IT Policy of Shahjalal Islami Bank Limited

The IT Policy is a systematic set of policies formulated to ensure the manageability, confidentiality, integrity, availability and security of information and information systems. This Policy also covers all information that is electronically generated, received, stored, printed, scanned or typed. The provisions of this Policy apply to Shahjalal Islami Bank Limited and to all activities and operations required to ensure data security, including infrastructure, facility design, physical security, surveillance systems, network security, disaster recovery and business continuity planning, use of hardware and software, data disposal, and protection of copyrights and other intellectual property rights.

Information Technology (IT) is the bedrock of the Bank’s survival and development in a rapidly changing global environment, and it challenges the Bank to devise bold and courageous initiatives to address a host of vital needs, notably skilled human resources. In addition, an Information Technology Policy built on reliable human resources and infrastructure constitutes the fundamental tool and means of assessing, planning and managing development change, and of achieving sustainable growth.

Every progressive Bank has its own IT Policy and an implementation strategy to respond to the emerging global reality and thus avoid becoming a victim of the digital divide. Information Technology Security (ITS) is achieved by implementing a suitable set of controls, including policies, procedures and standards. A specific Security Policy is required for all information/computer users of the Bank. This approved IT Policy has been updated to reflect the rapidly changing technologies within the Bank, to assist users of these facilities, to ensure that the facilities are properly protected, and to ensure that specific IT security objectives are met. By following the IT Policy, the Bank’s information system services, operating in accordance with the Bank’s Information Technology standards, guidelines and best practices, can ensure that its information technology and business systems are protected and controlled.

IT Security Management Policy

IT Security Management ensures that the IT functions and operations of the Bank are efficiently and effectively managed. The IT Division ensures maintenance of appropriate systems documentation, particularly for systems which support financial reporting. It has to participate in IT security planning to ensure that the resources allocated are consistent with business objectives. It must also ensure that sufficient and qualified technical officials are employed in the Bank, so that the continuity of the IT operation area is unlikely to be seriously at risk at any time.

IT Security Management deals with the IT Security Policy, Documentation, Internal Information System Audit, Training, and Insurance. The IT security planner and/or management shall be responsible for overall IT security management.

IT Security Policy

This document provides the Policy for the Information System of the Bank and its secure usage. It establishes general requirements and responsibilities for protecting Information and Information Systems. The policy covers common technologies such as computers and peripherals, data and network, web systems, and other specialized IT resources. The Bank’s delivery of services depends on the availability, reliability, and integrity of its information systems. Therefore, the Bank must adopt appropriate methods to protect its information systems. The senior management of the Bank must express commitment to IT security by continuously increasing awareness and ensuring training of the Bank’s officials.

The policy will require regular updates to cope with the evolving changes in the IT environment of the Bank.

Policy Statement

  a) Security means protection of Data and Equipment from Internal and External threats.
  b) Data, the priceless asset of the Bank, should be protected from hackers of any level.
  c) To avoid fraud and forgery, data and equipment should be maintained in a secure manner.
  d) The highest priority should be given to the security aspects of data and equipment.
  e) There should be 02 (two) types of Security: Physical and Logical.
  f) The Security Policy includes data, data handling, users and access control of users, external attack, hardware, and location and position of hardware.

Detailed Policy:

Physical Security

  a) Entrance should be controlled and monitored in the Branches during banking hours/peak hours and after banking hours/off-peak hours.
  b) Entrance should be controlled in the Data Center and Server/Computer Room.
  c) A modern CCTV system is to be implemented with proper application.
  d) A Log Book is to be maintained for entrance to the Data Center in Head Office and the Server/Computer Room in Branches.

A Data Security Storage Device, i.e. a Data Safe, should be procured for the preservation of Data Cartridges, CD/DVDs, License Copies, Agreements etc.

Security Devices to be used in the following manner:

  1. Security Devices such as Routers and Firewalls should be used in the LAN and WAN.
  2. World-renowned Branded Security Devices should be required for the Bank.
  3. There should be separate Servers for Database, Application, Exchange, Mail and others, and the Servers should be located in different places.
  4. Redundant Hardware, e.g. PC Servers, Workstations, Monitors, Scanners and Printers, should be procured for instant support.

Documentation Policy

The IT Division shall establish, document and maintain a security incident handling/reporting procedure for its Information Systems.

  a) Documents include Notes, Memos, Minutes, Resolutions, Decisions, Circulars, Office Orders, Instructions, Letters, Applications, Mails, Agreements, Contracts, Bills and any other documents used in Banking operations.
  b) Documents are to be preserved in two ways: by scanning physical documents into electronic format, and by preparing documents in electronic format.
  c) Manual documents are to be converted into electronic formats.
  d) Internal Memos/Circulars should be generated through Intranet mail after completion of full automation.
  e) Board/EC/Audit/Shariah Memos are also to be submitted in electronic format.
  f) Documents are to be prepared manually in physical format until the necessary rules and regulations are modified for digital documentation and digital signatures.
  g) All electronic/digital documents should be tagged with a digital signature.

Segregation of duties for IT tasks

Segregation of duties is a key concept of internal control in an organization. The Bank must balance the increased protection from fraud and errors against the increased cost and effort required. Segregation of duties should exist for the IT tasks of all IT personnel.

Job description (JD) for each Team

A Job Description (better known in short as a JD) is a document used to indicate the scope of work for an employee. It is often used in the hiring process as well as in job design. This document gives an employee a clear picture of what his/her responsibilities are, and a manager a clear picture of who does what in the team. Shahjalal Islami Bank Limited creates a flexible, employee-centric JD instead of a static, organization-structure-centric one. The Bank looks at the following fundamental and simple issues in a Job Description:

Identify Goals; Share Goals with the Team; Team to Build JDs; Analyze undesired tasks; Assign undesired tasks; Hiring Process; Keep them high-level; Encourage employees to share; and be Goal Focused, not JD Focused.

A Job Description (JD) for each individual of the IT department/division and Branch IT support unit, with fallback support personnel, should be documented.

Scheduled roster for shifting duties

Under the roster for shifting duties, the employer operates 24 hours a day, seven days a week, all year round. The scheduled roster for personnel doing shifting duties should be documented. Payment will be made for duty on holidays.

Fallback plans for system support personnel

Fallback plans for various levels of system support personnel should be documented.

Internal Information System Audit Policy

The Internal Control and Compliance Division shall carry out the internal Information System Audit. The Internal Information System Audit Team should have sufficient IT Audit expertise/resources and should be capable of conducting an Information System Audit.

Information Systems shall be periodically evaluated by IT auditors to determine the minimum set of controls required to reduce risk to an acceptable level. An annual system audit plan shall be developed. The Bank shall also ensure that audit issues are properly tracked and, in particular, completely recorded, adequately followed up and satisfactorily rectified.

Auditing of compliance of computer and network security policies shall be performed periodically.

Use of software and programs for security audit analysis shall be restricted and controlled. The Branch/Department/Division of Head Office shall respond appropriately to address the recommendations made in the last Audit Report. This response must be documented and kept along with the Audit Report.

Training Policy

All officials should receive proper training, education, updates, and awareness of IT Security activities relevant to their job function.

All IT Personnel should receive a minimum level of Business Foundation Training.

When a new system is introduced, IT has to provide the necessary training to the concerned users through HR/the training branch.

Branches have to send requests for required IT-related training.

As a substitute for arranging training at ITD, training material may be supplied from a central location as PDF, and a video CD with a live training demo may be sent to the branch end for the necessary training.

Insurance or Risk Coverage Fund Policy

All IT assets should be under insurance coverage, to be maintained by the Financial Administrative Division.

Adequate insurance coverage or a risk coverage fund shall be maintained so that the cost of loss and/or damage of IT assets can be mitigated.

Problem Management Policy

The Bank shall establish a process to log information system related problems and incidents. The IT Division shall establish an incident detection and monitoring mechanism to detect, contain and ultimately prevent security incidents.

The process shall have a workflow to assign the issue to a concerned person to get a quick, effective, and orderly response, for example:

  1. Workflow for the Hardware Team,
  2. Workflow for the Network Team,
  3. Workflow for the Database & Storage Team,
  4. Workflow for the CBS Team,
  5. Workflow for the Software Team,
  6. Workflow for NOC/DC/DR, and
  7. Workflow for system administration.

A process shall be established to perform the necessary corrective action within a period according to the problem’s severity.

Problem findings and action steps taken during the problem resolution process shall be documented.

A process shall be established to review and monitor the incidents.

The IT Division shall ensure that system logs and other supporting information are retained for the proof and tracing of security incidents.

Risk Management Policy

Information Systems security risk assessments for information systems and production applications shall be performed at least twice every year. A security risk assessment shall also be performed prior to major enhancements and changes associated with these systems or applications. An effective risk management system shall be in place for any new processes and systems, as well as a post-launch review.

Use of software and programs for security risk assessment analysis shall be restricted and controlled.

The risk management function shall ensure awareness of, and compliance with, the IT and IT Security Policy, and shall provide support for the investigation of any IT-related frauds and incidents.

The risk management process shall include:

  a) A description and assessment of the risk being considered and accepted, for acknowledgement by the owner of the risk;
  b) Identification of mitigation controls;
  c) Formulation of a remedial plan to reduce the risk;
  d) Approval of the risk acknowledgement by the owner of the risk and senior management;
  e) A Risk Management Team should be formed which can work jointly with the RMU division of the Bank for compliance with the Basel Accord.

Personnel Development & Security Policy

Manpower Recruitment Policy

  a) The educational qualification for fresh recruitment to the IT Division must be a minimum of an ICT-related graduate degree; in the case of experienced personnel the qualification may be considered or relaxed.
  b) For the recruitment of IT Personnel, a comprehensive test is to be taken by experts.
  c) Internet media may be used for the total recruitment management operations.

Personnel Development Policy

  a) All employees of the Bank should have sufficient IT knowledge in connection with banking operations using the Information System.
  b) IT advancements, upgrades and newly released technology, along with the Bank’s own IT policies, functions, and planning, are to be communicated/provided at all levels of management and employees.
  c) IT personnel should strengthen their skill and knowledge of the latest technology to guide and drive the Bank with newer facilities and opportunities.
  d) The Bank will arrange/provide advanced training for IT personnel locally and abroad.
  e) IT personnel are to attend Seminars/Workshops/Special Training Programs on IT locally and abroad, on the basis of importance and requirement.

Personnel Security Policy

Job definition/job assignment and resource allocation should be considered in ways which might reduce the risk of human error, theft, fraud, or misuse of facilities. Security should be addressed at the recruitment stage. Managers should ensure that job descriptions address all relevant security responsibilities and are covered by a confidentiality agreement.

Users must be aware of information security threats and concerns and be equipped to support the organizational security policy in the course of their work. Users should be trained in security procedures and the correct use of information processing facilities.

IT Operation Management Policy

IT Operation Management covers the dynamics of technology operation management, including change management, asset management, operating procedures and request management. The objective is to achieve the highest level of technology service quality with minimum operational risk.

Change Management Policy

Changes to information processing facilities and systems shall be controlled.

A formal, documented process shall be followed for recording change details, and it must govern all changes to business applications implemented in the production environment. Audit logs of changes shall be maintained.

User Acceptance Test (UAT) for changes and upgrades in application shall be carried out before deployment.

As business practices change day by day, it is quite often required to change the parameterization of existing products or to introduce new products. The Business Unit of the Bank will decide about such changes or will introduce such products. Before changing any parameterization or launching any product, the business group must have confirmation from the IT Division as to whether the system supports the change or incorporation. The Banking Product Development section of the IT Policy of Shahjalal Islami Bank Limited covers the procedures to follow before launching any new product.

The activities will be as follows:

  a) The Business Unit will ask the IT Division for parameterization of the changes or introduction of a new product as per a Change Request. All the detailed information of the request, duly signed by the respective requester, must be attached on a separate sheet along with the Change Request Form.
  b) IT Officers will check and test the required changes on the Test Server. The activities on the Test Server will be documented as an Audit Log for future ready reference. The results or output on the Test Server will be formally referred back to the Business Unit.
  c) Considering the output of the IT Division, the Business Group will finalize the product or changes, and the final request will be placed to the IT Division on the same Change Request Form along with all the detailed information of the products or request, duly signed by the respective Requester.
  d) The IT Division will make the same changes on the Test Server, following the documents prepared earlier. If the desired output is obtained, it will immediately be put forward to the Business Unit for their acceptance. All of these activities will be documented as part of User Acceptance Testing.
  e) If successful, the same changes or parameterization will be made on the Production Server after obtaining approval from the Head of IT.
  f) All steps or activities performed on the Production Server should be documented as an Audit Log for future ready reference.
  g) After completion, it will be referred to the Business Unit, who will then circulate to all the respective Branches information about the changes or parameterization made on the Production Server.

IT Asset Management Policy

IT Assets shall be clearly identified, and an Inventory with significant details must be maintained.

All assets associated with the information facilities must be labeled with a tag and name. The asset inventory must be reviewed at least once a year.

All data on equipment and associated storage media must be destroyed or overwritten before sale, disposal, or reissue.

The Bank must comply with the terms of all software licenses and must not use any software that has not been legally purchased or otherwise legitimately obtained.

Software used in the production environment must be covered by a support agreement. Software used on any computer must be approved by the authority. Use of unauthorized or pirated software is strictly prohibited throughout the Bank. Random checks shall be carried out to ensure compliance.

Hardware Inventory Management and Tracking Policy

Prior to distribution to the Division/Department/Branch, the IT Division shall enter the data into the hardware Inventory Management software.

A non-removable tracking sticker shall be affixed in a visible place on the hardware for tracking. After payment is made, FAD should update the Inventory through an application client provided by the IT Division to the person delegated by FAD.

Hardware Repairing & Troubleshooting Policy

Each member of the Hardware and System Support Team of the IT Division is individually responsible for hardware repairing, maintenance, troubleshooting, and dispatch to the respective Branch/Department/Division. They are also responsible for the installation, maintenance, and troubleshooting of the Operating System, Application software, Antivirus, Banking Software (BankUltimus) etc.

If an end user encounters any malfunction or dysfunction of a desktop computer, s/he should immediately contact the System Support Team of the IT Division through the ticket management software, telephone, e-mail or a forwarding letter. System Support Team members try to give a solution over the telephone. If it is not possible for the IT Division to solve the problem over the telephone, then depending on the nature of the problem, one of the following two decisions could be taken:

  a) Sending a hardware engineer to the Branch end, or
  b) Sending the PC to the IT Division of Head Office for repair of the damaged component.

The former is usually followed for branch LAN renovation, virus cleaning at the branch, and providing training to the mass users; the latter for Desktop PC/Printer, UPS, network or other equipment.

Employees needing computer hardware other than what is stated above must request such hardware from the IT Division. Each request will be considered on a case-by-case basis in conjunction with the purchase committee of the Bank.

Disposal of IT Assets

Purpose

The purpose of this procedure is to establish and define standards and restrictions for the disposal of non-leased IT equipment in a legal, cost-effective manner. Shahjalal Islami Bank Limited (SJIBL) surplus or obsolete IT assets and resources (i.e. desktop computers, servers, databases, etc.) must be discarded according to legal requirements and environmental regulations through the appropriate personnel/unit and the SJIBL upgrade guidelines.

Therefore, all disposal procedures for retired IT assets must adhere to SJIBL-approved methods.

Scope

This procedure applies to the proper disposal of all non-leased SJIBL IT hardware, including PCs, printers, handheld devices, servers, databases, hubs, switches, bridges, routers, and so on. SJIBL-owned surplus hardware, obsolete machines, and any equipment beyond reasonable repair or reuse are covered by this procedure. Where applicable, it is desirable to achieve some residual value of the IT asset in question through reselling, auctioning, donation, or reassignment to a less-critical function.

Definitions

  1. “Non-leased” refers to any and all IT assets that are the sole property of SJIBL; that is, equipment that is not rented, leased, or borrowed from a third-party supplier or Bank’s partner.
  2. “Disposal” refers to the reselling, reassignment, recycling, donating, or throwing out of IT equipment through responsible, ethical, and environmentally sound means.
  3. “Obsolete” refers to any and all equipment which no longer meets requisite functionality.
  4. “Surplus” refers to hardware that has been replaced by upgraded equipment or is superfluous to existing requirements.
  5. “Beyond reasonable repair” refers to any and all equipment whose condition requires fixing or refurbishing that will likely cost equal to or more than total replacement.

IT Asset Types

This section categorizes the types of assets subject to disposal.

  1. Desktop workstations (CPU, Monitor, Key Board, Mouse)
  2. Laptop
  3. Printers, Multifunction machines, Projectors
  4. UPS
  5. Scanners
  6. Servers
  7. Storage
  8. Tape Library
  9. Firewalls
  10. Routers
  11. Switches
  12. Racks
  13. DC and DRS IT supporting equipment
  14. Memory devices

Guidelines

Disposal procedures for all IT assets and equipment will be centrally managed and coordinated by the Hardware Team of the IT Division. The Hardware Team is also responsible for backing up, and then wiping clean of SJIBL data, all IT assets slated for disposal, as well as for the removal of SJIBL tags and/or identifying labels. The Hardware Team is responsible for selecting and approving, through the proper channel, external agents for recycling hardware and/or sanitizing hardware of harmful toxins before shipment to landfills.

Practices

Acceptable methods for the disposal of IT assets are as follows:

  a) Sold in a public forum.
  b) Auctioned online.
  c) Sold as scrap to a licensed dealer.
  d) Used as a trade-in against the cost of a replacement item.
  e) Reassigned to a less-critical business operation function.
  f) Donated to schools, charities, and other non-profit organizations.
  g) Recycled and/or refurbished to leverage further use (within limits of reasonable repair).
  h) Discarded as rubbish in a landfill after sanitization of toxic materials by an approved service provider, as required by local regulations.

Operating Procedure Policy

Operating procedures shall be documented, maintained, and made available to users as related to their job function.

Changes to operating procedures must be approved by management and documented.

Operating procedures shall cover the following, where appropriate:

  a) Documentation on handling of different processes;
  b) Documentation on scheduling processes, system start-up, close-down, End of Day, restart and recovery (centralized/decentralized);
  c) Documentation on handling of exception conditions;
  d) Scheduled system maintenance.

Physical Security Policy

Shahjalal Islami Bank requires sound business and management practices to be implemented in the workplace to ensure that IT resources are properly protected. It is the responsibility of each department to protect technology resources from unauthorized access, from both the physical hardware and the data perspective. In fact, effective security of assets in the workplace is a responsibility held jointly by management and employees.

Access Control Policy

A list of persons who are authorized to gain access to data centers, server rooms, computer rooms or other areas supporting critical activities, where computer equipment and data are located or stored, shall be kept up to date and reviewed periodically.

Access keys, cards, passwords, etc. for entry to any of the Information systems and networks shall be physically secured or subject to well-defined and strictly enforced security procedures.

Automatic protection features (e.g. password-protected screen saver, keyboard lock) on servers, computer terminals and workstations should be activated if there has been no activity for a predefined period, to prevent unauthorized system access attempts. Alternatively, the logon session and connection should be terminated. In addition, user workstations should be switched off, if appropriate, before leaving work for the day or before a prolonged period of inactivity.

Physical security involves providing environmental safeguards as well as controlling physical access to equipment and data. The following safeguard methods are believed to be practical, reasonable, and reflective of sound business practices.

Data Center Access Policy

  a) Physical security shall be applied to the information processing area or Data Center. The Data Centre is a restricted area and unauthorized access is prohibited.
  b) The number of entrances into the Data Centre will be limited, locked, and secured.
  c) Access authorization procedures will exist and apply to all persons (e.g. employees and vendors). Unauthorized individuals and cleaning crews will be escorted during their stay in the Data Centre.
  d) The Bank will maintain an access authorization list documenting the individuals who are authorized to access the data centre, and it will be reviewed and updated periodically.
  e) An access log, with date and time, will be maintained documenting the individuals who have accessed the data centre.
  f) A Visitor Log will exist and be maintained.
  g) A Security guard will be available 24 hours.
  h) An Emergency exit door will be available.

Server Room Access Policy

  a) The Server room has a glass enclosure with lock and key, held by a responsible person of the branch.
  b) Physical access shall be restricted, and a visitors log will exist and be maintained for the server room.
  c) An access authorization list will be maintained and reviewed on a regular basis.

Environmental Security Policy

Careful site selection and accommodation planning of a purpose-built computer installation shall be conducted.

Data centers and computer rooms shall have good physical security and strong protection from disaster and security threats, whether natural or caused by other reasons, in order to minimize the extent of loss and disruption.

Backup media containing business essential and/or mission critical information shall be sited at a safe distance from the main site in order to avoid damage arising from a disaster at the main site.

Data Center Environmental Safety Policy

  a) Protection of the Data Center from the risk of damage due to fire, flood, explosion and other forms of disaster shall be designed and applied.
  b) Sufficient documentation is essential regarding the physical layout of the data centre.
  c) Documentation regarding the layout of the power supplies and network connectivity of the data centers should be prepared.
  d) Floors are to be raised with removable square blocks, or a channel alongside the wall is to be prepared, which allows all the data and power cabling to be kept in a neat and safe position.
  e) Water detection devices should be placed below the raised floor, if it is raised.
  f) Any accessories not related to the Data Center should not be allowed to be stored in the Data Centre.
  g) Closed Circuit Television (CCTV) cameras are a must for the DC and should be monitored regularly.
  h) The Data Centre must display the sign “No eating, drinking or smoking”.
  i) Dedicated Office Vehicles for any emergency purpose should always be available on site. Public transport should be avoided while carrying critical equipment outside the bank’s premises, to avoid the risk of any casualty.
  j) Addresses and telephone or mobile numbers of the required emergency contact persons (e.g. Fire service, police station, service providers, vendors, and all IT personnel) should be available to cope with any emergency.
  k) Proper attention must be given to the overloading of electrical outlets with too many devices. Proper and practical usage of extension cords should be reviewed annually in the office environment.
  l) The power supply system and other support units must be separated from the production site and placed in a secure area to reduce the risks from environmental threats.
  m) The power supply from the source (Main Distribution Board or Generator) to the Data Center must be dedicated. Electrical outlets from these power sources for any other devices must be restricted and monitored to avoid the risk of overloading.
  n) Development and test environments shall be separated from production.
  o) The Data Center shall have dedicated, full-time supported telephone communication.

Data Center Security Maintenance

  a) Level 1: Physical Entrance
  b) Level 2: Operating System
  c) Level 3: Database

Fire Prevention Policy

  a) Walls, ceiling, floor, and doors of the Data Center should be fire-resistant.
  b) Fire suppression equipment should be installed.
  c) An automatic fire alarm system shall be installed and tested periodically.
  d) There shall be a fire detector below the raised floor, if it is raised.
  e) Electric and data cables in the Data Center must be of industry-standard quality and be concealed.
  f) Flammable items shall not be kept in the Data Center.

Physical Security for IT Assets

  a) All Information Systems shall be placed in a secure environment or attended by officials to prevent unauthorized access.
  b) Users in possession of a laptop, portable computer, personal digital assistant, or mobile computing device for business purposes shall safeguard the equipment in their possession, and shall not leave the equipment unattended without proper security measures.
  c) IT equipment shall not be taken away from sites without proper control.

Network Policy

Shahjalal Islami Bank Limited has the responsibility for securing its networking systems against unauthorized access, while keeping the systems accessible for legitimate and administrative usage. This responsibility includes informing persons who use the network systems of the expected standards of conduct and encouraging their application. It is important for users to practice ethical behavior in computing activities, because users have access to many valuable and sensitive resources and a user’s computing practices can adversely affect the work of others. Improper use and abuse of networks will not be permitted. Presently SJIBL has two fiber-optic WAN connections into the data center as well as the Branches. In the near future the Bank will establish another WAN connection through radio/VSAT.

Network Policy

Prior approval from the Head of IT and the Manager, IT Security is required to connect one Information System with another Information System. The security level of the Information System being connected shall not be downgraded.

  a) A maintenance arrangement/agreement is to be made with the supplier/vendor or any other third party at least one calendar month prior to the expiry of the free service and warranty period.
  b) Preference is to be given to a maintenance arrangement/agreement with the suppliers/vendors.
  c) Internal setup and arrangements are to be ready for support, services, and maintenance.
  d) Sufficient experts/professionals are to be recruited/trained for the above.
  e) Necessary equipment/machinery is to be procured/purchased for the above.
  f) Regional Offices/Branches may be allowed to complete/solve minor problems of the Network through any third party having permission from Head Office.
  g) Electronic and manual Log books are to be maintained by Head Office, Regional Offices and Branches for support service and maintenance records.
  h) Regional Offices/Branches should send all equipment/machinery which is non-repairable/out of order to Head Office.
  i) Necessary support devices/items are to be stocked/procured/purchased for immediate support of Head Office, Regional Offices and Branches.
  j) Network installation and configuration are to be done as per requirements, maintaining documentation and standards.

Scope:

  1. a) Network equipment (Routers, Switches) shall be configured in a secure environment.
  2. b) Groups of information services, users, and information systems shall be segregated in networks, e.g. VLAN.
  3. c) Unauthorized access and electronic tampering shall be controlled strictly.
  4. d) Firewall shall be in place on the network for any external connectivity.
  5. e) Redundant communication links shall be used for WAN.
  6. f) There shall be a system to detect unauthorized intruders on the network.
  7. g) Connection of personal laptop to office LAN or any personal wireless modem with the office laptop/desktop must be secured.

Networking Hardware Procurement/Purchase Policy

  1. a) Requisitions/Requirements to be generated through proper channel.
  2. b) Requirement analysis to be carried by Information Technology Division and recommendation to be placed before the Procurement Committee/Competent authority.
  3. c) As per the latest Procurement Regulation maintained by the Procurement Committee of SJIBL, a Tender Notice will be published in the daily newspaper or spot quotations collected, as approved by the Competent Authority.
  4. d) Purchase and Procurement Committee will evaluate the Tender Documents/Quotations submitted by vendors.
  5. e) Evaluation and Comparative statement with specific proposal to be placed before the appropriate level of management as per financial discretionary power for approval.
  6. f) Work Orders to be issued having approval of the competent authority.
  7. g) Items/components are to be received along with Challan/Delivery Memo.
  8. h) Data/information is to be entered in detail into the Computerized Inventory Management System/Registers, and the items/components transferred/located accordingly.
  9. i) Certification/comments of the item/component’s status are to be collected before allowing payments of bills.
  10. j) Warranty coverage and follow-up for maintenance arrangement should be maintained.
  11. k) Service agreement where applicable to be arranged.

Network Systems Policy

  1. a) Systems include network equipment, the network, firewalls, cryptography, operating systems, utility software, etc.
  2. b) For the standard setup of the network systems in the Bank, Cisco Switches, Cisco Routers, Radio Base Station etc. should be installed.
  3. c) Industry standard architecture should be installed in setting LAN and WAN.
  4. d) All systems should be open-standard.

Design, Planning, Approval, Implementation & Maintenance of LAN & WAN

  1. a) Designing the WAN setup in an ISO certification standard manner.
  2. b) Creating and Maintaining the design documentation in a secured manner.
  3. c) Core devices capabilities analysis and deployment planning.
  4. d) Branch devices capabilities analysis and deployment planning.
  5. e) Implementation planning.

Network Security Policy

  1. a) The Network Design and its security are implemented under a documented plan.
  2. b) Creating and maintaining the design documentation of the security area.
  3. c) Branch security area analysis and deployment planning.

Network Design

Following a structured set of steps when developing and implementing network security will help to address the varied concerns that play a part in security design. Many security strategies have been developed in a haphazard way and have failed to actually secure assets and to meet a customer’s primary goals for security. Breaking the process of security design down into the following steps will help to plan and execute a security strategy effectively:

  1. a) Identify network assets.
  2. b) Analyze security risks.
  3. c) Analyze security requirements and tradeoffs.
  4. d) Design a security plan.
  5. e) Define a security policy.
  6. f) Develop procedures for applying security policies.
  7. g) Develop a technical implementation strategy.
  8. h) Achieve buy-in from users, managers, and technical staff.
  9. i) Train users, managers, and technical staff.
  10. j) Implement the technical strategy and security plan.
  11. k) Test the security and update if any problems are found.
  12. l) Maintain security.

Modularizing Security Design

Security experts promote the defense-in-depth principle. This principle states that network security should be multilayered, with many different techniques used to protect the network, and each mechanism should have a backup mechanism. This is sometimes called the belt-and-suspenders approach: both a belt and suspenders ensure that trousers stay up. A networking example is to use a dedicated firewall to limit access to resources and a packet-filtering router that adds another line of defense.

In general, using a modular approach to security design is a good way to gain an understanding of the types of solutions that must be selected to implement security defense in depth. The next few sections cover security for the following modules or components of an enterprise network:

  1. a) Internet connections
  2. b) Remote-access and virtual private networks (VPN)
  3. c) Network services and management
  4. d) Server farms
  5. e) User services
  6. f) Wireless networks


Physical Security

Security Devices to be used in the following manner:

  1. a) Router, Firewall etc. Security Devices should be used in the LAN and WAN.
  2. b) World-renowned Branded Security Devices should be setup for the Bank.
  3. c) There should be separate room for implementation of security devices, router, and other network devices.
  4. d) Redundant Hardware e.g. Router, Switch, Firewall, optical-converters etc. should be setup for instant support.

Bank requires that sound business and management practices must be implemented in the workplace to ensure that information and technology resources are properly protected. It is the responsibility of each department to protect technology resources from unauthorized access in terms of both physical hardware and data perspectives. In fact, the effective security measure of assets in the workplace is a responsibility held jointly by both management and employees.

Physical security involves providing environmental safeguards as well as controlling physical access to equipment and data. The safeguards methods are believed to be practical, reasonable, and reflective of sound business practices.

Supervision, Control, & Monitoring of Network Securities

  1. a) Controlling security through an Intrusion Prevention System (IPS) or Intrusion Detection System (IDS).
  2. b) The network team should properly monitor network. Monitoring software may be used for proper monitoring.
  3. c) Supervision and monitoring of the security area at all levels of HO and Branches.
  4. d) Internet threats protection.
  5. e) Integrations with system admin securities.

Password Control

  1. a) Access into the Network Equipment should strictly be controlled using an Administrative Password.
  2. b) Access into the Network Equipment through Workstations to be controlled, and monitored by the Administrator.
  3. c) Access into the Network Equipment to be properly controlled.
  4. d) Password to be maintained as strictly confidential. System Administrative Password should be preserved in safe custody.
  5. e) Users are responsible for maintaining their own passwords, and a password should not be based on a name or any personal liking.
  6. f) Passwords should consist of mixed characters (e.g. 32bQt_N) and be at least eight characters long; details are given in the password policy, Chapter 5.
  7. g) The maximum validity period of password should be 60 days.
  8. h) The maximum number of invalid logon attempts should be 03 (Three) consecutive times.
  9. i) Password history maintenance is enabled in the system so that a password can be reused only after at least 4 other passwords have been used.
  10. j) Password entries must be masked.
  11. k) The terminal inactive time allowable for users should be set where necessary.
  12. l) Sensitive passwords have to be preserved in a sealed envelope with movement records for usage in case of emergency.
  13. m) Audit trail should be available to review the user profile for maintenance purpose.
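The password controls listed above can be enforced mechanically at the point where a password is set or a logon is attempted. The following is an added example, not code from the Bank's policy or its systems: it implements the mixed-character/eight-character rule (f), the no-name-or-liking rule (e), the 60-day validity (g), the lockout after 3 consecutive invalid attempts (h) and the 4-deep password history (i). The class and function names, the salted PBKDF2 storage and the constructed walkthrough in `run_scenario()` are this example's own assumptions.

```python
"""Password-control checks modelled on rules e) to i) above.

Added example, not code from the Bank's policy or its systems. The class and
function names, the PBKDF2 storage format and the scenario data are assumptions
made for this illustration.
"""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 8            # rule f): at least eight characters
MAX_AGE_DAYS = 60         # rule g): maximum validity period
MAX_FAILED_LOGONS = 3     # rule h): lock after three consecutive invalid attempts
HISTORY_DEPTH = 4         # rule i): reuse only after at least four other passwords
PBKDF2_ROUNDS = 100_000
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; passwords are never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class UserRecord:
    def __init__(self, username: str, personal_words=()):
        self.username = username
        self.personal_words = [w.lower() for w in personal_words]  # rule e) "likings"
        self.history = []          # (salt, digest) pairs, newest last
        self.changed_at = None
        self.failed_logons = 0
        self.locked = False


def complexity_ok(password: str) -> bool:
    """Rule f): minimum length and at least three of the four character classes."""
    if len(password) < MIN_LENGTH:
        return False
    return sum(re.search(p, password) is not None for p in CHARACTER_CLASSES) >= 3


def not_personal(password: str, user: UserRecord) -> bool:
    """Rule e): not derived from the user's name or listed personal words."""
    low = password.lower()
    return user.username.lower() not in low and not any(w in low for w in user.personal_words)


def not_in_history(password: str, user: UserRecord) -> bool:
    """Rule i): must differ from the last HISTORY_DEPTH passwords."""
    return not any(hmac.compare_digest(_digest(password, s), d)
                   for s, d in user.history[-HISTORY_DEPTH:])


def set_password(user: UserRecord, password: str, now: datetime) -> list:
    """Apply the rules; return the list of violated rules (empty means accepted)."""
    reasons = []
    if not complexity_ok(password):
        reasons.append("complexity")
    if not not_personal(password, user):
        reasons.append("personal")
    if not not_in_history(password, user):
        reasons.append("history")
    if reasons:
        return reasons
    salt = os.urandom(16)
    user.history.append((salt, _digest(password, salt)))
    user.history = user.history[-HISTORY_DEPTH:]
    user.changed_at = now
    user.failed_logons = 0
    return []


def password_expired(user: UserRecord, now: datetime) -> bool:
    """Rule g): older than MAX_AGE_DAYS (or never set)."""
    return user.changed_at is None or now - user.changed_at > timedelta(days=MAX_AGE_DAYS)


def attempt_logon(user: UserRecord, password: str, now: datetime) -> str:
    """Rule h): returns 'ok', 'expired', 'denied' or 'locked'."""
    if user.locked or not user.history:
        return "locked" if user.locked else "denied"
    salt, digest = user.history[-1]
    if hmac.compare_digest(_digest(password, salt), digest):
        user.failed_logons = 0
        return "expired" if password_expired(user, now) else "ok"
    user.failed_logons += 1
    if user.failed_logons >= MAX_FAILED_LOGONS:
        user.locked = True
        return "locked"
    return "denied"


def run_scenario() -> list:
    """Constructed walkthrough exercising each rule; returns the outcomes in order."""
    now = datetime(2024, 1, 1)
    user = UserRecord("rahim", personal_words=["cricket"])
    out = [
        set_password(user, "short1A", now),        # too short
        set_password(user, "Rahim2024!", now),     # contains the user name
        set_password(user, "32bQt_N9", now),       # accepted
        attempt_logon(user, "32bQt_N9", now),
        attempt_logon(user, "32bQt_N9", now + timedelta(days=61)),  # past 60 days
        set_password(user, "32bQt_N9", now),       # rejected by history
    ]
    for p in ("Xk9$mLp2", "Qw4#rTy8", "Zn7&bVc3", "Hj2!kLm6"):
        set_password(user, p, now)
    out.append(set_password(user, "32bQt_N9", now))  # four others used: reuse allowed
    out += [attempt_logon(user, "wrong-pw", now) for _ in range(3)]
    out.append(attempt_logon(user, "32bQt_N9", now))  # account now locked
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The history check compares against stored digests rather than plaintext, so the system never needs to keep old passwords in a readable form; the lockout counter is reset only by a successful logon or an administrator-driven password change, matching the "safe custody" of the administrative password in rule d).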

Policy Statement

  1. a) Network to be setup within the Head Office, Back Office, Disaster Recovery Center, Central Bank, Local & Foreign Banks, Branches, Remote sites, Valued Clients and other regulatory bodies to share the resources and to provide better services.
  2. b) Security measures should strictly be maintained before adding any node within the network.
  3. c) Security Policies of the Bank to be implemented for network.
  4. d) Network setup should be in international standard architecture and structured format.
  5. e) Network equipment/devices and accessories should be of international standard.
  6. f) Network Management Software to be used for Network Monitoring and management.

Firewall Policy

  1. a) There should be a system to detect unauthorized intruders on the network.
  2. b) All ports except usable ones shall be blocked.
  3. c) Data rate per port per channel has to be limited.
  4. d) Ingress/Egress packets must be logged and stored.
  5. e) NAT shall be used as much as possible.

Network Security Policy

  1. a) Security means protection of Data & Equipment from internal and external threats.
  2. b) Data, the priceless asset of the Bank, should be protected from hackers at any level.
  3. c) To avoid fraud and forgery, data & equipment should be maintained in a secured manner.
  4. d) Priority should be given at the highest level to the security aspects of data and equipment.
  5. e) There should be 02 (two) types of Security: Physical Security & Information Security.
  6. f) The Security Policy includes data, data handling, users & access control of users, external attack, hardware, and location & position of hardware.
  7. g) There should be a team of ‘Network Administrators’ assigned by the competent authority for the Head Office to follow up and maintain security of all networks.
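The port, logging and data-rate rules of the Firewall Policy can be verified against the firewall's own ingress/egress logs. The following is an added example, not the Bank's tooling: it parses netfilter-style KEY=VALUE log lines, reports accepted inbound packets whose destination port is not on the allowed list (rule b against rule d), and totals accepted bytes per port as a starting point for the data-rate rule (c). The log format, the allowed-port list and the sample lines are constructed for this illustration.

```python
"""Audit of firewall ingress/egress logs against the Firewall Policy rules.

Added example, not the Bank's own tooling. The netfilter-style log format, the
allowed-port table and SAMPLE_LOG are constructed for this illustration.
"""
import re
from collections import Counter

# Assumed allowlist: only these inbound destination ports are "usable".
ALLOWED_INBOUND_PORTS = {"TCP": {443, 22}, "UDP": {500, 4500}}

FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines (documentation addresses only).
SAMPLE_LOG = """\
2024-06-01T10:00:01 FW ACTION=ACCEPT IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP DPT=443 LEN=1500
2024-06-01T10:00:02 FW ACTION=ACCEPT IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP DPT=3389 LEN=60
2024-06-01T10:00:03 FW ACTION=DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP DPT=23 LEN=60
2024-06-01T10:00:04 FW ACTION=ACCEPT IN= OUT=eth0 SRC=192.0.2.5 DST=203.0.113.10 PROTO=TCP DPT=443 LEN=500
2024-06-01T10:00:05 FW ACTION=ACCEPT IN=eth0 OUT= SRC=203.0.113.11 DST=192.0.2.5 PROTO=UDP DPT=53 LEN=80
"""


def parse_line(line: str) -> dict:
    """Split '<timestamp> ... KEY=VALUE ...' into a dict; empty values stay ''."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"] = timestamp
    return fields


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_ingress(rec: dict) -> bool:
    """Ingress = arrived on an interface and was not forwarded out of one."""
    return bool(rec.get("IN")) and not rec.get("OUT")


def audit_open_ports(records, allowed=ALLOWED_INBOUND_PORTS) -> list:
    """Rule b): accepted ingress traffic to a port outside the allowlist is a finding."""
    findings = []
    for r in records:
        if r.get("ACTION") != "ACCEPT" or not is_ingress(r):
            continue
        proto = r.get("PROTO", "")
        port = int(r.get("DPT") or 0)
        if port not in allowed.get(proto, set()):
            findings.append((r["timestamp"], r.get("SRC", ""), proto, port))
    return findings


def bytes_per_port(records) -> Counter:
    """Rule c): accepted bytes per (protocol, port), for comparison with a rate limit."""
    totals = Counter()
    for r in records:
        if r.get("ACTION") == "ACCEPT":
            totals[(r.get("PROTO", ""), int(r.get("DPT") or 0))] += int(r.get("LEN") or 0)
    return totals


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for finding in audit_open_ports(recs):
        print("accepted to non-allowed port:", finding)
    print(dict(bytes_per_port(recs)))
```

Run against the retained logs that rule d) requires, the findings list is the evidence that rule b) holds (or does not); in the sample, the accepted RDP and DNS arrivals would be the two lines an auditor asks about.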

Control & Monitoring of LAN & WAN functionalities

  1. a) Bandwidth consumption analysis.
  2. b) Bandwidth management
  3. c) Load Balancing management.
  4. d) NOC member functionalities formation.
  5. e) Network management software using the Simple Network Management Protocol (SNMP) to be used.

Local Area Networks (LAN) Policy

  1. a) Cabling should be structured. Fiber optic cable to be preferred for LAN cabling; initially Cat5/Cat6 cable may be used.
  2. b) Rack, Patch Panel, Cable Management Unit, Patch Cord, Drop Cable, Face Plate, RJ45 etc. are to be used in connection with LAN setup.
  3. c) Separate Domain (VLAN) for each Department/Division is to be setup in the Switch.
  4. d) IP based network to be setup for nodes and all IPs are to be maintained confidentially.
  5. e) Network policies to be determined in the server for each domain.

Wide Area Networks (WAN) Policy

  1. a) Physical Fiber optic cable connectivity should be preferred for WAN setup within HO and Branch LANs.
  2. b) Wireless connectivity may be set before having physical connectivity for WAN.
  3. c) For the full setup of on-line Banking, the primary connectivity should be physical and the redundant connectivity may be wireless.
  4. d) A Virtual Private Network should be set up in connection with the WAN through the Service Provider’s Bridge/Tunnel.
  5. e) Data should be transmitted through the WAN using cryptographic technology.
  6. f) Security measures should be taken into consideration in WAN connectivity and usage at a highest level of priority as per security policies of the Bank.

Upgrade design, setup, and security levels of LAN & WAN

  1. a) Upgrade of the WAN setup in an ISO certification standard manner.
  2. b) Upgrade of Core devices and deployment planning.
  3. c) Upgrade Branch devices and deployment planning.
  4. d) Security measures should be strictly analysed before adding any new node within the Network.

Maintain log records of LAN & WAN status.

  1. a) Design and approval of network monitoring software with log/report option
  2. b) Supervision and monitoring of network monitoring software with log/report option
  3. c) Archive planning of logs/reports

Router -Switch Data Backup & Restoration Policy

  1. a) Data means all sorts of information kept in printed or electronic format in The Shahjalal Islami Bank Limited.
  2. b) Data should be preserved in a secured manner on our designated FTP server (Hard Disk), the Network Administrator’s PC, and removable disks (e.g. CD/DVD).
  3. c) Removable disks should be preserved under lock and key in safe custody at a location outside (geographically separate from) the related office (Head Office or Branch Office).
  4. d) There should be at least one backup copy kept on-site for time critical delivery.
  5. e) Branches and Head Office should preserve Network related data such as router images & configurations in our FTP server as well as Network Administrator’s PC on weekly basis.
  6. f) The backup log sheet is maintained, checked, & signed by Team Leader.
  7. g) The backup inventory is maintained, checked, & signed by Team Leader.
  8. h) The ability to restore from backup media is tested at least quarterly.
  9. i) Backup Media must be labeled properly indicating contents, date etc.
  10. j) Backup CD/DVDs should be preserved at Head Office in a Fungus & Dust Free, Fireproof Data Safe/Vault.

Redundant Access Policy from Branch to Head Office

A Branch will be considered a disaster branch if both of its links go down and cannot be restored within 6 hours. In that situation, the steps guided by the System Support Team will be followed.

VPN Policy

Purpose

The purpose of this policy is to provide guidelines for Remote Access Virtual Private Network (VPN) connections to the SJIBL banking network.

Scope

This policy applies to all SJIBL employees, Link Vendors, and others including all personnel affiliated with third parties utilizing VPNs to access the SJIBL network. This policy applies to implementations of VPN that allow direct access to SJIBL network from outside the SJIBL network.

VPN approval

  1. a) Approved SJIBL employees and authorized third parties (vendor support, etc.) may utilize the benefits of a VPN, which is a “user managed” service.
  2. b) VPN profiles will be created only at a user’s request, by submitting the appropriate VPN Access Request form. Additionally, the user must have read, understood, and acknowledged this policy before using the VPN service.

General Conditions for VPN

  1. a) It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to SJIBL internal networks.
  2. b) VPN use is to be controlled using either a one-time password authentication such as a token device or a public/private key system with a strong passphrase.
  3. c) When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel: all other traffic will be dropped.
  4. d) Dual (split) tunneling is NOT permitted; only one network connection is allowed.
  5. e) VPN gateways will be set up and managed by SJIBL network operational groups.
  6. f) All computers connected to SJIBL internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers/laptops.
  7. g) VPN users will be automatically disconnected from SJIBL’s network after thirty minutes of inactivity. The user must then logon again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
  8. h) The VPN concentrator is limited to an absolute connection time of 24 hours.


General Network Protections

Internal network addresses, configurations and related system or network information shall not be publicly disclosed.

All internal networks with connections to other networks or publicly accessible computer networks shall be properly protected.

Security measures shall be in place to prevent unauthorized remote access to the systems and data. Computer users are prohibited from connecting workstations to an external network by means of a communication device, such as a dial-up modem, wireless interface, or broadband link, if the workstations are simultaneously connected to a local area network (LAN) or another internal communication network, unless approved by the Head of IT.

Computer users shall not connect any unauthorized Information System device to the Bank’s Information System without prior approval of the Manager, IT Security.

Proper configuration and administration of information / communication systems is required and shall be reviewed regularly.

Connections and links made to outside network shall not compromise the security of information system of the Bank.

Connecting privately owned computer resources to the Bank’s internal network requires approval from the Manager, IT Security.

CONFIDENTIAL/RESTRICTED information shall be encrypted when transmitted over an untrusted communication network.

All network or systems software malfunctions, information security alerts, warnings, suspected vulnerabilities, and the like, and suspected network security problems, shall be reported immediately only to the responsible party according to the incident handling procedure.

Core Banking Software Policy

The Core Banking Software BankUltimus should run smoothly in all the branches. For this, a Data Center, a Disaster Recovery Site, dual network connectivity and an operating policy have been prepared and are currently in operation. To support the users, a 24-hour support center called the NOC (Network Operation Center) is live. The officers perform their duty in shifts, managed by the Data Center team. The Data Center Team circulates the roster duty schedule, prepared by them and approved by the Head of IT, at the end of each month for the next month.

Operating Policy:

Maker-checker requests are received by IT through the proper channel, initiated by the user and approved by the Branch Manager. Users are created by a valid admin user of the IT Division. The branch requests specific limits for execution of branch operations.

User permission is sanctioned as per the request processed from the branch. Operating time is open, as no time restriction has yet been instructed by the competent authority. An operating time schedule will be implemented as and when instructed by the authority.

Operation Calendar for the year is set before start of the year. Other holidays are set as and when required.

Own-branch operation, remote operation and Head Office operation are all permission-based through the BankUltimus system.

New Parameter setting is done by Head Office users. IT users do it as per order circulated by FAD. New GL Account is opened by FAD users as and when required as per proper noting.

Day end operation is done by NOC users of IT division after day close of all the branches.

A dummy Month End operation is performed in the UAT environment before the actual month end, using the end of day of the day preceding the month end. During month end, a team is formed with Business Team members, Network Team members and Software Team members to provide proper support to the branches and Head Office.

Similarly, a dummy Year End is also processed in the UAT environment to anticipate errors or flaws. When a deployment modifies any function for service charges/government duties and bugs are found, they are fixed in the UAT. After a successful day end, and as per the service provider’s recommendation, the live process is updated.

AD branches’ SWIFT operations are done through the SWIFT interface of BankUltimus. As per the requirement of the SWIFT authority, at least one SAA user is required to send all the messages of the AD branches.

Some users of each branch must have BankUltimus training. This training, provided by IT, is of a TOT (train-the-trainer) nature so that the trainees may train the other users of their branch. A list of operation paths and a soft copy of the User Manual are centrally located at the following address path:

IT users are not authorized to make or authorize any financial transaction.

User Support Policy:

Support is provided as per the working process of the IT department: ticket software, schedule-wise support, NOC, Saturday support, daily/month-end/year-end support, and support types (by phone, e-mail, ticket, or physically on the spot). The Cards Department handles ATM card support.

Maintenance Policy :

As per the agreement, the service provider provides support. The agreement is duly renewed to ensure proper services. Database maintenance is covered under the Database policy. After migration of all the branches, the previous data of PcBANK2000 is preserved in three locations:

  • File Server in our DC,
  • In the Vault (DVD) of IT Division archive room
  • In a portable Hard disk in our DC
  • (DVD) In Dhaka Main Branch

We have redundant connectivity for every branch. There is still some risk of both links going down, although SJIBL has considered alternate E1 providers among the connectivity service providers for each branch. When both links go down at the same time, we seek support from the top authority of the service providers. The Branch may be advised according to the severity level.


Level One: Day close operation time is very near and connectivity is still down. The branch manager is informed of the details of the matter.

In the worst case, users are requested to wait patiently until before the start of day on the next day.

Level Two: The next day’s branch operation start time has passed and the link is still down. The remote transaction and card transaction status option for the branch is disabled. To keep a minimum level of customer service up, the latest customer balances, with card transaction details from the previous day’s card transactions for the branch, are sent through e-mail. The e-mail is to be received through another source, such as a smart phone or another e-mail service. The Branch may provide customer services (only deposit and withdrawal) by validating the printed reports received from IT and the Card Division.

Recommendation and Future Planning Policy

Cloud Computing

Overview

Cloud Computing is a recent revolution in the world of Information Technology that enables a convenient way to share resources. It is a model providing on-demand network access to configurable IT devices and services (e.g. servers, storage, and applications), gathered as a network of computing resources located anywhere and shared among its users. Cloud Computing can provide greater flexibility and improved levels of service, while making costs more transparent and increasing institutional efficiency. It is anticipated that the use of Cloud Computing services will grow significantly over the next generation.

This policy is intended to ensure that the use of these services is managed in accordance with existing IT requirements, and to provide a level of Head of IT oversight to address the possibility of a higher level of risk existing because of these new and still-evolving IT service models. The primary reason for this policy is to facilitate a well-managed and successful adoption of Cloud Computing by establishing a process that directs attention to IT related requirements, management processes, and risk factors.

Scope

Cloud Computing is a computing model in which technology resources are delivered over the network. Rather than implementing and maintaining IT services locally, customers of cloud computing buy IT capabilities from providers that manage the hardware and software that operate those services. Resources including infrastructure, software, processing power, and storage are available from the cloud. However, the cost benefits and performance of migrated cloud platforms and services are neither clear nor summarized. Globalization and the recessionary economic times have not only raised the bar for better IT delivery models but have also given access to technology-enabled services via the internet.

However, in spite of the cost benefits, many IT professionals believe that the latest model, i.e. “Cloud Computing”, has risks and security concerns. The following factors should be considered for cloud computing:

  1. a) Idea behind cloud computing.
  2. b) Monetary cost benefits of using cloud with respect to traditional premise computing.
  3. c) Security issues of cloud computing.

We have tried to find out the cost benefit by comparing the Microsoft Azure cloud cost with the prevalent premise cost.

Policy

Use of Cloud Computing services must be formally authorized in accordance with the IT Division.

Use of Cloud Computing services must comply with all current laws, IT security, management policies, and risk.

Use of Cloud Computing services must comply with all privacy laws and regulations, and appropriate language.

Cloud Computing services will not be availed without written approval of the IT Division. The Head of IT Division will certify that security, privacy, and other IT management requirements are adequately addressed prior to approving use of Cloud Computing services.

The Cloud Computing service may not be put into production use until IT Division has provided written approval.

The electronic signature

  1. The electronic signature will be uniquely linked to the signatory
  2. It will be capable of identifying the signatory
  3. It will be created using means under the sole control of the signatory
  4. It will be linked to data to which it relates in such a way that subsequent changes in the data are detectable.

Digital signature on a message:

  1. a) Data origin authentication of the signer: digital signature validates the message in the sense that assurance is provided about the integrity of the message and of the identity of the entity that signed the message.
  2. b) Non-repudiation: digital signature can be stored by anyone who receives the signed message as evidence that the message was sent and of who sent it. This evidence could later be presented to a third party who could use the evidence to resolve any dispute that relates to the contents and/or origin of the message.

Recommendation

  1. Two-way verification system for Internet Banking: after every login, the user will be sent an OTP (One Time Password) to their email address and mobile number, and this OTP will be used for final verification.
  2. SMS Banking service should be improved.
  3. Nowadays Mobile Banking is one of the most popular forms of banking, but Shahjalal Islami Bank has still not introduced this service. Mobile Banking service should be introduced as early as possible.
  4. There are still some bugs in the Core Banking software which hamper the EOD process of the Bank; these bugs should be solved as early as possible.
  5. Shahjalal Islami Bank has introduced Ticket Management System for giving quick support to branch user. Same can be introduced for our clients for giving quick support of SMS and Internet Banking.
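Recommendation 1 above describes a second login step based on a one-time password delivered to the user's e-mail and mobile number. The following is an added example, not the Bank's code, of the server-side part of that step: the code is generated with a cryptographic random source, only a keyed hash of it is stored, it expires, it can be used once, and a few wrong guesses discard it so the user must log in again. The `OtpStore` class, the 5-minute validity window, the 3-attempt limit and the delivery callback are assumptions made for this illustration; actual SMS/e-mail sending is outside its scope.

```python
"""Server-side handling of the login OTP proposed in recommendation 1.

Added example, not the Bank's code. The OtpStore class, the 5-minute validity
window, the 3-attempt limit and the delivery callback are assumptions made for
this illustration; real SMS/e-mail delivery is outside its scope.
"""
import hashlib
import hmac
import secrets

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300        # assumed validity window
MAX_OTP_ATTEMPTS = 3         # assumed limit on wrong codes per issued OTP
CHANNELS = ("email", "sms")  # the recommendation names both e-mail and mobile


class OtpStore:
    """Keeps only keyed hashes of pending codes; each code is usable exactly once."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._pending = {}  # user -> {"digest", "session", "expires_at", "attempts"}

    def _digest(self, user: str, session: str, code: str) -> bytes:
        # HMAC under a server-side key, bound to the user and login session,
        # so a leaked table cannot be brute-forced offline over 10**6 codes.
        msg = f"{user}|{session}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user: str, now: int, deliver) -> str:
        """Generate a code after the primary login succeeds; return the session id.

        `deliver(user, channel, code)` is the caller-supplied sending hook.
        `now` is a Unix-style timestamp in seconds (an int makes testing simple).
        """
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        session = secrets.token_hex(8)
        self._pending[user] = {
            "digest": self._digest(user, session, code),
            "session": session,
            "expires_at": now + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        for channel in CHANNELS:
            deliver(user, channel, code)
        return session

    def verify(self, user: str, session: str, code: str, now: int) -> str:
        """Return 'ok', 'expired', 'denied', 'locked' or 'no_pending'."""
        rec = self._pending.get(user)
        if rec is None:
            return "no_pending"
        if now > rec["expires_at"]:
            del self._pending[user]
            return "expired"
        rec["attempts"] += 1
        if session == rec["session"] and hmac.compare_digest(
            self._digest(user, session, code), rec["digest"]
        ):
            del self._pending[user]          # single use
            return "ok"
        if rec["attempts"] >= MAX_OTP_ATTEMPTS:
            del self._pending[user]          # force a fresh primary login
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = OtpStore(b"constructed-server-key")
    sess = store.issue("demo-user", 0, lambda u, ch, c: print(f"send to {u} via {ch}: {c}"))
    print(store.verify("demo-user", sess, "000000", 1))
```

The six-digit code is kept short because the attempt limit, not the code length, is what bounds guessing; the session id ties the code to the login that requested it, so a code obtained for one login cannot be replayed against another.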

Conclusion

The Banking Industry has changed the way they provide services to their customers and process information in recent years. Information Technology has brought about this momentous transformation. Security of Information for the Bank has therefore gained much importance, and it is vital for us to ensure that the risks are properly identified and managed.

Moreover, information and information technology systems are essential assets for the Banks as well as for the customers and stakeholders. Information assets are critical to the services provided by the Banks to the customers. Protection and maintenance of these assets are critical to the organizations’ sustainability. Shahjalal Islami Bank Limited takes the responsibility of protecting the information from unauthorized access, modification, disclosure, and destruction.

The Bank has prepared the IT Policy as a requirement and as appropriate to the use of Information Technology for its operations. It also sets forth the Code of Professional Ethics to guide the professional and personal conduct of employees.

Employees of the Bank shall:

  1. Support the implementation of, and encourage compliance with, the appropriate standards, procedures, and controls set by this policy for information systems.
  2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
  3. Serve in the benefit of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
  4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
  5. Maintain competency in their respective fields and agree to undertake only those activities that they can reasonably expect to complete with professional competence.
  6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
  7. Support the professional education of stakeholders in enhancing their understanding of IS security and control.

Failure to comply with this Code of professional Ethics can result in an investigation into an employee’s conduct and ultimately, in disciplinary measures.

All employees may share the Information Technology facilities of the Bank. These facilities are provided to employees for conducting Bank business. The Bank permits its employees to use the facilities, including computers, printers, e-mail and internet access.

However, these facilities must be used responsibly by every employee, since misuse by even a few individuals has the potential to negatively impact productivity, disrupt Bank business and interfere with the work or rights of others. Therefore, all employees are expected to exercise responsible and ethical behavior when using the Bank’s Information Technology facilities.

Any action that may expose the Bank to risks of unauthorized access to data, disclosure of information, legal liability, or potential system failure is prohibited and may result in disciplinary action up to and including termination of employment and/or criminal prosecution.

The use of the Bank’s information technology facilities in connection with Bank business, and limited personal use, is a privilege, not a right, extended to the organization’s employees. Users of the Bank’s computing facilities are required to comply with all policies referred to in this document.

To protect the integrity of the Bank’s computing facilities and its users against unauthorized or improper use of those facilities, the Bank reserves the right, without notice, to limit or restrict any individual’s use, and to inspect, copy, remove, or otherwise alter any data, file, or system resource which may undermine the authorized use of any computing facility or which is used in violation of the Bank’s rules or policy. Shahjalal Islami Bank Limited also reserves the right to periodically examine any system and other usage and authorization history as necessary to protect its computing facilities.