National Bank for Agriculture and Rural Development
Dept. of Financial Inclusion & Banking Technology
Head Office: BKC, Bandra (E), Mumbai - 400 051
Tel.: +91 22 2653 0024 . Fax: +91 22 2653 0150
E-mail: dfibt@nabard.org . Website: www.nabard.org

Ref No. NB.DFIBT/ 5413-5814 / CBS-36 / 2014-15
Circular No. 49 / DFIBT-04 / 2015
30 March 2015

The Chairman and Managing Director / Chief Executive Officers
State Cooperative Banks
District Central Cooperative Banks

Madam / Dear Sir

Security measures in CBS environment - Credit Information Company Membership (CIC), Information Technology Policy (IT Policy), Information Security Policy (IS Policy), SMS Alerts Facility and FIU-IND Registration

The co-operative sector has migrated to the CBS platform, and the changed environment brings many requirements: banks now need to adopt an appropriate governance framework, technology management methodologies and fool-proof security mechanisms. RBI has issued instructions to banks for adopting security and risk mitigation measures, taking up membership of Credit Information Companies and introducing an SMS Alerts facility to customers on all financial transactions. A reference is also invited to NABARD Circular No. 160 / DoS-13 / 2011 dated 25 August 2011 (copy enclosed). RBI circular No. RBI/2014-15/435 dated 15 January 2015 requires that banks obtain membership of all four Credit Information Companies, viz. Credit Information Bureau (India) Limited, Equifax Credit Information Services Limited, Experian Credit Information Company of India Private Limited and CRIF High Mark Credit Services Private Limited, by 15 April 2015. Unfortunately, many of the banks under the co-operative structure are not complying with these three regulatory requirements, making them vulnerable in the new environment.

We therefore advise you to put in place an IT and IS Policy approved by the Board and an SMS alert facility for financial transactions without any further delay, but not later than 30 June 2015. Regarding becoming members of CICs, RBI has already given a timeline of 15 April 2015, which should be adhered to. Banks should also get themselves registered with FIU-IND for sending the necessary reports. Compliance with these requirements would also form part of the supervisory observations on the bank.

(Chief General Manager)


Enclosure

NB.DoS.HO.POL.CFMC / 1884 / P.80 / 2011-12
Circular No. 160 / DoS-13 / 2011
25 August 2011

1. The Chairman, All the Regional Rural Banks in the Country
2. The Managing Directors / Chief Executive Officers, All the State Cooperative Banks / Central Cooperative Banks in the Country

Dear Sir

Frauds in the computerised environment

1. As you are aware, the application of information technology has already been recognised as an effective tool for running systems efficiently and securely. It helps in creating new opportunities for the organisation and helps it move ahead of its competitors. At present, when all the RRBs in our country are set to become CBS compliant as on 30 September 2011, a few Cooperative Banks have also gone ahead in this direction. Although most of the Cooperative Banks have introduced computerisation for their front office operations, only a few have computerised their back office.

2. As banks are investing in technologies to ensure secure and efficient banking channels, it is necessary for them to adopt an appropriate governance framework, technology management methodologies and foolproof security mechanisms. However, it is observed that a majority of the Cooperative Banks and RRBs have not employed qualified computer personnel. They have not taken suitable steps for human resource development in the area of information technology by providing training to existing staff. There is a lack of awareness among staff of the security features available with the technology, especially maintaining the secrecy of passwords. There is a lack of awareness at management level regarding the adoption of technology, governance, risks, controls, etc. Some of the banks depend fully on service providers for managing the system without entering into a comprehensive agreement on the ethical aspects of the company and the personnel employed by it. Some of the banks have even allowed persons working for the computer agency to transact the entire operations of the bank.

3. In the past two years some incidents of cyber fraud have come to our notice. In one case, fraud was perpetrated by an employee of the service provider in collusion with some of the account holders, by making fraudulent credit entries in the SB accounts of the depositors, which were subsequently withdrawn by them. In another case, the BM in collusion with the service provider defrauded the bank. In one case, a junior officer misused the password of the BM and defrauded the bank.

4. Vulnerability in IT arises because the creation and authentication of financial transactions on a computer system is done electronically. Unless sufficient control and security features are incorporated in the computer system, fraudulent transactions can enter the system. Two basic principles on which such controls should be established are:
(i) the principle of least privilege: every individual is given access only to the sensitive information, data or programmes strictly required for his job, and nothing more;
(ii) the principle of maker and checker: for each transaction there must be at least two individuals; one individual may create the transaction and the other should confirm or authenticate it.

Some suggestions for the prevention of frauds in a computerised environment are given below.

A) General measures
(i) Systems and equipment needs of the bank should be planned for at least three to five years. The plan should be subject to annual review by Top Management.
(ii) Hardware and software purchase standards need to be standardised.
(iii) Hardware should be tested and proven, with adequate warranty.
(iv) Software acquired from outside should be checked to conform to the bank's requirements with adequate controls, and should be tested and audited before acceptance.
(v) In-house software development should be standardised, and periodical systems audit/review should be conducted.
(vi) Systems in banks should be well documented and kept up-to-date and secure. Changes to the system need to be controlled.
(vii) Data processing procedures, backup procedures, etc., should be evolved covering all computer systems of the bank and made known to all concerned.
(viii) System administration procedures and the duties of personnel should be clearly spelt out for every computer installation and made known to the employees.
(ix) Confidentiality of information should be categorised and access rights must be specified.
(x) Customer complaints relating to computer areas should be looked at from the computer systems point of view. Computer Planning and Policy Departments (CPPDs) should be associated with this exercise.
(xi) Security procedures covering hardware, software backup, storage of both computer records and reports, stationery, etc., should be standardised.
(xii) Computer audit should be made a meaningful exercise by involving the auditors at the system development stage itself. The officers trained in systems audit by the Indian Banks' Association (IBA) in its long-term training programmes can be utilised for this purpose.
(xiii) Operational auditors should be trained for audit around the computer, as part of the internal audit of branches.
(xiv) Quarterly snap inspections of the branches should be made by branch-level senior officers and/or by Zonal Office/Regional Office officers, especially to verify whether drawing power/limit, interest rates, etc., are correctly entered.

B) Administrative measures
(i) Banks must add relevant paragraphs covering computerised aspects while issuing general administrative instructions. To this extent there is a need for awareness of the various systems in the bank within non-computer departments, e.g., credit, deposits, development, general operations department, systems and procedures department, etc.
(ii) Training of operational-level officers needs to be streamlined to include the computer aspects of each topic in each session.
(iii) Standards should be evolved as regards:
a. On-line storage periodicity.
b. Storage of historical data.
c. Procedures regarding old records.
d. Application-wise backup procedures and off-site storage of backups, etc.
e. Uninterrupted power supply should be ensured.
f. Backup of files should be taken at periodical intervals and kept at a nearby office.
g. Employees in EDP Cells and computer areas should be screened and carefully selected. If they are unwilling to work, they should be replaced.

C) Preventive Vigilance measures
(i) In every computer installation at least two persons should be charged with the duties of a) system administration and b) database administration and processing. Their duties should be spelt out. The necessary backup officers should be trained and kept ready.
(ii) Rotation of duties across computerised offices/branches should be ensured in such a way that, while the acquired skills are not wasted, access to those applications whose programmes have been developed by the concerned persons is denied to them. It should also be ensured that this segregation is observed in subsequent rotations/postings.
(iii) Every bank should have at its Head Office (CPPD) a library containing authenticated manuals and documentation for system software and application software programmes, with their source codes, and hardware manuals.
(iv) Procedures should be established for conveying sensitive control information, such as limits, drawing power, interest rates, charges, forex rates, etc., from the concerned divisions to the computer section.

D) Insurance
It is prudent to obtain insurance cover in respect of particular risks within the bank, e.g., some of the risks such as the cost of replacing data, software and equipment. It may also be possible to insure the consequential losses to a bank following damage to computer resources and the consequent business interruptions. However, insurance should not be regarded as a substitute for a good control mechanism. It may also be prudent to identify the types of losses that are not covered by insurance and, as a matter of policy, lay greater emphasis on control mechanisms in respect of such areas.

5. In view of the above, you are requested to review the IT system of your bank afresh and incorporate proper control measures for the uninterrupted functioning of the bank.

6. A note containing problems with passwords and password management principles is enclosed in the Annexure for your reference.

7. Please acknowledge receipt of this circular to our concerned Regional Office.

Yours faithfully
sd/-
(G.C. Panigrahi)
Chief General Manager


Annexure

Some Problems with Passwords
1. To remember passwords, users write them down.
2. Users choose easy-to-guess passwords, such as the name of a family member or the month in which their birthday occurs.
3. Users do not change passwords for prolonged periods.
4. Users fail to appreciate the importance of passwords.
5. Users disclose their passwords to friends or work colleagues.
6. Some access control mechanisms require users to remember multiple passwords.
7. Some access control mechanisms do not store passwords in encrypted form.
8. Passwords are not changed when a person leaves an organisation.
9. Passwords are transmitted over communications lines in clear text form.

Some Password Management Principles
1. A large set of passwords should be acceptable to an access control mechanism.
2. An access control mechanism should not permit passwords to be chosen that are below a minimum length.
3. An access control mechanism should not permit users to choose weak passwords - for example, words that are found in a dictionary or words containing minimum variation in the letters chosen.
4. Users should be forced to change their passwords periodically.
5. Users should not be permitted to reuse passwords that they have used during, say, the past 12 months.
6. Passwords should be encrypted via a one-way function whenever they are stored or transmitted.
7. Users should be educated about the importance of password security, the procedures they can use to choose secure passwords, and the procedures they should follow to keep passwords secure.
8. Passwords should be changed immediately if there is a possibility they have been compromised.
9. An access control mechanism should limit the number of password entry attempts.

Source: Information Systems Control and Audit - Ron Weber
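The Annexure's password management principles 2, 3, 5, 6 and 9 (minimum length, rejecting dictionary words and low-variation passwords, no reuse within 12 months, one-way storage, limited entry attempts), implemented as an added illustrative example that is not part of the circular or of any bank's system; the thresholds, the sample word list and the day-based history window are constructed assumptions.

```python
# Added example (not from the circular): the Annexure's password principles 2, 3, 5, 6
# and 9 as a small policy module. All thresholds and the word list are constructed assumptions.
import hashlib, hmac, os

MIN_LENGTH = 12                  # principle 2: reject passwords below a minimum length
MAX_ATTEMPTS = 5                 # principle 9: limit the number of password entry attempts
HISTORY_DAYS = 365               # principle 5: no reuse of a password used in the past 12 months
DICTIONARY = {"password", "welcome", "banking", "mumbai"}  # constructed sample word list

def weak(pw):
    """Principle 3: return why a password is weak, or None if it is acceptable."""
    if len(pw) < MIN_LENGTH:
        return "too short"
    if pw.lower().strip("0123456789!@#$") in DICTIONARY:  # 'password2015' is still a dictionary word
        return "dictionary word"
    if len(set(pw.lower())) < 6:                           # too little variation in the letters chosen
        return "too little variation"
    return None

def one_way(pw, salt):
    """Principle 6: only a salted one-way function of the password is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
class Account:
    def __init__(self):
        self.salt, self.digest = os.urandom(16), None
        self.history = []                 # (retired_on_day, salt, digest) of earlier passwords
        self.failures, self.locked = 0, False
    def set_password(self, pw, today):
        """Reject weak passwords and any password retired fewer than HISTORY_DAYS days ago."""
        reason = weak(pw)
        if reason:
            return reason
        for retired_on, salt, digest in self.history:
            if today - retired_on < HISTORY_DAYS and hmac.compare_digest(one_way(pw, salt), digest):
                return "reused within history window"
        if self.digest is not None:        # retire the current password into the history
            self.history.append((today, self.salt, self.digest))
        self.salt = os.urandom(16)
        self.digest = one_way(pw, self.salt)
    def login(self, pw):
        """Principle 9: constant-time comparison; lock the account after MAX_ATTEMPTS failures."""
        if self.locked or self.digest is None:
            return False
        if hmac.compare_digest(one_way(pw, self.salt), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= MAX_ATTEMPTS
        return False
```

Day numbers stand in for calendar dates so the history check stays arithmetic; a real system would also enforce periodic change (principle 4) and clear the lock through a supervised reset.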