, and confidentiality.

Information systems: The entire IT assets, organization, personnel, and processes for the collection, processing, storage, transmission, display, dissemination, and disposition of information.

Integrity: The property that an information system has not been altered, destroyed or lost in an unauthorized or accidental manner.

IT asset: Any computerized system or component thereof; includes software, hardware, media, data, databases and associated communication networks.

IT Outsourcing: Provision of services by a third party under a contract of longer duration, including maintenance, development, implementation, management or data processing services, under the supervision of the bank.

IT services: The services provided by information systems to business users, including the maintenance and provisioning of applications, network and data processing.

Malicious code: Software that is intentionally included or inserted in a system for a harmful purpose; includes viruses, worms and Trojans.

Performance: Relates to how well a product or service meets the stated needs, including the functionality, capacity, quantity and quality of output.

Policy: The set of rules and management intent that prescribe how information systems are managed, protected and distributed within the bank.

Privilege: An authorization or set of authorizations provided on applications or networks that governs the level of access of the user.

Procedures: Detailed guidelines on how to implement the measures and who should be responsible for the implementation.

Regulatory requirement: Requirements prescribed by regulators of the bank - RBI, Government of India, SEBI etc.

Reliability: The extent to which a system can be expected to perform its intended function with the required precision.

Remote access: Dial-up access by users through a modem for access to the computer network.

Security breach: Bypassing of security controls, which could result in disclosure or damage of information systems.

Spam: To indiscriminately send unsolicited messages, especially commercial advertising, in large quantities.

Standards: Standards define the specific requirements for meeting the policy objectives and include both technical and non-technical measures.

Statutory requirement: Requirements mandated under the Banking Regulation Act, the State Bank of India (Subsidiary Banks) Act 1959 and other legislative acts or laws of the land.

Third Party: Visitors, on-site and off-site contractors, hardware and software vendors, repair personnel, technical support staff, ex-employees, temporary workers, cleaning and facilities maintenance crew etc.

Threat: Any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, or denial of service.

Trojan horse: A malicious program, such as a virus or a worm, hidden in an innocent-looking piece of software, usually for the purpose of unauthorized collection, alteration, or destruction of information.

Upgrade: The process of replacing a version of software or hardware with a newer product release designed to meet new requirements or generally improve performance.

User department: Refers to the department that is the user of an IT application and IT services.

User ID: Unique symbol or character string used by a system to recognize a specific user.

Vulnerability: A weakness in system security procedures, system design, implementation, internal controls, etc. that could be exploited to violate the system security policy.

Worm: An independent program that replicates complete copies of itself from machine to machine across network connections, often clogging networks and information systems as it spreads.
