Cyber Crisis Management Plan

Cyber Crisis Management Plan (CCMP)
Cyber Crisis Management Plan
Document Details
Version 1.0
Year 2017-18
Number of Pages 43
Owner Punjab & Sind Bank
Page 1 of 43
Version History
Version Date Comments
This document describes the Cyber Crisis Management

1.0 January 2018
Plan for the Bank.
Page 2 of 43
CONTENT
Sr. No. Topic Page
1 Introduction 4
2 Overview 4
3 Objective/ Purpose 5
4 Applicability of the Plan 5
5 Plan Exceptions 5
6 Guidelines for formulating Cyber Crisis Management Plan 6
7 Maintenance & Review of CCMP 6
8 Cyber Crisis and Contingencies 7
9 Types of Cyber Crisis 7
10 Prevention Strategies and Plans 9
11 Crisis Recognition & Mitigation Plan 10
12 End-user Awareness and Training 12
Annexure - A (Components within the System and their mappings to

13
Controls)
Annexure - B (Threat levels and related conditions) 16
Annexure - C (Incidence Response Activities During The First Hour) 18
Annexure - D (Contact Details and Reporting Formats) 24
Annexure - E (Nature and Severity of Crisis And Steps For Mitigation) 38
Page 3 of 43
1. Introduction
1.1 Crisis is defined as a significant threat to the operations of the organization that can have negative
consequences, if not handled properly. Crisis can create financial and reputational loss by disrupting
operations.
1.2 Cyber crisis is coordinated large scale cyber events that result in or have the potential to result in a
wide spread outage or disrupt multiple infrastructures. Cyber-attack is any type of offensive maneuver
by individuals or whole organizations that targets computer information systems, infrastructures,
computer networks, and/or personal computer devices by various means of malicious acts usually
originating from an anonymous source that either steals, alters, or destroys a specified target by
hacking into a susceptible system. These can be labeled as either a cyber campaign, cyber warfare or
cyber terrorism in different context. Cyber-attacks can range from installing spyware on a PC to
attempts to destroy the infrastructure of the entire Bank.
1.3 Cyber Crisis Management is a critical organizational function. Failure can result in serious harm to
stakeholders, losses for the organization, or end its very existence. The cyber crisis management plan is
prepared in line with Business Continuity Plan.
1.4 RBI vide circular RBI/ 2015-16/ 418 DBS.CO/ CSITE/ BC.11/ 33.01.001/ 2015-16 dated 02.06.2016
mandates that Cyber Crisis Management Plan (CCMP) should be evolved and should be a part of the
overall Board approved strategy.
1.5 RBI guidelines lay down the guiding principles for formulation of an effective Cyber Crisis
Management Plan and its implementation. These guidelines mandates implementation of a CCMP. The
same shall be reviewed periodically. This document on Cyber Crisis Management Plan (CCMP) has been
formulated in compliance with the RBI guidelines.
2. Overview
This document on CCMP is designed to reduce the Bank's risk arising from an unexpected disruption of
the critical functions/ operations necessary for the business due to cyber attacks/ crisis. CCMP can be
defined as a statement of:
• Actions to be taken.
• Resources to be used.
• Procedures to be followed before, during and after a cyber crisis which renders a Business function
totally or partially unavailable.
Page 4 of 43
3. Objective/ Purpose
The objective of this Cyber Crisis Management Plan is to counter Cyber Attacks/ Cyber Terrorism by
outlining a framework for dealing with cyber related incidents for a coordinated, multi-disciplinary and
broad based approach for rapid identification, information exchange, swift response and remedial
actions to mitigate and recover from malicious cyber related incidents impacting critical business
functions and processes of the Bank.
The purpose of Cyber Crisis Management Plan (CCMP) is to enable Bank to continue operations in the
event of an interruption to the Business Functions. The plan addresses all business and systems
functions necessary to continue as a viable organization. Strong management support, extensive
planning and a commitment of resources are necessary to adequately plan for both manual and
automated interruptions.
Any serious disruption can cause critical information resources to be inoperative from few hours to
several days, depending upon the criticality of the information resources. The recovery of key business
processes, in a worst-case scenario, would probably involve the use of alternative processing facilities,
where the recovery of software and data files from offsite locations may be required. This CCMP take
into account of all events types that might impact both critical information systems processing facilities
and end-user business operational functions.
The main objective of CCMP is:-
1) To continue the service to customers and financial market participants.

2) To minimize financial loss to the bank.
3) To mitigate the negative effects that the disruptions can have on the bank‘s strategic plans,
reputation, operations, liquidity, credit quality and market position.
4) To remain in compliance with applicable laws and regulations.
5) To support systemic financial market business processes (e.g., inter-bank payment systems, key
market clearance and settlement activities).
4. Applicability of the Plan
This document applies to all activity owners, including Bank Employees, contractors, consultants,
temporary staff and other individuals even if, affiliated with Third Parties, who have access to Bank‘s
Information/ Information Processing Facilities and other resources to have CCMP‘s in place to be in
readiness to tackle serious business disruptions.
5. Plan Exceptions
Every care has been taken in formulating this CCMP. The Information Security Cell cannot possibly
foresee all possible circumstances or situations in which it might apply. It is conceivable that
Page 5 of 43
exceptional situations or emergencies may occur when practical considerations clearly override or
negate the statements made herein.
In case anyone identifies a situation in which these plan cannot apply for some reason, it is his/ her
responsibility to raise the matter with the respective GMs/ Head of Branch, Zone, or Department.
GMs/ Head of Branch, Zone, Department taking into consideration the relevant Information resources
Owners and other stakeholders, will take up with the GM-IT who will take decision on whether to
permit or deny such plan exceptions.
6. Guidelines for formulating Cyber Crisis Management Plan
Based on the broad guidelines issued by RBI, CCMP addresses the following four aspects:
i. Detection
ii. Response
iii. Recovery, and
iv. Containment
Bank need to take effective measures to prevent Cyber-Attacks and to promptly detect any cyber-
intrusions so as to respond/ recover/ contain the fall out. Bank is expected to be well prepared to face
emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks. Among
other things, bank should take necessary preventive and corrective measures in addressing various
types of cyber threats including, but not limited to, Denial Of Service (DOS), Distributed Denial Of
Services (DDoS), Ransom-Ware/ Crypto Ware, Destructive Malware, Business Email Frauds including
Spam, Email Phishing, Spear Phishing, Whaling, Vishing Frauds, Drive-By Downloads, Browser Gateway
Fraud, Ghost Administrator Exploits, Identity Frauds, Memory Update Frauds, and Password Related
Frauds etc.
7. Maintenance & Review of CCMP
CCMP document shall be reviewed, at least, annually or as and when changes in the Bank’s
environment/ infrastructure or threat occur to keep pace with the changes within the Bank. Some of
the typical changes that may be identified and updated in the manual include:
a. The Critical assets, Nature of cyber crisis and possible targets and impact of particular type of
crisis on these targets.
b. Crisis due to focused cyber-attacks affecting the Bank.
c. Different Types of cyber crisis described include large-scale defacement and semantic attacks
on websites, Malicious code attacks, large scale SPAM attacks, Spoofing, Phishing attacks, Social
Engineering, Denial of Service (DoS) and Distributed DoS attacks, attacks on DNS, Applications,
Infrastructure and Routers, Compound attacks and High Energy RF attacks.
Page 6 of 43
d. Measures to be taken at organizational level for enhancement of security posture of

Information and Network including implementation of Information Security Best Practices
based on ISO 27001 standard, provisioning for Business Continuity Plan.
e. Incident handling and Management, Sharing of information pertaining to incidents and
participating in mock drills conducted by various external agencies such as Cert-In, NCIIPC,
CSITE, IDRBT etc. to test the preparedness of Critical Infrastructure of Bank to withstand cyber-
attacks.
8. Cyber Crisis and Contingencies
This section identifies different types of threats and crisis that affect specific targets. Impact of such
crisis on respective targets and critical business functions and services of Bank identified to determine
suitable response and mitigation actions. While preparing the CCMP the following actions are kept in
mind:
a) Identification of all critical units of Bank by concerned owner/ division.

b) Functions and services of all such units
c) Inventory of all Critical Information assets
d) Risk Assessment and risk management as per BCP of Bank
e) Business Impact Analysis as per BCP of Bank.
f) Contingency plan for IT systems
Cyber crisis has unique features that are different from a physical crisis. In some cases, the severity of
cyber crisis is high but confined to individuals or few departments within the Bank. In other cases the
severity may be low but widely spread to entire Bank.
9. Types of Cyber Crisis
There are various types of cyber security incidents that can trigger a crisis at organization level.
a) Targeted Scanning, Probing and Reconnaissance of Networks and IT Infrastructure: Publicly

available reconnaissance techniques, including web and newsgroup searches, WHOIS querying, and
Domain Name System (DNS) probing, are used to collect data about the structure of the target
network from the Internet without actually scanning the network or necessarily probing it directly.
b) Large scale defacement and semantic attacks on websites: A website defacement is when a
defacer breaks into a web server and alters the contents of the hosted website. Attackers change
the content of a web page subtly so that the alteration is not immediately apparent. As a result,
false information is disseminated.
c) Malicious Code attacks (virus/ worm/ Trojans/ Botnets): Malicious code or malware is software
designed to infiltrate or damage a computer system without the owner's informed consent.
Page 7 of 43
Malicious code is hostile, intrusive, or annoying software or program code. Commonly known
malware are virus, worms, Trojans, spyware, adware and Bots.
d) Malware Affecting Computing Devices: Malicious code and malicious applications (apps)
affecting operating systems/ platforms used for mobile devices such as Symbian, Android, iOS,
Windows Mobile, and Blackberry OS.
e) Large scale SPAM attacks: Spamming is the abuse of electronic messaging systems to
indiscriminately send unsolicited bulk messages. SPAM mails may also contain virus, worm and
other types of malicious software and are used to infect Information Technology systems.
f) Spoofing: Spoofing is an attack aimed at ‘Identity theft’. Spoofing is a situation in which one
person or program successfully masquerades as another by falsifying data and thereby gaining an
illegitimate advantage.
g) Phishing Attacks: Phishing is an attack aimed at stealing the ‘sensitive personal data that can
lead to committing online economic frauds. Phishers attempt to fraudulently acquire sensitive
information, such as usernames, passwords and credit card details etc., by masquerading as a
trustworthy entity in an electronic communication.
h) Social Engineering: Art of manipulating people into performing disclosure actions or divulging
confidential information for using the same for monetary or defacing an individual or corporate
image.
i) Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) attacks: DoS is an
attempt to make a computer resource unavailable to its intended users. A distributed denial of
service attack (DDoS) occurs when multiple compromised computer systems flood the
communication link (called bandwidth) or resources of a targeted system.
j) Application Level Attacks: Exploitation of inherent vulnerabilities in the code of application

software such as web/ mail/ databases.
k) Infrastructure Attacks: Attacks such as DoS, DDoS, corruption of software ,Gateways of

ISPs and Data Networks, Infection of Programmable Logic Control (PLC) systems by sophisticated
malware.
l) Compound Attacks: By combining different attack methods, hackers could launch an even more
destructive attack. The Compound attacks magnify the destructiveness of a physical attack by
launching coordinated cyber-attack.
m) Router Level Attacks: Routers are the traffic controllers of the Internet to ensure the flow of
information (data packets) from source to destination. Routing disruption could lead to massive
routing errors resulting in disruption of Internet communication.
Page 8 of 43
n) Attacks on Trusted infrastructure: Trust infrastructure components such as Digital certificates

and cryptographic keys are used at various levels of cyber space ranging from products,
applications and networks.
o) High Energy Radio Frequency Attacks: Use of physical devices like Antennas to direct focused
beam which can be modulated from a distance to cause RF jamming of communication systems
including Wireless networks leading to attacks such as Denial of Service
p) Cyber Espionage and Advanced Persistent Threats: Targeted attack resulting in compromise of
computer systems through social engineering techniques and specially crafted malware.
The different types of cyber crisis/ attacks mentioned above are indicative but not exhaustive, and
may not include all types of cyber crisis/ attacks. However, the CCMP covers all types of cyber
attacks which may evolve in future also.
10. Prevention Strategies and Plans
10.1. Cyber resilience of Bank
Cyber resilience is defined as ability of organization or business process to anticipate, withstand cyber-
attacks and the capability to contain, recover rapidly and evolve to improved capabilities from any
disruptive impact of such cyber-attacks.
10.2. Protection and resilience of Bank’s infrastructure
To build cyber resiliency, Bank need to work for the following:
• Identification of key information and technology assets that support the services of the Bank by
the concerned divisional head.
• Implementation of controls to protect those assets from cyber attack.
• Implementation of controls to sustain the ability of those assets to operate under disruptive
events and recover rapidly from disruption.
• Development of processes to maintain and repeatedly carry out the protection and recovery
activities.
• Development of appropriate measures to drive these activities.
• Develop a plan for protection of Bank’s IT Infrastructure and its integration with business plan
and implement such plan. The plans shall include establishing mechanisms for secure
information flow (while in process, handling, storage & transit), guidelines and standards, crisis
management plan, proactive security posture assessment and forensically enabled information
infrastructure.
• Closely interact with 24x7 National Critical Information Infrastructure Protection Centre
(NCIIPC) by providing it the necessary and timely information.
Page 9 of 43
• To ensure identification, prioritization, assessment, remediation, and protection of Bank’s IT

infrastructure and key resources based on the plan for organization Information Infrastructure.
• To ensure compliance to global security best practices, business continuity management and
cyber crisis management plan by all entities within domain of Bank, to reduce the risk of
disruption and improve the security posture.
10.3. Cyber Resilience Components & Control Matrix
A matrix showing relation between each of the components within system and their mapping to these
controls, may be referred at Annexure - A.
11. Crisis Recognition & Mitigation Plan
11.1. Classification – Levels of Concern
The crisis arising out of cyber-attacks are categorized and prioritized from level 1 to Level 4.The levels
of concern are mentioned below:
Level 1 – Guarded
Scope: Individual user/ department /Branch
Level 2 – Elevated
Scope: Multiple Departments /Branches
Level 3 – Heightened
Scope: Complete Zone
Level 4 – Serious
Scope: Entire Bank
Refer Annexure - B for details on Levels of Concern
11.2. Reporting Mechanism
As and when a cyber-crisis situation develops, respective divisions will immediately convey to the
Information Security Cell and CISO through any quickest possible means. Further, all divisions will take
all necessary actions as given in Annexure - C of this document and Information Security Cell shall
report it to CERT-In, RBI and other agencies, as applicable time to time.
Page 10 of 43
11.3. Response System
Immediately on the occurrence of a crisis, the Contingency Plan would be put into effect. The response
action will be initiated in consultation with CISO/ CERT-In/ NCIIPC/CSITE if the situation has wider
ramifications and warrants response at the national level. During any cyber crisis, to maintain the
continuity of the Business, BCP (Business Continuity Plan) will be invoked.
11.4. Mitigation Strategy
General Guidelines on Crisis Management and security of Critical Infrastructure are outlined in
Annexure-E. The table outlines the nature of crisis/ contingency affecting the systems of individual
department, multiple departments within a Division, Various Divisions and the entire Bank leading to
crisis of different levels and authorities responsible for mitigation along with agencies that support
mitigation actions. The steps necessary to mitigate crisis will vary with respect to nature and severity of
crisis. Respective authorities responsible for mitigation of a crisis will report the incident to the
concerned authority and step-wise approach for mitigation vis-à-vis nature of crisis/ contingency as
given in the table in Annexure-D.
11.5. Closing the incident and Information Sharing
After successful mitigation and recovery from incident, the following need to be undertaken by
individual department (before closing the incident) for future reference/precaution:
• Perform a Root Cause Analysis (RCA) of the incident as well as the incident response adopted.
• Evaluate and perform assessment of the attack from the technical point of view in order to fine-
tune and optimize the eradication mechanism
• Document lessons learnt from the incident and prepare a incident report, including
infrastructure protection improvements from the post-mortem process
• Share incident report with CISO who will share it to CERT-In/ NCIIPC/CSITE and IB-CART for
future precaution and mitigation of similar attacks
• All critical departments/ Divisions shall implement infrastructure protection improvements
resulting from post-incident reviews or other protection improvement mechanisms.
11.6. Contact Information
Names, telephone numbers/ mobile numbers, e-mail IDs and addresses of Members and Alternate
Members of various stakeholders are given in the Annexure - D respectively.
11.7. Policy Review
Cyber Crisis Management Plan shall be reviewed atleast annually or whenever any major changes
required due to change in threat landscape or IT Infrastructure/ resources/ stakeholders of the Bank.
Page 11 of 43
12. End-user Awareness and Training
Bank may use following methods to create end user awareness:
• Classroom training programmes at the time of induction.
• Publication of newsletters on frauds covering various aspects of frauds and containing

important message for fraud prevention.
• Detailed ‘do’s and don’ts’ displayed on the intranet portal of the bank.
• Posters on various safety measures at the work place.
• Awareness session and quizzes through Video Conferencing/ Webinar to cover all end-user and
other stakeholders.
Page 12 of 43
Annexure - A
Components within the System and their mappings to Controls
Building cyber resilience begins with effective protection of five key components within any system
(i.e. key information and technology assets, user identity, system processes, data and hardware &
software platform along with network of connections between systems.
Achieving cyber resilience is about understanding the sensitivity and interdependency of critical assets
and selecting appropriate technical controls for protection, detection, containment and recovery from
cyber disruptive activities and assigning resilience rating for each system component by the Bank
depending on the services provided by them and their respective Service level Agreements (SLA).
User Identity Component
• Controlled access based on need-to- know.

• Enforce strong password policy.
Protect
• Multi factor authentication.
• Usages of digital certificates.
• Maintenance and analysis of complete security events and audit logs.

Detect
• Privilege escalation monitoring and alerting.
• Minimize the invalid logon counts.

• Revocation of digital certificate.
Contain
• Change access control on all devices.
• Continuous account monitoring and deactivating the dormant accounts.
• Offline recovery procedures for logging into accounts.

Recover
• Alternative indicators
System Processes Component
• Effective security patches updating Mechanism on applications etc.

• Follow best security practices during software development lifecycle.
Protect
• Secure configuration.
• Malware defenses.
• File integrity checking.

Detect
• Malware analysis.
Page 13 of 43
• Policy based restrictions on process actions.

Contain • Reconfiguration of settings.
• Usage of sandbox security mechanism.
• Assured data back-ups.

• Clustering.
Recover • Recovery time objectives for system and support.
• Manual/ Automated takeover to active alternative IT provision.
• Use of unstaffed sites as opposed to staffed sites.
Hardware and Software Platform Component
• Asset inventory (Asset classification and management).

Protect • Regular review of configuration files: OS/Middleware.
• Boot process integrity check.
• Continuous vulnerability testing and remediation.

• Tamper detection mechanism.
Detect • Platform Security Assessment (Review of system architecture/ operating
system configuration/ Security management controls/ System
configuration).
• Lockout Policies
Contain
• System isolation.
• Usage of virtual environment.

Recover • Assured back-up and replication.
• Replacing compromised missed files with clean versions.
Data Component
• Database access control: Regular review of access privileges to users of the

database.
Protect
• Role base access
• Need to Know based/ Least privilege based access
Page 14 of 43
• Monitoring access violations

Detect
• Monitoring remote access.
• Application restrictions monitoring.

• Data leakage prevention (system designed to detect potential data leakage
Contain
while in-process, handling, storage or transit).
• Access control on database.
• Assured data back-ups and physical segregation of back-up.

• Storage replication mirroring/ cloning.
Recover • Database reprocessing (going back to a known point of database activity
before the problem occurred and reprocessing work from that point
forward
Network Component
• Limitation and control of ports, protocols and services.

Protect • Wireless device control.
• Following best practices for secure configuration of network devices.
• Centralized network log analysis for wired and wireless networks.

Detect
• Network scanning and analysis.
• Isolation of trusted networks from untrusted networks.

• Denial of service offloads to ISP and cloud.
Contain • Reconfiguration of impacted network devices.
• Modify access control (all user/ root/ administrator passwords) in all
systems and network devices.
• Alternate network routing.

Recover • Alternate cloud communications.
• Usage of devices in cluster mode/load balancing mode.
Page 15 of 43
Annexure - B
Threat levels and related conditions
The table outlines the threat levels, spread of attack and related conditions that become the basis for
declaration of a crisis. The table also outlines the crisis/ contingency affecting the systems of individual
department within a division, multiple departments within a division, one division and entire bank
leading to crisis of different levels. The levels of crisis are interrelated. Each subsequent level will follow
preceding one. No level other than level 1 will come in isolation.
Threat Level Condition
Perceptible change/ variation in system performance and discovery of

critical/non critical vulnerabilities/ exploits and attacks that can affect normal
operation of network and IT systems of individual Department such as:
• Visible signs of viruses/ worms/ Bots/ malware/ Keyloggers/ Spyware
• Spam
• Identity theft (Phishing, spoofing, social engineering etc.)
Level - 1
• Web defacements
(Individual Department/
• Hacking of IT systems such as computers systems, Servers (Mail, Web,
single Branch)
Database etc) and Routers
• Application level attacks
• Denial of service attacks (DoS)
• Distributed Denial of Service (DDoS)
• Attempts for exploitation of zero-day vulnerabilities
• Detection of new and advanced malware infections
Page 16 of 43
Perceptible change/ variation in network/ system performance and abnormal

surge in network traffic affecting IT infrastructure of multiple departments
simultaneously due to:
• Large scale infection of Viruses/ Worms/ Bots/ Malware/ Key loggers /
Spyware for malicious and espionage activities.
Focused attempts of networks scanning and penetration

• DoS/ DDoS attacks
Level - 2
• Attacks on Domain Name Servers, Mail Servers, Databases, Routers
(Multiple Departments/
etc.
More than one Branch)
• Attacks on Web servers resulting in
• Defacement of websites on large scale
Attacks on Trusted infrastructure

• Attack on the IT infrastructure of a Critical Information System
• Infection of computer systems and/ or Programmable
Level - 3 Significant breakdown of working of the entire zone due to focused cyber
(One Zone) attacks on IT infrastructure related to that zone.
Level - 4 Significant breakdown of working of the entire Bank due to focused cyber
(Entire Bank) attacks on infrastructure.
Page 17 of 43
Annexure - C
Incident Response Activities During The First Hour
Introduction:
The primary objective of incident response actions during first hour is to contain the damage due to
the incident, notify appropriate authorities about the incident and ensure continuity of essential
activities and services of the Bank.
The following guidelines describe the actions to be taken within the Bank during the first hour of
incident. The guidelines also facilitate detailed incident analysis and determination of recovery and
response actions and possible escalation within and outside the Bank.
Triggers for first reaction
The reaction by the users or administrators within Bank could be triggered by observation of certain
symptoms and anomalies in the functioning of systems, networks and processes. The trigger for
response action could be infection, attack or intrusion or malfunctioning of a system or reported loss of
damage to information assets/systems etc. Further the actions could be triggered when alerts are
received from external organisations such as CERT-In, NCIIPC, IDRBT and other Incident Response
teams and security agencies.
Means of Detection
The means of detecting anomalies and abnormal conditions that require response actions are Users,
System/ Network Administrators, technical tools and external alerts from security agencies such as
CERT-In/ NCIIPC etc.
Symptoms of incidents and response actions
Table 1 outlines the general symptoms indicating occurrence of incident noticeable by all types of
users, source of detection, response actions required and persons responsible for the actions.
Table 2 outlines Indications of different types of Cyber Crisis generally noticeable by trained users,
System Administrators & tool based detection mechanisms and response actions required and
authorities responsible for the actions.
Page 18 of 43
Table 1 General symptoms of incidents noticeable by all types of users and related response actions.
Symptoms/ Alerts Source of Response Actions Who to

Detection Handle
Common Symptoms
Non-availability of computer User • Boot with alternate OS/ recovery User /

system (failure to start) media. IT Dept /
• Check the booting process for specific IT Personnel at concerned
errors. Location
• Report to IT Personnel at Concerned
Zonal Office/ Department
Frequent system crashes User • Scan system with updated Antivirus & User /
Unexplained, poor system Anti-spyware IT Dept /
performance, Presence of • Report to IT Dept/ IT Personnel at IT Personnel at concerned
new files, Presence of Concerned Division(HO) Location
unknown processes,
Changes in the file size or
dates
New suspicious user User, • Disable suspicious user account HO: IT Department
accounts Server Custodian • Do the log analysis
Failed or successful social User, • Collect all details such as email HO: Information Security
engineering attempts System Administrator content, header etc and examine. Cell
Failed log-in attempts by Technical tools/ SOC • Determine the timing, sources of HO: IT Department
unauthorized users. Supervisory review of activities (Application Team)
logs • Trace the attack sources from logs of
system/ directory server.
• Change of password
Unusual time of usage, Supervisory Review of • Correlate with physical access by users HO:IT Department
Unauthorized user accounts logs/ alerts • Correlate with logs of perimeter devices (Application Team)
to find external intrusion
Virus/worm infection User, • Disconnect system from network HO: IT Department

Security Operation • Boot with different OS and scan with Operation/ Network Team
Centre Antivirus & Anti-spyware
• Antivirus and Anti- spyware
should be updated
Suspicious Technical tools • Close the ports and services which are HO:IT Department
Probes (IPS/ IDS/ Firewall) not required. (Networking Team)/
• Sent the logs to incident response team HO: Information Security
Cell
Page 19 of 43
Abnormal surge in traffic Technical tools, • Trace the specific service/ protocol HO: IT Department
(inbound/outbound) Network Behaviour • Detect the source of (Networking Team)
Analysis, Router generation of abnormal traffic
• Correlate with alerts from
CERT-In/ NCIIPC/ CSITE etc.
Compromise of Sensitive Users/ • Block the affected cards and inform the HO: ATM Cell
Information of customers National Payment customers through SMS/ e-mail.
such as PIN, Card Number, Corporation of India
CVV etc. of Debit card (NPCI)/ Master Card
through various kind of
infections (Malware or
skimmer) within or outside
our infrastructure.
External Alerts
Alert for new CERT- In/ NCIIPC/ • Apply appropriate patches/updates HO: Information Security
vulnerability CSITE • Implement suggested workaround for Cell in consultation with
zero-day vulnerabilities CISO
Alert on propagation of CERT- In/ NCIIPC/ • Update the Antivirus signatures HO: Information Security
malicious code CSITE • Follow the countermeasures suggested Cell in consultation with
in the specific advisory CISO
Alert indicating attack CERT-In/ NCIIPC/ • Block the attack sources notified by HO: Information Security
sources CSITE/ CERT-In/ NCIIPC and other agencies. Cell in consultation with
Security agencies CISO
Note:- In case a user is unable to identify the symptoms/ alerts of any incident, he may contact HO Information
Security Cell for further assistance.
Page 20 of 43
Table 2 Indications of different types of Cyber Crises generally noticeable by trained users, System
Administrators & tool based detection mechanisms and Response actions
Symptoms/ Alerts Source of Response Actions Who to

Detection Handle
Common Symptoms
Detection of Users / • Disconnect the web server hosting defaced/ HO IT Department: Website
defacement/intrusion of Web Admin/ compromised website Manager
website External agencies • Examine the compromised system/ website
for specific unauthorized changes
• Restore the website content, Shift and run
website from a different trusted system by
making appropriate DNS changes at the new
system
• Collect relevant logs of server and
application and submit to HO: Information
Security Cell of the Bank.
• Report the incident t o HO: Information
Security Cell which along with logs report it
to CERT-In/ NCIIPC/ CSITE
Malicious Code attacks (virus/worm/ Trojans/ Botnets/ Spyware)
Unexplained poor system Users • Disconnect infected systems from network HO: Information Security
performance • Scan with updated Antivirus and Anti- Cell
HO: Information spyware
Presence of suspicious Security Cell • Apply appropriate countermeasures in
process/files on system consultation with CISO/ NCIIPC/ CERT-In /
Alerts from CSITE.
Surge in traffic on Antivirus, NIPS
ports/services used by
malware External agencies
Connections to suspicious
remote systems
Unusual ports open
SPAM attacks
Page 21 of 43
Abnormal surge in SMTP Users • Check the mail servers for open relays and HO: IT Department
traffic disable ports not required in the Mail server (Networking Team)
HO: IT Deptt • Identify possible sources of Spam from email
Bandwidth congestion Slow ( Networking Team) headers and invoke blacklists such as SBL,
response of mail servers XBL and PBL
• If attack persists report to NCIIPC/ CERT-In
Distributed Denial of Service (DDoS) Attacks
Non availability of services Users • Identify the type of attack such as flooding of HO: IT Deptt (Application
such as website, email etc particular types of packets/requests (TCP Team) /
SYN, ICMP etc) by examining logs of Router/ HO: IT Deptt (Networking
HO: Information IPS/IDS/ Firewall Team)
System crashes Security Cell
• Identify the attack sources
• Block the attack sources at Router/Packet
Bandwidth congestion Alerts from filtering device
Surge in traffic Antivirus, NIPS • Check Router configuration and implement
Egress and Ingress filtering to block spoofed
packets
External agencies • Disable the non-essential ports/services
• Report to CISO with relevant logs
Slow response or non- User • Change the Primary DNS Server HO: IT Deptt
Availability of web/ mail • Implement Source address validation ( Networking Team)
services HO: IT Deptt through ingress filtering (Implement IETF and
( Networking Team) BCP 38/RFC 2827 ) HO: Information Security
• Use Unicast Reverse Path Forwarding to Cell
mitigate problems that are caused by
malformed or forged IP source addresses
• Run separate DELEGATED and RESOLVING
name servers
• Disable Recursion on DNS server
authoritative for the zone
• Restrict zone transfers to Secondary name
servers only
• Block invalid DNS messages to an
authoritative name server at the network
edge. This includes blocking large IP packets
directed to an authoritative name server.
• Report to CISO
Phishing attacks
Page 22 of 43
Reporting of phishing Users • Report phishing incident to CISO HO: Information Security
email/website • Report phishing URL to phishing filters Cell
Anti-phishing/ fraud • Send phishing emails and details of phishing
detection services website to CISO
CERT- In/IB- Cart/

CSITE/ NCIIPC/
Other external
agencies.
Application Level attacks
Unauthorized changes to HO: IT Deptt • Disable suspected user accounts HO: IT Deptt
Data/ Suspicious user (Application Team) • Reduce the interactive features and run (Application Team)
activity/ Elevation of with minimum essential features And
Privileges HO: Information Security
Cell
Router level attacks
Unexplained packet loss/ Users • Replace the router with a securely HO: IT Deptt
Non availability of gateway/ configured standby router with Egress and (Networking Team)
Internet services HO:IT Deptt Ingress filtering
( Networking Team) • Check the logs and configuration files of
compromised router to identify attacks
Review of Router • Replace the configuration files with trusted
configurations backup
• Apply appropriate patches/ updates
• Block the attack source
• Report to CISO
Targeted Scanning, Probing and Reconnaissance of Networks and IT Infrastructure
Huge amount of IPS/IDS User • Identify the type of scans/ probes by HO: Information Security
alerts examining logs of Router/ IDS/ IPS/ Firewall Cell /
HO: Information • Identify the sources of scans HO: IT Deptt
High volume of dropped Security Cell • Block the sources of scanning (Networking Team)
packets by Firewalls • Report the incidents with relevant logs to
Logs of CISO
Surge in specific traffic relevant devices
Page 23 of 43
Annexure-D
Contact Details and Reporting Formats
1. Conditions for Escalation
Who Reports To Whom

The person who notices the incident (In branch) Branch Head
Branch Head Zonal Office or Respective Stakeholders at Head

Office
The person who notices the incident (In Zonal HO: Information Security Cell
Office)
HO: Information Security Cell CISO
The person who notices the incident (In Head In-charge of the department
Office)
In-charge of the Department CM/ AGM of HO: Information Security Cell
CM/ AGM of HO: Information Security Cell CISO and GM(IT)
GM (IT) ED (in- charge of IT)
CISO GM (RMD) or ED (in-charge of RMD)
CISO External agencies like IB-Cart, NCIIPC, Cert-In/

CSITE, RBI
2. Contact Details of CERT-In
Reporting of a Security Incident: A computer security incident is any adverse event whereby some
aspect of a computer system is threatened viz. loss of confidentiality, disruption of data or system
integrity, denial of service availability.
By reporting computer security incidents to CERT-In Bank shall receive technical assistance in resolving
these incidents. This will also help CERT-In to correlate the incidents thus reported and analyze them;
draw inference; disseminate up-to-date information and develop effective security guidelines to
prevent occurrence of the incidents in future.
Bank can report an adverse activity or unwanted behavior which they may feel as an incident to CERT-
In through following channels:
Page 24 of 43
Email : incident@cert-in.org.in
Helpdesk : +91-1800-11-4949
Fax : +91-1800-11-6969
Website : http://www.cert-in.org.in/
Reporting of a Vulnerability: A vulnerability can be defined as a feature or bug in a system or program

which enables an attacker to bypass security measures. A vulnerability discovered in a product,
operating system, or an Application Software can be reported to CERT-In. Following channels can be
used to report the vulnerability:
Email : info@cert-in.org.in
Helpdesk : +91-1800-11-4949
Fax : +91-1800-11-6969
Website : http://www.cert-in.org.in/
3. Contact Details of CSITE - RBI
Cyber Security and Information Technology Examination (CSITE) Cell

Reserve Bank of India, Department of Banking Supervision, Central Office
4th floor, B Wing, Centre-1, World Trade Centre, Cuffe Parade
Mumbai - 400 005
Email : csite@rbi.org.in
4. Contact details of NCIIPC
National Critical Information Infrastructure Protection Centre (NCIIPC)

Block III, Old JNU Campus
New Delhi - 110 067
Toll Free : 1800-11-4430

Banking Coordinator : coord.banking@nciipc.gov.in
Incident Reporting : ir@nciipc.gov.in
Vulnerability Disclosure : rvdp@nciipc.gov.in
Website : http://nciipc.gov.in/
5. Contact details of Internal Staff
Designation Contact Details

CISO (Chief Information Security Officer) Email id: ciso@psb.co.in
Landline: 011 - 25728171
Page 25 of 43
SRM/ CM: Information Security Cell Email id: psbsecurity@psb.co.in

Landline: 011 – 25861095
MGR/ SRM/ CM:

Networking Cell, IT Department Email id: operation.network@psb.co.in
Landline: 011 - 25861095, 011 - 25815512
Active Directory/ Antivirus Email id: operation.adav@psb.co.in
Landline: 011 - 25861095, 011 - 25815512
Web Master, IT Department Email: ho.it@psb.co.in

Landline: 011 – 25815512
MGR/ SRM/ CM/ AGM – ATM Cell (ATM/ Debit Email: atmcell@psb.co.in
Card, POS) Landline: 011 - 64780510, 011 - 25899872, 011 -
25782927
MGR/ SRM/ CM/ AGM – Mobile Banking Cell Email: psbmobile@psb.co.in

Landline: 011 - 64780516, 011 - 64780531
MGR/ SRM/ CM/ AGM – Internet Banking Cell Email: hoit_ibc@psb.co.in

Landline: 011-64780520/ 23
GM - IT Landline: 011 - 25782928
6. What needs to be reported to CERT-In/ NCIIPC
The following cyber security incidents should be reported to CERT-In/ NCIIPC/ CSITE in the format
prescribed in Annexure D, within one hour of occurrence of the incident or noticing the incident :
• Targeted scanning/probing of critical networks/systems

• Compromise of critical systems/information
• Unauthorized access of IT systems/data
• Defacement of website or intrusion into a website and unauthorized changes such as inserting
malicious code, links to external websites etc.
• Malicious code attacks such as spreading of virus/worm/Trojan/Botnets/Spyware
• Attacks on servers such as Database, Mail and DNS and network devices such as Routers
• Identity Theft, spoofing and phishing attacks
• Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
• Attacks on Critical infrastructure.
Page 26 of 43
The following information (as much as possible) may be given while reporting the incident:
• Time of occurrence of the incident

• Information regarding affected system/ network
• Symptoms observed
• Relevant technical information such as security systems deployed, actions taken to mitigate the
damage etc.
• For details please refer the incident reporting form.
• Verification
• HO: Information Security Cell will verify the authenticity of the report.
• Triage
HO Information Security Cell will then analyze the information provided by the reporting authority and
identify the existence of an incident. In case it is found that an incident has occurred, a tracking
number will be assigned to the incident. Accordingly, the report will be acknowledged and the
reporting authority will be informed of the assigned tracking number. HO: Information Security Cell will
designate a team as needed.
Incident Response: The designated team will assist the concerned System Administrator in following
broad aspects of incident handling:
Identification: to determine whether an incident has occurred, if so analyzing the nature of such
incident, identification and protection of evidence and reporting of the same.
Containment: to limit the scope of the incident quickly and minimize the damage.
Eradication: to remove the cause of the incident
Recovery: taking steps to restore normal operation
NCIIPC/ CERT-In will provide support to the CISO/ System Administrators in identification, containment,
eradication, and recovery during the incident handling in the form of advice.
7. Reporting Formats
A. CSITE, RBI: Cyber Security Incident reporting format is available online on the Data Collector
Portal (URL: https://datacollector.rbi.org.in) of Reserve of India (RBI).
B. IB-CART, IDRBT: Security incident reports are available online on the IB-CART Portal of IDRBT
(Institute for Development and Research in Banking Technology), Hyderabad.
C. CERT-In: Security Incident should be reported to CERT-In in the Incident Reporting form format
given below:
Page 27 of 43
Incident Reporting Form
Form to report Incidents to CERT-In
For official use only: Incident Tracking Number : CERTIn-xxxxxx
1. Contact Information for this Incident:
Name: Organization: Title:
Phone / Fax No: Mobile: Email:
Address:
2. Sector : (Please tick the appropriate choices)
Government Transportation Telecommunications InfoTech
Financial Manufacturing Academia Other ___________
Power Health Petroleum
3. Physical Location of Affected Computer/ Network and name of ISP.
4. Date and Time Incident Occurred:
Date: Time:
5. Is the affected system/network critical to the organization’s mission? (Yes / No). Details.
Page 28 of 43
6. Information of Affected System:
IP Address: Computer/ Operating System (incl. Last Patched/ Hardware
Host Name: Ver./ release No.) Updated Vendor/ Model
7. Type of Incident:
Phishing Spam Website Intrusion
Network scanning /Probing Bot/Botnet Social Engineering
Break-in/Root Compromise Email Spoofing Technical Vulnerability
Virus/Malicious Code Denial of Service(DoS) IP Spoofing
Website Defacement Distributed Denial of Service(DDoS) Other_______________
System Misuse User Account Compromise
8. Description of Incident:
9. Unusual behavior/symptoms (Tick the symptoms)
Anomalies
System crashes Suspicious probes
New user accounts/ Accounting discrepancies Suspicious browsing
Failed or successful social engineering attempts New files
Unexplained, poor system performance Changes in file lengths or dates
Unaccounted for changes in the DNS tables, Attempts to write to system
Page 29 of 43
router rules, or firewall rules Data modification or deletion
Unexplained elevation or use of privileges Denial of service
Operation of a program or sniffer device to Door knob rattling
capture network traffic; Unusual time of usage
An indicated last time of usage of a user account that Unusual usage patterns
does not correspond to the actual last time of usage Unusual log file entries
for that user Presence of new setuid or setgid files
A system alarm or similar indication from an Changes in system directories and files
intrusion detection tool Presence of cracking utilities
Altered home pages, which are usually the Activity during non-working hours or
intentional target for visibility, or other pages on holidays
the Web server Other (Please specify)
10. Has this problem been experienced earlier? If yes, details.
12. Agencies notified?
Law Enforcement Private Agency Affected Product Vendor Other_______________
11. When and How was the incident detected:
13. Additional Information: (Include any other details noticed, relevant to the Security Incident.)
Whether log being submitted Mode of submission:
OPTIONAL INFORMATION
Page 30 of 43
14. IP Address of Apparent or Suspected Source:
Source IP address: Other information available:
15. Security Infrastructure in place:
Name OS Version/Release Last Patched/Updated
Name OS Version/Release
Last Patched / Updated
Anti-Virus
Intrusion Detection/Prevention
Systems
Security Auditing Tools
Secure Remote
Access/Authorization Tools
Access Control List
Packet Filtering/Firewall
Others
16. How Many Host(s) are Affected
1 to 10 10 to 100 More than 100
Page 31 of 43
17. Actions taken to mitigate the intrusion/ attack:
No action taken Log Files examined
Restored with a good backup
System Binaries checked System(s) disconnected form
Other___________________
Network
Mail/Fax this Form to: CERT- In, Electronics Niketan, CGO Complex, New Delhi 110003 Fax:+91-11-
24368546 or email at: incident@cert-in.org.in
Page 32 of 43
D. NCIIPC: The NCIIPC Incident Report Form is given below:

Restricted/Confidenti
Type of Report Initial/Follow-up/Final Classification of Document
Section-A: General Information
1. Organisation Details
Name of CI
Address of CI
Name of CISO
Contact Details of CISO
Contact Details of Office handling the
incident
2. Date Incident Occurred Approximate Time
3. Type of Incident( Check mark)
Un-patched Vulnerable Software
Website Defacement
Exploitation
Patched Software Exploitation Unauthorised System Access
Exploitation of Weak Configuration Data Theft
Page 33 of 43
Account Compromise Malware Infection
Service Disruption Wireless Access point Exploitation
Social Engineering and Phishing
Exploitation of Weak Network Architecture
Attacks
Unintentional Information Exposure Network Penetration
Spoofing or DNS Poisoning Any other (Please describe below)
4. Brief description of the incident
5. Interface affected Public Network Internal Network Other
6. Incident Handling Steps taken
a) Immediate
Page 34 of 43
b) Long term
c) Was System backup plan

implemented successfully? If yes,
details of the Backup Plan applied
7. Whether other agencies such as CERT have also been informed? If yes, please mention here
(Use Separate Sheet for additional information)
8. CII assets affected
9. Impact of Incident on CIIs( Check mark)
Data theft Service Disruption (Downtime)
System (software/hardware)
Other (please explain)
Sabotage
10. Number of Users affected
11. Duration of Incident from (dd/mm/yyyy, hh:mm) to (dd/mm/yyyy, hh:mm)
12. Impact on dependent ICT
13. Threat Profile
Page 35 of 43
a) Attacking IP address
b) Source port of attacking machine
14. Type of attack( Check mark)
Denial of Service Unauthorised Access (internal or external)
Malware attack Website Defacement
Phishing attack Other
15. Root Cause Analysis (with following details)
a) Log analysis Report
b) Forensic Report
c) Audit Report
d) Network traffic Analysis Report
Details of Compromised Machine
a) Physical Location
b) Operating System
c) IP Address
d) MAC Address
e) DNS Entry
f) Domain/Workgroup
Page 36 of 43
g) Is the compromised machine connected to a network? Yes No
h) Is the compromised machine connected to a modem? Yes No
i) Physical Security details of the machine Yes No
j) Logical Security details of the machine Yes No
k) Was the compromised machine had to be removed from the Yes No
16. Current Status of the Incident
17. Was Crisis Management Plan Offered? Please explain the details
Page 37 of 43
Annexure - E
Nature and Severity of Crisis And Steps For Mitigation
Severity Nature of Crisis Steps for mitigation

Level of Crisis
Level 1 Steps to be taken

Response • Notify incidents to HO: Information
Security Cell and CISO.
(Impact : One
• Monitor and detect anomalous behaviour and
Branch/ One
Department) degradation of service in network and systems.
• Take all logs (system, application, security, access,
error etc.) of affected systems and data therein and
keep them separately for analysis and forensics.
• Forward a copy of all the logs of affected systems and
All attacks
network devices, suspicious files, data, traffic trends
wherever applicable to CERT-In/ NCIIPC through CISO.
• Consult incident reports or vulnerability reports for
specific advisories on the suspected behaviour as
published by CERT-In and implement those in the
affected networks and systems.
• Segregate networks (LAN/ WAN) and perimeter
security devices and systems. Check for configuration vis-
à-vis ongoing attack. Implement the appropriate
eradication process and recovery of system files and
data as prescribed against each attacks mentioned
below.
• Change all user/ root/ administrator passwords in all
• Install updated software patches on Operating System
and all other system software running on computer
servers and Personal computers in the network.
• Mitigation Steps- Specific to nature of cyber-attacks/
crisis.
Page 38 of 43
Virus/ Worm/ • Isolate affected systems/ network segments from LAN

Spyware/ Botnet and Internet
attacks • Scan all files in the suspected systems, including emails
for viruses.
• Clean the affected systems with the updated antivirus
software.
• Install updated Antivirus/ anti-spyware on all systems
(servers and Personal Computers)
DoS/ DDoS attacks • Take a copy of all the logs at the perimeter level (IDS/IPS,
firewall) and traffic trends
• Identify the type of attack such as flooding of particular
types of packets/requests
• Allocate traffic to unaffected available network paths, if
possible, to continue the services.
• Apply appropriate rate limiting strategies at the
local perimeter and if necessary consult ISP
• Implement Egress and Ingress filtering to block spoofed
packets
• Use appropriate DoS prevention tools
• Install updated software patches on all the network
devices such as Routers, Firewalls, IDS, IPS and switches.
High Energy RF- • Use a network management solution capable of alerting

based DoS Attacks on a degraded signal noise ratio or the increased noise
levels in the airwaves.
• Identify the other devices due to which RF interference
occurs and physically remove them.
• Deploy IPS/ IDS to detect rouge access points
Page 39 of 43
DNS Attack • Check for version updates at the DNS server and
install latest software patches
• Implement spoofing countermeasures
• Use Unicast Reverse Path Forwarding to mitigate
problems that are caused by malformed or forged IP
source addresses
• Adopt source IP address verification
• implement DNSSec
Attack attempts/ • Check for effectiveness of filtering rules in the routers,

scans on Servers, firewall and IPS and reconfigure if required.
Routers, Firewall etc. • Check the logs of these devices for source of attack.
Phishing attacks • Keep watch on phishing sites

• Alert customers regarding the known phishing sites
• Encourage customers to use anti-phishing enabled
browsers
• Shutdown phishing sites in coordination with concerned
ISP and CERT-In
Mail Server attacks • Deploy hot standby mail servers in physically separated
networks and places which can be made operational
when the main server is attacked
• Disable all other ports and services on mail servers
• Enforce strong password policy and encourage users to
change passwords periodically
Level 2 General
Response
• Monitor and detect anomalous behaviour and
(Impact : (One or
degradation of service in network and systems
More
Zone/Multiple • Take all logs (system, application, security, access, error
Department) etc) of affected systems and data therein and keep them
separately for analysis and forensics
• Forward a copy of all the logs of affected systems and
Page 40 of 43
network devices, suspicious files, data, traffic trends

wherever applicable to CERT-In through CISO.
• Consult incident reports or vulnerability reports for
specific advisories on the suspected behaviour as
published by CERT-In and implement those in the
All attacks affected networks and systems.
• Segregate networks (LAN/WAN) and perimeter security
devices and systems. Check for configuration vis-à-
vis ongoing attack. Implement the appropriate
eradication process and recovery of system files and data
as prescribed against each attacks mentioned below.
systems and network devices
• Mitigation Steps - Specific to nature of cyber-attacks/
crisis
Virus/ Worm/ • Isolate affected systems/ network segments from

Spyware/ Botnet LAN/Internet
attacks • Scan all files in the suspected systems, including emails
for viruses
• Install Antivirus/anti-spyware updates
• Clean the affected systems with the updated antivirus
software
• Block the infection/attack vectors through IPS/Firewall
DoS/ DDoS attacks • Shift critical services to alternate channels.

• In case of IP based attacks, shift hosting of affected
services to different ISPs.
• Apply appropriate rate limiting strategies at the local
perimeter and if necessary consult ISP
• Implement Egress and Ingress filtering to block spoofed
packets
• Use appropriate DoS prevention tools
• Take a copy of all the logs at the perimeter level (IDS/IPS,
firewall) and traffic trends
• Install updated patches on the network devices
Page 41 of 43
High Energy RF- • Use a network management solution capable of alerting

based DoS Attacks on a degraded signal noise ratio or the increased noise
levels in the airwaves.
• Identify the other devices due to which RF interference
occurs and physically remove them.
• Relocate the Access Points in case of Wireless Networks
DNS Attack • Change the preferred DNS server

• Implement Source address validation through ingress
filtering (Implement IETF BCP 38/RFC 2827 )
• Use Unicast Reverse Path Forwarding to mitigate
problems that are caused by malformed or forged IP
source addresses
• Run separate DELEGATED and RESOLVING name servers
• Disable Recursion on DNS server authoritative for the
zone
• Restrict zone transfers to slave name servers and other
authorized software
• Block invalid DNS messages to an authoritative name
server at the network edge. This includes blocking large
IP packets directed to an authoritative name server.
• Check for version updates at the DNS server and install
latest patches
• Implement split DNS architecture
• Implement any cast technology on DNS server
Attacks on Servers, • Check for the effectiveness of filtering rules in the

Routers, Firewall etc. routers, firewall and IPS and reconfigure if required.
• Replace compromised systems with trusted ones.
• Check for version updates/patches and install latest
patches for routers, firewall and IPS
• Check the logs of these devices for source of attack
Mail server attacks • Activate hot standby mail servers and direct mail traffic
appropriately.
Page 42 of 43
Level 3 Response All attacks • Notify incidents to respective Zone/ Department

(Impact Level : • Implement the Contingency Plan
Entire Bank) • Deploy onsite response team on 24X7 basis
• Limit the access to systems and networks from outside in
consultation with concerned ISPs.
• Enable hot stand-by systems/ servers with alternate
Traffic paths.
• Take all logs (system, application, security, access, error
etc) of affected systems and data therein and keep them
separately for analysis and forensics
• Segregate networks (LAN/ WAN) and perimeter security
devices and systems.
• Check for configuration vis-à-vis ongoing attack.
• Implement the appropriate eradication process and
recovery of system files and data as prescribed against
each attacks in level 1 & 2.
• Carry out file integrity checks on all the systems
• Restore systems from trusted back-ups and validate the
systems and networks before connecting to Internet.
Page 43 of 43

Cyber Crisis Management Plan

Enviado por

Dados do documento

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Cyber Crisis Management Plan

Enviado por

Direitos autorais:

Formatos disponíveis

Cyber Crisis Management Plan (CCMP)

Cyber Crisis Management Plan

Owner Punjab & Sind Bank

Version Date Comments

This document describes the Cyber Crisis Management

Sr. No. Topic Page

4 Applicability of the Plan 5

6 Guidelines for formulating Cyber Crisis Management Plan 6

7 Maintenance & Review of CCMP 6

8 Cyber Crisis and Contingencies 7

9 Types of Cyber Crisis 7

10 Prevention Strategies and Plans 9

11 Crisis Recognition & Mitigation Plan 10

12 End-user Awareness and Training 12

Annexure - A (Components within the System and their mappings to

Annexure - B (Threat levels and related conditions) 16

Annexure - C (Incidence Response Activities During The First Hour) 18

Annexure - D (Contact Details and Reporting Formats) 24

Annexure - E (Nature and Severity of Crisis And Steps For Mitigation) 38

The main objective of CCMP is:-

1) To continue the service to customers and financial market participants.

4. Applicability of the Plan

6. Guidelines for formulating Cyber Crisis Management Plan

7. Maintenance & Review of CCMP

d. Measures to be taken at organizational level for enhancement of security posture of

8. Cyber Crisis and Contingencies

a) Identification of all critical units of Bank by concerned owner/ division.

9. Types of Cyber Crisis

a) Targeted Scanning, Probing and Reconnaissance of Networks and IT Infrastructure: Publicly

j) Application Level Attacks: Exploitation of inherent vulnerabilities in the code of application

k) Infrastructure Attacks: Attacks such as DoS, DDoS, corruption of software ,Gateways of

n) Attacks on Trusted infrastructure: Trust infrastructure components such as Digital certificates

10. Prevention Strategies and Plans

10.1. Cyber resilience of Bank

10.2. Protection and resilience of Bank’s infrastructure

To build cyber resiliency, Bank need to work for the following:

• To ensure identification, prioritization, assessment, remediation, and protection of Bank’s IT

10.3. Cyber Resilience Components & Control Matrix

11. Crisis Recognition & Mitigation Plan

11.1. Classification – Levels of Concern

Refer Annexure - B for details on Levels of Concern

11.2. Reporting Mechanism

11.3. Response System

11.4. Mitigation Strategy

11.5. Closing the incident and Information Sharing

11.6. Contact Information

11.7. Policy Review

12. End-user Awareness and Training

Bank may use following methods to create end user awareness:

• Classroom training programmes at the time of induction.

• Publication of newsletters on frauds covering various aspects of frauds and containing

• Posters on various safety measures at the work place.

Components within the System and their mappings to Controls

User Identity Component

• Controlled access based on need-to- know.

• Maintenance and analysis of complete security events and audit logs.

• Minimize the invalid logon counts.

• Offline recovery procedures for logging into accounts.

System Processes Component

• Effective security patches updating Mechanism on applications etc.

• File integrity checking.

• Policy based restrictions on process actions.

• Assured data back-ups.

Hardware and Software Platform Component