
“INFORMATION SECURITY RISK MANAGEMENT IN BANKS”

Presented to TASMAC & University of Wales

On

9th FEBRUARY, 2007

By

KAUSTUBH D. GONDHALEKAR
WM/JO5/004

MBA III
(Information Management Specialisation)

Total Number of Words: 19,897 WORDS


DECLARATION

This work has not previously been accepted in substance for any degree and is not being
concurrently submitted in candidature for any degree.
Signed___________________________________________ (candidate)
Date ____________________________________________

STATEMENT 1
This dissertation is being submitted in partial fulfillment of the requirements for the
degree of _________________________________________ (i.e. MA, MSc, MBA etc.)
Signed____________________________________________
Date _____________________________________________

STATEMENT 2
This dissertation is the result of my own independent work and investigation, except
where otherwise stated. Other sources are acknowledged by footnotes giving explicit
references. A bibliography is appended.
Signed____________________________________________
Date _____________________________________________

STATEMENT 3
I hereby give consent for my dissertation, if accepted, to be available for photocopying
and for inter-library loan, and for the title and summary to be made available to outside
organizations.
Signed____________________________________________
Date _____________________________________________
TABLE OF CONTENTS

SR.NO. CONTENTS PAGE (S)

DECLARATION i

LIST OF TABLES ii

LIST OF FIGURES iii

EXECUTIVE SUMMARY 1

1 CHAPTER:1 – INTRODUCTION 3 – 11

1.1 Background 3

1.2 Purpose Of The Study 5

1.3 Importance Of The Study 6

1.4 Statement Of The Problem 9

1.5 Research Questions 9

1.6 Hypotheses 9

1.7 Research Methodology 10

1.8 Limitations 10

1.9 Overview of the Study 11

2 CHAPTER : 2 - LITERATURE REVIEW 12 – 46

2.1 History of Information Security and Risk Management 13

2.2 Scope of IS 14

2.3 How is IS applicable in Banks 15

2.4 The IS Scenario in India 37

2.5 Understanding Information Security (IS) 42

2.6 Spending Patterns (Technologically and Financially) 43

2.7 CTO / CIO’s view point 45


2.8 Summary 47

3 Chapter : 3 – METHODOLOGY 48 – 54

3.1 Introduction 48

3.2 Research Questions and Research Hypotheses 48 – 49

3.3 Data Collection / Collected 49

3.4 Location of the Data 52

3.5 Pilot Test 53

3.6 Method of Inquiry 54

3.7 Analysis performed on the data 55

3.8 Summary 55

4 Chapter : 4 – ANALYSIS 56 – 73

4.1 Introduction 56

4.2 Key Findings 57

4.3 Detailed Survey Results 58

5 Chapter : 5 – CONCLUSION 75 – 93

5.1 General Password Guidelines 84

5.2 Password Protection 86

5.3 Changing Passwords 87

5.4 Security Breach Examples 87

5.5 Bank Procedures 88

5.6 Downloading Software 88

5.7 Laptop Security 89

5.8 Fax Machines 89

5.9 Internet Security Concerns 90


5.10 Physical Security 90

5.11 Monitoring and Inspections 90

6 Chapter : 6 – BIBLIOGRAPHY 94

Appendix I 104

Appendix II 119

Appendix III 124

Appendix IV 125
List of Figures

SR.NO. CONTENTS PAGE (S)

CHAPTER:1 – INTRODUCTION

1.3 Figure No. 1 – IS Risks 7

CHAPTER : 2 - LITERATURE REVIEW

2.2 Figure No. 2: Security Management process 14

2.3 Figure No. 3 Occupations of Computer Crime Defendants 23

2.3 Figure No. 4 Types of Computer Crimes 24

2.3 Figure No. 5 Average Computer Crime Losses 24

2.3 Figure No. 6 Victims of Computer Crimes 25

2.3 Figure No. 7 Computer Crime Cases in Courts 26

2.3 Figure No.8: TCO Analysis 31

2.6 Figure No. 9: IT Spending Patterns 43

Chapter : 3 – METHODOLOGY

3.3 Figure No.10: Selection of Data Collection Method 50

Chapter : 4 – ANALYSIS

4.3 Figure No.11:- Respondents based on the type of organisation 58

4.3 Figure No.12:- Respondents based on the location of the organisation 59

4.3 Figure No.13:- Respondents by Job Description 60

4.3 Figure No.14:- IT spending as a part of budget 61

4.3 Figure No.15:-Percentage of IS functions outsourced 63

4.3 Figure No.16:-Risk Mitigation Policies 64


4.3 Figure No.17:-Unauthorised access in the recent past 65

4.3 Figure No.18:-Security Technologies used 66

4.3 Figure No.19:-Security Audits 68

4.3 Figure No.19:- IS Awareness Training 69

4.3 Figure No.20:- Critical Issues 71

4.3 Figure No.21:- Responses based on the Age Groups 73

4.3 Figure No.22:- Respondents based on Income group. 74

Chapter : 5 – CONCLUSION

5.1 Figure No.23:- Suspicious Activity Investigation Report 81

5.1 Figure No.23:- ATM / Debit card Fraud Claim Format 83


List of Tables

SR.NO. CONTENTS PAGE (S)

CHAPTER : 2 - LITERATURE REVIEW

2.3 Table No.1: Types of Attacks 16

2.7 Table No.2: Risk Mitigation Strategy 45


Executive Summary

The Environmental Challenges


Most organisations recognize the critical role that information technology (IT)
plays in supporting their business objectives. But today's highly connected IT
infrastructures exist in an environment that is increasingly hostile—attacks are being
mounted with increasing frequency and are demanding ever shorter reaction times. Often,
organisations are unable to react to new security threats before their business is impacted.
Managing the security of their infrastructures—and the business value that those
infrastructures deliver—has become a primary concern for IT departments.
Furthermore, new legislation that stems from privacy concerns, financial obligations, and
corporate governance is forcing organisations to manage their IT infrastructures more
closely and effectively than in the past. Many government agencies and organisations that
do business with those agencies are mandated by law to maintain a minimum level of
security oversight. Failure to proactively manage security may put executives and whole
organisations at risk due to breaches in fiduciary and legal responsibilities.

A Better Way
The holistic roadmap to security risk management provides a proactive approach
that can assist organisations of all sizes with their response to the requirements presented
by these environmental and legal challenges. A formal security risk management process
enables enterprises to operate in the most cost efficient manner with a known and
acceptable level of business risk. It also gives organisations a consistent, clear path to
organise and prioritise limited resources in order to manage risk. The benefits of using
security risk management would be realised when the cost-effective controls that lower
risk to an acceptable level are implemented.
The definition of acceptable risk, and the approach to manage risk, varies for every
organisation. There is no right or wrong answer; there are many risk management models
in use today. Each model has tradeoffs that balance accuracy, resources, time,
complexity, and subjectivity. Investing in a risk management process—with a solid
framework and clearly defined roles and responsibilities—prepares the organisation to
articulate priorities, plan to mitigate threats, and address the next threat or vulnerability to
the business. Additionally, an effective risk management program will help the
organisation to make significant progress toward meeting new legislative requirements.
During a risk assessment process, qualitative steps identify the most important risks
quickly. A quantitative process based on carefully defined roles and responsibilities
follows next. Together, the qualitative and quantitative steps in the risk assessment
process provide the basis on which you can make solid decisions about risk and
mitigation, following an intelligent business process.

Critical Success Factors


There are many keys to successful implementation of a security risk management
program throughout an organization.
First, security risk management will fail without executive support and
commitment. When security risk management is led from the top, organizations can
articulate security in terms of value to the business. Next, a clear definition of roles and
responsibilities is fundamental to success. The Information Security Group owns
identifying the probability that the risk will occur by taking current and proposed controls
into account. The Information Technology group is responsible for implementing
controls that the Security Steering Committee has selected when the probability of an
exploit presents an unacceptable risk.
Investing in a security risk management program—with a solid, achievable
process and defined roles and responsibilities—prepares an organization to
articulate priorities, plan to mitigate threats, and address critical business threats
and vulnerabilities.
CHAPTER 1
INTRODUCTION

1.1 Background
Information is an asset that, like other important business assets, is essential to an
organisation’s business and therefore needs to be kept up to date and suitably
protected. Since most businesses today are electronically connected through networks,
IS and its management play a major role. As a result of this existing and ever-increasing
interconnectivity, information is now exposed to a growing number and a wide variety of
threats and vulnerabilities.
Businesses are vulnerable to various kinds of information risks inflicting
varied damage and resulting in significant losses. This damage can range from
errors harming database integrity to fires destroying entire computer centers or
facilities. To control IS risks, the management needs to anticipate and be aware of
the potential threats, risks and resultant loss and accordingly deploy the necessary
controls across the environment.
IS is the protection of information from a wide range of threats in order to
ensure business continuity, minimise business risk, and maximise the return on
investment (ROI) and thereby extend the business opportunities.

“Security is like oxygen; when you have it, you take it for granted,
But when you don’t, getting it becomes the immediate and pressing priority”
----- Joseph Nye, Harvard University.
An IS Risk can be defined as any activity or event which threatens the
achievement of identified business objectives by compromising
‘Confidentiality’, ‘Integrity’ or ‘Availability’ of the business information.1

1: NASSCOM – KPMG IS GUIDE BOOK - http://www.nasscom.org/download/Nasscom_Cover.pdf; access date: January 07, 2006.
With the advent of the Internet era, it is essential for organisations to observe, review
and analyse their electronic systems so that malicious activity can be anticipated and
detected. Keeping this in mind, ‘IS Risk Management’ in large corporations such as banks
is essential, since they rely on Information Technology (IT) and IT systems for the
processing, storage and transmission of company and customer data. As a consequence,
in the event of an IT system failure, whether caused by a malicious act or a technical
fault leading to system failure or information loss, it would not be feasible to fall back on
manual processing as an alternative. A number of further security issues surround IS: for
example, the increased mobility of bank staff has resulted in remote access over wireless
networks and through the Internet, so access to a bank’s information assets is no longer
limited to internal employees working from a fixed, known location or environment. The
computers and hardware may be worth thousands of dollars, but the information they hold
as data can be worth far more.
There's probably not a business owner out there who doesn't make sure
with some regularity that the locks intended to keep intruders off the premises are
doing their job. But owners of small and medium-size businesses tend to be much
less vigilant when it comes to IS Management, even though the potential risks
of an IS breach can be far more staggering than those posed by a burglar.
Destructive viruses, worms and hackers don't discriminate by the size of an
organisation. Data loss, lost productivity, decreased profits, opportunity costs,
privacy concerns and corporate liability are some of the areas where companies
are vulnerable. Publicly held companies have an additional accountability for the
integrity of their financial reporting data and systems under laws and acts such as
the Sarbanes-Oxley Act, etc.
1.2 Purpose of the Study

IS is a continual imperative for banks, as vulnerabilities in IS and information
availability are continuously being exploited in new ways. The security of new
technologies and channels, e.g. e-commerce, online banking and debit cards, needs
particular focus. This becomes even more essential in the light of the increase in
fraud-related losses in these areas, on top of the risks of existing technologies and
manual transaction processing.

Banks have always been, and remain, one of the most important targets for hackers,
crackers and cyber criminals, as an IS breach may lead to substantial losses. Such
losses may lead to a downfall of the banking industry and thus have an impact on
the economy.

The actual losses on account of IS issues are difficult to estimate. However, the 639
companies that responded to the 2005 CSI/FBI Computer Crime and Security Survey
reported total losses of $130 million, with viruses, unauthorised access and theft of
proprietary information accounting for 80% of it. Given the risks, IS should be a top
priority of any organisation, and not just for its IT department. That is where a formal
IS Management Program comes in.
Case Study: Newspaper clipping – Banks notify customers of data theft.2
Placed below is a news item that appeared in the money and business section of the
website http://home.netscape.com. The summary of the news item is presented below:
Summary:
• More than 100,000 customers of Wachovia Corp. and Bank of America Corp.
have been notified that their financial records may have been stolen by bank
employees and sold to collection agencies.
• So far, Bank of America has alerted about 60,000 customers whose names
were discovered by police, while Wachovia has identified 48,000 current and
former account holders whose accounts may have been breached.
• Both banks are providing the affected customers with free credit reporting
services.
• In a separate case with a potential for identity theft, a laptop containing the
names and Social Security numbers of 16,500 current and former MCI Inc.
employees was stolen last month from the car of an MCI financial analyst.
MCI would not comment on whether the data was encrypted.
• The bank record theft was exposed last month when police in Hackensack,
N.J., charged 9 people, including 7 bank workers in an alleged plot to steal
financial records of thousands of bank customers.

Money and Business: http://channels.netscape.com/ns/pf/story.jsp?floc. Access Date: July 07, 2006.

1.3 Importance of the Study


All organisations today face a certain level of security risk. In fact, the
deployment of technologies such as ‘Intrusion Detection and Monitoring’
acknowledges that a certain level of suspicious or malicious activity is likely to
get through. It also acknowledges that there are internal threats (maybe from
disgruntled employees, or simply human error) which have to be countered with
skill and imagination.
It is important to recognise that all organisations accept some level of risk.
Risk is, after all, a trade off between the amount of money you wish to spend on
counter-measures, against the perceived level of threat and vulnerability, to
protect the estimated value of your assets. The important thing is that risk is
identified, and either a) mitigated, b) transferred, c) insured, or d) clearly
documented as a risk acceptance.

Figure No. 1 – IS Risks

2: http://channels.netscape.com/ns/pf/story.jsp? Access date: March 20, 2006.


Security risk is also heavily influenced by time. For example, if a new
virus is released for which no patch is available, then the rate of infection is
critical. All organisations are subject to security threats, as these expose their
vulnerabilities, and the level of threat increases significantly with factors such as
the need to do business over the Internet, the profile of the organisation, and the value
of its assets. High-profile corporations are under constant threat because of the
possible infamy associated with security breaches.

Some of the key threats to organisations include:


• Virus, Trojans and Worms
• Phishing
• Pharming
• Email SPAM
• Web Site Defacements
• Denial of Service Attacks (DoS)
• Spoofing
• Identity theft
• War walking, War driving, etc., (Wireless Network Threats)
• Theft of information (e.g. credit card details, source code, biotechnology
secrets), etc.
Hence, this study may prove important and highly significant, as it would provide
better insights with regard to updating security personnel, enabling them to handle
any kind of security issue at any given point in time.
1.4 Statement of the Problem
Based on the problem definition, the objectives of the research will be:
• To identify and examine the current IS landscape prevailing in various
Banks.
• To identify the information risks and security concerns threatening the
Banks.
• To determine the loss of revenue because of the information loss due to
various reasons such as virus attacks, unauthorised access, theft, pilferage,
security breach or by calamity / disaster.
• To determine the cost in the IRSMS implementation.

1.5 Research Questions

The research will address questions such as:

• What are the information risks and security threats involved in the Banks?
• What benefits will be derived by implementing these systems in the
existing scenario?
• What should be the ideal characteristics of the IRSMS?
• What functions in security and risk management must be accomplished by
an IRSMS to support Banks?
• What would be the Total Cost of Ownership (TCO) for the institution?

1.6 Hypotheses
• The security policies in the same organisation (Bank) may differ based on
the geographic location.
• Many Banks prefer accepting the security risk rather than mitigating,
transferring or avoiding it.
• IRSMS policies show wide variations across all types of financial
institutions (here the type of bank would be considered, i.e. Apex / Public
Sector Commercial / Private Commercial / Co-operative / Foreign bank.)

1.7 Research Methodology

The method of inquiry involved both primary and secondary data collection. A
questionnaire was prepared taking into account the need for qualitative as well as
quantitative analysis. Primary data was collected by inviting responses, by means of
the questionnaire, from IS Officers / IT Officers, Certified Information Systems
Auditors, Certified Information Systems Managers, Compliance Officers, etc., with a
minimum of 1-3 years of experience in the ‘IS Risk Management’ field. Secondary
data was gathered from various published sources, authentic journals, past research
papers, newspapers, magazines and articles.

1.8 Limitations
• The findings are based entirely upon research conducted in India and
hence may not be applicable to other countries of the world on account of
technological diversity and contextual forces.
• This kind of research needs to be repeated periodically to gauge the
validity of the security risk management program designed in an
organisation such as a bank, due to constantly changing technology and
its vulnerabilities.
• To prove the hypothesis “The security policies in the same organisation
(Bank) may differ based on the geographic location”, the research may
not have considered several banks of similar type. It may be limited to the
same bank at different locations.
• The research may not be able to provide the exact financial figures or the
financial impact of the occurrence of IS threats and the risk that follows, because
of the reputation risk involved. The respondents might not provide complete or
authentic information regarding the questions posed in the survey; their answers
may be incomplete or partial.
1.9 Overview of the Paper
An introduction to the topic of research “IS Risk Management” is provided in
Chapter 1. The introduction focuses on aspects such as:
• Background of the Research Study,
• Purpose and Importance of the Study,
• Problem Statement,
• Research Questions With Certain Assumptions,
• Research Methodology.
It also throws light on the limitations of the study research.
In the Literature Review, the research provides a close look and feel of the
similar incidents in the past and in the present amongst various banks across the
country and the globe. The basic intention of this academic report is to spread
awareness regarding IS Threats and the Risk which follows them. The researcher
has tried to collect several examples from within the country or across the globe
which are on similar lines.
Chapter 3 is dedicated to the methodology of the research. It points
to the sources of the data and information collected through surveys,
questionnaires, personal interviews, authentic articles on the web, magazines, etc.
This chapter revisits the research questions, research hypotheses, etc. mentioned
in Chapter 1. It also highlights the method of inquiry and the method of
analysis applied once the data is collected.
Chapter 4 illustrates the analysis performed on the data to obtain the
desired results. The analysis also throws more light on the key findings which I
came across while performing the analysis.
Chapter 5 provides the overall findings and the conclusions based on the
survey, the analysis and also the management perspective. This chapter also
mentions what needs to be done in order to prevent IS threats from recurring
and the steps taken to prevent them. In fact, these steps need to be incorporated in
the initial procedures of both personnel management and sourcing and change
management decisions. The bottom line is “Prevention is always better than
cure”.
CHAPTER 2
LITERATURE REVIEW

Introduction
This chapter provides further insights regarding the traditional definition of
IS and Risk Management along with its historical background. It also sheds light
on the makeover, or phase shift, which has occurred in the field of IT. The
chapter also defines the scope of Information Systems and IS.
The literature review shows how IS and Risk Management are applicable to
banks, and why it is essential to take responsibility for subduing the threats that cause
financial losses to the business sector as well as to the national and world
economies. In order to achieve this, it becomes even more important to
understand what kinds of attacks are possible and the manner in which they
should be dealt with. Due to scope constraints, this academic research is unable to
cover all the threats or mention the remedies for them; even so, a wide range of
threats is mentioned below, with some actual facts.
The literature review also attempts to focus on the computer frauds that
have occurred and their repercussions. It also points out the reasons why computer
crimes are difficult to prove in a court of law. The types of computer crimes, their
impacts or effects and their victims are explained in the review. The review also
focuses on drawing the reader’s attention to an understanding of IS at
length. The IT spending pattern, a focus area for all organisations including banks,
is also considered and explained in the review.
2.1 History of IS and Risk Management

• IS Management – A Concept

IS Management is the process used to identify and understand risks
to the Confidentiality, Integrity, and Availability of Information and
Information Systems.

• Phase Shift of IS

The role of IS has changed during the past few years. ‘The
traditional definition of protecting networks and the datacenters has
undergone a shift in focus, resulting in the enablement of businesses,
with security solutions actually moving the business forward or even to
the next step. Security is now a way of life and a must-do for businesses in
order to survive. Hence, it has become obvious that, wherever the
information goes, security follows.’

No longer can IS be an afterthought. An increased need for
efficiency and productivity, reducing costs, reaching multiple markets and
faster time-to-market are a few of the business benefits which are driving
organisations to make IS a part of the organisational DNA.
2.2 Scope of IS

“IS Management defines the controls we must implement to ensure
we sensibly manage computer related risk”3

• Not just technology, but people and processes too – “defense in depth”.

• An ongoing, continuous activity: you don’t just “do” security as a one-off
event.

© Source: Deloitte Touche Tohmatsu

Figure No. 2: Security Management process

IS is the protection of information from a wide range of threats in
order to ensure business continuity, minimise business risk, and maximise
return on investments and business opportunities.

3: Driving an IS Program in the Tertiary Environment; www.auckland.ac.nz/security; access date: November 28, 2005.

4: http://www.keyitsolutions.com/information_security_management.htm ; access date: November 28, 2005


A basic IS model should encompass Confidentiality, Integrity and
Availability; however there are also additions such as Accountability and
Auditability.2

In other words, “The objective and focus of IS Management is
to protect and manage the information assets”.

2.3 How is IS Applicable to Banks?

"IS is definitely a journey, not a destination -- there are always new challenges
to meet."
-- Chief IS officer at a major financial services corporation

Banking institutions have become ‘critical centers of gravity’. A collapse
of a banking institution can lead to collapse in the banking sector and cause a
huge setback to the economy of the nation, which would also concern the world at
large. This makes banks more attractive targets for potential adversaries.
Potential adversaries could be either malicious or non-malicious. Among the
malicious adversaries would be hackers (including phreakers, crackers, trashers
and pirates), terrorists / cyber terrorists, organised crime, other criminal elements,
competitors and disgruntled employees. On the other hand, careless or poorly
trained employees would be non-malicious adversaries who, through lack of
training, lack of concern or lack of attentiveness, pose a threat to the
Information Systems.
Adversaries would employ attack techniques that can be classified as
passive, active, insider, close-in or distribution attacks. Some of them are explained
below. ‘Passive attacks’ involve passive monitoring of communications sent over
public media and include monitoring plaintext, decrypting weakly encrypted
traffic, password sniffing and traffic analysis.

5 : Source: http://www.securesynergy.com/library/artcles/125-2003.php;

6: Defining Information Threats, Felix Mohan, CEO - Secure synergy; access date: May 05, 2006.
Active attacks would include attempts to:

Serial No. Type of attack
1 Circumvent or break security features
2 Introduce malicious code (such as computer viruses, trojans or worms)
3 Subvert data or system integrity
4 Modify data in transit
5 Replay (insertion of data)
6 Hijack sessions
7 Masquerade as an authorised user
8 Exploit vulnerabilities in software that runs with system privileges
9 Exploit network trust
10 Set in denial of service

Table No.1: Types of Attacks

In ‘Close-in attacks’ an unauthorised individual gains close physical
proximity to the networks, systems, or facilities for the purpose of modifying,
gathering, or denying access to, information. Gaining such proximity is
accomplished through surreptitious entry, open access, or both. Close-in attacks
include modification of data, information gathering, system tampering, and
physical destruction of the local system. A person who is either authorised to
be within the physical boundaries of the IS processing system or has direct access
to the IS processing system can be responsible for the insider attacks. Insider
attacks are usually difficult to detect and to defend against.
‘Distribution attacks’ maliciously modify hardware or software between
the time of its production by a developer and its installation, or when it is in
transit from one site to another.
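Two of the active attacks in Table No.1, ‘modify data in transit’ (item 4) and ‘replay’ (item 5), are the ones a bank’s message-processing systems can detect mechanically. The following Python program is an added example, not code from the dissertation or from any source it cites: a receiver that checks an HMAC-SHA256 tag, a freshness window and a per-message nonce on a constructed funds-transfer message, and rejects the tampered, replayed and stale variants. The message fields, the 30-second window, the key and the tag construction are all assumptions made for the illustration.

```python
"""Added example: a receiver that detects two of the active attacks in
Table No.1, 'modify data in transit' and 'replay'.  It is not code from the
dissertation; the message layout, the HMAC-SHA256 tag, the nonce, the
freshness window and the key are assumptions made for the illustration."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Tuple

FRESHNESS_WINDOW_SECONDS = 30  # assumed: older messages are treated as stale


def _canonical(body: Dict) -> bytes:
    """Serialise deterministically so sender and receiver tag identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_message(key: bytes, payload: Dict, now: float) -> Dict:
    """Sender side: add a fresh nonce and timestamp, then an HMAC tag over everything."""
    body = dict(payload, nonce=secrets.token_hex(16), ts=int(now))
    body["tag"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class Receiver:
    """Receiver side: verify the tag first, then freshness, then nonce uniqueness."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()  # in production this would be bounded to the window

    def accept(self, msg: Dict, now: float) -> Tuple[bool, str]:
        body = {k: v for k, v in msg.items() if k != "tag"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # constant-time comparison, so tag checking leaks nothing through timing
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "bad tag: message modified or forged"
        if abs(now - body["ts"]) > FRESHNESS_WINDOW_SECONDS:
            return False, "stale timestamp"
        if body["nonce"] in self.seen_nonces:
            return False, "replay: nonce already seen"
        self.seen_nonces.add(body["nonce"])
        return True, "accepted"


def demo() -> Dict[str, str]:
    """Run one genuine transfer and three attack variants; return the verdicts."""
    key = secrets.token_bytes(32)  # assumed pre-shared key between the two systems
    rx = Receiver(key)
    now = time.time()
    transfer = {"from": "ACC-001", "to": "ACC-002", "amount": 100}  # constructed
    msg = make_message(key, transfer, now)
    verdicts = {"genuine": rx.accept(msg, now)[1]}
    tampered = dict(msg, amount=100_000)               # Table item 4: modify data in transit
    verdicts["tampered"] = rx.accept(tampered, now)[1]
    verdicts["replayed"] = rx.accept(msg, now + 1)[1]  # Table item 5: replay
    old = make_message(key, transfer, now - 600)       # captured earlier, sent much later
    verdicts["stale"] = rx.accept(old, now)[1]
    return verdicts


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict}")
```

The nonce cache alone would not stop a message held back and delivered much later, which is why the timestamp window is checked as well; the tag is verified before anything else so that forged messages cannot be used to probe the nonce cache.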
The risks of serious IS failures are all around us. Breaches such as teenage
hackers and e-mail viruses, which were once a nuisance only for information
technology professionals, now pose a significant risk for executives and can
threaten intellectual property and brand equity. Each new lapse in security,
highlighted by glaring media coverage, amplifies consumer awareness and
concern.
The disclosure by MasterCard that 40 million of its credit and debit card
account details had been exposed is yet another indication of the scale of the
problem. Certainly, the growing fear of identity theft is a matter of
concern for executives in industries that interact directly with consumers. A recent
survey conducted in conjunction with the Merchant Risk Council, in the US,
revealed that over 90 per cent of retailers agreed that consumers make purchasing
or transaction decisions based on their trust in the company’s ability to secure
their data. Also, almost 90 per cent felt that IS is or will become a point of
competition in the retail sector. IS is not just an issue for retailers and banks – all
companies face new risks, ranging from industrial espionage to sabotage.
Compounding these concerns, compliance fears generated by Sarbanes- Oxley
and the forthcoming Basel II accord have fostered an environment of risk aversion
inside many organisations. Of course, there are plenty of risks to fear. The process
of opening companies to the internet has exposed a multitude of software
vulnerabilities, especially as many older systems were not developed with this
security in mind. Building stronger walls around enterprise systems can help to
keep out some unwanted visitors, but those clever invaders or disloyal insiders
who find their way into the fortress discover a treasure trove of information once
they have gained access.
To make matters worse, many risks lie deeply hidden within the extended
enterprise. While most large companies have taken significant actions to beef up
their own internal security, their smaller partners often harbour risks that open the
entire enterprise to vulnerability. Every day, business partners take unseen risks
and, when partners experience security failures, it has the same devastating
impact. In the case of MasterCard, the loss arose out of a security breach at
Card Systems Solutions – a small, private payment processor with only about 100
employees. Card Systems quickly felt the pain of the mistake as both Visa and
American Express promptly withdrew their business, pushing Card Systems into a
financial crisis. Yet the fact that the problem was not within Visa or MasterCard
made little difference to consumers, who rightly saw the problem as the
responsibility of the credit card companies.
The escalation of security breaches and the painful surprise many
executives feel when a failure occurs in their business have brewed a culture of
fear within many organisations. Vendors within the security industry have quickly
capitalised on this fear along with the confusion around new compliance
measures, such as Sarbanes-Oxley. But before tossing money at a cure in the hope
that it will eliminate these new risks, managers should first work to incorporate
information risk into an overall enterprise risk management strategy. Like any
other risk within the company, security risks must be identified and balanced
against the benefits and costs of mitigation. Unfortunately, in contrast to many
other business risks, the discussion about IS risk has focused solely on the
negative experiences. Of course, no one likes a bad outcome. A hurricane, like a
security failure that exposes sensitive customer information, results in damage
and cost. However, in other areas of business, risk is associated with return –
higher risks yield higher returns. This is also true for IS risk. It is often assumed
that IT risks arise from sloppiness or corner-cutting, such as the failure to follow
best software development practice or to test and audit new systems. In some
instances, this notion is true. However, many IT risks occur within the context of a
larger business strategy with associated rewards.

For example:
• Working with a small innovative start-up company whose promising
software solution could generate significant returns, but could also
harbour the associated risk of the small company’s IT environment
• Starting or acquiring operations in low-cost countries where the
infrastructure is less secure
• Outsourcing business processes to suppliers with lower-cost structures
but unknown or hard-to-monitor security practices
• Exposing internal business data to customers and partners to help with
the creation of new services or reduce operating costs.
All of these create security risk, even with the best practices. Becoming
aware of the risks is just the first step in building an effective management
strategy. In our survey of retailers, over 85 per cent said that the level of IS
offered by their suppliers was important to them. Yet we find that companies in
each industry are struggling to develop effective ways to measure and manage
security risks across their extended enterprise.
A simple way to reduce security risk is to limit business innovation – to
avoid partnering, pull systems offline and lock down the fort. This is a serious
mistake. Instead, risk should be balanced with reward. Embedding IT risk into
your overall enterprise risk management strategy implies establishing a risk
posture that does not seek to eliminate security risk, but rather manages it. The
key is first to understand the vulnerabilities, threats and consequences.
Vulnerabilities are areas that can be exploited by malicious individuals or
organisations.
Examples could include poorly maintained software (such as failing to
patch known security holes), poor security practices (such as inadequate password
and identity management), or the exposure of older systems of unknown
security to the internet. Given these vulnerabilities, what are the threats? Are there
outsiders who are motivated and capable of exploiting the vulnerability? Or are
there insiders who may be tempted to steal intellectual property? Finally, if
security were breached, what would the consequences be? Would they be primarily
internally observed or would they impact external groups, such as customers or
business partners?
Internal failures, like viruses, generate real operational costs for the IT
department but rarely put the company into a catastrophic tailspin. On the other
hand, external failures, such as a breach of customer information, can be much
more painful, warranting far greater attention. To manage risk in the most
effective way possible, companies should include IS in the broader perspective of
business risk management, where the board of directors governs the company’s
overall risk posture. This same perspective must also be applied to business
partners. For many companies, measuring supplier risk will require new tools for
supplier security qualification. Like those tools used to assess a supplier’s product
quality, supply chain reliability, or its long-term financial viability, suppliers
should be qualified using a technical assessment of security and an assessment of
the supplier’s information risk management practices. Risks of working with a
new partner can then be balanced against the benefit that the partner delivers.
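The three questions above (vulnerability, threat, consequence), the weighting of external over internal consequences, and the qualification of suppliers can be put into a small risk register. The Python below is an added example, not the dissertation’s own method or any cited framework: it scores each risk, ranks the register by expected weighted loss and decides whether a control pays for itself. The 1..5 scales, the external weight of 3, the supplier findings-to-score mapping and every figure in the sample register are assumptions constructed for the illustration.

```python
"""Added example (not the dissertation's own method): a small risk register
built on the three questions the text poses, vulnerability, threat and
consequence, that ranks risks by exposure and decides whether mitigation pays
for itself.  Scales, weights, the supplier mapping and all sample figures are
assumptions constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

EXTERNAL_WEIGHT = 3.0  # assumed: consequences reaching customers/partners count threefold


def supplier_vulnerability_score(assessment: Dict[str, bool]) -> int:
    """Turn a technical assessment of a partner into the 1..5 vulnerability score.
    Keys name the weaknesses the text lists (unpatched software, weak identity
    management, legacy systems exposed); True means the weakness is present.
    The 0..3 findings -> 1..5 mapping is an assumption."""
    findings = sum(1 for present in assessment.values() if present)
    return [1, 2, 4, 5][min(findings, 3)]


@dataclass
class Risk:
    name: str
    vulnerability: int       # 1 (hard to exploit) .. 5 (trivially exploitable)
    threat: int              # 1 (no motivated, capable actor) .. 5 (active, capable actors)
    loss_if_realised: float  # direct cost, in currency units
    external: bool           # does the consequence reach customers or partners?
    mitigation_cost: float   # one-off cost of the control being considered

    def likelihood(self) -> float:
        """Assumed mapping: product of the two 1..5 scores, normalised to 0..1."""
        return (self.vulnerability * self.threat) / 25.0

    def exposure(self) -> float:
        """Expected weighted loss; external consequences are up-weighted, as the text argues."""
        weight = EXTERNAL_WEIGHT if self.external else 1.0
        return round(self.likelihood() * self.loss_if_realised * weight, 2)

    def decision(self) -> str:
        """Mitigate only when the expected weighted loss exceeds the cost of the control."""
        return "mitigate" if self.exposure() >= self.mitigation_cost else "accept and monitor"


def rank_register(risks: List[Risk]) -> List[Tuple[str, float, str]]:
    """Board-level view: every risk, highest exposure first, with its decision."""
    ordered = sorted(risks, key=lambda r: r.exposure(), reverse=True)
    return [(r.name, r.exposure(), r.decision()) for r in ordered]


def sample_register() -> List[Risk]:
    """Constructed register: one internal failure, one supplier breach, one insider risk."""
    processor = supplier_vulnerability_score({
        "unpatched_software": True,
        "weak_identity_management": True,
        "legacy_systems_exposed": False,
    })
    return [
        Risk("Virus outbreak on internal desktops", 4, 4, 50_000, False, 30_000),
        Risk("Card data breach at payment processor", processor, 5, 2_000_000, True, 400_000),
        Risk("Intellectual property theft by insider", 2, 3, 300_000, False, 120_000),
    ]


if __name__ == "__main__":
    for name, exposure, decision in rank_register(sample_register()):
        print(f"{exposure:>12,.2f}  {decision:18s}  {name}")
```

With these constructed figures the supplier breach dominates the register even though its raw likelihood is similar to the internal virus risk, which is the effect of weighting consequences that reach customers; the insider risk is ranked second but left on watch because the proposed control costs more than its expected loss.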
Most importantly, managing information risk is everyone’s responsibility
– not simply the job of IT executives. Rather than viewing IT executives as
security guards, technology- savvy executives – from corporate directors to line
managers – should act as consultants to the entire organisation. CIOs with strong
business and technical skills are uniquely qualified to help educate the
organisation and chart a course to bring IT risk into the overall risk management
strategy. Bringing IT into the enterprise risk management strategy will not only
protect against catastrophic operational surprises, but will empower managers to
seize the exciting opportunities before them.
Computers have been in existence in European and American countries for
a long time. Consequently, frauds associated with the computer environment have
also been in existence for a long time. The American Institute of Certified Public
Accountants (AICPA) was commissioned to conduct a study of EDP-related
frauds in the banking and insurance sectors. The study, Report on the Study of
EDP-Related Fraud in the Banking and Insurance Industries, revealed many
shocking findings, the more significant of which are:
• In some cases, fraud occurred during the normal transaction processing
cycle;
• Many took advantage of the weaknesses in the system of internal
controls;
• Most frauds were in the input area;
• Input was either unauthorised or proper input was manipulated;
• File maintenance was a common method;
• Manipulation involved extending due dates on loans and / or changing
names and addresses;
• Losses from reported cases added up to several million US dollars;
• In all cases, perpetrators were employees.
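The AICPA findings describe patterns an auditor can look for in the file-maintenance trail itself: loan due dates pushed out, names and addresses changed, and input that was never independently authorised. The Python below is an added example, not from the AICPA study or from the dissertation: it reviews a constructed master-file maintenance log and raises an alert for each of those patterns and for the control weakness behind them (maker and checker the same person, or no checker at all). The record layout, the field names, the rules and all sample entries are assumptions made for the illustration.

```python
"""Added example, not from the AICPA study or the dissertation: a review of
master-file maintenance entries that flags the patterns the study lists (loan
due dates extended, names and addresses changed) and the input-control gap
behind them (entries keyed and approved by the same person, or never
approved).  Record layout, rules and the sample entries are constructed."""
from datetime import date
from typing import List, Optional, Tuple

MaintenanceEntry = Tuple[str, str, str, str, str, Optional[str]]
# (record id, field, old value, new value, maker, checker or None)

# Constructed file-maintenance audit trail
MAINTENANCE_LOG: List[MaintenanceEntry] = [
    ("LN-1001", "DUE_DATE", "2006-03-31", "2006-09-30", "clerk07", "officer02"),
    ("LN-1002", "DUE_DATE", "2006-04-15", "2006-04-15", "clerk07", "officer02"),  # no change
    ("LN-1003", "DUE_DATE", "2006-05-31", "2006-11-30", "clerk07", "clerk07"),    # self-approved
    ("AC-2001", "ADDRESS", "12 Main St", "PO Box 991", "clerk11", None),           # never approved
    ("AC-2002", "INT_RATE", "7.50", "7.25", "clerk11", "officer05"),
    ("LN-1004", "DUE_DATE", "2006-06-30", "2006-06-15", "clerk03", "officer02"),   # brought forward
]

SENSITIVE_FIELDS = {"NAME", "ADDRESS"}  # assumed: the fields the study names as manipulated


def review(log: List[MaintenanceEntry]) -> List[Tuple[str, str]]:
    """Return (record id, reason) alerts; one entry can raise several."""
    alerts = []
    for rec_id, field, old, new, maker, checker in log:
        if old == new:
            continue  # nothing actually changed
        # input control: every change needs a second, independent pair of eyes
        if checker is None:
            alerts.append((rec_id, "no independent approval"))
        elif checker == maker:
            alerts.append((rec_id, "maker and checker identical"))
        # fraud patterns from the study
        if field == "DUE_DATE" and date.fromisoformat(new) > date.fromisoformat(old):
            alerts.append((rec_id, "loan due date extended"))
        if field in SENSITIVE_FIELDS:
            alerts.append((rec_id, f"{field.lower()} changed"))
    return alerts


def records_for_review(log: List[MaintenanceEntry]) -> List[str]:
    """Distinct record ids an auditor should pull, sorted."""
    return sorted({rec_id for rec_id, _ in review(log)})


if __name__ == "__main__":
    for rec_id, reason in review(MAINTENANCE_LOG):
        print(f"{rec_id}: {reason}")
```

A due date brought forward (LN-1004) and an interest-rate change with proper approval (AC-2002) raise nothing, so the review concentrates on the handful of entries that match the study’s fraud profile or bypass dual control.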

Donn B. Parker, Senior Management Systems Consultant and
Researcher on computer crime and security, in a report for the National
Institute of Justice, US Department of Justice, identified 17 crime
techniques, the more significant of which are:
• Eavesdropping or Spying: This involves wire-tapping and
monitoring radio frequency emissions.
• Scanning: Scanning presents sequentially changing information to an
automated system to identify those items that receive a positive
response, such as:
    • Telephone Numbers
    • User IDs
    • Passwords
    • Credit Cards
• Masquerading: In this, the perpetrator assumes the identity of an
authorised computer user.
• Piggy-backing: This can occur when the user signs off or a
session terminates improperly. The terminal is left in an active
state or in a state where it is assumed that the user is still active.
• Data Diddling: It involves changing data before or during their
input into the computer.
• Trojan horse: It is a covert placement or alteration of computer
instructions or data in a program so that the computer performs
unauthorised functions. It is the primary method for inserting abusive
acts, as in salami techniques.
• Logic Bomb: It is an unauthorised set of program instructions
inserted into a regular program such that an unauthorised or
malicious act is perpetrated at a predetermined time.
• Data Leakage: It involves removal of data from a computer system
or facility.
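Two of Parker’s techniques have direct, mechanical countermeasures on the bank’s side: ‘scanning’ (one source presenting many user IDs until one answers positively) and ‘piggy-backing’ (a session left active after the user has walked away). The Python below is an added example, not from Parker’s report or from the dissertation: it parses a constructed login log, flags a source that fails against many distinct IDs inside a short window, replays the log through a per-account lockout (the same control that would have stopped the ATM code cracked after 99 attempts in the press report later in this chapter), and lists sessions idle past a timeout. The log layout, thresholds, session table and every sample record are assumptions made for the illustration.

```python
"""Added example (not from Parker's report or the dissertation): defender-side
checks for two of the techniques listed above, 'scanning' (one source trying
many IDs) and 'piggy-backing' (a session left active).  The log layout,
thresholds and every sample record are constructed for the illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

SCAN_WINDOW = timedelta(minutes=5)      # assumed
SCAN_MIN_FAILURES = 5                   # assumed
SCAN_MIN_DISTINCT_USERS = 3             # assumed
LOCKOUT_ATTEMPTS = 3                    # assumed: consecutive failures before lockout
IDLE_TIMEOUT = timedelta(minutes=10)    # assumed

# Constructed login log: "<ISO time> src=<address> user=<id> result=<OK|FAIL>"
SAMPLE_LOG = """\
2006-05-05T10:00:01 src=10.0.0.5 user=u1001 result=FAIL
2006-05-05T10:00:02 src=10.0.0.5 user=u1002 result=FAIL
2006-05-05T10:00:03 src=10.0.0.5 user=u1003 result=FAIL
2006-05-05T10:00:04 src=10.0.0.5 user=u1004 result=FAIL
2006-05-05T10:00:05 src=10.0.0.5 user=u1005 result=FAIL
2006-05-05T10:00:06 src=10.0.0.5 user=u1006 result=OK
2006-05-05T10:01:00 src=10.0.0.9 user=u2000 result=FAIL
2006-05-05T10:01:10 src=10.0.0.9 user=u2000 result=FAIL
2006-05-05T10:01:20 src=10.0.0.9 user=u2000 result=FAIL
2006-05-05T10:01:30 src=10.0.0.9 user=u2000 result=OK
2006-05-05T10:02:00 src=10.0.0.7 user=u3000 result=FAIL
2006-05-05T10:02:05 src=10.0.0.7 user=u3000 result=OK
"""

# Constructed session table: user -> time of last activity, and the clock now
SAMPLE_SESSIONS = {
    "u1006": datetime(2006, 5, 5, 10, 0, 6),
    "u2000": datetime(2006, 5, 5, 10, 25, 0),
}
NOW = datetime(2006, 5, 5, 10, 30, 0)


def parse_log(text: str) -> List[Dict]:
    """One dict per line with src, user, result and a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def detect_scanning(events: List[Dict]) -> Set[str]:
    """Sources whose failures in any SCAN_WINDOW span enough distinct user IDs.
    Per-account lockout never fires for this pattern, since each ID is tried once."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    flagged = set()
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > SCAN_WINDOW:
                start += 1  # slide the window forward
            window = fails[start:end + 1]
            users = {e["user"] for e in window}
            if len(window) >= SCAN_MIN_FAILURES and len(users) >= SCAN_MIN_DISTINCT_USERS:
                flagged.add(src)
                break
    return flagged


def apply_lockout(events: List[Dict]) -> Dict:
    """Replay the log through a per-account lockout; count attempts it would block."""
    consecutive = defaultdict(int)
    locked: Set[str] = set()
    blocked = 0
    for e in sorted(events, key=lambda e: e["ts"]):
        user = e["user"]
        if user in locked:
            blocked += 1  # even a correct password is refused once the account is locked
            continue
        if e["result"] == "FAIL":
            consecutive[user] += 1
            if consecutive[user] >= LOCKOUT_ATTEMPTS:
                locked.add(user)
        else:
            consecutive[user] = 0
    return {"locked": locked, "blocked_attempts": blocked}


def stale_sessions(sessions: Dict[str, datetime], now: datetime) -> List[str]:
    """Sessions idle past IDLE_TIMEOUT: terminate them so nobody can piggy-back."""
    return sorted(u for u, last in sessions.items() if now - last > IDLE_TIMEOUT)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("scanning sources:", detect_scanning(events))
    print("lockout:", apply_lockout(events))
    print("stale sessions:", stale_sessions(SAMPLE_SESSIONS, NOW))
```

The two detections are complementary: the per-account lockout catches repeated guessing against one account (u2000) but is blind to a scan that touches each account only once, which is why the source-based window check is needed as well.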
The National Center for Computer Crime Data, a Los Angeles-based
research organisation, has been providing information on computer
crimes.
The statistics relate to:
• Average computer crime losses;
• Victims of the computer crimes;
• Occupations of the computer crime defendants;
• Types of computer crime;
• Computer crime cases in courts.
Figure No. 3: Occupations of Computer Crime Defendants (bar chart; horizontal axis: Sources of Crimes – Employees (Acc. to Comp.), Ex-employees of victims, Unemployed or professionals, Students, Computer criminals, Accomplices, Law enforcers, Miscellaneous; vertical axis: No. of Cases; bar values as printed: 26, 26, 19, 10, 6, 6, 6, 1)


Figure No. 4: Types of Computer Crimes (pie chart; categories: Theft of money, Theft of services, Theft of information, Damage to software, Damage of hardware, Alteration of data, Extortion, Harassment)

It was seen that computer crime losses were very high, with theft of
services and money contributing the maximum. Commercial users topped the list
of computer crime victims.

Figure No. 5: Average Computer Crime Losses (bar chart: Theft of money $93,600; Theft of program / data $55,166; Damage to system / data $10,517)


Figure No. 6: Victims of Computer Crimes (bar chart; horizontal axis: Victims of Computer Crimes – Commercial users, Banks, Individuals, Universities, Government, Telecommunications, Miscellaneous; vertical axis: % of cases; bar values as printed: 36, 17, 17, 12, 12, 4, 2)

Technology improvements provide greater sophistication for users.
However, they also create significant security and control concerns. It is also of
great concern that a computer criminal is less likely to be caught than a bank
robber. Parker conducted two studies on general and computer bank frauds and
embezzlement respectively in 1976. The two studies revealed that average losses
from computer bank frauds and embezzlement were approximately six times
higher than those from general bank frauds.

• Computer crimes in India
In India, although computers made an entry much later, we are catching up
fast in the area of computer frauds, too. However, most of the crimes do not
get reported as the organisations are hesitant to file a report as it might affect
their credibility.
Figure No. 7: Computer Crime Cases in Courts (pie chart: Pleaded guilty 76%, Found not guilty 16%, Found guilty 8%)

A few of the reported cases in the press are mentioned below:

• The Hindu, on March 7, 1996, carried a report, ‘Quantum jump in the number
of bank frauds’, according to which Mr. R Janakiraman, former deputy governor,
Reserve Bank of India, while addressing a session on frauds in banks and other
financial institutions – prevention and detection, organised by the Institute of
Criminological Research, Education and Services (ICRES), observed that the frauds
committed by the bank employees in collusion with outsiders accounted for
the largest number of frauds rather than those committed single-handedly
either by the bank employees or outsiders.
• India Today, in its February 28, 1999 issue, carried a report,
‘High-tech frauds – Thieving with technology’.
• The Economic Times report ‘Banks feel techno-crime byte’, dated December 19,
1996, mentioned how Sanjay Subharwal and his accomplice cracked the Automatic
Teller Machine (ATM) code of his sister-in-law’s account after 99 attempts and
siphoned off Rs. 1.52 lakh.
• The Economic Times dated January 12, 1997 stated: “The days of Nagarwallas
using VVIP names to withdraw millions from a bank are old hat.”
• India Today, in one of its issues, in a report titled “Hacking New Frontiers”,
wrote: “R. Srinivasan’s employers, a stock broking firm in Chennai, were very happy
with him and his proficiency in their new computers. He brought in new
clients and increased the volume of shares traded. But the company was losing
heavily on share transactions. A few months later, the managers found out
why: Srinivasan’s “clients” were no more than electronic entities, existing
only on the pathways of their computers. Losses: Rs. 50 lakh.”

Giving another example, the report says:

“No one knew when account no. 20456 became active. The Bank of India’s
computer at Mumbai’s Mulund branch only recorded that its owner Ganesh
Rao had drawn Rs. 76,700 since February. So when Rao was overdrawing on
April 3, they took a second look at him. Before them was Sanjay Rajbhar, a
computer professional who ran a network controlling accounts in a bank that
still maintains huge, yellowing ledgers. Rajbhar had found a defunct account
and resurrected it with a few key-strokes.”
Technology is a strategic resource available at a cost albeit with an altered
risk-benefit matrix.
--- Ashok Bhattacharya
General Manager – Technology, State Bank of Mysore.

Technology has become the backbone of human civilisation. Technology,
its concepts, gadgets and formulations are matters of common use spanning
drawing rooms of our residences to board rooms of corporates, to halls of
deliberations at the United Nations (UN). Though technology and its applications
have remained the subject of debates from time to time, the contribution of
technology in the fields of business, health, education, entertainment, information
and communication and, of course, banking is growing day by day. For most of
us, it is no more a question of whether to use technology or not, it is more a
question of how to exercise our options in using technology. Which, when and
what-if are some of the major questions that banks and the financial services industry
have to consider to roll out technology, maintain it and upgrade the same. Indeed,
strategic use of IT is the vital part of business intelligence that banks are relying
upon for growth and viability to face the competition, and this reliance will be
sharpened in the days to come in order to handle Customer Relationship
Management (CRM) issues effectively.

Public Sector Banks (PSBs), which have large portfolios in terms of
business and employment, are in various stages of migrating to new systems. As a
matter of fact, this new strategic system may generally be identified with “Core
Banking” aided by ATM networks and other e-processes. Some of the important
features of such migration / upgradation are:
• From distributed / stand-alone banking to core banking / anywhere banking.
• Alternative delivery channels like ATMs, Internet Banking, Credit Cards,
Smart Cards and Kiosks.
• Cross-selling products like insurance, money market and other financial
products.
• Use of multimedia, online help and assistance.
• Electronic Fund Transfers (EFT).
• Digitisation of data, online encryption and straight-through processing.
• Business Continuity and Risk Mitigation including KYC (Know Your
Customer) and AML (Anti-Money Laundering) implementation.
• Online trading, settlement, treasury, domestic and cross-border
transactions.
• Data Warehousing, MIS and Business Intelligence – Decision Support
System.
• Intra-bank email systems, which incidentally revolutionised banks’
internal communications, introducing online knowledge repositories, training /
applicable instructions / job cards, etc.
• Considering that technology is a risk multiplier both in operations and
business, a properly manned and sophisticated disaster recovery process is put
in place.

This quantum jump in technology envelopes the whole organisational
entity, its activities, interfaces and all stakeholders. For a large organisation like a
PSB, on the backdrop of which the present article is based, having about 650
retail branches, business transactions exceeding Rs. 30,000 cr. and providing direct
employment to about 10,000 persons, automation decisions are size-oriented.
Sizes of operations have a critical bearing on choice, cost and consequences of the
IT projects.

The general method adopted by PSBs is to make a preliminary survey of
actual functional systems in various other banks, appoint consultants and arrive at
desired specifications of the system to be procured, and then go for tendering for
suitable software / hardware and related services. All PSBs follow the Central
Vigilance Commission’s (CVC) guidelines in selecting the final vendor for
software, hardware accessories and maintenance thereof. It may be mentioned
here that a precise cost benefit analysis may not always be feasible, as
technological upgradation, new technology, etc. are mostly required to remain in
the market and / or to retain market share.
Notwithstanding the same, while selecting technology and finalising the roll
out plan, PSBs do take care of the following factors:
• New technology will bring in new risks and, accordingly, the cost,
benefit and risks of the new technology need to be considered and
optimised for maximum productivity.
• The life of the technology is also becoming shorter and shorter. For
this reason banks / financial institutions also need to be ready with
resources and to plough back revenue enhancements so that systems
can be replaced before they become totally obsolete.
• The agreements to purchase / hire services and the service level
agreements must each be legally sound as well as technologically feasible, so
that buyers can use the system as required by them and vendor failures are
avoided.
• At this stage, banks / financial institutions may also finalise the
process of User Acceptance Test (UAT) that they would like to follow
before commercial roll out of the system at the branches / offices. This
is very important and must be developed with a professional approach,
as otherwise banks will suffer avoidable pangs and costs of
customisation in high-risk situations.
• If the system purchased is on a turnkey basis, then the confidence level of
such UAT should be very high.
• It would also be pragmatic for the bank to prepare an
action plan for converting fixed costs to take full advantage of the new
technology / upgradation. Suitable steps should be taken to remove road blocks
which prevent such conversion / replacement.

Based on the above components, below are the schematic triangles of
concerns that bankers / financial institutions would do well to keep in mind while
selecting / rolling out expensive and all-encompassing technologies.

Figure No. 8: TCO Analysis

No doubt, the implementation of a new system, say, Core Banking
Solutions (CBS), that is now being set up in most of the banks will enhance
banking services in a visible manner. The customers of a branch now become the
customers of the whole bank. Speed and accuracy of transaction processing,
money transfers, remittances, local and national clearing all get enhanced,
enabling the bank to handle more transactions with the cost per transaction
coming down to a great extent. Thus, CBS coupled with an
ATM network, Internet Banking and Real Time Gross Settlement (RTGS)
gives the customer the facility of doing business with the bank round the clock
without visiting the bank’s branch. Internet Banking is very popular with young
clientele as utility payments, travel arrangements, bill payments and even
purchase of cinema tickets can be done sitting at home or at the office.
As RTGS has also been enabled in many commercial bank branches, the
reach of the Electronic Funds Transfer System (EFTS) now stands highly enhanced.
It is clearly visible that technology is a strategic resource available at a cost, albeit
with an altered risk – benefit matrix. As a matter of fact, every upgradation of
technology may become a risk multiplier if appropriate risk mitigation steps have
not been embedded in the system and provided for in the handling procedure itself.
One of the risk areas is “outsourcing”, in which, because of considerations of core
competency and costs, outsourcing of all technological inputs, including hiring of
hardware, software and liveware, is resorted to. Business Process Outsourcing (BPO)
has become a mantra in most of the private enterprises, which have high
adaptability to new technologies. Even there, appropriate levels of agreement are
reached and roadblocks set up to prevent control of the business passing from the
hands of management to the hands of the BPO.

In commercial banks, outsourcing is mainly done to obtain assistance
wherever they lack the core competency to handle highly technological jobs, including
troubleshooting of IT systems. Here also, many banks have tried to use in-house
people to maintain their systems, but this mostly resulted in a legacy of problems
creating handicaps for the bank in moving speedily to new technology platforms.
Outsourcing of technological services, at least to launch an IT project, is quite
common in today’s banking industry. Banks have been asked by regulators to finalise a
policy on outsourcing so that the risks of outsourcing critical basic applications are
managed properly.

Further, the salary structures of PSBs also do not permit employment of
highly qualified experts in the area of technology. Recently, SBI and TCS have
joined hands to float a separate company, which presumably will not have such
salary and perquisite constraints and would, therefore, be able to retain
technical experts for a reasonable time. It may also be noted that new technologies
invariably give rise to new opportunities, which can be harnessed under the
general expression of Business Process Re-engineering (BPR). The CBS, which
operates on a centralised data and information reservoir, has the ability to
convert a branch customer into a bank customer and, thereby, make it possible to
turn many hitherto distributed banking activities into centralised activities.
Banks are coming up with outlets, Centralised Processing Units (CPUs), where all
loan processing, renewal and documentation for all branches are done, leaving
branches free for marketing and the business of cross-selling. Banks that have rolled
out CBS find a grand by-product opportunity to take such B2C initiatives, which
have vastly improved credit appraisal, disbursement, documentation, deposit
mobilisation, cheque and customer instruction processing.

As an example, it may be elaborated that, previously, all cheques in
clearing would come to the branches for verification of signature, balances and
payment thereof. But now, service branches have all this information on the
screen itself and cheques need not travel to the branches, thus eliminating time
and ensuring quality. This new technology or new system is highly successful
when it meets the following criteria:
• Increase in revenue / volume of business
• Reduction of cost of operations
• Reduction in delivery time for most B2C transactions
• Improving general customer service and loyalty of customers
Most of the banks and financial institutions and even insurance companies
that are using high level of IT are endeavoring to measure success of their
investment decisions by actual movement of the above factors. The beneficial
impact of modern day technology has ushered in a new era in services available to
bank customers. Some such features are: transacting from any branch;
specialised collections, remittances and fund transfers; 24 / 7 banking through
ATMs and Internet banking; automated payments; Automated Standing
Instructions (ASIs); using the bank’s Web portals for latest rates, new products and
terms; submission of stock and other statements by loan account customers; and, with
the RTGS facility, funds transfer to accounts with other banks has also become
possible.
While technology (to be more precise, information and Internet
technology) has brought in metamorphic changes in the area of banking and
financial services, problems do persist in various areas – some are new, some also
suffer from aggregation of risk owing to change in technology. Having rolled out
CBS – the latest in banking technology – in 100% of our branches along with a
network of ATMs, Internet Banking, RTGS, etc., we find many problems which, if
handled either before installation or immediately on roll out, would strengthen the
bank’s delivery, customer satisfaction and bottom line. Some such problem areas
are as under:
• Biometric Access Control
In spite of decades of history of full computerisation in banks, even under
CBS, most banks’ internal access control is based on individual ID and password.
Abuse of this system in a large organisation is well-known and difficult to
combat; thus, the system needs to be replaced by a biometric system – preferably,
the ID of each individual employee of the bank should be replaced by his / her fingerprints.
It would then be easier to track and eliminate all possible abuses or mistakes.
• UAT
We have mentioned the importance of UAT earlier. It is reiterated that,
though PSBs know fully well their inputs and the required outputs, data for
testing new systems comprehensively are not generally available. Banks are
depending on the vendor’s expertise in these matters and generally mistakes are
rectified through trial and error. In this context, auditability of systems assumes
considerable importance.
• MIS Data Warehousing
Generally, CBS available in the market may not come with a full-blown
MIS or data warehousing capability. These need to be developed or the existing
one has to be integrated.
• Input Control / Output Reports
The CBS is a platform mainly for handling Bank to Customer (B2C)
transactions. Normally, no problem is envisaged from transactions to reporting
level which has gone through a proper UAT. But large banks always find it quite
difficult to ensure full accuracy at the input levels. Errors of input, mapping and
legacy problems at the granular level create data integrity problems.
• Variability of Cost
The success of new technology lies in harnessing its ability to cut down
transaction cost, as also replacing fixed cost by variable cost. But this is not
happening at the required place and time and often new technology represents
additional cost without reduction of the fixed cost already existing.
• Captive users
Some of the major problems have come up in the fact that banks that have
selected, and installed new technology have become captive users of the vendors.
This problem may further accentuate in the absence of proper service level
agreements.
• Attrition
Many of the bank staff members who have adopted and quickly mastered
new technology may be leaving the bank for better offers, creating gaps for
day-to-day management.
• Service Level Agreements (SLAs)
However, many of these problems are not insurmountable, but definitely
controllable. With appropriate planning and consultation they can be managed,
subject to the existence of appropriate agreement of hiring / purchasing /
outsourcing and SLAs. A professional arrangement in this area will ensure
continuity of vendor’s stake, which is important.
• Systems and Operation, Documentation / Manuals
In the new system, fully developed documentation should be available.
Online help generally does not meet the requirement of users. Sometimes, these
are not available and vendors themselves suffer from attrition, thus creating a
somewhat chaotic situation during the commercial run of the system, which may
degenerate unless appropriate control and administration is exercised. Prevention
is always better than cure.
• B2B / Government Business, etc.
A large part of a bank’s business is treasury management, and bank to
bank transactions, including multi- currency transactions. Some of the PSBs are
also entrusted to do government business. Most of these core banking systems do
not have proper modules where such transactions and transactional MIS can be
processed simultaneously. The additional requirements need to be anticipated and
negotiated with the vendors at the opportune time. Suitable middleware can be
used in this regard.

“India is a software powerhouse. But its IT security practices are
pathetic and consumers should beware”
--- Sucheta Dalal – Consulting Editor of MONEYLIFE

Last June an employee with Hong Kong Bank in Bangalore was arrested
following an investigation into a theft of pound sterling 230,000 from a British
customer’s account. Earlier this month, Channel 4 of London controversially
claimed that “credit card data, along with the passport and driving license
numbers, are being stolen from call centers in India and sold to the highest
bidder”.
A survey on the Global State of the IS 2006, by
www.CSOonline.com says: “Most executives with security responsibilities have
made little or no progress in implementing strategic measures that could have
prevented many of the security mishaps reported this year. Only 37% of
respondents said they have an overall security strategy”. Worse, “a large
proportion of security executives admitted they are not in compliance with
regulations that specifically dictate security measures their organisation must
undertake” even though the consequences were stiff penalties, including prison
sentences, for the executives. The study by CSO, CIO and PricewaterhouseCoopers
(PwC) covered 7,791 respondents in 50 countries.
While things are pretty bad on the global IT security front, they are worse in
India. The study says: “One of the most unsettling findings in this year’s study
is the sad state of security in India, by a wide margin the world’s primary locus
for IT outsourcing. India lags far behind the rest of the biggest IT powerhouses
in the world; these findings should cause considerable concern. Many survey
respondents in India admitted to not adhering to the most routine security
practices. Extortion, fraud and intellectual property theft that occurred last
year are double and even quadruple those of the rest of the world. Nearly one in
three Indian organisations suffered some financial loss because of a cyber attack
last year, compared with one in five worldwide and one out of eight in the United
States.”
According to CSOonline.com, “The problem is obvious, but right now it’s
apparently easier to ignore than to address. Harder to ignore is the constant news
of large organisations losing laptops packed with unencrypted personal data on
millions of customers. Every report of such incidents should motivate companies
to tighten security, but every year the survey indicates that’s not happening.”

2.4 The IS Scenario in India

Banking institutions are becoming more and more conscious of IS, taking into
consideration the scams that have occurred in the past and continue to occur
today. A flood of new security attacks targeting banking customers over the last
twelve months has forced organisations and regulatory bodies to introduce new
directives and methodologies, such as the recommended use of two-factor
authentication by online banks by the end of 2006. These groups believe that
single-factor authentication (the use of a username and password) is now
inadequate to protect users against recent internet scams such as Phishing,
Pharming and RAT attacks. By the end of 2006, many Asian online banks will be
required to implement the new directives covering two-factor authentication,
which adds a factor relying on something the consumer has, such as a token or
smartcard. This would help identify the individual more reliably. Introducing the
methodology in a relatively short span of time would be the next big challenge
faced by the banks. They would also have to ensure that the chosen method is
convenient enough for broad consumer adoption while keeping costs down.
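The token-based second factor described above, shown as an added illustration that is not taken from the dissertation or from any bank’s system: an HMAC-based one-time password (HOTP, RFC 4226) of the kind a hardware token generates, the bank-side check with a small look-ahead window and replay rejection, and the combined password-plus-token login. The account record, the salt and the token secret (the RFC 4226 test-vector key) are constructed for the example.

```python
import hashlib
import hmac
import struct

# RFC 4226 HOTP: the token and the bank share a secret and a counter; each
# press of the token produces the code for the next counter value.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_hotp(secret: bytes, submitted: str, counter: int, window: int = 5):
    """Bank-side check. Returns the counter to store next if `submitted`
    matches one of the next `window` counter values, else None. Codes for
    counters already consumed are never accepted, so a code captured by a
    phisher is useless once the customer's next code has been used."""
    for step in range(window):
        if hmac.compare_digest(hotp(secret, counter + step), submitted):
            return counter + step + 1      # resynchronise past the used value
    return None

# Constructed salt; a production system stores a random salt per account.
SALT = b"constructed-example-salt"

def pw_hash(password: str) -> bytes:
    """Slow, salted password hash (first factor: something the customer knows)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed account record; the token secret is the RFC 4226 test vector key.
SECRET = b"12345678901234567890"
ACCOUNT = {
    "password_hash": pw_hash("correct horse"),
    "token_secret": SECRET,
    "token_counter": 0,
}

def login(account: dict, password: str, otp: str) -> bool:
    """Two-factor login: password (something known) plus the code from the
    customer's token (something possessed). Both factors are always checked
    so that a failure reveals nothing about which one was wrong."""
    pw_ok = hmac.compare_digest(pw_hash(password), account["password_hash"])
    new_counter = verify_hotp(account["token_secret"], otp, account["token_counter"])
    if not (pw_ok and new_counter is not None):
        return False                        # fail closed
    account["token_counter"] = new_counter  # advance only on success
    return True

if __name__ == "__main__":
    code = hotp(SECRET, 0)                  # what the token would display first
    print("token shows", code, "login:", login(ACCOUNT, "correct horse", code))
    print("replaying the same code:", login(ACCOUNT, "correct horse", code))
```

The window lets a token that was pressed a few times without being used resynchronise, while the stored counter guarantees that a code can succeed at most once.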
Banks in India need to be complimented on the inculcation of technology in a
large way in their day-to-day operations. In a short span of less than two
decades, customers of the banks have felt the positive impact of technological
solutions implemented by banks. The customer of a bank has a virtual menu of
options as far as delivery channels are concerned, and all these are the benefits
of technology, with the most visible benefits occurring in the area of payments
for retail transactions. A variety of Cards, Automated Teller Machines (ATMs),
Electronic Based Fund Transfers (EFT), Internet Banking and Mobile Banking are
some of the latest technology-based payment solutions, which have gained wide
acceptance in the Indian banking arena.
While addressing a critical topic such as technology, which has today become a
basic necessity rather than a luxury in the banking sector, the various
components must be examined which comprise the building blocks on which banking
will function tomorrow. I would, therefore, list some of the major aspects which
appear to be the cornerstones of the road that we are paving, so that the
highway ensures free, safe and secure conduct of banking services and business.
Technology implementation comes with its attendant requirements too. A few major
aspects which need to be reckoned with relate to the
• Need for standardisation – across hardware, operating systems, system
software and application software, to facilitate inter-connectivity of systems
across branches.
• Need for high levels of security – in an environment which requires high
levels of confidentiality, IS is an important requirement.
• Need for a technology plan which has to be periodically monitored and also
upgraded consequent upon changes in the technology itself.
• Need for business process re-engineering with large-scale usage of computers
– the objective is not merely to mechanise activities but to realise the
holistic benefits of computerisation for both the customer and the staff at the
branches.
• Sharing of technology experiences and expertise so as to reap the benefits of
the technology implementation across a wider community.

With technological solutions rapidly evolving, more new products and services may
soon become the order of the day. This technology evolution needs to be
thoroughly supported by IS practices and procedures in order to avoid the chaos
that would otherwise result.
Prominent among the attendant challenges is the paradigm shift in the concept of
security. With delivery channels for funds-based services, such as the electronic
movement of funds between different accounts of customers, now relying on
technology, the requirements relating to security also need to undergo a
metamorphosis at a rapid pace.
Various concepts, such as digital signatures, certification, and storage of
information in a secure and tamper-proof manner, all assume significance and
have to become part of the practices and procedures in the day-to-day
functioning of the banks of tomorrow.
Security requirements have to be provided from a two-pronged perspective: first
for the internal requirements of the banks themselves, and second for the legal
requirements of the laws of the land. It is indeed a matter of satisfaction that
the ‘INFINET’ (Indian Financial Network) is a safe, secure and efficient
communications network for the exclusive use of the banking sector, which
provides for inter-bank communication.

7: Abstract from the Address by Shri. V. Leeladhar, Deputy Governor, Reserve Bank of India at the IT@BFSI- 200 Conclave, Bangalore, on June 9, 2005.


The key advantage of ‘INFINET’ is its own security framework in the form of the
‘PUBLIC KEY INFRASTRUCTURE’ (PKI), which is in conformity with the provisions of
the Information Technology Act, 2000. Several large financial institutions are
now starting to implement two-factor authentication to re-establish trust with
their users, fearing that if nothing is done profits will be lost, customer
confidence will drop, and brand image will suffer in the long run.
“At YES BANK, our priority is delivering solutions that take into account
present and future customer needs,” said H. Srikrishnan, CIO and Executive
Director, YES BANK. “We identified that current and prospective customers have
access to a PC with a reliable bandwidth connection, but a key concern was the
ability for us to guarantee a high level of security, giving them the confidence to
use Internet banking without the worry of fraud or theft. Thus, our priority was
addressing this issue and identifying a solution, which would improve customer
confidence and provide a reliable and user-friendly experience.”
According to recent surveys conducted by various IS organisations, identity
theft now looms larger than any other kind of crime worldwide.

Currently the IS implementation in banks suffers from deficiencies such as:

• A comprehensive Security Risk Assessment is not being conducted before
drafting a security policy for the bank.
• The Acceptable Usage Policy (AUP) is not communicated to all staff of the
bank.
• The scope of Information Systems Audit at branches is restricted to checklist
audits.
• A defined Vulnerability Assessment Policy has not been set out for the data
centres of banks.

8: http://www.securitypark.co.uk/article.asp?articleid=25068andCategoryID=1; access date: August 26, 2006


ICICI Bank Phishing scam targets customers in India
Phishing is a relatively new phenomenon in India, though the United States, South
America and Europe have been reeling under its impact for years now. The new scam
mail targets the Indian customer, who is rather soft in terms of awareness of such
activities, and follows a contemporary trend in the international online arena. It
tells users that a popular bank is updating its online security mechanism, so the
user should key in his information on the website that the fake email leads him to!
Security Analysts at (name undisclosed), an Internet Security company, warn that
a Phishing mail in the name of one of India’s leading banks, ICICI, has been found
to be spammed to targeted user groups for the last couple of weeks, aiming at
sensitive financial information.
The mail reads that ICICI Bank is upgrading to a new SSL Server to insulate
customers against online theft and other related criminal activities. Users are
told to confirm their personal banking information by following the link given in
the mail. It also warns that if the user does not complete the form, the online
bank account will be suspended till further notification. Once the user clicks on
the link, he is taken to a bogus website that looks identical to the original one,
where he is made to part with his account number, password and PIN number.
Phishing is the cyber form of ‘Identity Theft’ using fake spam emails and fake
websites of reputed financial organisations. You receive an email that seems to be
coming from a reputed bank, credit card firm, Auction website or any other financial
institution. The message tries one of the several tricks to induce you to click on the link
provided in the email and gets you to reveal your personal information. This stolen
information is used for sophisticated Online Robbery, Identity theft and other Internet
related crimes.
The Anti-Phishing Working Group, an industry consortium formed to fight this mode
of crime, says the attacks in recent months were double those reported in the
same months last year. With e-commerce growing rapidly, Phishing attempts may
grow manifold this year, faking more brands and institutions to loot more victims
around the globe.
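The indicators the article describes (a link that leads somewhere other than the bank, a bogus look-alike page, and the threat of suspension) can be checked mechanically on incoming mail before it reaches a customer or a staff mailbox. The following is an added example written for this discussion, not part of the original article or of any bank’s mail filter; examplebank.example, the TEST-NET address 192.0.2.10 and both sample messages are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases typical of the "confirm your details or be suspended" lure.
URGENCY = re.compile(r"suspend|confirm your|verify your|within 24 hours|immediately", re.I)
# Link text that itself looks like a URL or a bare domain name.
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> plus all visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._buf = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def analyse_mail(html: str, legit_domain: str) -> list:
    """Return the phishing indicators found in an HTML mail body.
    `legit_domain` is the bank's real domain; links elsewhere are flagged."""
    p = _LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        host = _host_of(href)
        if _is_ip(host):
            findings.append(f"link points to a raw IP address: {href}")
        elif host != legit_domain and not host.endswith("." + legit_domain):
            findings.append(f"link host {host!r} is outside {legit_domain}: {href}")
        # The displayed URL and the real target disagree: the classic lure.
        if LOOKS_LIKE_URL.match(text) and _host_of(text) != host:
            findings.append(f"link text shows {text!r} but target host is {host!r}")
    if URGENCY.search("".join(p.text)):
        findings.append("urgency or account-suspension language in body")
    return findings

# Constructed sample mails (not real messages); examplebank.example is a placeholder.
PHISHING_MAIL = """<html><body>
<p>Dear customer, we are upgrading to a new SSL server. Please confirm your
details within 24 hours or your online account will be suspended.</p>
<p><a href="http://192.0.2.10/examplebank/login">https://www.examplebank.example/secure</a></p>
</body></html>"""

LEGITIMATE_MAIL = """<html><body>
<p>Your monthly statement is ready.</p>
<p><a href="https://www.examplebank.example/statements">View statements</a></p>
</body></html>"""

if __name__ == "__main__":
    for name, mail in (("phishing", PHISHING_MAIL), ("legitimate", LEGITIMATE_MAIL)):
        print(name, analyse_mail(mail, "examplebank.example"))
```

Three independent signals fire on the constructed lure (raw IP target, mismatch between displayed and real link, urgency wording) and none on the routine statement notice; a gateway would normally quarantine or tag on any one of them and let a human review the rest.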
2.5 Understanding Information Security (IS)
In view of the critical implications of Information Security (IS) for banks and
financial institutions, it is necessary to emphasise that the management of the
bank should have a good understanding of the IS risks.

• IS is not only the concern of the Information Technology Department but of
the entire organisation. It is said that “Security in an organisation is as
strong as its weakest link”. Hence, each and every user of information, right
from the senior management to the clerk in the branch, has to be involved in any
security initiative taken by the bank. This means that they have to be aware of
the security threats and should practise the laid-down policies and procedures.

• IS Policy has to be aligned to the business objectives by a proper IS Risk
Assessment. This means that the risks identified and measured during a
structured IS Risk Assessment should be mitigated with effective security policy
and procedures.

• IS Policy cannot be the same for all banks despite there being similarities in
their business functions. This is because each bank has its own unique risks,
which may be multidimensional considering its locations, its services, its
business goals and its technical infrastructure.

• Banks can optimise their resource spending in IS by strategising their
security spending to mitigate the high-impact risks identified during their IS
Risk Assessment. Hence, IS should be seen as an investment.

• Security Audits at branches need to be conducted by qualified personnel, as
they need to encompass an audit through the computer.

• IS rests on the CIA principle (confidentiality, integrity and availability).
Hence, in every decision, the security requirement of CIA has to be observed.

• IS Risk Assessment is not restricted to Vulnerability Assessment of the
technical infrastructure but extends to identifying critical assets, their
threats and organisational vulnerabilities. It also includes Business Impact
Analysis (BIA), measuring risks and suggesting appropriate controls.

2.6 Spending patterns (Technologically and Financially)


According to the Gartner report on IT spending of financial services, the
worldwide financial sector spends about US$ 129 billion annually on IT services.

The Worldwide Financial Services Industry Spends about $129 billion Annually on IT Services

Worldwide financial services IT services spending ($ billion), CAGR 6.3%:

FY 02   FY 03   FY 04   FY 05   FY 06   FY 07
114     123     129     136     145     154

Source – Gartner (Financial Services IT Services – Key Facts)

Figure No. 9: IT Spending Patterns


According to a report from the Indian Institute of Information Technology, the
application of Information and Communication Technology to the banking sector
has been growing in the recent past. IT spending by the BFSI segment jumped by a
healthy 18 percent during 2002-03 to touch Rs. 60 billion (US $1.24 billion).
Indian banks spend an estimated Rs. 1.5 billion each, on average, on software and
hardware for core and internet banking services. According to industry estimates,
the BFSI segment accounts for around 10 percent of the total IT industry and
about 28 percent of the domestic IT market. Spending by the BFSI segment is
expected to jump to Rs. 98 billion during the 2004-05 fiscal. The main driver for
the increasing use of IT in banking is the need to cater to the growing and
changing expectations of customers, who relentlessly demand continuous
improvement in the quality of services offered, reduction in charges and access to
new products. In the context of global competition, the banks have to use other
factors to facilitate the increasing IT investments. The Central Vigilance
Commission lays down certain statutory requirements for banks in this regard,
i.e. to achieve 100% branch computerisation and the availability of certification
services for ensuring the security of electronic transactions, with an eye on the
growing size, complexity and integrity of the financial markets.
Technological advancements bring along concerns about the privacy,
confidentiality and integrity of information. It is being seen that such concerns
have a major impact on the functioning and existence of banks and financial
institutions. While many banks in India have taken steps to improve their IS,
much still remains to be achieved.
It is often perceived by the management of banks that IS is technical and
complex. Contrary to this, IS is similar to any other area of managerial
decision-making. Further, IS investment should also yield a return on investment.
This is to be achieved by an effective IS Risk Assessment.
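A small worked example, added here and not taken from the dissertation or from the cited white paper, of the structured IS Risk Assessment that section 2.5 and the paragraph above call for: a risk register scored on likelihood and on impact from the BIA, ranked so that spending goes to the high-impact risks first, each risk mapped to one of the four treatments (mitigate, transfer, avoid, accept) named in Chapter 3, and a return-on-security-investment figure using the standard annualised loss expectancy formula (ALE = SLE x ARO). The scoring thresholds, the register entries and the rupee figures are constructed assumptions, not survey data.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int          # 1 (rare) .. 5 (almost certain) per year
    impact: int              # 1 (negligible) .. 5 (severe), taken from the BIA
    optional: bool = False   # True if the activity exposing the asset can be dropped

    @property
    def score(self) -> int:
        return self.likelihood * self.impact        # 1 .. 25

def recommend_treatment(risk: Risk, appetite: int = 6) -> str:
    """Map a scored risk to mitigate / transfer / avoid / accept.
    `appetite` is the highest score the board will carry untreated (assumed 6)."""
    if risk.impact >= 4 and risk.likelihood <= 2:
        return "transfer"    # rare but severe: insure or shift by contract
    if risk.score <= appetite:
        return "accept"
    if risk.optional and risk.score >= 15:
        return "avoid"       # high risk from an activity the bank can discontinue
    return "mitigate"        # apply controls, then re-score

def rank_register(register: list) -> list:
    """Highest-scoring risks first, so security spending targets them."""
    return sorted(register, key=lambda r: r.score, reverse=True)

def annualised_loss(single_loss: float, annual_rate: float) -> float:
    """ALE = SLE x ARO: expected yearly loss from one risk."""
    return single_loss * annual_rate

def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment: (loss avoided - control cost) / control cost."""
    return (ale_before - ale_after - control_cost) / control_cost

def assess(register: list) -> list:
    """Return (asset, threat, score, treatment) tuples in priority order."""
    return [(r.asset, r.threat, r.score, recommend_treatment(r))
            for r in rank_register(register)]

# Constructed register; every entry is illustrative.
REGISTER = [
    Risk("core banking database", "malware outbreak", likelihood=4, impact=5),
    Risk("branch laptops", "theft of unencrypted laptop", likelihood=3, impact=4),
    Risk("primary data centre", "flood", likelihood=1, impact=5),
    Risk("public website", "defacement", likelihood=2, impact=2),
    Risk("vendor dial-in modem", "unauthorised access", likelihood=4, impact=4, optional=True),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
    # Laptop encryption as a control: same theft rate, far smaller loss per incident
    # (constructed rupee figures).
    before = annualised_loss(single_loss=500_000, annual_rate=3)
    after = annualised_loss(single_loss=50_000, annual_rate=3)
    print("ROSI of laptop encryption:", rosi(before, after, control_cost=400_000))
```

The treatment rules encode the policy in the text: accept only what sits under the board’s appetite, transfer what is rare but catastrophic, avoid an optional activity whose risk is high, and mitigate the rest. The ROSI figure is what lets management demand a return on IS spending rather than treating it as a cost.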

9: Implementing IS in Banks: http://www.sisa.co.in/images/PDF/WhitePaper_ImplementingISinBanks.pdf


2.7 CTO/ CIO’s viewpoint
“The best way to approach IS is from the business side – ask what the business
need is, assess the risk and fashion a risk mitigation strategy that fits”.
-- S Krishna Kumar, GM (IT) and CISO, SBI.

Devising an appropriate and suitable security strategy depends upon several
aspects, such as the breadth of the organisation’s business, the volume of
transactions per day/month, the scale of operation (number of years in the
current business), the necessity of data migration, competition in the sector,
etc.

Processes
• Upper management buy-in
• Concept of six pillars of safety: governance, structure, risk assessment,
risk management, communication and compliance.
• Policy approval at board level
• Risk mitigation processes
• Documented standards and procedures
• Management overview for controllers
• Service Level Agreement (SLA) monitoring
Technology
• Firewall
• Anti-virus
• IDS (Intrusion Detection Systems)
• Management Tools

Table No.2: Risk Mitigation Strategy

The security strategy must be in-line with the business needs and the
complexities, so as to prove holistic in approach and should include all the
components needed for the IS program.
“IS has commitment and support at the highest level in the organisation.
The state of IS is periodically reviewed by the top management.”

All the pillars are equally critical in providing IS assurance, rather than
merely focusing on the security products and penetration tests. IS derives its
strength from the highest authority, the board, which has approved the bank’s IS
policies and provided direction and support mechanisms to evolve the required
standards and procedures.
“Risk mitigation is not a one-size-fits-all process, and takes different
routes depending on the risk and business imperatives. This needs to be devised
after considering business needs vis-à-vis security controls. Being a financial
organisation, the banks are subject to a number of regulations, both internal and
external in nature. These are considered an integral part of the Security
Architecture.”
“It is necessary that all the personnel across the business understand the
underlying philosophy and basis of the security policy. Merely writing a security
policy and sending it to the different departments will never succeed.”
“It is not good enough to have just the performance levels specified in a
Service Level Agreement (SLA). The organisation should also be able to measure
service levels, use appropriate measurement metrics, build adequate deterrents
against under-performance and monitor the performance of all the outsourcing
agreements.”
Business Continuity and Disaster planning are of great importance in the IS
Strategy or Program. On this, Mr. Kumar observes “that a Disaster Recovery (DR)
system has been set up for critical applications in a different city and
periodic mock drills are conducted.”
“An important but often neglected aspect of the DR plan is to shuffle a
core team of operations personnel between production and DR sites periodically.
This ensures the availability of skilled resources at the DR site. They are current
with the latest state of the production application”, says Kumar.
2.8 Summary
The basic IS needs of banks and financial institutions are very similar to
those of most large organisations. The problem in the banks is that they are fairly
high value targets. Gaining unauthorised access to a bank’s customer records can
make identity theft easy on a large scale. Unauthorised access to customer records
creates operational, legal and reputational risks for banks.
Currently banks are spending approximately 5-6% of their total IT budget on
security, and this amount may prove inadequate to ensure effective ISRM
considering the threats existing in the e-world today. Not only should banks
spend more on IS, they should also ensure that their IS risks are mitigated. A
structured IS Risk Assessment will enable banks to accomplish this objective. A
Return on Investment (ROI) in IS should be demanded by the management. Further,
banks should approach IS in a structured manner.
CHAPTER 3
METHODOLOGY

3.1 Introduction
This chapter discusses the methodology of this study in detail. The research
questions and assumptions (hypotheses) proposed in Chapter 1 are presented here.
All phases of the research design, data collection, location of the research
performed, method of inquiry and statistical analysis are reviewed. Finally, the
chapter is summarised. The research can be categorised as a combination of
exploratory and descriptive study seeking insights into IS and Risk Management
in banks in India.

3.2 Research Questions and Research Hypotheses


The research assumptions (hypotheses) framed in the study possess a strong
background in the literature review. The combination of the research assumptions
(hypotheses) and the literature review proves their importance in the study for
answering the research questions. The answers to the research questions would
provide good insight for IS professionals and executives regarding the various
scenarios and complexities posed prior to designing an IS and Risk Management
System.

• Research Questions

The research will address the questions as mentioned below

• What are the information risks and security threats involved in the
Banks?
• What benefits will be derived by implementing these systems in the
existing scenario?
• What should be the ideal characteristics of the Information Risk and
Security Management Systems?
• What functions in security and risk management must be
accomplished by an IRSMS to support Banks?
• What would be the Total Cost of Ownership (TCO) for the institution?

• Hypotheses

• The security policies in the same organization (Bank) may differ based
on the geographic location.
• Many Banks prefer accepting the security risk rather than mitigating,
transferring or avoiding it.
• IRSMS policies show wide variations across all types of financial
institutions (here the type of bank would be considered, i.e. Apex/ Public
Sector Commercial/ Private Sector Commercial/ Co-operative/ Foreign bank, etc.).

3.3 Data Collection / Collected


Primary data collection is done on the basis of personal interviews along with
responses to the questionnaire filled in by IS / Management personnel,
Information Systems Auditors, Information Systems Inspection Personnel, Network
Security Professionals, Network Administrators, Information Systems
Administrators, etc. Data is also collected from the customers of the banks in
order to understand the awareness among them, which might prompt quick
development, deployment and improvement of the IS and Management methodologies
and techniques in the respective banks. The data collected from the customers is
a value addition to the research, giving insight into IS threats which might have
been overlooked because they were never reported or registered. These customer
inputs would also help us analyse the overall success of the banks in terms of IS
and Risk Management.
The choice of an adequate data collection method should mainly be based on the
type of research problem investigated (Kiplinger 1986). Figure 3.1 indicates
which choices were made at the various decision levels related to the data
collection method. At each level, the option selected for this study is marked.

Data Collection
  Longitudinal research  |  Cross-Sectional (selected)
  Experimental research  |  Non-experimental (selected)
  Observation            |  Survey (selected)
  Personal (selected)  |  Telephone  |  Mail  |  Internet

Figure No.10: Selection of Data Collection Method

• Cross-Sectional Research

Research can either be cross-sectional or longitudinal. In this study, a
cross-sectional research design has been applied. Cross-sectional research
involves the collection of information from any given sample of population
elements. Longitudinal research, on the other hand, provides an in-depth view of
the situation and the changes that take place over time. Scholars recognise that
representative sampling and response biases are serious problems of longitudinal
research. In longitudinal research, the cooperation of panels is required.
Respondents’ refusal to co-operate, panel mortality, and payment of panel members
increase the lack of representative sampling. Furthermore, response bias is
increased as a result of the fact that panel members more consciously perform
the investigated behaviours and that new panel members tend to increase the
investigated behaviour. Finally, longitudinal research implicitly requires long
data collection periods. Based on these arguments and the objective of this
study, cross-sectional research is considered to be adequate in order to provide
the required information in a valid and representative way.

• Non-Experimental Research

In this study, a non-experimental method, as opposed to an experimental research
method, is used. Non-experimental research is generally defined as “systematic,
empirical inquiry in which the scientist does not have direct control of
independent variables because their manifestations have already occurred or
because they are inherently not manipulable”. While experimental research
generally allows obtaining high levels of internal validity as a result of the
possibility to control, randomly assign, and manipulate, its lower external
validity and artificiality are considered to be weaker elements. As this study
aims at generating generalisable results for a wide range of IS and Risk
Management situations, external validity is an important, additional evaluation
criterion. Consequently, the use of non-experimental research is suitable for the
purpose of this study.

• Survey Research

Survey methods are generally classified into mail, internet, telephone, and
personal surveys. Non-experimental research designs can consist of observation
as well as survey methods of data collection. In this study, a survey research
design was chosen, which is defined as “interviews with a large number of
respondents using a pre-designed questionnaire”.


• Personal Interviewing

In this study, personal surveys were conducted in order to gather the required
data. A personal interview is generally defined as “a questionnaire
administration method in which the interviewer and respondent have a
face-to-face contact”. According to many experts, the personal interview “far
overshadows the others as perhaps the most powerful and useful tool of social
scientific survey research”. Personal interviews outperform mail, internet, and
telephone surveys on nearly all criteria, except for interviewer control and
bias, cost, and social desirability. Several efforts were made in order to
overcome these potential weaknesses. The use of structured questionnaires that
included detailed respondent instructions automatically diminished the risk of
interviewer bias. Further, interviewers were not aware of the underlying
hypotheses of the study and could therefore not consciously influence the
responses.

Thus the data collection involved in this study used non-experimental research
based on personal surveys and telephonic interviews on a cross-sectional basis.

3.4 Location of the Data

The data was collected, with some difficulty, from the Inspection Departments of
various banks, IS and Risk Management cells, Information Systems Auditors,
Network Administrators, Information Systems Administrators, IS Specialists
(Project Managers, Quality Assurance, Development Heads for IS software or
hardware solutions), etc. Apart from this, data was also collected from customers
regarding their awareness of IS threats in banks. With a responsible and critical
team of professionals forming the basis of this research, the remaining
questionnaires were filled in by a large number of customers (the common man) of
the banks. Customers were distinguished by domicile status, i.e. whether the
customer had long been staying in Mumbai or had moved into the city recently.
This gave further insight into the depth of IS awareness in other parts of the
country. The data collected came from a fair mix of gender, age groups,
educational backgrounds and income classes.

3.5 Pilot Test

Pilot tests are often conducted to improve the content of questionnaires.
Respondents helped to evaluate the structure, wording, difficulty or ease of
answering questions, as well as the time necessary to complete the questionnaire.
Feedback regarding the format and structure of the questionnaire was considered
and changes were made to the questionnaire. Suggestions were taken to clarify the
survey instructions, using less technical words.

A preliminary study was conducted to test the questionnaire. With respect to the
topic of research, the pilot test was done with people from varied backgrounds.
The respondents gave their valuable suggestions during the personal meetings or
discussions regarding the questionnaires and also regarding the technique of
eliciting more information through tactful personal interviews. These
interactions have really helped in shaping the actual questionnaire. Participants
in the pilot study were not included in the main study.


3.6 Method of Inquiry

A self-administered survey was utilised to collect data. The questions were
developed in a manner which would help in analysing the various IS threats and
the Risk Management methodologies used to mitigate, transfer, avoid or accept the
risks. Based on past research, the data was gathered from both primary and
secondary sources. The questionnaire was a blend of open- and closed-ended
questions, which provided a range of possible responses to almost all questions
and made it easy for the respondent to select from a range of possible answers.
The questionnaires were distributed to a convenience sample of 150 in various
banks in India, at varied locations, and to a sample of 100 customers of various
banks in India, limited only to the Mumbai region. Among the 150 respondents, a
few had less than 1 year of experience in the IS and Risk Management area, and
hence those who had not managed these kinds of responsibilities were removed,
for a usable sample size of 133. Among the 133 respondents, 8 did not fill in all
the details asked for in the questionnaire and hence were not considered for the
study; thus a usable sample of 125 was used for evaluation. Among the 100
customer respondents, a few had no inclination towards IS, nor were they
interested in new things; they were entirely satisfied with the traditional means
of transacting with the banks.
3.7 Analysis Performed on the Data

Different statistical methods were used for the data analysis, using Microsoft
Excel and the Statistical Package for the Social Sciences (SPSS). Descriptive
statistics were generated to evaluate the distribution of variables, and
appropriate statistical techniques were used to study the data collected.

3.8 Summary

This methodology chapter has provided a discussion of the methods and procedures
applied in this dissertation. The chapter has discussed the objectives of this
dissertation, the research questions framed to fulfil the objectives, and the
methods used to collect and analyse the data required by the research questions.

Survey respondents were delineated by an appropriate sampling process. To
analyse the data collected, a set of data analysis methods was used. The results
from all of the analysis methods are discussed in detail in the following
chapter.
CHAPTER 4

ANALYSIS

4.1 Introduction

The questionnaires from the respondents surveyed have been analysed in two
parts. The first part contains the responses of the Security Professionals,
Certified Information Systems Auditors / Managers and the personnel who are
directly responsible for drafting, evaluating, maintaining and enhancing IS. A
fair percentage of the respondents are actually involved in the day-to-day
activities pertaining to IS policy implementation, and the remaining are third
party individuals who have contributed their views on IS implementation. The
second part contains the responses from the customers of the banks in the Mumbai
region.
4.2 Key Findings

Some of the key findings from the participants in the survey are summarised below:
• Virus attacks continue to be the source of the greatest financial losses.
Unauthorised access, hacking, etc., are the second greatest threat / source of
financial losses. The third greatest source of financial loss is considered to be
the one related to laptops (or mobile hardware) and the theft of proprietary
information.
• The fourth source of financial losses these days is social engineering (e.g.
Phishing, Pharming, etc.).
• These four categories amount to more than 50% of financial losses.
• The losses due to lack of physical security have decreased considerably in the
recent past.
• The use of PKI infrastructure and encryption methodologies is increasing and
being promoted widely, according to most of the respondents.
• The annual investment by the BFSI segment should be focused and has to be
marginally increased in order to have a much more secure environment for
operations. In other words, if the financial losses are minimised, this will
effectively account for an increase in the profit of the banks.
• According to respondents, the management in the banks is still not very keen
on outsourcing the IS procedures. They prefer to have an in-house IS Officer for
handling the procedures, or many a time it is preferred to accept the risk. At
the most, an external consultant is appointed to advise on the policies and
assist the in-house IS Officer.
• The number of IS Audits has been increasing in the recent past. Co-operative
banks are also trying to get themselves certified by Quality, Audit and
Compliance institutions such as DNV, BVQI, etc.
4.3 Detailed Survey Results

• Respondents’ Area (Banks)

Information on the organisations, and on the individuals representing those organisations, that responded to this survey is summarised below. To encourage respondents to share information about occasions when their defences were overrun and, in particular, to provide data regarding financial damages, the survey was conducted anonymously. A necessary consequence is that direct longitudinal analyses are not possible.

• Respondents based on the type of organisation


Apex Body – 13%
Nationalised Banks – 16%
Co – operative Banks – 19%
Private Banks – 10%
Foreign Banks operating in India – 13%
Third Party Views (CISA, CISM, Network Administrators, etc.) – 29%
(Rounded off to the nearest %)


Figure No.11:- Respondents based on the type of organisation


As shown in the figure above, the organisations covered by the survey span both the private and public sectors. The largest number of responses came from third-party respondents (CISA, CISM, Network Administrators, external Auditors, etc.); they accounted for almost one-third of all responses received through the questionnaire. The second largest group was medium and small co-operative banks, almost one-fifth of the total. The third largest was the public sector Nationalised banks, almost 16% of the responses. Private Banks were the smallest group of respondents, which may be a consequence of the cut-throat competition among private banks in the BFSI sector.

• Respondents based on the location of the organisation


Metro Cities – 45%
B – Class Cities – 22%
C – Class Cities – 13%
Rural Areas – 6%
Branches across the country – 14% (Also considered foreign banks
operating in India)
(Rounded off to the nearest whole %)


Figure No.12:- Respondents based on the location of the organisation


The figure above shows the responses of organisations by their location in the country. The largest number of responses came from the Metro Cities, as expected; they accounted for almost half of all responses received through the questionnaire. The second largest group was the B-Class Cities, more than one-fifth of the total. The third largest was banks (Indian and foreign) with branch offices all over India, almost 14% of the responses. Banks in rural areas were the smallest group. The primary reason is the scarce use of technology for day-to-day transactions there, whether because of the heavy investment required or because of lower acceptance by rural customers.

• Respondents by Job Description


Internal IS Officers – 5%
Certified Information Systems Auditors – 29%
Certified Information Systems Managers – 12%
Network Administrators – 21%
Project Managers (IS Sectors) – 7%
Systems Administrators – 18%
Others – 8%


Figure No.13:- Respondents by Job Description


The figure above shows the responses by the job description / designation of the respondents. The largest number came from Certified Information Systems Auditors, almost one-third of the total. The second largest group was Network Administrators, more than one-fifth of the total. The third largest, almost 18%, was Systems Administrators, who are responsible for maintaining the proper functioning of the Information Systems in the banks (Indian and foreign) surveyed. Internal IS Officers in the banks were the smallest group. The primary reason is confidentiality: leakage of such information to the outside world could cause reputation loss and attract malicious threats, which in turn could be a source of financial loss. The other respondents included a few Chief IS Officers (CISOs), Quality Assurance personnel, external auditors, etc.

• Percentage of IT Budget Spent on the IS

Share of IT budget spent on IS    Respondents
1 - 2%                            46%
3 - 4%                            10%
5 - 6%                             4%
Around 10%                        23%
Not aware / no answer             17%

Figure No.14:- IS spending as a share of the IT budget

Budgeting and financial issues are a recurring concern in IS Risk Management, since it is an ongoing process that needs continuous updating. The respondents were hesitant to provide information on IS Risk Management expenditure as a part of the IT budget. As illustrated in the figure above, 46% of the respondents indicated that their organisation allocated only 1 - 2% of the total IT budget to IS Risk Management. Around 10% indicated a figure of 3 - 4%, and a 5 - 6% share was indicated by 4% of the respondents. A sizeable portion of the respondents, almost 23%, claimed that their organisation spent a relatively large amount, around 10% of the IT budget, on IS. The remaining 17%, almost one-fifth of the total, were either not aware of the expenditure on IS or preferred not to answer the question.

• Percentage of IS Functions Outsourced


IT outsourcing has become a trend in BFSI as well as in some other sectors. Along with generic IT outsourcing, responsibility for Information Management and Security has also moved into the outsourced environment. Of late, many banks have outsourced these jobs to large IT companies in order to cut down on operating costs and on the resources required to handle them. Service Level Agreements (SLAs) are signed between the bank and the vendor for a specific period, specifying the minimum service criteria. The survey results make this evident.
Share of IS functions outsourced    Respondents
100%                                20%
50 - 75%                            26%
25 - 50%                            14%
0% (none)                           40%

Figure No.15:-Percentage of IS functions outsourced

Among the results, 20% of respondents indicated that the IT and IS functions are completely (100%) outsourced to third-party vendors under SLAs. Around 26% mentioned that a partial agreement is in place for IT outsourcing and external auditing of the Information Systems. A further 14% stated that Information Systems Management and Security are taken care of internally, and only third-party (external) auditors are appointed to verify genuine operations. The remaining 40% mentioned that no outsourcing is done and that a team of internal auditors verifies genuine operations.

• Policies to mitigate the risks externally


Regardless of the measures an organisation may take to protect its systems using technical security controls such as passwords, biometrics, antivirus software and the like, some risk of financial loss (the residual risk) will always remain. As mentioned in the earlier chapters, IS risks can be identified and then either a) mitigated, b) transferred, c) insured, or d) clearly documented as accepted. Insuring the physical assets as well as the information assets is a way of dealing with the residual risk externally, by transferring it to an insurer; hence, by purchasing Cyber Insurance, organisations can reduce the remaining financial exposure (though not the likelihood of an incident). As per the survey, 40% of respondents claim that their organisations have purchased Cyber Insurance cover, while the remaining 60% lack this cover. Some respondents added that Cyber Insurance subscription has increased markedly over the past few years.


Figure No.16:-Risk Mitigation Policies

• Unauthorised access to the Information Systems in the recent past (last 5 years)

The figure below reports unauthorised use of the respondents' computer systems for each year from 2001 to 2006 (values as plotted in the survey chart; the source does not label the unit). Read as the share of respondents reporting unauthorised use, the values fluctuate between 23 and 27 for 2001 - 2004 and then rise to 35 and 34 in 2005 and 2006, so the data as plotted does not show a steady decline in successful attacks, and any claim of a decline should be treated with caution. The percentage of respondents answering that there was no unauthorised use of their organisation's computer systems was around one-third of the total. The percentage who indicated not knowing whether such unauthorised use occurred was small, which suggests that employees are aware of these kinds of attacks. According to various respondents, management has taken the issue seriously in several organisations and is providing in-house as well as external training so that employees understand the importance and necessity of IS and Risk Management.
Year    Value as plotted
2006    34
2005    35
2004    24
2003    27
2002    23
2001    26

Figure No.17:-Unauthorised access in the recent past

• Security Technologies used


Respondents were asked to identify the types of security technology used by their organisations. The reports matched the observations made before the responses were collected. Almost all organisations use anti-virus software to protect their Information Systems and their valued information from viruses, trojans and similar malicious content. The second most used solution was firewalls, reported by almost 98% of the organisations. Firewalls are deployed in a mixed pattern, as software as well as hardware appliances, but the two have not been segregated here given that this is an academic study. Anti-spyware was the third most used security technology, with more than four-fifths of the respondents reporting its use. Intrusion Detection Systems (IDS) were used by almost 70% of the organisations.

Emerging technologies such as biometrics had comparatively low acceptance at this point in time, for reasons such as installation, maintenance and the cost of implementation. It will be interesting to see whether the use of biometrics grows rapidly in the years to come. Other technologies and controls, such as reusable account / login passwords, encryption of data (in transit and in storage), RFID, public key infrastructure (PKI), forensic tools, log management software, application-level firewalls, intrusion prevention systems (IPS) and specialised wireless security systems, had considerable usage in organisations across the country.

There were limitations in collecting this data, as respondents were either not aware of which technologies were in use or reluctant to express their views on the subject.

Technologies plotted in the figure (percentage of organisations using each, on a 0 - 100 scale; values as described above): Anti-Virus, Firewall, Anti-Spyware, Intrusion Detection System, Encryption, Reusable password, Intrusion Prevention System, Application Level firewall, Smart cards, Forensics tools, Public Key Infrastructure, Specialised wireless security system, Biometrics, Other.

Figure No.18:-Security Technologies used


• Security Audits
Traditional security metrics are haphazard at best; at worst they give a false impression of security that leads to inefficient or unsafe implementation of security measures.

It is very important to evaluate the effectiveness of the IS implemented in an organisation. To do so, the respondents were asked: "What techniques are used by your organisation to assist in the evaluation of the effectiveness of its IS?" The respondents were comfortable answering this question and indicated that many techniques, such as Security Audits (internal or external) and Penetration Testing, are used by their organisations. The details are illustrated in the figure below. Approximately 75% of the respondents mentioned that their organisations use Security Audits conducted by internal staff, making these the most popular evaluation technique. Security Audits conducted by external organisations were indicated by about 55%. Other techniques, Penetration Testing (45%), Automated Tools (40%), e-mail Monitoring software (48%) and Web Activity Monitoring software (50%), are also used for evaluating the effectiveness of IS activities, but comparatively less, in the 40 - 50% range.

10: FBI 2006 --- http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf, access date: October 12, 2006.
Technique                          Respondents (%)
Security Audits (Internal)         75
Security Audits (External)         55
Web Activity Monitoring Software   50
E-Mail Monitoring Software         48
Penetration Testing                45
Automated tools                    40

Figure No.19:-Security Audits

• IS Awareness Training
The participants in the survey were also asked to rate the importance of security awareness training to their organisations in each of several areas. The percentages of respondents indicating that awareness in an area was very important are shown in the figure below.

The top five rated areas in IS Awareness Training were:

• Understanding the Security Policy (82%)
• Understanding the IS Management Systems (70%)
• Understanding Business Continuity and Disaster Recovery Planning and implementation (68%)
• Understanding IS-related threats (66%)
• Understanding the IS software and appliances (55%)

Apart from these five, there are other areas (Investigation, Cryptography, Forensics) where IS Awareness Training is required, so that every user helps ensure that malicious threats do not compromise the most valued Information Systems.
Area                                          Very important (%)
Security Policy                               82
Information Security Management Systems       70
BCP / DRP                                     68
Information Security related threats          66
Information Security software & appliances    55
Investigation                                 38
Cryptography                                  34
Forensics                                     23

Figure No.19:- IS Awareness Training

• Most Critical Issues in next two years


Finally, the participants were asked to give their views on the emerging IS threats that would affect the smooth functioning of Information Systems and challenge the CIA (confidentiality, integrity, availability) concept over the next two years. The respondents answered this question openly, since it was a generic question that did not touch on reputation, business or financial risk for their organisation. The percentage of respondents rating each issue as critical was:
• Data Protection and application software – 100%
• Identity theft and leakage of private and confidential information –
98%
• Virus, Trojans and Worms – 100%
• Access Control (e.g.: passwords) – 75%
• User education, training and awareness – 85%
• Wireless Infrastructure Security – 64%
• Ad ware and Spy ware – 66%
• Key loggers and Root kits – 59%
• Social Engineering (e.g. Phishing and Pharming) – 89%
• Mobile (handheld) computing devices – 67%
• Patch Management – 45%
• Intrusion Detection Systems – 51%
• E-mail attacks (e.g. spam) – 95%
• Employee misuse – 34%
• Physical security – 78%
• Two- factor authentication – 32%
• DoS – Denial of Service – 23%
• PKI implementation – 47%

Figure No.20:- Critical Issues


• Respondents’ Area (Customers)

Responses were also invited from 100 customers of various banks having at least one branch office in the Mumbai region; the customers themselves were also from the Mumbai region. This was done to enhance the study and to understand in depth whether customers are aware of IS or have no relation with it at all.

Customer responses were taken into consideration because IS Risk Management is a new concept as far as Indian banks are concerned, and because IS Risk Management has to be a joint effort. Not only the banks and their employees are responsible for maintaining the Information Systems and providing IS; the customers are also an integral part of the process. For example, a bank may have taken due care to protect against social engineering threats such as phishing and pharming, but if a customer is not aware of these concepts and reveals his login name and password to a third party, whether unintentionally or through ignorance, his account can still be compromised.

The responses were as expected for the Mumbai region: most of the customers are at least aware of the concept of IS. The responses were a mixed bag when broken down by age group, income level, education, gender, etc.

Of the 100 responses invited, only 50 were usable: 40 did not answer all the required questions, and 10 respondents were completely unaware of IS Risk Management. Of the remaining 50 responses, 50% fall in the age group of 16 - 35 years, 30% in the age group of 35 - 55 years and 20% in the age group above 55 years.

The figure below illustrates this break-up by age group. The trend was observed because respondents in the 16 - 35 years age group are more inquisitive about Information Technology and use ATMs, Internet banking, phone banking, kiosks, credit cards, debit cards, etc. more frequently than the other age groups. A part of this age group consists of highly educated, well-informed business executives or well-paid employees who have broad exposure to and inclination towards the Internet. Hence, they are aware of and concerned about IS, at least for their own bank or account.

Age group          Respondents (of 50)
16 - 35 years      25 (50%)
35 - 55 years      15 (30%)
Above 55 years     10 (20%)

Figure No.21:- Responses based on the Age Groups

Of the 50 usable responses, 20% fall in the income level of less than Rs. 2,00,000 p.a., 45% in the level of Rs. 2,00,000 - Rs. 5,00,000 p.a., 30% in the level of Rs. 5,00,000 - Rs. 15,00,000 p.a., and the remaining 5% in the level above Rs. 15,00,000 p.a.

Income level (p.a.)               Respondents (of 50, in %)
Less than Rs. 2,00,000            20
Rs. 2,00,000 - Rs. 5,00,000       45
Rs. 5,00,000 - Rs. 15,00,000      30
More than Rs. 15,00,000            5

Figure No.22:- Respondents based on Income group.

Here, the responses are highest from the income group of Rs. 2,00,000 - Rs. 5,00,000 p.a. These respondents are normally salaried employees; given their hectic work schedules they prefer Internet banking, phone banking, etc., and hence are more used to and aware of IS. The second highest group was again salaried employees in senior positions or owners of small businesses. They also use Internet banking for credit card bill payment, EFT, share trading, etc., and hence are also quite concerned about IS.

The educational factor was also taken into consideration when inviting responses to the questionnaires. It was more than obvious that the higher the education level, the more aware the respondent was of concepts such as Information Systems and IS Risk Management, having had exposure to the new technologies emerging worldwide.
CHAPTER 5
CONCLUSION AND RECOMMENDATIONS

Information related to the Bank and its customers is a highly valuable asset. IS helps in protecting these assets from unauthorised use, disclosure, modification or destruction, whether accidental or intentional. Protecting Bank and customer information is a responsibility of all employees that requires awareness and diligence.

The ultimate responsibility for safeguarding Bank and customer information lies with each individual employee. Therefore, all employees who have access to systems that store and / or access such information are required to understand and comply with all specific policies, procedures, standards and guidelines established in support of the IS Program.

Taking into consideration all the analysis in the previous chapter, it is evident that many things have to be taken care of on a continual basis. IS is a continual process which needs to be monitored and enhanced time and again. To implement IS Risk Management successfully, many attributes need to be considered in terms of IT / IS Governance. These include implementation of ISO 17799 / BS 7799, CobiT, etc., physical security, logical security, access controls, and Business Continuity and Disaster Recovery Planning.

Within the scope of this academic research, an attempt has been made to analyse the varied situations that actually occur in various banks at different security levels. While the topic can be related to many facets, on the basis of this research the following conclusions emerge:

• Based on the Survey Findings

The survey has provided results on IS awareness by type of organisation, location of the organisation and job description. The responses give better insight into the IS landscape currently prevailing in various banks, and into the kinds of systems or policies in place to cater to the ever-increasing demands of IS.

The survey has also tried to obtain in-depth information on the currently existing threats and malicious content in the cyber world. As an academic research project, this study had some limitations. It has revealed an intense need for banks to keep a close watch on the IS threats that concern the bank and its reputation, in an attempt to find better ways to transfer, mitigate, prevent or accept the risk involved.

The research has been successful to an extent in determining the losses borne by banks for reasons such as malicious attacks by viruses, trojans and worms, identity theft, unauthorised access, security breaches, or unintentional misuse and mistakes due to a lack of technical know-how, expertise or awareness. As mentioned above, this report has some limitations; it has not been able to include any instances of losses caused by natural disasters / calamities within the Indian context.

The exact cost of implementing IS systems could not be calculated. Most security software solutions or appliances are implemented in an assorted manner, and there is no standardisation of the IS systems implemented to date. The implementation depends upon several factors such as the spending pattern or IT budget for IS, the location of the organisation, and the intellectual resources available to the bank. The views of the banks, their branches and their customers are too varied to reach a firm conclusion. In fact, it can be said that all banks do take the steps they feel appropriate for preventing, mitigating, transferring or accepting risks.

On this basis, it is essential that there be correctly drafted policies and procedures to face IS issues. The IS policy must include factors relating to physical security, logical security, access control, Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP). Physical security, logical security, access control, etc. are controls implemented to prevent the risk from materialising, whereas BCP and DRP are planned in advance but come into operation after the risk has been accepted or after a threat has made its impact. BCP / DRP are used to restart the business's mission-critical applications within a very short span of time, allowing the organisation to bear the minimum losses.

• Based on the Information Systems Management Practices

Since IS is the most important attribute of Information Systems Risk Management, the policies / procedures should be followed and implemented from the moment employees are hired.

Every organisation (banks, in the case of this academic research) needs appropriate Information Systems Management Practices, since these practices reflect the implementation of the policies and procedures developed for the various IS-related management activities. In most organisations the IS department is a service department whose role is to help the customer-centric departments operate effectively and efficiently.

IS Management takes the lead role in assuring that the organisation's information and the information processing resources under its control are properly protected. This includes leading and facilitating the implementation of an organisation-wide IT security programme, which should include the development of BCP and DRP for IS department functions in support of the organisation's critical business processes. A major component in establishing such a programme is the application of risk management principles: assess the risk to IT assets, mitigate it to a level determined appropriate by management, and monitor the residual risk.

Management activities to review the formulation of policies / procedures and their effectiveness within the IS department should include practices such as personnel management, sourcing and IT change management.

• Personnel Management

Personnel management relates to the organisational policies and


procedures for hiring, promotion, retention and termination. The effectiveness of
these activities, as they relate to the IS function, impacts the quality of staff and
the performance of the IS duties.

• Hiring

An organisation's hiring practices are important to ensure that the most effective and efficient staff are chosen and that the bank complies with the legal recruitment process. Common controls should include:

• Background checks
• Confidentiality agreements
• Employee bonding, to protect against losses due to theft, mistakes and neglect
• Conflict of interest agreements
• Non-compete agreements

Control risks include:

• Staff may not be suitable for the position they are recruited to fill
• Reference checks may not be carried out
• Temporary staff and third-party contracts may introduce uncontrolled risks
• Lack of awareness of confidentiality requirements may lead to compromise of the overall security environment

The above control risks need to be taken care of (mitigated, accepted or transferred) before drafting the hiring policies / procedures for the bank.
• Employee Handbook

The employee handbook should cover:

• Security policies and procedures
• Bank's expectations
• Employee benefits
• Vacation (holiday) policies
• Overtime rules
• Performance evaluations
• Emergency procedures
• Disciplinary actions for:
  • Excessive absence
  • Breach of confidentiality and / or security
  • Non-compliance with policies

In general, there should be a published code of conduct for the bank that specifies all employees' responsibilities towards the bank.

• Education and Training: Training should be provided on a regular basis to all employees in the areas where their expertise is lacking. This is particularly so for IS professionals, given the rapid rate of change of technology and products. Training not only assures more effective and efficient use of IS resources, but also strengthens employee morale. Training must be provided when new hardware and / or software is being implemented, and should also include relevant management, project management and technical training, so as to avoid mistakes that occur through lack of knowledge.

Cross-training involves more than one individual being properly trained to perform a specific job or procedure. It decreases dependence on any one employee and can form part of succession planning. It also provides backup for personnel in the event of their absence for any reason, thereby providing continuity of operations. In using this approach, however, it is prudent first to assess the risk of the additional employees handling the system.

Sourcing

Sourcing practices relate to the way in which the organisation obtains the IS functions required to support the business. Organisations can perform all IS functions in-house (in-sourcing) in a centralised manner, or outsource functions anywhere across the globe. The sourcing strategy should consider each IS function and determine which approach allows that function to meet the enterprise's goals.

Delivery of IS functions can be:

• In-sourced: fully performed by the organisation's staff
• Outsourced: fully performed by the vendor's staff
• Hybrid: performed by a mix of the organisation's and the vendor's staff; can include joint ventures / supplementary staff

Organisational Change Management

Change Management is the management of IT changes in the organisation through a defined and documented process that identifies and applies technology improvements at the infrastructure and application level which are beneficial to the organisation, involving all levels of the organisation that are impacted by those changes.

Apart from all these activities, banks need a properly documented, implemented and followed reporting format for each of the Information Systems. Some of the formats are mentioned below as samples:
• Suspicious Activity Investigation Report

Figure No.23:- Suspicious Activity Investigation Report

In the event that an employee discovers a breach of customer information, the following procedure must be followed to report the breach to senior management:

• The employee who discovers the breach must immediately notify his / her manager.
• The manager must contact the Bank's IS Officer and provide a full report of the incident.
• The IS Officer will commence a preliminary investigation, including interviews of all individuals with knowledge of the breach, and will coordinate the investigation with the Bank's Director of Information Technology and the Director of Security.
• If the investigation determines that a breach has occurred, the IS Officer will inform the Executive Management Committee.
• In consultation with the Director of Security and the Executive Management Committee, the IS Officer will determine whether to inform law enforcement authorities.
• The IS Officer will provide a detailed incident report to the Board of Directors at the following Board meeting, including a risk assessment of the breach that covers actual as well as potential damages.

Prompt reporting of a breach allows the Bank to:
• prevent future similar breaches;
• determine the source of the breach; and
• involve law enforcement at an early stage, if applicable.

• Reporting Suspicious Transactions

The Bank places significant responsibility on employees regarding the
identification of potential identity theft transactions. This responsibility is placed
on employees, particularly branch and customer service employees, because
employees are the Bank’s first and most effective line of defense against fraudulent
transactions stemming from identity theft.
Through use of the Bank’s procedures, employees will generally resolve
most transactions that may initially appear suspicious. However, on occasion it will
not be possible to resolve the suspicious nature of a transaction. Under these
circumstances employees must refer these suspicious transactions to the Bank’s
Loss Prevention Officer.
The Bank should develop procedures for reporting suspicious activity. It
is important that each employee be familiar with these procedures. Reporting of
suspicious transactions is required not only by policy but also by federal regulation.
The Bank is subject to punitive actions if the Bank is found negligent in its
reporting responsibilities.

• Release of ATM or Debit Card Fraud Claim

Figure No.23:- ATM / Debit card Fraud Claim Format

• Branch Security Review Checklist (Provided in Appendix – I)
• Night Inspection Evaluation Form
• Record Retention Policy
• Monitoring Chart for InfoSec Contract Provisions to Service providers
• Risk Assessment Matrix
• Risk Analysis Worksheet
• Bomb Call Warning Form
The nationwide increase in computer and identity theft crimes makes it
likely that customer service employees of the Bank will encounter customers
who have been victimised. If a customer requests assistance in resolving a case of
identity theft, employees should provide the following information:
• Suggest that the customer contact the fraud departments of the credit
bureaus and request that the credit bureaus place a “fraud alert” and a
“victim’s statement” in the customer’s credit file. The fraud alert puts
creditors on notice that the customer has been the victim of fraud and
the victim’s statement asks creditors not to open additional accounts
without first contacting the customer. Suggest that the customer
requests a free credit report from the credit bureaus;
• Suggest that the customer review the credit reports in detail to
determine if any fraudulent accounts have been established. The
customer should also determine if any unknown inquiries have been
made. Unknown inquiries may be indicators of someone attempting to
establish a fraudulent account;
• Suggest that the customer contact all financial institutions and
creditors where the customer has accounts. The customer should
request that they restrict access to the customer’s accounts, change any
password or close the account altogether, if there is evidence that the
account has been the target of identity theft; and,
• Suggest that the customer file a police report to document the crime.

5.1 General Password Guidelines


Bank employees use passwords to access various resources. These
resources include access to personal computers, the network, voicemail, the
Internet, etc. User IDs and passwords are used to authenticate employees to the
particular resource and are used to track user activity while using that resource.
Temporary passwords are usually assigned to employees when access is initially
granted to a resource. It then becomes the employee’s responsibility to establish a
strong secure password.
Employees must be aware of the characteristics of strong and weak
passwords in order to ensure adequate protection of Bank and customer
information. If someone obtains an employee’s User ID and password, that
individual can imitate the employee without the system being aware. Any
damage created by the intruder will appear to have been created by the employee.
Poor, weak passwords have the following characteristics:
• The password contains fewer than eight characters;
• The password is a word found in a dictionary;
• The password is a common usage word such as:
   • Names of family, pets, friends, co-workers, sports teams, movies,
   shows, license plate numbers, birth dates, etc.;
   • Computer terms and names, commands, sites, companies,
   hardware, software;
   • Birthdays, User ID and other personal information such as
   addresses and phone numbers;
   • Word, number or keyboard patterns like “aaabbb,” “qwerty,”
   “123321;”
   • Any of the above spelled backwards; or,
   • All the same characters or digits, or other commonly used or easily
   guessed formats.

Strong passwords have the following characteristics:
• Contain both upper and lower case letters;
• Have digits and punctuation characters as well as letters;
• Are at least eight characters long;
• Are not a word in any language, slang, dialect, jargon, etc.; and,
• Are not based on personal information, names of family, etc.
Employees should refrain from writing down the password. Instead,
employees should create passwords that can be easily remembered. One way to
accomplish this is to create a password based on a song title, affirmation or other
phrase. For example, the phrase might be “Everyday I sing one song” and the
password could be “EDIs1s@@g” or some other variation.

5.2 Password Protection


Refrain from using the same password for Bank accounts as for other non-
Bank accounts (i.e., personal email account, etc.). When possible, refrain from
using the same password for multiple Bank accounts. For example, use a
different password for network and email access. Do not share passwords with
anyone, including Bank personnel. All passwords must be treated as highly
sensitive information.

List of DON’Ts for the employees


• Don’t reveal your password over the phone to anyone – not even
individuals who claim to be calling from the IT Department;
• Don’t reveal your password in an email message;
• Don’t reveal your password to your manager or any other Bank
employee;
• Don’t talk about your password in front of others;
• Don’t hint at the format of a password (i.e., “my family name”);
• Don’t reveal your password on questionnaires or security forms;
• Don’t share your password with family members;
• Don’t reveal your password to co-workers while on vacation;
• Don’t leave your password anywhere on or near your workstation (i.e.,
post-it notes, under mouse pads, etc.); and,
• Don’t create passwords for group use or shared passwords. Passwords
should be unique to each person.
• Do not provide your password to anyone who requests or demands it.
Refer the incident to the Bank’s IS Officer. Call the IT Department
immediately to change your password if you suspect that your
password has been compromised.

5.3 Changing Passwords


Bank policy requires passwords to be changed regularly, but an employee
may change a password at any time if there is a possibility that the password has
been compromised. Generally, the Bank’s various computer systems do not
permit employees to reuse a previously used password for a minimum period of
time, as defined by the system. For example, a system may prevent employees
from using the same password in a six-month period. Systems prompt for
password changes when change is required. To save time and effort, passwords
should be changed before they expire.
If a password has been compromised or forgotten, the user may obtain a
new password or have their password reset by contacting the appropriate
department (i.e., IT Department, Training Department, etc.).
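The strong/weak password characteristics of section 5.1 and the minimum reuse period of section 5.3 can both be enforced by a small policy checker. The following is an added example and not the Bank’s or the dissertation’s own code; the word list, the keyboard rows, the per-user personal terms (user ID “jdoe”, surname, birth year), the PBKDF2 storage of the password history and the 182-day (six-month) reuse window measured from when the old password was set are all assumptions made for the illustration.

```python
# Password policy checks for the rules in sections 5.1 and 5.3.
# Added example, not the Bank's or the dissertation's own code. The word list,
# keyboard rows, per-user personal terms and the 182-day reuse window are
# assumptions used only to show how the stated rules can be enforced.
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 8
# Constructed stand-in for a real dictionary / word list (assumption).
DICTIONARY = {"password", "welcome", "banking", "summer", "monkey", "everyday"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
PUNCTUATION = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def _looks_like_pattern(s):
    """Keyboard runs ("qwerty"), mirrored strings ("123321") and strings built
    from one or two characters ("aaabbb") count as patterns (section 5.1)."""
    if len(s) < 4:
        return False
    if s == s[::-1] or len(set(s)) <= 2:
        return True
    return any(s in row or s[::-1] in row for row in KEYBOARD_ROWS)


def evaluate_password(password, user_id="", personal_terms=()):
    """Return the list of section 5.1 rules the password breaks (empty = acceptable)."""
    problems = []
    lower = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("fewer than eight characters")
    # Compare the alphabetic core so "Drowssap1!" is still caught as "password" reversed.
    core = "".join(ch for ch in lower if ch.isalpha())
    if core and (core in DICTIONARY or core[::-1] in DICTIONARY):
        problems.append("dictionary word (possibly reversed)")
    for term in (user_id,) + tuple(personal_terms):
        t = term.lower()
        if len(t) >= 3 and (t in lower or t[::-1] in lower):
            problems.append("contains user ID or personal information: " + term)
    if _looks_like_pattern(lower):
        problems.append("keyboard, repeated or mirrored pattern")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one digit")
    if not any(c in PUNCTUATION for c in password):
        problems.append("needs at least one punctuation character")
    return problems


def _hash(password, salt):
    """PBKDF2 so the history never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def record_change(history, password, changed_at):
    """Append a salted hash of the password with the time it was set."""
    salt = os.urandom(16)
    history.append({"salt": salt, "digest": _hash(password, salt), "changed_at": changed_at})


def is_reuse_blocked(password, history, now, min_period=timedelta(days=182)):
    """Section 5.3: a password set less than min_period ago may not be reused.
    The period is measured from when the old password was set (assumption)."""
    for entry in history:
        if now - entry["changed_at"] >= min_period:
            continue
        if hmac.compare_digest(_hash(password, entry["salt"]), entry["digest"]):
            return True
    return False


def reuse_demo():
    """Constructed history: one password set on 2006-01-01, then reuse attempts."""
    history = []
    t0 = datetime(2006, 1, 1)
    record_change(history, "EDIs1s@@g", t0)
    return (is_reuse_blocked("EDIs1s@@g", history, t0 + timedelta(days=30)),
            is_reuse_blocked("EDIs1s@@g", history, t0 + timedelta(days=200)),
            is_reuse_blocked("Other#pw9", history, t0 + timedelta(days=30)))


if __name__ == "__main__":
    # Constructed sample: user "jdoe" whose surname and birth year are known.
    for candidate in ("EDIs1s@@g", "qwerty", "Drowssap1!", "Doe1985!!"):
        print(candidate, "->", evaluate_password(candidate, "jdoe", ["doe", "1985"]) or "OK")
    print("blocked after 30 days, after 200 days, different password:", reuse_demo())
```

The page’s own example “EDIs1s@@g” passes every rule, while a dictionary word spelled backwards with a digit and punctuation appended (“Drowssap1!”) is still rejected because the alphabetic core is compared in both directions. The history check never stores or compares clear text: each old password is kept only as a salted PBKDF2 digest and compared with a constant-time comparison.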

5.4 Security Breach Examples


The following are some examples of security breaches:

• A person gains access to a computer terminal and is able to obtain the
“personal information” of a Bank customer(s);
• Employee emails a file containing “personal information” to an
individual outside the Bank for purposes other than official Bank
business;
• Employee takes home and subsequently loses a CD containing
customer loan information;
• Employee loses a laptop containing customer loan write-ups and other
loan application information;
• Diskette containing “personal information” is stolen; and,
• Employee copies customer “personal information” to a diskette and
uses information for unauthorised purposes.
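The second breach example above (an employee e-mailing a file containing customer “personal information” to an individual outside the Bank) is the kind of event a mail gateway can flag before it becomes a reportable breach. The following is an added example, not code from the dissertation or any bank; the Bank’s domain (bank.example), the gateway records, the 12–16 digit account-number format and the keyword list are all constructed for illustration.

```python
# Outbound e-mail check for the section 5.4 breach scenario (customer
# "personal information" e-mailed to someone outside the Bank).
# Added example, not from the dissertation. The Bank domain, the gateway
# records and the account-number format are constructed for illustration.
import re

BANK_DOMAIN = "bank.example"                    # assumed internal domain
ACCOUNT_NUMBER = re.compile(r"\b\d{12,16}\b")   # assumed 12-16 digit account numbers
KEYWORDS = ("date of birth", "loan application", "account no")

# Constructed mail-gateway records (not real traffic).
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "teller1@bank.example", "recipients": ["ops@bank.example"],
     "body": "Loan write-up attached.", "attachment_text": "Account No 123456789012 ..."},
    {"id": "m2", "sender": "teller1@bank.example", "recipients": ["friend@webmail.example"],
     "body": "Have a look at this list.", "attachment_text": "Name,Account\nA Sharma,123456789012"},
    {"id": "m3", "sender": "hr@bank.example", "recipients": ["vendor@partner.example"],
     "body": "Meeting at 10 on Monday.", "attachment_text": ""},
    {"id": "m4", "sender": "branch2@bank.example",
     "recipients": ["ops@bank.example", "x@webmail.example"],
     "body": "Customer date of birth is 12/03/1970, please verify.", "attachment_text": ""},
]


def is_external(address):
    """True if the address is outside the Bank's domain."""
    return address.rsplit("@", 1)[-1].lower() != BANK_DOMAIN


def personal_information_hits(text):
    """Return the reasons the text looks like customer personal information."""
    hits = []
    if ACCOUNT_NUMBER.search(text):
        hits.append("account number")
    lowered = text.lower()
    hits.extend(k for k in KEYWORDS if k in lowered)
    return hits


def find_violations(messages):
    """Messages that send personal information to at least one external recipient."""
    violations = []
    for m in messages:
        external = [r for r in m["recipients"] if is_external(r)]
        if not external:
            continue   # internal traffic is not the breach described in 5.4
        hits = personal_information_hits(m["body"] + "\n" + m.get("attachment_text", ""))
        if hits:
            violations.append({"id": m["id"], "sender": m["sender"],
                               "external_recipients": external, "reasons": hits})
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_MESSAGES):
        print(v["id"], v["sender"], "->", v["external_recipients"], v["reasons"])
```

Only m2 (account data in an attachment sent to a webmail address) and m4 (a date of birth in the body, with one external recipient among internal ones) are flagged; m1 carries the same account data but stays inside the Bank, and m3 goes outside but carries nothing sensitive. Each flagged record names the sender and the reason, which is what the IS Officer’s preliminary investigation in the reporting procedure above needs.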
5.5 Bank Procedures
The most effective means of complying with the Privacy Law is to
prevent the breach of any customer information. Breaches are prevented by
exercising due care when working with customer data or computer systems that
access such data.

Examples of due care:


• Logging off the network when leaving a computer/workstation for an
extended period of time;
• Using password protected screensavers;
• Refraining from copying customers’ personal information on disks
or CDs;
• Keeping disks and CDs that contain personal information in a secure
location;
• Never emailing outside the Bank any documents/files that contain
confidential information;
• Ensure your workstation (PC) is positioned in a manner that prevents
someone from viewing confidential information;
• Protecting passwords; and,
• Being alert to suspicious activity related to the theft/compromise of
personal information.

5.6 Downloading Software


Downloading unlicensed software is a violation of copyright laws, and
downloading any software from the Internet, including screensavers, without
appropriate controls and testing puts the Bank at risk. No software should be
downloaded from the Internet without the written approval from the Director of
Information Technology. The purchase and installation of any software on Bank
computers must be approved by the Director of Information Technology.
5.7 Laptop Security
The following are some basic techniques to protect laptop computers and
to secure information on laptop computers:
• Do not disable or alter the anti-virus software that is installed on
laptop computers;
• Do not program passwords, User IDs, private encryption keys or
personal information on a laptop;
• Store back up diskettes or CD’s separately from the laptop device;
• Do not leave the laptop unattended, whether in an unlocked,
unattended vehicle, in plain view in hotel rooms, or overnight at
your workstation in the office;
• Exercise caution with laptops in airports, especially at security
screening checkpoints; and,
• Immediately report lost or stolen laptops to the Director of
Information Technology.

5.8 Fax Machines
Fax machines present a potential IS risk. It is important to ensure that no
confidential information is left unattended on a fax machine. Further, fax
machines generally print the first page of any communication sent as the delivery
confirmation. If a cover page is not used then the confirmation page may include
confidential information that may be forgotten or discarded inappropriately.
Confidential messages sent by FAX must be clearly marked with a confidentiality
disclaimer.
5.9 Internet Security Concerns
Viruses and hackers are active on the Internet and try to create and exploit
security vulnerabilities. Security services ensuring confidentiality, integrity and
authenticity are not automatically provided when using the Internet or Web. In
addition, information from Internet sites cannot be relied upon to be authentic or
accurate. As such, employees must exercise common sense and due care when
using the Internet.

5.10 Physical Security


The Bank should implement physical security procedures to protect the
security of its people and assets. Examples of security measures include the use
of keypad access to protected areas, visitor badges for non-employees and keys
for entry into secure areas.
Secured doors must NEVER be left open or unattended. All visitors to the
corporate offices must be sent to the receptionist to obtain a “visitor” badge.
Further, all visitors must be escorted within secured areas.
Bank employees should remain diligent at all times in order to identify and
report suspicious individuals.

5.11 Monitoring and Inspections


To help ensure that Bank employees work in a safe and secure
environment, the Bank reserves the right to take certain actions to protect the
safety and security of employees, customers, agents, vendors, and the company’s
property and premises. These actions, in accordance with applicable law, include
recording, monitoring, conducting surveillance, inspecting and/or reviewing:

• Company premises and property, or Bank resources, including work
areas, lockers, interoffice/business mail, e-mail, computers,
telephones, voice mail, internet, intranet, or any other communication
system established for business purposes; and,
• Employees’ personal property located on company premises and
employees’ personal banking transactions at the Bank.
Employees are expected to cooperate in company inspections,
monitoring, and recording.
To summarise and conclude the research, the IS threats are revisited below:

• Data Protection and application software
• Identity theft and leakage of private and confidential information
• Viruses, Trojans and Worms
• Access Control (e.g. passwords)
• User education, training and awareness
• Wireless Infrastructure Security
• Adware and Spyware
• Keyloggers and Rootkits
• Social Engineering (e.g. Phishing and Pharming)
• Mobile (handheld) computing devices
• Patch Management
• Intrusion Detection Systems
• E-mail attacks (e.g. spam)
• Employee misuse
• Physical security
• Two-factor authentication
• DoS – Denial of Service
• PKI implementation, etc.

There are several benefits which can be derived from the implementation of
the IS Systems in the existing scenario. They would be as mentioned below:
• The Information Systems would be protected from the malicious
threats existing in the cyber world as on date.
• The setup of the IS Systems would prevent or minimise the losses of
the valuable information assets of the bank.
• Would prevent reputation losses.
• Would provide a secure environment to perform all essential functions,
etc.

The research claims to disprove the hypotheses mentioned in Chapter 1.

• The security policies in the same organisation (Bank) may differ based on the
geographic location.

There was no indication or hint from the responses invited from the
customers or the employees regarding the difference in the policies, in the same
organisation, at different locations. The respondents mentioned that there were
some differences in the roles / job descriptions of the employees or the procedures
used to implement and follow the policies, but the policies were same throughout
the organisation.

• Many Banks prefer accepting the security risk rather than mitigating,
transferring or avoiding it.

The research survey as well as the observation has shown that the banks
are still ready to accept the risk, instead of transferring, preventing or avoiding it.
The analysis in Chapter 4 also shows that, when it comes to transferring the risk
only 40% of the banks (organisations) are insured and the rest are still not insured.
The IT spending pattern also indicates that when it comes to preventing or
avoiding risk, most of the banks or organisations lack the funds or focus and
hence cannot work on the residual risks. This may also occur because of lack of
expertise and awareness regarding IS and the repercussions due to its breach. This
is normally observed in the rural branches or branches located in small towns.
Then, the banks are left with no option but to accept the risk.
• ISMS policies show wide variations across all types of financial institutions
(here the type of bank would be considered, i.e. Apex/ Public Sector
Commercial/ Private Sector Commercial/ Co-operative/ Foreign bank, etc.).

The ISMS policies do not change at large, even though the type of the
bank is different. The policies are more or less the same, but the mode of
implementation might be different.
Since the RBI does not have any transactions with the common public, the
policies might differ there. The only difference between the policies of all other
banks and those of the APEX body (Reserve Bank of India) would be due to the
mode of operation.
CHAPTER 6
BIBLIOGRAPHY

Offline Reference Articles (Magazines)

• E-Wallet lost in Rules, Current Account, MONEYLIFE, August 31, 2006,
Volume 1, Issue 13, page no. 8.
• Target e-scammers, Personal Business, Techlife, MONEYLIFE, August 31, 2006,
Volume 1, Issue 13, page no.56.
• Phishers Target e-payment Users – Personal Business, Techlife, MONEYLIFE,
August 31, 2006, Volume 1, Issue 13, page no. 56.
• Banking with Technology – The Road Ahead, RBI Newsletter, Volume 31, No.2,
July 31, 2005.
• Pandey S., July 22, 2006, Email Worms of World Cup 2006: Dos and Don’ts,
MONEYLIFE, Volume 1, Issue 10, page no. 56.
• Dalal S, October 26, 2006, Personal Vigil Pays, Sucheta’s Solutions,
MONEYLIFE, Volume 1, Issue 17, page no. 40.
• Dalal S, October 26, 2006, Beware of Insecure IT Networks , Sucheta’s Solutions,
MONEYLIFE, Volume 1, Issue 17, page no. 42 - 43
• Of Tracers and Strings, October 26, 2006, Personal Business, Techlife,
MONEYLIFE, Volume 1, Issue 17, page no.56.
• Pandey S., July 07, 2006, While Browsing in a Cyber Cafe, MONEYLIFE,
Volume 1, Issue 9, page no. 58.
• Target You, September 28, 2006, Personal Business, Techlife, MONEYLIFE,
Volume 1, Issue 15, page no.56.
• Bhattacharya A, October 2006, A Strategic Resource, Technology in Banks,
Chartered Financial Analyst, page no. 41 – 43.
• D’Souza S, April 2004, ‘Biometrics’ The Future is now, TRENDS, NEWSWIRE,
CHIP, Volume 1, Issue 6, page no. 26 – 27.
• D’Souza M, April 2004, The Truth about Wireless, NETWORK UNWIRED,
COVER STORY, CHIP, Volume 1, Issue 6, page no. 28 – 34
• Brooks and Lanza, 2006, Why Companies Are Not Implementing Audit,
Antifraud and Assurance Software… and How to Fix It, Commentary,
Information Systems Control Journal, Volume 1, page no. 30 – 31.
• Smith M, 2006, Overview of Mobile Technology, Feature, Information Systems
Control Journal, Volume 1, page no. 48 – 54.
• Singleton Tommie, 2006, What Every IT Auditor Should Know About Wireless
Telecommunication, IT Audit Basics, Information Systems Control Journal,
Volume 4, page no. 19 – 21.
• Pironti John, 2006, Information Security Governance: Motivations, Benefits and
Outcomes, Feature, Information Systems Control Journal, Volume 4, page no. 45
– 48.
• Musaji Yusuf, 2006, A Holistic Definition of IT Security – Part 1, Feature,
Information Systems Control Journal, Volume 3, page no. 43 – 46.
• Musaji Yusuf, 2006, A Holistic Definition of IT Security – Part 2, Feature,
Information Systems Control Journal, Volume 4, page no. 51 – 56.
• Singleton Tommie, 2006, What Every IT Auditor Should Know About Wireless
Cyber forensics, IT Audit Basics, Information Systems Control Journal, Volume
3, page no. 17 - 19.
• Sriram Revathy M., Systems Audit, Tata McGraw – Hill Publishing Company
Ltd., New Delhi, ISBN 0-07-463888-2, page no. 20 – 25.
Online Reference Articles (Websites)

• Information Security Management Best Practice Based on ISO/IEC 17799,
http://web10.epnet.com/externalframe.asp?tb=1and_ug=sid+CF486055%2DDFE
6%2D4133%2D9895%2D43D853AA7F23%40sessionmgr6+dbs+aph+cp+3+1B
BCand_us=frn+1+hd+False+hs+True+cst+0%3B1%3B2+or+Date+fh+False+ss+
SO+sm+ES+sl+0+dstb+ES+mh+1+ri+KAAACB5A00052317+89FCand_uso=%
5F0andfi=aph_17554308_ANandlpdf=trueandpdfs=537Kandbk=Randtn=2andtp=
CPandes=cs%5Fclient%2Easp%3FT%3DP%26P%3DAN%26K%3D17554308%
26rn%3D1%26db%3Daph%26is%3D15352897%26sc%3DR%26S%3DR%26D
%3Daph%26title%3DInformation%2BManagement%2BJournal%26year%3D200
5%26bk%3Dandfn=1andrn=1, access date: January 06, 2006.
• Strategies and Financial Instruments for Disaster Risk Management in Latin
America and the Caribbean, http://www.iadb.org/sds/doc/ENV145-
StratFinanciaInstruments-E.pdf, access date: January 06, 2006.
• Disaster Risk Management Programme,
http://www.ndmindia.nic.in/EQProjects/goiundp2.0.pdf, access date: January 06,
2006.
• Put IT security at top of biz to-do list,
http://web30.epnet.com/citation.asp?tb=1and_ug=sid+22A6C4C7%2D8455%2D4
718%2D8ADC%2DC89ED6189820%40sessionmgr5+dbs+aph%2Cbuh%2Cbwh
%2Cc1h+cp+3+ECEDand_us=frn+1+hd+False+hs+False+or+Date+fh+False+ss
+SO+sm+ES+sl+%2D1+dstb+ES+mh+1+ri+KAAACB1C00000789+2B8Fand_u
so=%5F3andfn=1andrn=1, access date: January 06, 2006.
• Put IT security at top of biz to-do list1,
http://web30.epnet.com/citation.asp?tb=1and_ug=sid+22A6C4C7%2D8455%2D4
718%2D8ADC%2DC89ED6189820%40sessionmgr5+dbs+aph%2Cbuh%2Cbwh
%2Cc1h+cp+3+ECEDand_us=frn+1+hd+False+hs+False+or+Date+fh+False+ss
+SO+sm+ES+sl+%2D1+dstb+ES+mh+1+ri+KAAACB1C00000789+2B8Fand_u
so=%5F3andcf=1andfn=1andrn=1, access date: January 06, 2006.
• Bottom-Up InfoSec Trumps Top-Down,
http://web30.epnet.com/externalframe.asp?tb=1and_ug=sid+22A6C4C7%2D8455
%2D4718%2D8ADC%2DC89ED6189820%40sessionmgr5+dbs+aph%2Cbuh%2
Cbwh%2Cc1h+cp+3+ECEDand_us=hd+False+hs+False+or+Date+fh+False+ss+
SO+sm+ES+sl+%2D1+ri+KAAACB1C00000789+dstb+ES+mh+1+frn+1+6513a
nd_uso=%5F3andfi=aph_18686588_ANandlpdf=trueandpdfs=175Kandbk=Candt
n=102andtp=CPandes=cs%5Fclient%2Easp%3FT%3DP%26P%3DAN%26K%3
D18686588%26rn%3D3%26db%3Daph%26is%3D00104841%26sc%3DR%26S
%3DR%26D%3Daph%26title%3DComputerworld%26year%3D2005%26bk%3
DCandfn=1andrn=3and, access date: January 06, 2006.
• Feds Make Security a Priority in IT Purchases,
http://web30.epnet.com/externalframe.asp?tb=1and_ug=sid+22A6C4C7%2D8455
%2D4718%2D8ADC%2DC89ED6189820%40sessionmgr5+dbs+aph%2Cbuh%2
Cbwh%2Cc1h+cp+3+ECEDand_us=hd+False+hs+False+or+Date+fh+False+ss+
SO+sm+ES+sl+%2D1+ri+KAAACB1C00000789+dstb+ES+mh+1+frn+1+6513a
nd_uso=%5F3andfi=aph_18458078_ANandlpdf=trueandpdfs=861Kandbk=Candt
n=102andtp=CPandes=cs%5Fclient%2Easp%3FT%3DP%26P%3DAN%26K%3
D18458078%26rn%3D6%26db%3Daph%26is%3D00104841%26sc%3DR%26S
%3DR%26D%3Daph%26title%3DComputerworld%26year%3D2005%26bk%3
DCandfn=1andrn=6and, access date: January 06, 2006.
• Playing Nice With Physical Security,
http://web30.epnet.com/externalframe.asp?tb=1and_ug=sid+22A6C4C7%2D8455
%2D4718%2D8ADC%2DC89ED6189820%40sessionmgr5+dbs+aph%2Cbuh%2
Cbwh%2Cc1h+cp+3+ECEDand_us=hd+False+hs+False+or+Date+fh+False+ss+
SO+sm+ES+sl+%2D1+ri+KAAACB1C00000789+dstb+ES+mh+1+frn+1+6513a
nd_uso=%5F3andfi=aph_18458521_ANandlpdf=trueandpdfs=174Kandbk=Candt
n=102andtp=CPandes=cs%5Fclient%2Easp%3FT%3DP%26P%3DAN%26K%3
D18458521%26rn%3D7%26db%3Daph%26is%3D00104841%26sc%3DR%26S
%3DR%26D%3Daph%26title%3DComputerworld%26year%3D2005%26bk%3
DCandfn=1andrn=7and, access date: January 06, 2006.
• Investment Banking and Security Market Development: Does Finance Follow
Industry, http://www.people.hbs.edu/banand/investmentbanking.pdf, access date:
April 04, 2006.
• (Goldman Sachs) Conference of Electronic Security in the Payments System,
http://www.newyorkfed.org/newsevents/events/banking/1997/confelec/managsec.
html, access date: April 04, 2006.
• DENY ALL AND NET2S HIGHLIGHT SECURITY THREAT TO
INVESTMENT BANKING COMMUNITY,
http://www.net2s.com/majic/sites/1/doc/CP_2005/Deny_All_and_Net2S_release_
FINAL_FINAL.pdf, access date: April 04, 2006.
• Managed Security Services,
http://www.btglobalservices.com/business/ie/en/products/docs/mss_singles.pdf,
access date: April 04, 2006.
• Security and Privacy:
http://newsroom.cisco.com/dlls/tln/tlsummit/pdf/Security_and_Privacy_Summit_
Overview.pdf?sid=ETL_200_HP_MPC4, access date: April 04, 2006.
• An IT security manager’s checklist,
http://www.expresscomputeronline.com/20051226/bestdefence03.shtml, access
date: April 04, 2006.
• VoIP vs. the good old telephone,
http://www.expresscomputeronline.com/20060410/management02.shtml, access
date: April 04, 2006.
• Information Security Research Center,
http://www.csoonline.com/research/infosec/networks.html, access date: April 04,
2006.
• http://www.csoonline.com/research/infosec/response.html, access date: April 04,
2006.
• Information Security Risk Assessment,
http://www.ffiec.gov/ffiecinfobase/booklets/information_security/02_info_securit
y_%20risk_asst.htm, access date: April 04, 2006.
• Understanding and Influencing Attackers’ Decisions: Implications for Security
Investment Strategies, http://weis2006.econinfosec.org/prog.html, access date:
August 22, 2006.
• IS THERE A COST TO PRIVACY BREACHES? AN EVENT STUDY,
http://weis2006.econinfosec.org/docs/40.pdf , access date: August 22, 2006.
• Bootstrapping the Adoption of Internet Security Protocols,
http://weis2006.econinfosec.org/docs/46.pdf, access date: August 22, 2006.
• Justifying Spam and E-mail Virus Security Investments: A Case Study
http://weis2006.econinfosec.org/docs/13.pdf, access date: August 22, 2006.
• 2004 Global Risk Management,
http://www.deloitte.com/dtt/cda/doc/content/dtt_financialservices_GlobalRiskMa
nagementSurvey2005_061204.pdf, access date: August 22, 2006.
• Top five imperatives for Banks in 2005,
http://www.infosys.com/finacle/pdf/Top_Five_Imperatives_for_Banks_in_2005.p
df, access date: August 22, 2006.
• A broader context for information security,
http://mba.tuck.dartmouth.edu/digital/PressHits/FTSecurity.pdf, access date:
August 22, 2006.
• Spotlight on Operational risk management,
http://www.kpmg.com/Rut2000_prod/Documents/4/OperationalRisk.pdf, access
date: August 22, 2006.
• Spotlight on Credit risk management,
http://www.kpmg.com/Rut2000_prod/Documents/4/CreditRiskManagement.pdf,
access date: August 22, 2006.
• Customer Case Study: Thomas Weisel Partners,
http://www.ncircle.com/pdf/weisel_final.pdf, access date: August 22, 2006.
• Bank Outsourcing Management,
http://www.fwfinancial.org/documents/BOMFall05.pdf, access date: August 22,
2006.
• The Records Compliance Management Company,
http://www.axsone.com/pdf/ILM_for_Investment_Banking.pdf, access date:
March 31, 2006.
• DENY ALL AND NET2S HIGHLIGHT SECURITY THREAT TO
INVESTMENT BANKING COMMUNITY,
http://www.net2s.com/majic/sites/1/doc/CP_2005/Deny_All_and_Net2S_release_
FINAL_FINAL.pdf, access date: March 31, 2006.
• Security Solutions to Support Compliance with the Gramm-Leach-Bliley Act,
http://www.verisign.com/static/005563.pdf, access date: August 22, 2006.
• The Place of Risk Management in Financial Institutions,
http://fic.wharton.upenn.edu/fic/papers/95/9505.pdf, access date: August 22,
2006.
• A Few Good Metrics, http://www.csoonline.com/read/070105/metrics.html,
access date: October 12, 2006.
• How Can Security Be Measured?
http://www.isaca.org/Template.cfm?Section=HomeandCONTENTID=24174andT
EMPLATE=/ContentManagement/ContentDisplay.cfm, access date: October 12,
2006
• IS RISK ASSESSMENT MEASUREMENT,
http://www.isaca.org/Template.cfm?Section=Downloads6andCONTENTID=187
43andTEMPLATE=/ContentManagement/ContentDisplay.cfm, access date:
October 12, 2006.
• FBI 2006, http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf, access date:
October 12, 2006.
• ASP SECURITY
http://infosecuritymag.techtarget.com/articles/october01/features_ASP_security.s
html#t1, access date: November 04, 2006.
• http://www.tcs.com/0_media_room/releases/200209sept/20020917_riskscan.htm,
access date: November 04, 2006.
• Checklist for Information Security Steps,
http://www.bankersonline.com/tools/infosec_newchecklist.pdf , access date:
November 04, 2006.
• Know Thy Firewall,
http://www.bankersonline.com/technology/rm_knowthyfirewall.html, access date:
November 04, 2006.
• Access Controls and User Permissions,
http://www.bankersonline.com/tools/infosec_newchecklist.doc, access date:
November 04, 2006.
• Sample risk analysis,
http://www.bankersonline.com/tools/security/rm_sampleriskanalysis.xls, access
date: November 04, 2006.
• Employee Guide to Information Security,
http://www.bankersonline.com/tools/infosecguide_jt.doc, access date: November
04, 2006.
• InfoSec Service Provider Risk Assessment Matrix,
http://www.bankersonline.com/tools/serviceprovider_matrix.doc, access date:
November 04, 2006.
• InfoSec Contract Provisions Monitoring Chart,
http://www.bankersonline.com/tools/sp_contractmonitoring.doc, access date:
November 04, 2006.
• Branch Security Review Checklist,
http://www.bankersonline.com/tools/branchsecurity2.doc, access date: November
04, 2006.
• Night Inspection Evaluation Form,
http://www.bankersonline.com/tools/nightinspecform.doc, access date: November
04, 2006.
• Suspicious Activity Investigation Report,
http://www.bankersonline.com/tools/operational/suspiciousactivityinvestigationre
port.doc, access date: November 04, 2006.
• Sample Investigative Report,
http://www.bankersonline.com/tools/sampinvrept.html, access date: November
04, 2006.
• RECORD RETENTION POLICY,
http://www.bankersonline.com/tools/RecordRetention2.doc, access date:
November 04, 2006.
• Bomb Warning form, http://www.bankersonline.com/security/warningform.doc,
access date: November 04, 2006.
• http://www.bankersonline.com/tools/tools_security.html#newchecklist, access
date: November 04, 2006.
• http://www.bankersonline.com/tools/tools_ppp.html#1c, access date: November
04, 2006.
• IT Security Challenges,
http://www.networkmagazineindia.com/200304/20030406cov1.jpg, access date:
November 04, 2006.
• Current and Planned use of Technologies,
http://www.networkmagazineindia.com/200304/20030407cov1.jpg, access date:
November 04, 2006.
• Causes of unavailability of critical business systems,
http://www.networkmagazineindia.com/200304/20030408cov1.jpg, access date:
November 04, 2006.
• What are the current access control measures used?,
http://www.networkmagazineindia.com/200304/20030410cov1.jpg, access date:
November 04, 2006.
• What are the encryption tools being used?,
http://www.networkmagazineindia.com/200304/20030409cov1.jpg, access date:
November 04, 2006.
• Network Magazine (Information Security : A new approach),
http://www.networkmagazineindia.com/200304/cover1.shtml, access date:
November 04, 2006.
• What are the prevalent security tools and practices?
http://www.networkmagazineindia.com/200304/20030411cov1.jpg, access date:
November 04, 2006.
• How effective is your Security Policy,
http://www.networkmagazineindia.com/200211/cover1.shtml, access date:
November 04, 2006.
• The ROI of Security, http://www.sei.cmu.edu/news-at
ei/columns/security_matters/2006/05/security-matters-2006-05.htm, access date:
November 04, 2006.
• Information Technology Examination Officer's Questionnaire,
http://www.fdic.gov/regulations/examinations/questionnaire/index.html, access
date: November 04, 2006.
• Positioning and Basic Structure of the Security Policy,
http://www.kantei.go.jp/foreign/it/security/2001/g3.html, access date: November
04, 2006.
• Information Security Management BS 7799.2:2002 - Audit Check List,
http://www.sans.org/score/checklists/ISO_17799_checklist.pdf#search=%22quest
ionnaire%20for%20Information%20security%20%26%20risk%20management%
22, access date: November 04, 2006
• Largest Public sector bank, http://www.alliedindia.com/casestudies.html, access
date: November 04, 2006.
• Largest Private Bank, http://www.alliedindia.com/case_bank.html, access date:
November 04, 2006.
• Security concerns of banking IT systems should be guarded,
http://www.banknetindia.com/banking/6911.htm, access date: November 04,
2006.
APPENDIX – I

QUESTIONNAIRE

General Information

• Name of the organization…
• Type of Organization:
   • (Apex Body) Central Bank
   • (Public Sector Commercial Bank) Nationalised Bank
   • Private Sector Commercial Bank
   • Co-operative Bank
   • Foreign Banks operating in India
• Location:
   • Metro Cities
   • B-Class Cities
   • C-Class Cities
   • Rural Areas
• Name & Designation of the respondent:
Risk Assessment Questions

The answers to the following questions would help in understanding and evaluating
the threats to the information resources in the organizations.

A. Physical Security
Sr. | Criterion | Risk Value | Criterion Weight | Total Risk (Risk Value X Criterion Weight)
1 Are physical access controls (like
identity badges, security cards, etc.)
available? Are they fully adequate and
effective?
(a) Yes, fully adequate and
effective.
(b) Yes, reasonably adequate and
effective.
(c) Totally ineffective.
2 Status of environmental controls (air
conditioners, smoke detectors, etc)
(a) Always up to the standards.
(b) Not always up to the
standards.
(c) Not monitored.
3 Are good house keeping procedures
distributed?
(a) Yes, strictly followed and kept
up-to-date.
(b) Yes, mostly followed and
reasonably up-to-date.
(c) No procedure available.
4 Have physical security aspects been
audited?
(a) Yes, less than a year ago.
(b) Yes, more than a year ago.
(c) Never.
5 Are mission critical systems in a
location to which access is restricted
to authorised personnel only?
(a) Yes, adequately.
(b) Yes, reasonably.
(c) No.
6 Are all desktops and notebooks
equipped with anti-theft devices?
(a) Yes, adequately.
(b) Yes, reasonably
(c) No.
7 Are power protection devices installed
to protect the systems from any
power disruptions?
(a) Yes, adequately.
(b) Yes, reasonably.
(c) No.
8 Are hacker attempts on desktops,
laptops and servers reported to
abuse@bank.com?
(a) Yes, always
(b) Yes, in some cases
(c) Never.
9 Are any devices such as Smoke
Detectors, Water detectors, Fire
Suppression systems, temperature
sensors, etc., installed to safeguard
the systems/ servers from such
unforeseen incidents?
(a) Yes, are checked regularly.
(b) Yes, checked whenever
required.
(c) Not installed.
B. Personnel Security

Sr. | Criterion | Risk Criterion Value | X | Weight | Total Risk

1. Are employment verifications performed prior to hiring?
   (a) Yes.
   (b) Yes, sometimes.
   (c) Never.

2. Are employees required to sign conflict of interest or code of conduct statements at the time of hiring?
   (a) Yes, always.
   (b) Yes, sometimes.
   (c) Never.

3. Are all the concerned employees handed a copy of the security procedures at the time of hiring?
   (a) Yes, always.
   (b) Yes, but not regularly.
   (c) Never.

4. Are all employees often reminded about the importance of computer security?
   (a) Yes, always.
   (b) Not regularly.
   (c) Never.

5. Have personnel security aspects been audited?
   (a) Yes, less than a year ago.
   (b) Yes, more than a year ago.
   (c) No.

C. Data Security

Sr. | Criterion | Risk Criterion Value | X | Weight | Total Risk

1. Are security standards, policies and guidelines about data security distributed to all the employees?
   (a) Yes, fully adequate and up-to-date.
   (b) Yes, reasonably adequate but needs improvement.
   (c) Never, not available.

2. Are the security aspects of the operating systems adequate and used effectively to control access to the data files?
   (a) Yes, used effectively.
   (b) Not used effectively.
   (c) Security features not adequate.

3. Are access rules and privileges for gathering data files always in line with the employee's job duties?
   (a) Yes, always.
   (b) Mostly.
   (c) No.

4. Are data/system owners or custodians established for all critical and sensitive data?
   (a) Yes, always.
   (b) Yes, mostly.
   (c) No.

5. Are data/system users established for all important data files?
   (a) Yes, always.
   (b) Yes, but not always.
   (c) Never.

6. Do data/system users need permission from the data/system owners before making changes to critical and sensitive data files and programs?
   (a) Yes.
   (b) Yes, permission is delegated.
   (c) No permission needed.

7. Have data security aspects been audited?
   (a) Yes, less than a year ago.
   (b) Yes, more than a year ago.
   (c) Never.
D. Data Backup and Recovery

Sr. | Criterion | Risk Criterion Value | X | Weight | Total Risk

1. Does the bank regularly take the server backup? Does the server backup procedure include secure off-site storage?
   (a) Yes, once a week.
   (b) Yes, once a quarter.
   (c) Never.

2. Does the bank periodically test restoration of server files?
   (a) Yes, regularly.
   (b) Yes, whenever required.
   (c) Never.

3. Do all users store the local data in a single directory to simplify backup and ensure all data is captured?
   (a) Yes, always.
   (b) Yes, whenever required.
   (c) Never.

4. Are backup needs periodically reviewed?
   (a) Yes, less than a year ago.
   (b) Yes, more than a year ago.
   (c) Never.

E. Applications Software Security

Sr. | Criterion | Risk Criterion Value | X | Weight | Total Risk

1. Are security standards, policies and guidelines about application software security distributed to all the employees?
   (a) Yes, fully adequate and up-to-date.
   (b) Yes, reasonably adequate but needs improvement.
   (c) Never, not available.

2. Do functional users and auditors participate in systems development and maintenance?
   (a) Yes, users and auditors participate.
   (b) Yes, sometimes the users do but not the auditors.
   (c) Neither users nor auditors participate.

3. Is there a standard system development and maintenance methodology and is it followed?
   (a) Yes, always.
   (b) Not always.
   (c) No methodology exists.

4. Are software packages purchased and used?
   (a) Used with major changes.
   (b) Used with minor changes.
   (c) Used, but with major changes and combined with in-house developments.

5. Are appropriate application software updates and security patches being applied in a timely manner to all bank computers and servers?
   (a) Yes, regularly.
   (b) Yes, when required.
   (c) No, done only during the maintenance stage.

6. Does the staff have the appropriate level of access to applications based on their current responsibilities?
   (a) Yes, it is verified.
   (b) Yes, it is provided to all.
   (c) No such policy in place.

7. Is application access promptly removed for employees who have left the department?
   (a) Yes, promptly.
   (b) Yes, when identified.
   (c) No such policy in place.
F. Systems Software Security

Sr. | Criterion | Risk Criterion Value | X | Weight | Total Risk

1. Are security standards, policies and guidelines about systems software security distributed to all the employees, and are they adequate?
   (a) Yes, fully adequate and up-to-date.
   (b) Yes, reasonably adequate but needs improvement.
   (c) Never, not available.

2. Are proper files for monitoring security violations listed and reviewed?
   (a) Listed and reviewed.
   (b) Listed but not reviewed.
   (c) Neither listed nor reviewed.

3. Are powerful utility programs prescribed and controlled properly?
   (a) Yes.
   (b) Normally, yes.
   (c) Never.

4. Have systems software security aspects been audited?
   (a) Yes, less than a year ago.
   (b) Yes, more than a year ago.
   (c) Never.

G. Telecommunications Security

Sr. | Criterion | Risk Criterion Value | X | Weight | Total Risk

1. Are security standards, policies and guidelines about telecommunications security distributed to all the employees, and are they adequate?
   (a) Yes, fully adequate and up-to-date.
   (b) Yes, reasonably adequate but needs improvement.
   (c) Never, not available.

2. Are there any special features to effectively control access to the telecommunication programs and data files, and are they being used effectively?
   (a) Yes, used effectively.
   (b) Yes, but not used effectively.
   (c) Not in place.

3. Are terminal IDs part of the user identification and authentication process?
   (a) Yes, always.
   (b) Yes, but not always.
   (c) Never.

4. Are security related controls over the program, data and message transmission activities adequate and effective?
   (a) Yes, fully adequate and effective.
   (b) Yes, fairly adequate but needs improvement.
   (c) Not at all adequate or effective.

5. Have telecommunications security aspects been audited?
   (a) Yes, less than a year ago.
   (b) Yes, more than a year ago.
   (c) Never.

6. Does the bank allow modems attached to servers/systems that can receive calls?
   (a) Not allowed at all.
   (b) Allowed sometimes.
   (c) Always allowed.
H. Computer Operations Security

Sr. | Criterion | Risk Criterion Value | X | Weight | Total Risk

1. Are updated and acceptable standards, policies and guidelines about computer operations security distributed to employees?
   (a) Yes, adequate and up-to-date.
   (b) Yes, reasonably adequate but needs improvement.
   (c) Not in existence.

2. Are access control systems built into the operating systems adequate, and are they used effectively to control operations staff's access to applications and systems software and data files?
   (a) Yes, used effectively.
   (b) Yes, but not used effectively.
   (c) No, not enabled.

3. Are backup procedures for data and software adequate and well-documented, and are the procedures being followed?
   (a) Yes, being followed rigidly.
   (b) Procedures are not followed regularly.
   (c) No procedures.

4. Are all sensitive data used for authenticating a user, such as passwords, stored in protected files?
   (a) Yes, up-to-date.
   (b) Yes, but not up-to-date.
   (c) No.

5. Does the bank deactivate accounts for terminated or transferred employees in a timely manner?
   (a) Yes, handled very promptly.
   (b) Yes, during mass deactivation.
   (c) No.

6. Does the bank periodically review current employee accounts that have not been used in a long time and consider deactivating them?
   (a) Yes, carried out regularly.
   (b) Yes, sometimes.
   (c) Never.

7. Does the bank log and review multiple tries to enter a password for a given account (e.g., locking out a user after three unsuccessful log-in attempts)?
   (a) Yes, followed rigidly.
   (b) Yes, but not followed rigidly.
   (c) No policy in existence.

J. Review and Response

Sr. | Criterion | Risk Criterion Value | X | Weight | Total Risk

1. Is there a documented procedure for handling exceptions to security policies and standards? Does this procedure include the higher management level too?
   (a) Yes
   (b) No

2. Are particularly sensitive systems and infrastructures formally identified on a periodic basis?
   (a) Yes
   (b) No

3. Are all the Information Systems in the premises insured for risk?
   (a) Yes
   (b) No

4. Is there an alternate way for transferring the risk?
   (a) Yes
   (b) No
APPENDIX – II

GLOSSARY

Authorized User: A University employee, student or other individual affiliated with the University who has been granted authorization by the Electronic Information Resource Proprietor, or his or her designee, to access an Electronic Information Resource and who invokes or accesses an Electronic Information Resource for the purpose of performing his or her job duties or other functions directly related to his or her affiliation with the University. The authorization granted is for a specific level of access to the Electronic Information Resource as designated by the Electronic Information Resource Proprietor, unless otherwise defined by University policy. An example of an Authorized User includes someone who handles business transactions and performs data entry into a business application, or someone who gathers information from an application or data source for the purposes of analysis and management reporting.

Business Continuity Plan: A plan for the continued operation of critical business administration in the case of a disaster affecting normal functioning. A Business Continuity Plan is more all-inclusive than a Disaster Recovery Plan, which normally relates to information systems only. Overall business continuity planning is not within the scope of these Guidelines.

Computer Virus: An example of Intrusive Computer Software (see definition below).

Disaster: Any event or occurrence that prevents the normal operation of Electronic Information Resource(s) for a period of time, such that the resulting disruption and/or losses exceed the acceptable limits established consistent with these Guidelines. A disaster may occur as a result of a natural disaster (such as a flood, fire or earthquake), employee error or other accidents, long-term system failures, and criminal or malicious action.

Disaster Recovery Plan: A written plan including provisions for implementing and running Essential Electronic Information Resources at an alternate site or provisions for equivalent alternate processing (possibly manual) in the event of a disaster.

Intrusive Computer Software: Intrusive computer software (such as a computer virus) is an unauthorized program designed to embed copies of itself in other programs, to modify programs or data, or to self-replicate. Intrusive computer software may be spread via removable storage media or via a network. The term "intrusive computer software" as it is used in these Guidelines is intended to encompass the variety of such unauthorized programs, including viruses, bacteria, worms, Trojan Horses, etc.

Security: Measures taken to reduce the risk of 1) unauthorized access to or modification of Electronic Information Resources, via logical, physical or managerial means; and 2) damage to or loss of Electronic Information Resources through any type of disaster (such as employee error or other accidents, long-term system failures, natural disasters, and criminal or malicious action). Security also encompasses measures taken to reduce the impact of any violation of security or a disaster that occurs despite preventive measures.

Server: A multi-user computer, including mainframes, servers, and personal computers providing services to multiple users. A computer employed as a single-user workstation is not considered a server.

Annual Loss Expectancy (ALE): The total amount of money that an organization will lose in one year if nothing is done to mitigate a risk.

Annual Rate of Occurrence (ARO): The number of times that a risk is expected to occur during one year.

Asset: Anything of value to an organization, such as hardware and software components, data, people, and documentation.

Availability: The property of a system or a system resource that ensures that it is accessible and usable upon demand by an authorized system user. Availability is one of the core characteristics of a secure system.

CIA: Confidentiality, Integrity, and Availability.

Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes (ISO 7498-2).

Control: An organizational, procedural, or technological means of managing risk; a synonym for safeguard or countermeasure.

Cost-benefit analysis: An estimate and comparison of the relative value and cost associated with each proposed control so that the most effective are implemented.

Decision support: Prioritization of risk based on a cost-benefit analysis. The cost for the security solution to mitigate a risk is weighed against the business benefit of mitigating the risk.

Impact: The overall business loss expected when a threat exploits a vulnerability against an asset.

Integrity: The property that data has not been altered or destroyed in an unauthorized manner.

Mitigation: Addressing a risk by taking actions designed to counter the underlying threat.

Mitigation solution: The implementation of a control, which is the organizational, procedural, or technological control put into place to manage a security risk.

Probability: The likelihood that an event will occur.

Qualitative risk management: An approach to risk management in which the participants assign relative values to the assets, risks, controls, and impacts.

Quantitative risk management: An approach to risk management in which participants attempt to assign objective numeric values (for example, monetary values) to the assets, risks, controls, and impacts.

Reputation: The opinion that people hold about an organization; most organizations' reputations have real value even though they are intangible and difficult to calculate.

Return On Security Investment (ROSI): The total amount of money that an organization is expected to save in a year by implementing a security control.

Risk: The combination of the probability of an event and its consequence.

Risk assessment: The process by which risks are identified and the impact of those risks determined.

Risk management: The process of determining an acceptable level of risk, assessing the current level of risk, taking steps to reduce risk to the acceptable level, and maintaining that level of risk.

Single Loss Expectancy (SLE): The total amount of revenue that is lost from a single occurrence of a risk.

Threat: A potential cause of an unwanted impact to a system or organization.

Vulnerability: Any weakness, administrative process, or act or physical exposure that makes an information asset susceptible to exploit by a threat.
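A worked instance of the quantitative terms defined above (SLE, ARO, ALE, ROSI and decision support), added here as an example and not part of the dissertation. It uses the standard relations ALE = SLE × ARO and ROSI = (ALE before − ALE after) − annual control cost, which the glossary does not spell out; all figures, risk names and control names are constructed, and the three risks echo questionnaire items on power protection, restore testing and anti-theft devices.

```python
"""Decision support with the glossary's quantitative risk terms.

Added example (not from the dissertation). Relations assumed:
    ALE  = SLE x ARO                         (loss per year, nothing done)
    ROSI = (ALE_before - ALE_after) - cost   (yearly saving from a control)
Every number below is constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # Single Loss Expectancy: loss from one occurrence (currency units)
    aro: float  # Annual Rate of Occurrence: expected occurrences per year

    def ale(self) -> float:
        """Annual Loss Expectancy if nothing is done to mitigate the risk."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A mitigation solution; factors give the residual ARO/SLE as a fraction of the original."""
    name: str
    annual_cost: float
    aro_factor: float = 1.0  # 1.0 = the control does not change how often the loss occurs
    sle_factor: float = 1.0  # 1.0 = the control does not change the size of each loss


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control is in place."""
    return (risk.sle * control.sle_factor) * (risk.aro * control.aro_factor)


def rosi(risk: Risk, control: Control) -> float:
    """Return On Security Investment: money saved per year by the control.

    Negative means the control costs more per year than the loss it prevents,
    which is the cost-benefit signal the glossary's 'decision support' relies on.
    """
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def prioritise(candidates):
    """Rank (Risk, Control) pairs by ROSI, best first.

    Returns (risk name, control name, ROSI rounded to 2 places). Pairs with a
    non-positive ROSI are kept so the reviewer can see what was rejected and why.
    """
    scored = [(risk.name, control.name, round(rosi(risk, control), 2))
              for risk, control in candidates]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample figures (not from the dissertation or any real bank).
RISKS = {
    "power_disruption": Risk("server outage from power disruption", sle=40_000.0, aro=2.0),
    "backup_failure": Risk("unrecoverable data loss (untested restores)", sle=250_000.0, aro=0.1),
    "laptop_theft": Risk("notebook theft", sle=5_000.0, aro=3.0),
}

CONTROLS = {
    "ups": Control("UPS and generator", annual_cost=15_000.0, aro_factor=0.1),
    "restore_tests": Control("quarterly restore tests", annual_cost=8_000.0, sle_factor=0.2),
    "cable_locks": Control("anti-theft cable locks", annual_cost=2_000.0, aro_factor=0.5),
    "armed_guard": Control("full-time guard for notebooks", annual_cost=60_000.0, aro_factor=0.05),
}

CANDIDATES = [
    (RISKS["power_disruption"], CONTROLS["ups"]),
    (RISKS["backup_failure"], CONTROLS["restore_tests"]),
    (RISKS["laptop_theft"], CONTROLS["cable_locks"]),
    (RISKS["laptop_theft"], CONTROLS["armed_guard"]),
]

if __name__ == "__main__":
    # Expected order: UPS (57000), restore tests (12000), cable locks (5500), guard (-45750)
    for risk_name, control_name, saving in prioritise(CANDIDATES):
        print(f"{saving:>12,.2f}  {control_name:<32}  ->  {risk_name}")
```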
APPENDIX – III

POCKET MATERIAL

• FLASH FILMS INCLUDED IN THE CD
• FLASH SCREEN SAVERS INCLUDED IN THE CD
APPENDIX – IV

BRANCH SECURITY REVIEW CHECKLIST

BRANCH: Date:

Section 1

Physical Vulnerability
YES NO N/A

1. Do all office windows permit an unobstructed view of the bank's interior?

2. Are all exterior doors and windows equipped with tamper-resistant locks?

3. If the office is located in a mall or a multi-tenant office building, is the ceiling crawl space separated from the crawl space over the adjacent stores/offices?

4. Are entrances from the basement, corridors, and upper floors secured?

5. Are all non-public entrances secured during business hours?

6. Is the area surrounding the office free of visual obstructions such as architectural and landscaping features which could provide cover for would-be robbers?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:

Section 2

Lighting Systems
YES NO

1. Do all lights illuminate all areas surrounding the building, including ATMs, night depositories, walkways and parking lots?

2. Does the branch have an independent power source (battery or generator power) for emergency lighting?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:

Section 3

Vaults
YES NO

1. Is the vault equipped with a ventilator to provide air to an employee in the event of a lock-in?

2. Is the vault equipped with an alarm or a telephone so an employee can signal for help if locked in?

3. Are all employees trained in procedures to follow if locked in the vault?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:
Section 4

Alarm Systems - General
YES NO

1. Is the alarm control panel located inside the vault or in another secured area?

2. Is the telephone junction box located in a secured area?

3. Are the alarm terminals in the telephone junction box unmarked and known only to selected bank officials?

4. Are preventive maintenance inspections of the alarm system and independent power source conducted by a qualified service contractor at least once every six months?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:

Section 5

Point or Burglar Alarms
YES NO

1. Are burglar alarms installed on all vaults, night depositories, ATMs, and safes?

2. Is there an emergency power supply to assure continuous operation of the burglar alarm system for at least 80 hours in the event of a power failure?

3. Has a burglar alarm response procedure (including all clear) been developed that conforms with local police response procedures?

4. Are procedures for operating, testing, and maintaining the burglar alarm system in place and rigorously followed?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:

Section 6

Silent Robbery Alarms
YES NO N/A

1. Is the office protected by a silent alarm system?

2. When triggered, does the alarm report directly to police or to an intermediate or proprietary monitoring station?

3. Has a robbery response plan been established and implemented which conforms to local police alarm response procedures?

4. Are alarm actuators located at each teller station, inside the vault, and at all other workstations where currency is handled or customers are served?

5. Can all alarm actuators be operated covertly?

6. Do all employees receive initial training on how to actuate the alarm system and under what circumstances they should do so?

7. Do all employees test their alarm actuators at least once a month?

8. Are silent alarm annunciation lights installed in the employee lounge and back offices to alert employees when a robbery is in progress?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:
Section 7

Closed-Circuit Television Surveillance Systems
YES NO

1. Is the VCR working properly and are the camera angles appropriate?

2. Do cameras provide surveillance of all office entrances?

3. Do cameras provide surveillance of all teller stations?

4. Are CCTV pictures periodically monitored by branch or security personnel during business hours?

5. Is video from each camera continuously recorded?

6. Are recorded videocassettes properly labeled and retained for at least one month before being erased and re-recorded?

7. Is test video periodically reviewed by the security officer for coverage and clarity?

8. Are all VCR heads cleaned routinely according to an established schedule?

9. Is the system inspected by a qualified service technician at least twice a year?

10. Are the video tapes changed on a regular schedule, i.e. each day, every Monday …..? (review tape log and copy current page)

11. Are the camera coverage and VCR recording checked on a daily basis, to ensure quality pictures and that the system is working correctly?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:

Section 8

Night Depository
YES NO

1. Is the area surrounding the night depository properly illuminated?

2. If state or local ordinances specify lighting requirements, does your lighting system comply?

3. Is the bag depository door equipped with a tamper-resistant lock?

4. Is the unit designed to prevent “fishing” and “trapping” of deposits?

5. Is the depository located so any activity around the unit is visible from a public area?

6. Are architectural and landscaping features around the night depository designed to deprive would-be robbers of concealed positions to await customers making deposits?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:

Section 9

Automatic Teller Machines
YES NO

1. Does the ATM have dual control?

2. Are the cash dispenser and depository chute designed to prevent “fishing” and “trapping”?

3. Is the surveillance camera positioned to record criminal activity at and around the ATM?

4. Is the ATM located so any activity around the ATM is visible from a public area?

5. Are architectural and landscaping features around the ATM designed to deprive would-be robbers of concealed positions to await customers making deposits or withdrawals?

6. If a remote ATM, is the service equipped with a silent robbery alarm, telephone, or other means of communication with law enforcement officials?

7. If a remote ATM, is the service entrance equipped with a viewing port or closed-circuit television system that allows personnel inside the service room to view activity outside?

8. Does the ATM provide customers with adequate privacy to prevent bystanders from observing details of their transactions (e.g., entry of their PIN numbers)?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:
Section 10

Teller Stations
YES NO

1. Are teller counters of sufficient height to discourage a bandit from vaulting them, or are they otherwise protected (e.g., by bullet-resistant windows)?

2. Are teller counters manufactured with bullet-resistant materials or equipped with under-counter steel?

3. Are access gates to teller areas kept secured during banking hours?

4. Are all tellers equipped and trained to use bait money, dye packs or electronic homing devices in the event of a robbery?

5. If teller nameplates or badges are used, are only first names used?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:

Section 11

Safe Deposit Operations
YES NO

1. Are renters positively identified before granting access?

2. Is each coupon booth checked immediately after the customer leaves?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:

Section 12

Opening Procedures
YES NO

1. Is the all clear signal changed at least once every quarter?

2. Are employees instructed to contact the security officer or the police if the all clear signal is not displayed within the allotted time?

3. Are the employees instructed not to gather at the bank entrance while awaiting entry?

4. Are all persons except office employees refused entry to the office before opening?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:

Section 13

Closing Procedures
YES NO

1. Are all employees instructed to look for strangers and suspicious customer behavior at the end of the business day, and to actuate surveillance cameras and notify the security officer or branch managers if their suspicions are aroused?

2. Is the banking office inspected to ensure all valuables have been secured, all customers have left, all exterior windows and doors are securely locked, and all alarms, lighting, and security devices intended for use during nonbusiness hours are operating?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:
Section 14

Key and Combination Control
YES NO

1. Is the number of keys assigned to employees kept to a minimum?

2. Is a log maintained listing all employees who have received office keys?

3. If a terminated employee fails to return a key, or is otherwise suspect, are the locks changed on all exterior doors?

4. Are excess keys kept in a locked box in a secure area?

5. Is dual control maintained over vault and safe combinations so that no single employee is capable of accessing the vault or safe alone?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:

Section 15

Bait Money, Dye Packs and Electronic Homing Devices
YES NO

1. If the bait money, dye pack or electronic device is disguised as strapped currency, is it banded with a fresh band and does it appear identical to regular strapped currency?

2. Is bait money, a dye pack or an electronic homing device kept in an accessible place in each teller's top drawer?

3. Is bait money, a dye pack or an electronic homing device also kept with cash reserves in the vault or safe?

4. Does bait money consist of used Federal Reserve Notes?

5. Are bait money forms initialed, dated and filed with the security officer or his designee?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:

Section 16

Height Markers
YES NO

1. Are height reference markers or visible strips of tape installed at a six foot height on the door frames at all entrances to the office?

2. Are height reference markers indicating counter height installed at each teller station?

3. Are all employees trained to use height reference markers to estimate a suspect's height?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:
Section 17

Visitor Identification Procedures
YES NO

1. Is access to non-public areas within the banking office by doors and gates that are locked at all times?

2. Is a log book maintained to document all visitors entering restricted areas of the banking office?

3. Is the visitor's identity and authorization verified by telephone to the visitor's company or office unless both the visitor and the reason for the visit are known to office personnel?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:

Section 18

Rubbish Retention
YES NO

1. Is rubbish from the lobby, teller areas and other locations where transactions are conducted collected on a daily basis?

2. After the retention period has expired, are all documents (e.g., deposit or withdrawal slips, voided checks, application forms, etc.) shredded, incinerated or disposed of by a bonded recycling company which guarantees their destruction?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:

Section 19

Evidence Protection
YES NO

1. Are employees trained to follow established procedures for handling and protecting evidence?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:

Section 20

Fire Security
YES NO

1. Is the office protected by smoke detectors and fire alarms?

2. Are an adequate number of multi-purpose fire extinguishers located in accessible locations?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:

Section 21

Training
YES NO

1. Do branch personnel know what to do if they receive a bomb threat or extortion / kidnap call?

2. Do branch personnel know the importance of maintaining confidentiality of security and operations procedures?

Recommended Corrective Action and Date of Implementation:

General Comment Section:

Supporting Documentation:

Branch Security Review Checklist - http://www.bankersonline.com/tools/branchsecurity2.doc access date: November 04, 2006.
