INFORMATION SYSTEM SECURITY – FAQs IT SERVICES DEPARTMENT

Frequently Asked Questions

(FAQs) on Information System Security

S.No. Contents Page No.

1. Passwords 2
2. Anti-Virus 5
3. E-Mail Security 8
4. Internet Usage 10
5. Desktop Security 12
6. Network Security 14
7. Core Banking Security 19
8. ATM Security 24
9. Internet Banking Security 28
10. Phishing 31
11. Card Skimming 33
12. Incident Reporting 35
13. Disaster Recovery & Business Continuity Plan 36
14. Backups 38
15. Miscellaneous 40

**********

STATE BANK OF INDORE Page : 1


Frequently Asked Questions (FAQs)

I. Passwords

Why are passwords important?

Users are responsible for all activities originating from their computer accounts. Access
is allowed to computers only after authentication through valid passwords. Passwords,
therefore, serve as the first line of defense against attacks on computer systems. Users
should, therefore, protect the confidentiality of their accounts by using strong
passwords, by not sharing their passwords with others and by changing their passwords
regularly.

How do I create a strong password?

Users should choose passwords that are easy to remember but difficult to guess.

What you should do:

Make your password at least eight characters long; the longer the better. Use a
combination of numerals (1,2,3 etc.), alphabets (A,B,C etc.) and special characters
(!,@,#,$ etc.). Core Banking Application security guidelines stipulate that the password
will be of minimum 8 characters comprising minimum one capital alphabet,
minimum one numeral and minimum one special character.

Try using a mnemonic. A mnemonic is a formula or rhyme to help you remember.


Examples of passwords using mnemonics are:

• This May Be One Way To Remember (TmB1w2R!);

• My Wedding anniversary is June 6 remember (MWaiJ6r*);

• Ali Baba had forty thieves (ABh40t*!).

What you shouldn't do:

• Write down the password on a sticky note placed on or near your computer.

• Use a word found in a dictionary as password.

• Use a word from a dictionary preceded or followed by one/ two numbers.

• Use own name, short form of own name, own initials, names of family, friends,
co-workers, company or popular characters as passwords.

• Use personal information like date-of-birth, address, telephone numbers etc. as
password.

• Use the default password.
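As an added example, not part of the Bank's FAQ or of the Core Banking software, the Python script below encodes the rules above: the Core Banking composition rule (minimum 8 characters, one capital, one numeral, one special character) and the "don't" list (dictionary word, dictionary word padded with one or two digits, personal information, default password). The dictionary, the default-password list and the personal-information list are small constructed stand-ins (assumptions); a real deployment would load a full wordlist and the user's own details from the HR record.

```python
import re
import string

MIN_LENGTH = 8  # Core Banking composition rule from the FAQ

# Constructed stand-ins (assumptions): a real deployment would load a full
# dictionary/wordlist, a vendor default-password list, and the user's own
# name, initials, date of birth and phone numbers from the HR record.
DICTIONARY = {"password", "welcome", "banking", "indore", "monday", "summer"}
DEFAULT_PASSWORDS = {"password", "admin", "admin123", "welcome", "123456", "changeme"}
PERSONAL_INFO = {"rajesh", "kumar", "1975", "0731"}


def check_password(pw, personal=PERSONAL_INFO, dictionary=DICTIONARY):
    """Return the list of rules the candidate password breaks.

    An empty list means the password satisfies the composition rule and
    none of the "don't" rules from the FAQ.
    """
    problems = []

    # Composition rule: length, one capital, one numeral, one special character.
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeral")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")

    low = pw.lower()

    # Dictionary word, possibly wrapped in special characters and/or padded
    # with one or two digits at either end ("Welcome12", "12welcome!").
    core = low.strip(string.punctuation)
    core = re.sub(r"^\d{1,2}|\d{1,2}$", "", core)
    if low in dictionary or core in dictionary:
        problems.append("dictionary word, possibly padded with 1-2 digits")

    # Personal information anywhere inside the password (sorted for a stable order).
    for item in sorted(personal):
        if item in low:
            problems.append("contains personal information '%s'" % item)

    # Vendor/default password.
    if low in DEFAULT_PASSWORDS:
        problems.append("default password")

    return problems


def is_acceptable(pw):
    """True when the password passes every rule."""
    return not check_password(pw)


if __name__ == "__main__":
    # The three mnemonic passwords from the FAQ plus three that break the rules.
    for candidate in ["TmB1w2R!", "MWaiJ6r*", "ABh40t*!",
                      "welcome12", "Rajesh1975!", "Admin123"]:
        verdict = check_password(candidate)
        print("%-12s %s" % (candidate, "OK" if not verdict else "; ".join(verdict)))
```

The three mnemonic passwords given above pass every rule; "welcome12" fails on composition and as a padded dictionary word, "Rajesh1975!" passes composition but contains the user's name and year of birth, and "Admin123" is a vendor default. The digit stripping deliberately removes at most two digits so that the check matches the rule as written.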

Should I change my password regularly?

It is important to remember that any password can be guessed if given enough time.
Therefore, it is important to change your password within a reasonable period of time. In
terms of our IS Security Policy, password should be changed every 90 days.

When should I change my password ?

Users must change their passwords under any of the following circumstances:

1. At least once in 90 days.

2. As enforced by the system (applications and operating system).

3. If the password has been shared with someone else under unavoidable
circumstances.

4. As soon as possible after a password has been compromised or after you
suspect that a password has been compromised.

What if I forget my password?

Contact the Branch Manager/ Officer overseeing the system operations and request for
reset of password. (Note: Always change your password immediately after it has been
reset.)

Should I keep a written copy of my password?

User should not keep a written copy (in paper or electronic form) of password in easily
locatable places. If the password needs to be written down, ensure that these are
stored securely and are masked or scrambled (e.g. by changing one or more characters
of the password).

What if I suspect someone knows my password?

Immediately change your password.


What precautions should I take regarding my user-id when I go on leave?

Request the Branch Manager/ Officer overseeing the system operations that your user
status be made inactive for the period of leave. After you return, request for reactivation
of your account.

What do I do with my computer when I know I will be away from my desk for a
while?

Never remain logged on to a system when you are away from your computer. Logoff
from all sessions you are currently working on. In core banking environment, lock the
desktop if inactive for short periods. Before you go home, log off completely.

Is it okay to share a password ?

Users should not share their passwords with anyone including colleagues and IT staff.
Users should also not ask others for their passwords. All passwords are to be treated as
sensitive, confidential information. If the password needs to be shared under
unavoidable circumstances, care should be taken to change it at the next login by the
owner of the password.

********


II. Anti-Virus

What is a virus?

A virus is a piece of software that can copy itself and infect a computer without
permission or knowledge of the user. A virus can spread from one computer to another
when its host is taken to the uninfected computer, for instance by a user sending it over
a network or the Internet, or by carrying it on a removable medium such as a floppy
disk, CD or USB drive. Most computer systems are now networked facilitating the
spread of virus.

Viruses can:

• Delete or alter files
• Reformat your disk drive
• Install software programs that allow hackers to remotely access your computer

It is therefore essential that computer systems are protected with anti-virus software.
Please note that virus protection is a necessity, not an option.

How do I protect my computer from viruses?

Anti-virus software is the best protection. Contact IT Services Deptt Head Office/ IT
Centres at Zonal Office/ Regional Office for Symantec anti-virus software if not already
installed on your computer system. You would be aware that State Bank of India has
procured Corporate license for Symantec Anti-Virus Software for use across the State
Bank Group.

Make sure that the anti-virus software on your computer system is updated regularly.
Avoid downloading unknown attachments from emails and Internet web sites. Always
scan an email or Internet attachment with the anti-virus software before opening it.

How are viruses passed from computer to computer?

Viruses are transmitted by infected software or files over a network or through
removable media such as a floppy disk, CD or USB drive. The Internet is the major
source of viruses.

How do I know if my computer has been infected with a virus?

There are many possible symptoms of a virus. Some viruses cause your machine to
slow down, alter your display to show a game, a message, or picture, others simply
erase your files causing programs to crash regularly. If you suspect your machine has
been infected by a virus, contact IT Services Deptt Head Office/ IT Centres at Zonal
Office/ Regional Office immediately for assistance in removal of the virus.


What are the roles and responsibilities of user / branch / system officers for
preventing a virus attack?

Role of the user : A user can prevent a virus from infecting the bank’s systems by
following few simple steps.

1. Users should not disable the installed anti-virus agent or change its settings
defined during installation. This includes settings for daily virus scan, anti-virus
server address and signature update schedules.

2. Users should not disrupt the auto virus scan scheduled on their desktop.

3. All files received from external sources – floppies, CDs, pen drives, internet
downloads, e-mail attachments, etc – should be scanned for virus before
opening.

4. User should immediately report to the Branch Manager any virus detected in the
system and not cleaned by the anti-virus software.

5. User should also verify that after hard disk change/ OS reinstall, the Anti-Virus
software is installed and is getting updated regularly.

6. Users should use only the Corporate Screensaver, as screensavers downloaded from
the internet are a potential source of viruses.

Role of the System Officers : System Officers at ZO/RO/HO should ensure that all
existing computer systems in the bank have anti-virus software installed. They should
also ensure that all new computer systems have anti-virus software installed and
configured as soon as they are connected to the SBI-Connect network. The ‘new
systems’ includes, any new machines introduced in the network OR new hard disk drive
installed in a system OR operating system reinstalled in a system due to software
issues. Anti-virus software should also be installed on new standalone computer
systems at the time of installation.

Role of the Branch : The branch should verify that all the systems in the branch/ office
have the anti-virus software installed and have the latest anti-virus definition files. If any of
the systems is found not to have anti-virus installed or to have an old definition file, the
matter should be urgently resolved in consultation with ZO/RO IT Centres. To check if a
system has the recent anti-virus definition files :

a. Double click and open the Symantec Anti-Virus icon in the system tray.
Check the date under the ‘Virus Definition File’

b. If the date shown is not a recent one, the Anti-Virus software is not
updated and this needs to be examined and resolved.


In case of virus incidents/ virus outbreak, the branches/ offices should report such
incidents to Regional IT Centre/Zonal IT Centre/IT Services Department HO for follow
up with Datacraft in event of non-resolution of the problem.

Is Symantec Antivirus software able to clean all the infected files?

If a file is infected, Symantec Antivirus software is configured to clean the virus from the
file. If this fails, the file will be 'Quarantined' in a holding area where you can attempt to
repair or delete it later. To view Quarantined files, click Quarantine from the View menu.
From here you can clean, delete or repair the file. Symantec Antivirus may be able to
repair or clean Quarantined files when new virus definition files have been updated on
your machine.

********


III. E-Mail Security (pertaining to sbindore.co.in domain)

How do I get an e-mail account?

E-mail ids (…….@sbindore.co.in) are provided from IT Services Deptt, Head Office to
users having a business need for the same. The request for an e-mail id has to reach
the department in the specified format which can be downloaded from the Bank’s
intranet site.

How do I secure my e-mail account ?

You should protect your email account with a strong password for preventing
unauthorized access.

Employees owning the email account are fully responsible for the content of email
originated, replied or forwarded from their account to other users inside or outside the
bank. The bank is in no way responsible for the content of the email, be it body of mail
or the attachment. You should, therefore, secure your email account through a strong
password and should not share your password or account with anyone else.

How do I change my email account password ?

Users can change their email account password on sbindore.co.in domain by using the
option ‘Change Email Password’ on home page on bank’s intranet.

Should I save important old emails on my machine ?

Yes. Users have been provided with a fixed amount of storage space in their mailboxes
on the Email Server. Emails may be deleted if the storage space is exceeded. All Email
users should, therefore, keep a copy of their important mails in a separate backup folder
on their computer system so that in the event of archiving of emails on the central Email
Server, they are able to view their old important mails on their computer system in case
of need.

I am unable to send large attachments with email. Is there any restriction on the
size of attachments which can be sent with email ?

As per the IS Security Policy of our Bank, the email message including all attached files
are limited to fixed size for transmission. Any over-sized email message is, thus,
restricted from transmission by the Email Server.

Can incoming e-mails harm my computer system and bank’s network ?

Yes. Emails are a common source of viruses. Opening attachments received from an unknown
source can install viruses and malicious programmes on the user's desktop, damaging
the system and the Bank's network. Therefore, avoid downloading unknown attachments
with emails. Always scan e-mail attachments with the anti-virus software before
opening them. This will protect both the user's system and the Bank's network.


What is my responsibility as an Email user ?

All users of Corporate E-mail (i.e. having an E-mail Id of the form ….@sbindore.co.in) have the
responsibility to use the E-mail facility provided to them in a professional, ethical and
lawful manner. They should not send or forward the following categories of emails within
or outside the bank –

• Emails with any defamatory, offensive, racist or obscene remarks.

• Emails containing messages that may damage the reputation of the bank.

• Emails that contain viruses or worms.

• Chain mails, i.e. mails forwarded through a chain of people, usually containing
charitable fund raising campaigns, political advocacy efforts, religious efforts and
the like.

• Unsolicited emails to a large number of users, which can be considered mail spamming.

• Emails containing any document, software, or other information protected by
copyright, privacy or disclosure regulation.

In case misuse of the Email system is detected, Bank can terminate the user Email
account and take other disciplinary action.

What precautions should I take for safe email usage ?

The following precautions should be taken for safe email usage:

• Keep your official email address private. Do not provide it on websites and other
interactive forums such as chat rooms. There is a chance of your email ID getting
into the wrong hands, resulting in your email account being flooded with mail.

• Never open an attachment received from an unknown source. Attachments are the
usual carriers of viruses, trojans or worms, which can adversely affect your
system and the network.

• Never respond to spam mail (chain mails / junk mail). Responding to spam mail
confirms that your address is live and encourages spammers to send more junk /
unwanted mail, which will not only flood the network but also use up your system
resources.

• Do not open/ respond to an email received from an unknown person / source.
Just delete it.


IV. Internet Usage

How do I secure my Internet account ?

You should keep your internet account secure by maintaining confidentiality of your
internet account password. Users are responsible for any misuse of Internet access
originating from their account.

What are the best practices for Internet usage ?

Internet is widely used in banking today. However, one has to keep in mind that when
one's system is connected to internet, the entire bank’s network is connected to the net;
and there is a great amount of risk involved in case the internet is not used cautiously.
To minimize the risks involved in transacting or communicating using internet, the user
has to observe best practices for internet usage as given below:

• Limit use of the web browser to business purposes only.

• Do not download free utilities - Free downloads like program files, screensavers,
music, games, PC utilities and office utilities can be dangerous; they are a common
carrier of viruses.

• Indiscriminate visits to unknown and objectionable sites can cause virus attacks on
internal systems, and the entire network may be affected. Do not visit
objectionable sites.

• Ensure that downloads, if any, are scanned for viruses before opening them.

• While visiting web sites for banking transactions / confidential information etc.,
ensure that the site uses SSL technology. Look for the lock symbol on web pages
seeking critical information - like user-id/password, credit card number etc. The
lock only tells you that the connection is encrypted; also check that the address bar
shows the bank's own domain name, since a fraudulent site can use SSL too.

• Always type the URL in the address bar manually to access a site. Do not click
any link provided in emails to visit a site.

• Do not access streaming audio or video files; they create unnecessary load on
network traffic.

In case misuse of the Internet access is detected, the Bank can terminate the user
Internet account and take disciplinary action.

What is meant by the URL used for accessing websites?

URL, or Uniform Resource Locator, is the address of a resource on the net (e.g.
http://www.onlinesbindore.com). The first part of the address identifies the protocol
(such as the hypertext transfer protocol, http, or its encrypted form, https) that the
computers use to talk to each other; the second part is the domain name or IP address
of the computer where the resource is located. It is this domain name part, not words
appearing elsewhere in the address, that tells you which site you are actually talking to.
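The following Python script is an added example, not part of the Bank's FAQ or its Internet banking site. It splits a URL into the protocol and host parts described above and applies the checks a user is asked to make before typing credentials: the protocol must be https, and the host must be the bank's own domain rather than an address that merely mentions the bank's name somewhere else. The trusted host list, the brand word and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for illustration: the hosts the bank is taken to serve Internet
# banking from, and the brand word a look-alike address would try to include.
TRUSTED_HOSTS = {"www.onlinesbindore.com", "onlinesbindore.com"}
BRAND = "sbindore"


def parse_url(url):
    """Split a URL into the two parts the FAQ describes (protocol and host),
    plus the path requested and any user-info portion before an '@'."""
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme.lower(),
        "host": (parts.hostname or "").lower(),   # hostname ignores user@ and :port
        "path": parts.path or "/",
        "userinfo": (parts.username or "").lower(),
    }


def assess_url(url):
    """Return the warnings a user should heed before typing credentials at this URL."""
    p = parse_url(url)
    warnings = []

    # Protocol check: only https protects what is typed into the page.
    if p["scheme"] != "https":
        warnings.append("not https: anything you type travels unencrypted")

    host = p["host"]
    # A bare IP address is never the bank's published site.
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not the bank's domain name")
    except ValueError:
        pass

    # Host check: the bank's name appearing in a subdomain, the path or the
    # user@ portion does not make the host the bank's.
    if host not in TRUSTED_HOSTS:
        if BRAND in host or BRAND in p["userinfo"] or BRAND in p["path"].lower():
            warnings.append("host '%s' is not the bank's although the address mentions "
                            "'%s': look-alike" % (host, BRAND))
        else:
            warnings.append("host '%s' is not a known bank host" % host)
    return warnings


if __name__ == "__main__":
    # Constructed sample addresses: one genuine, three phishing-style variants.
    for url in ["https://www.onlinesbindore.com/",
                "http://www.onlinesbindore.com/login",
                "https://www.onlinesbindore.com.example.net/login",
                "https://www.onlinesbindore.com@203.0.113.5/login"]:
        print(url, "->", assess_url(url) or ["looks genuine"])
```

The last sample shows why the browser's own parsing is used: everything before the "@" is user-info, so the real host is 203.0.113.5 even though the address starts with the bank's name.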


What are Cookies in Internet terminology ? Are they harmful ?

Web cookies, more commonly referred to as cookies, are small parcels of text sent by a
server to a web client (usually a browser) and then sent back by the client each time it
accesses that server. Cookies are used for authentication, session tracking and
maintaining user-specific information such as site preferences. Because the browser
presents the cookie automatically, the server can recognise a returning user without
putting them through the login process again.

Cookies have been a concern for Internet privacy, since they can be used for tracking
browsing behaviour and user information by malicious persons for fraudulent gains. A
session cookie copied from your machine also lets whoever holds it act as you on that site
until the session ends, so log out of sites rather than merely closing the window.
Cookies can be deleted in Internet Explorer as under :

1. Open the <Tools> menu.
2. Select <Internet Options>.
3. Click the <Delete Cookies> button.
4. Click the <OK> button.

********


V. Desktop Security

Am I responsible for the security of my desktop ?

Yes. Users are responsible for the security of their desktops and should take adequate
measures to prevent unauthorized access to their desktops.

How do I ensure security of my desktop ?

You should take the following precautions for ensuring the security of your desktop :

1. Use a boot level password/power-on password on your desktop and keep it
confidential. This ensures that unauthorized users do not have access to
your system.

2. Use a strong password. Change the password regularly to prevent misuse.

3. Do not leave your system unattended. Log out of all applications or turn off
the system if leaving the desktop unattended for an extended period of time.

4. Enable the screensaver password for preventing unauthorized access while the
desktop is unattended for a short duration.

5. Take care not to leave the terminal in the middle of a transaction.

6. Ensure that anti-virus software is installed and anti-virus signatures are
getting updated regularly on your system.

7. Do not disable the anti-virus / secure configuration settings in your system.

8. Always take a backup of the system / critical files and store it securely. In
case a disaster occurs, this will help in quick restoration of the system.

I do not have Internet access on my desktop on SBIConnect. Can I use a dial-up
modem with my machine for internet connectivity?

Dial-up modems are prohibited on machines connected to SBIConnect, as accessing the
Internet through a dial-up modem bypasses the Bank's perimeter controls and exposes the
entire network to several risks. Besides, as per the Bank's Internet Access policy,
Internet access is provided by the Bank for business purposes only after due
authorization from the competent authority.

A number of utilities/ software (freeware) / games etc. are available on the Internet.
Is it safe to download them on my desktop?

Users should not install any software or applications on their desktop that are not
authorized or not essential to the bank's business. Downloading of free utilities, software,
music, videos, games, screensavers etc. is risky and can lead to flooding of your
system with viruses, leading to system crash and data loss.

How will I know if the security of my computer has been compromised?

Any misuse of your password or change of your password without your knowledge
would indicate that the security of your computer has been compromised. Another way
to identify compromise of security of your computer is to look for unauthorized files
and/or programs that you did not install, or for other behavior that is unexpected and out
of the ordinary, for example if a program runs or opens by itself (which did not happen
before), your system may be infected with a virus.

If you suspect that the security of your computer has been compromised, immediately
bring it to the notice of your Branch Manager/ HOD/ IT Services Department Head
Office.

Regarding a computer, what constitutes security violations?

Certain categories of activities, which have the potential to harm, or actually harm,
information assets of the bank are defined as security violations and are strictly
prohibited. All security violations entail disciplinary action. Impersonation, unauthorized
connectivity, introducing virus, exploiting system vulnerability, unauthorized access,
unauthorized modification or tampering of the data, downloading or transmitting
objectionable content, disabling of security features etc. are some examples of security
violations. Any employee who indulges in security violations, thereby, committing
breach of computer security would be subject to disciplinary action.

********


VI. Network Security

The SBIConnect network has become the nerve centre for the State Bank Group,
running all the key applications including core banking, trade finance, ATM, treasury
solutions etc. The network comprises servers, desktops, dedicated leased lines, ISDN
lines, VSATs and networking equipment like routers, switches etc. While technological
measures like access control mechanisms, firewalls and intrusion detection systems
have already been implemented, users also play an important role in network security.

What type of security threats could be faced by bank’s network ?

Bank’s network could face a number of attacks from hackers and malicious intruders.
These are not special to State Bank Group or State Bank of Indore. Across the world, all
banks’ networks face similar security threats as given below :

(i) Password Attacks : In this type of attack, a malicious person tries to guess
the password of a system or user by methods like dictionary based attack,
brute force attack, social engineering etc.

(ii) Denial-of-Service (DoS) Attack : Denial of Service (DoS) is an attack
designed to render a computer or network incapable of providing normal
services, either by flooding the network with a high volume of traffic so that all
available network resources are consumed and legitimate user requests cannot
get through, or by flooding a computer with a high volume of connection
requests so that all available operating system resources are consumed and
the computer can no longer process legitimate user requests.

(iii) Packet Sniffing : It is carried out with software called a "sniffer" that
captures all the packets that flow through a particular network segment.
The user of the sniffer becomes privy to whatever travels in the clear on that
segment, which can include usernames, passwords, account numbers etc.

(iv) IP address# Spoofing : In this method, the attacker tricks his victim by
pretending to be some trusted entity, forging the source address of that trusted
entity on the packets he sends. Once the victim is under the impression that he is
communicating with the trusted entity, the attacker starts receiving
information from the victim which can be misused. IP address spoofing is also
widely used in denial of service (DoS) attacks, since the forged source address
hides the attacker and can direct the replies at a third party.

# IP addresses are analogous to telephone numbers – when you want
to call someone on the telephone, you must first know his/ her telephone
number. Similarly, when a computer on the Internet needs to send data
to another computer, it must first know its IP address. IP addresses are
typically shown as four numbers separated by decimal points, or "dots".
For example, 10.24.254.3 and 192.168.62.231 are IP addresses. The
computer fetches the IP address of the concerned website from the DNS
server. DNS (Domain Name System) is akin to a telephone directory.


(v) Virus Attacks : commonly used to disrupt computer operations or to plant
programs that give an attacker remote access to the infected system.

(vi) Man-in-the-Middle Attack : In this type of attack, a malicious third party
intercepts an ongoing legitimate communication between two trusted parties,
reading or altering it for fraudulent gains while each party believes it is talking
directly to the other.
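A password attack of the kind described in (i) leaves a recognisable trace in the authentication log: many failed logins for one user from one source within a short time, sometimes followed by a success. The Python script below is an added example, not part of the Bank's systems, that runs this detection over a constructed sample log; the log format, addresses, user-ids and thresholds are assumptions. It distinguishes a guessing burst from a user mistyping a password once, and flags the case that matters most, a success right after a burst, which is the signature of a guess that worked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real bank logs). Assumed format:
# "<date> <time> src=<ip> user=<user-id> result=FAIL|SUCCESS".
SAMPLE_LOG = """\
2008-02-14 09:00:01 src=10.24.254.3 user=br1001 result=FAIL
2008-02-14 09:00:04 src=10.24.254.3 user=br1001 result=FAIL
2008-02-14 09:00:07 src=10.24.254.3 user=br1001 result=FAIL
2008-02-14 09:00:09 src=192.168.62.231 user=br1002 result=FAIL
2008-02-14 09:00:11 src=10.24.254.3 user=br1001 result=FAIL
2008-02-14 09:00:14 src=10.24.254.3 user=br1001 result=FAIL
2008-02-14 09:00:18 src=10.24.254.3 user=br1001 result=FAIL
2008-02-14 09:00:22 src=10.24.254.3 user=br1001 result=SUCCESS
2008-02-14 09:00:40 src=192.168.62.231 user=br1002 result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")

THRESHOLD = 5                    # failures that count as a guessing burst...
WINDOW = timedelta(seconds=60)   # ...when they fall inside this sliding window


def parse_line(line):
    """Return (timestamp, src, user, result) or None for a line in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def detect_guessing(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for password-guessing activity found in the log.

    Per (source, user) the timestamps of recent failures are kept in a sliding
    window. A 'burst' alert is raised once when a run reaches the threshold;
    a 'success_after_burst' alert is raised if a login then succeeds, i.e. a
    guess worked and the password must be treated as compromised.
    """
    recent = defaultdict(deque)   # (src, user) -> timestamps of failures in window
    alerted = set()               # keys already reported for the current run
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, user, result = rec
        key = (src, user)
        fails = recent[key]
        while fails and ts - fails[0] > window:   # expire old failures
            fails.popleft()
        if result == "FAIL":
            fails.append(ts)
            if len(fails) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"kind": "burst", "src": src, "user": user,
                               "failures": len(fails), "at": ts})
        else:
            if len(fails) >= threshold:
                alerts.append({"kind": "success_after_burst", "src": src, "user": user,
                               "failures": len(fails), "at": ts})
            fails.clear()          # a success ends the run
            alerted.discard(key)
    return alerts


if __name__ == "__main__":
    for a in detect_guessing(SAMPLE_LOG):
        print("%(at)s %(kind)s src=%(src)s user=%(user)s failures=%(failures)d" % a)
```

On the sample log the script reports a burst from 10.24.254.3 against br1001 at the fifth failure and a success after six failures; the single failure from 192.168.62.231 followed by a normal login produces nothing. The same sliding-window count, keyed on source address alone and fed with connection attempts instead of login results, is the basic detector for the connection flooding described under (ii).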

What controls have been put in place by SBI / our Bank for ensuring network
security ?

The following important controls have been put in place by SBI / our Bank to address
network security :

(i) Perimeter security : Perimeter security has been ensured by installing
Firewalls* and by Router** controls.

* A firewall is a system that is used to protect a trusted network from untrusted
systems/ networks. It filters data packets based on specific types of network
traffic or addresses and thus blocks certain types of data traffic, thereby
protecting the network. A sound rule set permits only the traffic the business
needs and denies everything else by default.

** A router is a device that is used to connect different networks. It uses routing
protocols and/ or static routes to provide connectivity to different networks, and
uses a "metric" to choose the best path to reach the target network/ system. Routers,
when so configured, also perform packet filtering, i.e. permitting or denying packets
based on their addresses and port numbers, thereby providing perimeter
security to the network.

(ii) Intrusion Detection Systems (IDS)*** have been installed for detection of
malicious intrusions into the network.

*** An Intrusion Detection System (IDS) is a monitoring and detecting system
that alerts the administrator of the network (or system) to an attempted or
ongoing attack.

(iii) Logical Access Control : Logical Access Controls have been built in various
applications to prevent unauthorized access. In Core Banking, passwords,
capability levels, posting restrictions etc. have been used for providing logical
access security.

(iv) Anti-Virus Solution : SBI has procured Corporate license for Symantec Anti-
Virus Software for use across the State Bank Group. Installation of anti-virus
software and regular updation of anti-virus signatures on all computer systems on
SBIConnect and incident handling of virus outbreaks have also been outsourced
to Network Integrator M/s Datacraft India Limited.


(v) Disaster Recovery and Backup Procedures : Disaster Recovery & Business
Continuity Plan and backup procedures have been laid down to ensure that
critical systems remain up/ are restored expeditiously in crisis situations. DR
sites have been set up, and operationalised for fall back in case of disasters. For
example, Disaster Recovery site for core banking and ATM applications for State
Bank Group, set up at Chennai, is operational and is regularly tested by DR drills.

(vi) Incident Handling procedures : Procedures have been laid down for reporting
of actual or attempted security breaches for ensuring that they are responded to
promptly, damage contained and reoccurrence prevented.
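To make the perimeter control (i) above concrete, the Python script below is an added example (not the Bank's configuration) of how a router or firewall evaluates a packet against its filtering rules: rules are tried in order, the first match decides, and anything not explicitly permitted is denied. The addresses, ports, interface names and rule set are invented for illustration. The first rule is the ingress filter that counters the IP address spoofing described in the previous answer: a packet arriving from the outside world that claims an internal source address is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Union[None, int, Tuple[int, int]] = None   # None = any destination port
    iface: Optional[str] = None     # interface the packet arrives on; None = any


def rule(action, proto, src, dst, dport=None, iface=None):
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                dport, iface)


# Constructed example rule set for a branch router (an assumption for illustration,
# not the Bank's actual configuration). Address ranges and ports are invented.
BRANCH_ACL = [
    # Anti-spoofing: an internal source address arriving on the WAN side is forged.
    rule("deny", "any", "10.0.0.0/8", "0.0.0.0/0", iface="wan"),
    # Branch desktops may reach the application servers over HTTPS only.
    rule("permit", "tcp", "10.24.0.0/16", "10.1.5.0/24", dport=443),
    # Only the branch server may reach the central database listener.
    rule("permit", "tcp", "10.24.254.3/32", "10.1.5.10/32", dport=1521),
    # Pings allowed for troubleshooting.
    rule("permit", "icmp", "10.24.0.0/16", "10.1.5.0/24"),
    # Explicit default deny: everything not listed above is blocked.
    rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),
]


def port_matches(want, port):
    if want is None:
        return True
    if isinstance(want, tuple):
        return want[0] <= port <= want[1]
    return want == port


def matches(r, pkt):
    """True if the packet (dict with proto, src, dst, dport, iface) fits the rule."""
    if r.proto != "any" and r.proto != pkt["proto"]:
        return False
    if r.iface is not None and r.iface != pkt.get("iface"):
        return False
    if ipaddress.ip_address(pkt["src"]) not in r.src:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in r.dst:
        return False
    if pkt["proto"] in ("tcp", "udp"):          # only these carry port numbers
        if not port_matches(r.dport, pkt.get("dport") or 0):
            return False
    return True


def filter_packet(acl, pkt):
    """First matching rule wins, as on a router ACL; no match means implicit deny."""
    for r in acl:
        if matches(r, pkt):
            return r.action
    return "deny"


def packet(proto, src, dst, dport=None, iface="lan"):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "iface": iface}


if __name__ == "__main__":
    samples = [
        ("branch server to DB listener", packet("tcp", "10.24.254.3", "10.1.5.10", 1521)),
        ("same, but arriving on WAN (spoofed)", packet("tcp", "10.24.254.3", "10.1.5.10", 1521, iface="wan")),
        ("desktop to DB listener", packet("tcp", "10.24.254.7", "10.1.5.10", 1521)),
        ("desktop to app server HTTPS", packet("tcp", "10.24.254.7", "10.1.5.20", 443)),
        ("desktop telnet to app server", packet("tcp", "10.24.254.7", "10.1.5.20", 23)),
        ("Internet host to branch server SMB", packet("tcp", "203.0.113.5", "10.24.254.3", 445, iface="wan")),
    ]
    for label, pkt in samples:
        print("%-40s %s" % (label, filter_packet(BRANCH_ACL, pkt)))
```

The rule order matters: placing the anti-spoofing deny first means the later permits can never be reached by a forged packet, and the explicit final deny makes the default visible to whoever reads the configuration.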

What is the role of the branch in ensuring network security ?

The branch should adhere to the following measures for ensuring network security:

(i) Verify that secure server settings have been installed on the branch server.

(ii) Ensure that in case of any breakdown in branch server due to disk crash,
upgradation of hard disk etc, the secure server settings are re-configured on the
branch server at the time of restoration of the server with the assistance of Zonal
Office/ Regional Office system officers.

(iii) Maintain secrecy of the administrator password of the server.

(iv) Keep the administrator password of the server in a sealed envelope duly entered
in the Branch Document Register with the Branch Manager.

(v) Ensure that all the systems in the branch/ office, including systems after hard disk
change/ OS reinstall, have anti-virus software installed and have latest anti-virus
definition files at all times.

(vi) In case of virus incidents/ virus outbreak, report such incidents to Regional IT
Centre/Zonal IT Centre/IT Services HO urgently for follow up with Datacraft in
event of non-resolution of the problem.

(vii) Do not permit use of dial up modems at the branch for accessing Internet as it
exposes the entire network to several risks.

What are secure server settings implemented at the branches ?

Branch servers are important service points in the Core Banking architecture. To
enhance the security of core banking operations, the secure server settings have been
implemented at all branches of our Bank as per advices of SBI Corporate Centre.
The secure server settings were identified by SBI after completing vulnerability
assessment of CBS branch server keeping in view known security flaws of Windows
Operating System and Oracle database. Implementation of secure server settings
reduces the vulnerability of the branch servers to attacks from intruders/ hackers,
thereby, strengthening the security of branch operations.


Complete list of secure server configuration settings implemented at the branches is
given in the Secure Configuration Document (SCD) hosted on bank's intranet (please
see Circular No. ITSD/11/07-08 dated 14.02.08).

The security settings configured at the branch should not be disturbed for maintaining
security of the branch computer systems.

How do I keep my desktop on the Network secure?

(i) Use a strong password and change it regularly to prevent misuse.

(ii) Make sure that the anti-virus software is installed on your computer system
and is updated regularly.

(iii) Do not disable the installed anti-virus agent or change its settings defined
during installation.

(iv) Avoid downloading unknown attachments from emails and Internet web sites.

(v) Scan all files received from external sources – floppies, CDs, pen drives,
internet downloads, e-mail attachments, etc for virus before opening.

(vi) Immediately report to the Branch Manager any virus detected in the system
and not cleaned by the anti-virus software.

(vii) Do not attach a dial-up modem to your computer for internet connectivity.

What precautions should be taken by the branch before permitting third party
access to the bank’s network?

The following precautions should be taken by the branch before permitting bank's
network access to third parties :

(i) Access to information or other system resources of the bank is to be provided to
only those third parties having a business need for the same.

(ii) All access to third party personnel is to be provided only after approval by the
competent authority. Access privileges will be provided based on the approval. Officers
overseeing system operations are responsible for disabling the access after the
specified time period.

(iii) Access to third parties should be permitted only after recording the same in the
Hardware Access Register.

(iv) If an existing user-id/password has to be shared with third-party personnel for
troubleshooting, it should be changed by the respective user soon after use.

(v) All media brought by third parties should be scanned for viruses before being put to
use.

Whether external systems may be connected to the bank’s network?

External users (including consultants, vendors and service providers) who bring their
laptops/ computer systems into the Branch premises should not be allowed to connect
to the Bank's Network.

In case of any requirement to provide connectivity to our bank’s network for external
computing devices, the Branch Manager/ Head of Deptt should seek approval from the IT
Services Deptt, Head Office.

********

VII. Core Banking Security

What are the important security issues in core banking ?

Important security issues in core banking are :

• Virus outbreak at a branch bringing down the bank’s network.
• User control across the bank.
• Posting of fraudulent transactions.
• Sniffing of data/ transactions traveling from branches to CDC Belapur.
• Unauthorized users.
• Unauthorized connections.

How can virus outbreak in the branch be controlled ?

A virus outbreak in the branch can be controlled by :

(i) Ensuring that all the systems in the branch, including systems after a hard disk
change/ OS reinstall, have anti-virus software installed and have the latest anti-virus
definition files at all times.
(ii) Scanning all files received from external sources – floppies, CDs, pen drives,
Internet downloads, e-mail attachments, etc. – for viruses before opening them.
(iii) Reporting virus incidents/ outbreaks to the Regional IT Centre/ Zonal IT
Centre/ IT Services HO urgently, for follow-up with Datacraft in the event of
non-resolution of the problem.

How is user access to the CBS software (Bancs24) controlled by the system ?

User access to the CBS software (Bancs24) is permitted based on the rights assigned to
a user. Rights are assigned to users in Bancs24 by a combination of three settings,
namely :
- User capability
- Group number
- User type

What is User Capability ?

Each user is assigned a capability level at the time of creation. The capability levels
are from 1 to 16 with 1 being the lowest level and 16 being the highest capability
level. The branch level capabilities are from 1 to 9. Transactions on the system can
be performed by users having the defined or a higher capability. For example,
transactions requiring a capability level of 5 can be accessed by users with a
capability of 5 or higher.

What is Group Number ?

The user is also attached to a group which further defines the capability of the user in
respect of certain transactions. For example, a user of capability 5 may be required
to be given user administration functions, while another user of same capability may
have to be restricted from doing these functions. Users are, accordingly, attached to
different groups for achieving the desired objectives. The group is just a number and
there is no hierarchy. For example, it does not mean a user attached to group 16 has
higher capability than a user attached to group 9.

What is User Type ?

Each user is assigned a user type. The user type determines the menus available to
the user. A general user is User type 1. User type 50 is for Vault Teller, 60 for Cash
Officer and 40 for officer with user administration rights.

How is user administration controlled in core banking ?

(i) The user creation is done at CDC Belapur based on the written request
received from the branch.
(ii) The user-id is based on the employee's Provident Fund (PF) number, which
ensures its uniqueness. The User-ids are linked to the specific branch code to
which the user (staff member) is attached.
(iii) The Ids allotted by CDC to the officials / staff at the branch are duly advised
to them and acknowledgement obtained from them in the User-Id Allocation
Register.
(iv) The branch can change the user capability and group only temporarily (till the
next EOD at the CDC). Permanent change of user capability and group can
be done only at CDC.
(v) Only the branch to which the user is attached (home branch) can perform
user-setting changes.
(vi) All the user administration changes go through the maker checker route.
(vii) Record of user administration changes like changes in capability/ group, user
type, user reset, home branch etc. should be maintained by the branch as per
CPP Circular No. 15/06 dated 29.07.06.

What is User forced closure ?

User forced closure is required when the user is shown as signed on while he is actually
not. This can occur in cases such as a UPS failure at the branch, the user's computer
rebooting, etc. Forced closure does not change the user's password and will permit
the user to log on again. This transaction does not go for authorization.

What is User signon reset ?

When the user forgets his password, or has made 3 unsuccessful attempts to log in with
an invalid password, the system ‘suspends’ the user. Hence his password has to be reset.
The option ‘User signon reset’ is used for this purpose. In view of the security implications,
the transaction has to be authorized by another official. The password gets reset to the
default password. The user is prompted to change his password on logging on again.

When should the user status be made inactive ?

The user status should be made inactive when the user goes on leave/ is relieved on
transfer/ deputation. This is important as the user can sign on from any branch in case
his user-id remains active during the period of leave/ joining period.

The user status should also be made inactive in the system whenever the concerned
person ceases to be a user i.e. retires/resigns/ is suspended/ removed from
service/dismissed.

When should the home branch of a user be changed in case of transfer/
deputation?

Change of Home branch of the transferred employee (to be done by the old branch)
should be done only after the transferred / deputed employee has joined at the new
branch.

How should server security be maintained at the branch ?

(i) Restrict access to the server room.

(ii) Maintain secrecy of the ‘administrator’ password of the server.

(iii) Keep the ‘administrator’ password of the server in a sealed envelope duly
entered in the Branch Document Register with the Branch Manager.

(iv) Do not disturb secure server settings implemented at the branch.

(v) Ensure that in case of any breakdown in branch server due to disk crash,
upgradation of hard disk etc, the secure server settings are re-configured on
the branch server at the time of restoration of the server with the assistance
of Zonal Office/ Regional Office system officers.

How do I keep my core banking terminal secure and prevent fraudulent
transactions from being posted from my terminal ?

(i) Use a strong password and change it regularly to prevent misuse.

(ii) Do not leave your system unattended. Log out of all applications or turn off
the system if leaving the desktop unattended for an extended period of time.

(iii) If away from the terminal only for a brief period of time, lock your system by
clicking the icon provided on the screen.

(iv) Take care not to leave the terminal in the middle of a transaction.

(v) Use a screensaver password.

(vi) Make sure that the anti-virus software is installed on your computer system
and is updated regularly.

(vii) Do not disable the installed anti-virus agent or change the settings defined
during installation.

(viii) Avoid downloading unknown attachments from e-mails and Internet web sites.

(ix) Scan all files received from external sources – floppies, CDs, pen drives,
Internet downloads, e-mail attachments, etc. – for viruses before opening them.

(x) Immediately report to the Branch Manager any virus detected in the system
that is not cleaned by the anti-virus software.

(xi) Do not attach a dial-up modem to your computer for Internet connectivity.

How is transaction security maintained by the system in core banking ?

(i) The capability of the user must be equal to or greater than the transaction
being done.

(ii) The system generates Trace No. / Journal No. for all the committed
transactions to enable identification of all transactions uniquely.

(iii) Maker-Checker Concept - Transactions put through by the users, are sent for
authorization in Queue as per defined rules. The concerned official(s)
authorize the queue items from their systems.

(iv) For supervisory over-ride in respect of exception conditions, the system provides
options to send the transaction to a specific supervisor or a group of
supervisors, or for a ‘local supervisor' to record such over-ride by giving his/her
password.

(v) All transactions are logged.

How is data security ensured during transmission from the branch to
CDC (Central Data Centre) Belapur ?

The SBIConnect network serves as the communication backbone for the core banking
application. All transactions travel on SBIConnect from the branches to CDC Belapur.
The entire SBIConnect network is protected using DES and IPSec for end-to-end
security. All data transmitted over the network is encrypted using the DES (Data
Encryption Standard) algorithm and travels in an IPSec secure tunnel from the
branch to CDC, thereby providing adequate security from malicious intruders.

How secure are data centre operations at CDC Belapur ?

Data Centre operations at CDC Belapur are fully secure. Firewall and IDS Logs are
monitored and periodic Vulnerability Assessment and Penetration Tests are carried out
by SBI for ongoing detection of any intrusions/ attacks and weaknesses in the system
for further strengthening of the security systems. BS 7799 Certificate has been
obtained by SBI for CDC Belapur and DR site at Chennai. ISO 27001 certification has
also been obtained for ATM and Internet Banking operations at CDC Belapur. The
certifications provide information security assurance of international standards.

What steps have been taken to prevent modification of reports on the branch
server ?

The Reports folder at all the branches has been made ‘Read only’ to prevent modification
and misuse at the branch level.

What steps should be taken for ensuring safety of server and networking
equipment in the server room ?

(i) Access to the server room should be restricted. Entry of service provider
personnel/ vendors etc. in the server room should be permitted only after
entering in the System Room Access Register.
(ii) Two Air-conditioners with Timer should be installed in the Server room as per
extant instructions.
(iii) Carbon dioxide (CO2) gas type fire extinguishers should be installed at easily
accessible places for protecting computers and networking equipment in case
of fire.
(iv) Fire/Smoke detectors and alarms should be installed in the server room.
(v) Important telephone numbers of service providers/ fire brigade, police control
room, Branch Manager’s residence telephone no. etc. should be prominently
displayed for ready reference in case of need/ emergencies.
(vi) Combustible materials like computer stationery should not be stored in the
server room.

********

VIII. ATM Security

How do I protect my ATM Card and PIN ?

(i) Treat your card like cash. Keep it in a safe place.
(ii) Sign on the back of the card in the space provided as soon as you
receive it.
(iii) Protect your card's magnetic stripe. Do not expose the magnetic stripe to
heat, direct sunlight, scratches, or a continuous magnetic field such as a TV.
(iv) Choose a PIN (Personal Identification Number) which is difficult to guess.
Avoid selecting a PIN which can be easily associated with you, e.g.
telephone number, account number, date of birth, etc.
(v) Protect your privacy and security by never giving out your PIN to anyone.
(vi) Do not write down the PIN where it can be discovered. For example, do
not write down the PIN on your card or on a note in your wallet or purse. It
is better to memorize the PIN.
(vii) Do not give the ATM card to anyone, including your dear ones/ employees,
to transact on your behalf.
(viii) Change the PIN immediately if it is accidentally divulged or you suspect
that it might have been compromised. Even otherwise, change the PIN at
frequent intervals.
(ix) While using the ATM card for the first time, change the PIN
printed in the PIN Mailer without fail.

What precautions should I observe at ATM kiosk ?

(i) If you are using the ATM for the first time, take the guidance / assistance
from Bank’s personnel.
(ii) Close the door while you operate the ATM.
(iii) Be sure that you are the only person in the ATM kiosk at the time of
transaction.
(iv) Do not let anyone enter the ATM kiosk until you leave.
(v) Beware of foreign objects attached on an ATM.
(vi) Make sure that your PIN (Personal Identification Number) is not visible
when you enter it at an ATM machine. Use your body to “shield” the ATM
keypad as you enter your PIN. Ensure that the person standing in the
queue does not have a peek as you enter your PIN.
(vii) If the ATM says “ INCORRECT PIN No.” try to feed correct PIN No. If the
ATM again says “INCORRECT PIN No.” please reconfirm the PIN No.
before trying again. If 3 consecutive incorrect PIN Nos. are entered, your
PIN No. will be disabled for 24 hours as a safety measure.

(viii) Do not accept assistance from any strangers while using an ATM.
(ix) Do not leave behind the card in the ATM slot or in the ATM kiosk.
(x) Do not leave behind the receipt / statement of the account because it
contains your account information. Instead, retain the receipts till you
check it with your account statement for correctness.
(xi) For your protection, do not count or display money you received from the
ATM. Immediately pocket the cash and count it later when you reach a
safe place.
(xii) For your safety, consider having someone accompany you at night.

What precautions should I observe while using an ATM-cum-debit card at
merchant establishments ?

(i) Restrict the use of the ATM-cum-debit card to reputed merchant outlets.
(ii) Ensure that the card is swiped in front of you.
(iii) If you find anybody watching you at the time of entering your PIN, cover the keypad
with your other hand while entering the PIN.

When should I change my ATM PIN ?

You should change your PIN :

1. When you suspect that it might have been compromised.
2. Periodically, to reduce the risk of fraud.

How often can I change the PIN ?

You can change the PIN as and when required.

Does the PIN remain secure during transmission from ATM machine to ATM
Switch Centre ?

Yes. When you enter your PIN in the ATM, the PIN is encrypted using an encryption
algorithm called DES (Data Encryption Standard) and sent to the Host Security Module
(HSM), an accessory to the ATM Switch, for verification of PIN. Encryption of PIN by
DES ensures that in the unlikely event of an intruder gaining access to the packets of
information traveling between the ATM and ATM Switch Centre, he has virtually no
chance of finding the one right key to decrypt the PIN.

What should the customer do if he forgets his PIN ?

The PIN can be regenerated at a nominal charge. The customer has to request the branch
for regeneration of the PIN. The branch, in turn, has to send a written request to the ATM
Switch Centre for PIN regeneration.

If customer advises about loss of card over phone, should the branch act upon
telephonic advice of the customer ?

Yes. The branch should take steps to hot-list the card (mark it HOT) and also advise the
customer (i) to make a written request in this regard; and (ii) to report the loss of the card
on 1800-11-2211 or 080-26599990 (toll-free numbers).

What steps should be taken by the branch for detection of misuse of stolen
cards?

The VSS (Video Surveillance System)/ Digital Surveillance System (DSS) records activity
inside the ATM room. The footage recorded by the VSS/ DSS helps in the identification of
fraudsters who misuse or attempt to misuse stolen cards. The branches should ensure
that the VSS/ DSS, wherever installed, is functional and that cassettes of the Video
Surveillance System are changed once a month. The branches should also ensure that
they are conversant with the replay of the recorded footage in case of need.

How to keep ATM Safe Combination Keys/ Passwords at the branch secure ?

ATM Safe Combination Keys/ Passwords, consisting of two parts, should be held in the
custody of two different officials. Both parts should be kept in two separate sealed
envelopes with the Branch Manager entered in Branch Document Register.

What is the utility of ATM Terminal Master Keys at the branch and how to keep
them secure ?

ATM Terminal Master Keys, comprising two parts, are required in case of a major
change in ATM settings or software changes. Both parts should be kept in two separate
sealed envelopes with the Branch Manager, entered in the Branch Document Register.
Custody of the ATM Terminal Master Keys should be with two different officials.

What precautions should be taken regarding undelivered ATM cards returned to
the branch?

PIN mailers and ATM Cards (returned to the branch undelivered) should be held
separately by two officers. The details of these items should be recorded as per extant
instructions. If a request is made by a customer for delivery of returned ATM card, such
delivery should be made only after proper verification of the customer’s identity/
address/ reasons for non-delivery.
ATM cards, which have been re-directed to the branch by SBI Cards (since they could
not be delivered at the customer’s recorded address), and have been lying un-delivered
at the branch for 3 months or more should be destroyed. Before destroying any ATM
Card, the same must be got “hot listed.” Proper record of all ATM Cards, thus,
destroyed must be maintained at the branch.

What precautions should be taken in delivery of PIN Mailers to customers ?

It should be ensured that PIN Mailers are issued to ATM card holder after proper
identification against acknowledgement only to the account holder and not to third
person.
PIN mailers, which have been lying undelivered at branches for more than 45 days,
should be destroyed. Proper record of all PIN Mailers, thus, destroyed must be
maintained at the branch.

What should I do if my ATM card is lost or stolen?

Promptly report your lost or stolen ATM card by calling 1800-11-2211 or 080-26599990.

********

IX. Internet Banking Security

How do I protect my Internet Banking account ?

(i) Check the date and time you last logged in for identifying possible
unauthorized logins and fraudulent activity.
(ii) When you access your bank’s internet banking website, it is advisable to
type the address in the URL as http://www.onlinesbindore.com/ and not
copy paste from any email, another web page or other source.
(iii) After clicking on the ‘Personal Banking’ or ‘Corporate Banking’, verify:
· URL address starts with “https” and not “http”.
· Padlock sign appears on the taskbar.
· ‘Verisign logo’ appears on the screen.
(iv) Use a secure password which cannot be easily guessed. As a precaution,
avoid using passwords like your name, surname, address, telephone
number, driving license, date of birth, etc.
(v) Do not write down the password where it can be discovered; for example,
do not write down the password in your pocket diary or on a note in your
wallet or purse. Do not store the password in an unprotected computer
system. It is better to remember and memorize the password.
(vi) User name and password allow entry to the internet banking site. Smart
users avoid typing these on the keyboard while someone is close by or
watching them.
(vii) Do not reveal your user-id and password to anyone including bank
employees.
(viii) Avoid using the same password that you use for other services like your
email.
(ix) Do not leave your computer unattended while you're connected to
www.onlinesbindore.com.
(x) After using the internet banking, logout completely by clicking on logout
button and then close all the browser windows.
(xi) It is advisable to change your password if you believe that someone has
managed to get access to it. Even otherwise, change the password at
frequent intervals.
(xii) Maintain different Login and Profile passwords.
(xiii) Monitor your account regularly. If you notice any irregular transaction, it is
important to report it as quickly as possible.

What is the significance of ‘Verisign logo’ on our Internet Banking website ?

The Verisign logo implies that our Internet Banking site has been certified by Verisign as an
authentic site for secure online transactions, with data entered on the site encrypted as
per international standards before transmission over the Internet. Verisign is the trusted
provider of secure Internet infrastructure in the world. Clicking on the closed padlock
at the bottom of the Internet banking screen displays the Verisign Certificate
authenticating the site.

What is High Security Feature in our Internet Banking application ?

High Security feature provides SMS based security for your Internet banking
transactions. By enabling this feature, for every transaction you make, you will receive a
high security password on your mobile. You need to enter this password to complete the
transaction.

Can I restrict the amount of fund transfers through Internet Banking ?

Yes. You can fix the limits on the monetary value of transactions, which you desire to
carry out on your accounts, by making changes in your ‘Profile’ on our Internet banking
site. You alone can modify these limits.

What happens in case repeated incorrect login attempts are made ?

If a customer gives a wrong username and/or password, he gets the error message
“Invalid Username or password”. If the customer keys in a wrong username/password thrice
(consecutively), then he will be locked out for the day. The lock is automatically
released at 00:00 hrs IST.

Is it safe to conduct Internet Banking transactions from cyber café ?

No. It is best to avoid using untrusted systems, such as systems in a cyber café, for banking
transactions. Account information can be retrieved from the browser cache and
can be misused by malicious persons after you leave the cyber café. Key loggers, which
keep a record of the keys pressed, thereby revealing the user id and password, are easily
deployable at a cyber café, posing a threat to the security of your internet banking
account.

What are Phony websites and how do I secure myself from such websites ?

Phony websites are fraudulent websites created to look identical to those of a legitimate
bank or trusted company. Phony websites use an organization’s website graphics and
logos, but are actually set up in an attempt to steal sensitive personal and financial
information. A phishing mail, seemingly from a legitimate Internet address, invites the
customer to click on a hyperlink provided in the mail. Clicking on the hyperlink directs the
customer to a phony website that looks similar to the genuine site. Information provided
on this webpage is used to conduct fraudulent transactions.

In case you receive any email from an address appearing to be sent by State Bank of
Indore, advising you to enter information like your personal details, account details or
information on your user id and password of your internet banking facilities, PLEASE
DO NOT RESPOND. This may be a ‘Phishing Attack’. YOUR BANK NEVER SENDS
SUCH MAILS.

How can browser be configured not to remember passwords for secure Internet
Banking transactions ?

The browser (Internet Explorer) can be configured not to remember passwords by
disabling the ‘AutoComplete’ function as under :

1. Click on <Tools>.
2. Click on <Internet Options>.
3. Click on the “Content” button.
4. Under “Personal Information”, click on “AutoComplete”.
5. Uncheck “User names and passwords on forms” and click on “Clear
Passwords”.
6. Click “OK”.

********

X. Phishing

What is Phishing ?

Phishing is a term used to describe the action of e-mail fraudsters who "phish" (fish) for
web users' identities. Their objective is to convince consumers to share their User-Id,
Password, PIN number, Credit Card number etc. which the phishers then use to commit
frauds.

How are phishing attacks done ?

Phishing attacks are committed by sending fraudulent e-mail, seemingly from a
legitimate Internet address, to customers. The e-mail invites the customer to click on a
hyperlink provided in the mail. Clicking on the hyperlink directs the customer to a fake web
site that looks similar to the genuine site. Usually the e-mail warns of an impending
penalty for non-compliance. The forged web pages usually contain a form to capture the
personal information that the phishers want to use to commit fraud. The information is
then used to conduct fraudulent ATM, debit/ credit card or Internet banking transactions.

What is the nature of phishing emails ?

Phishing mails generally exhibit the following characteristics :

1. Phisher e-mails are typically NOT personalized. Typically phisher e-mails
start with ‘ Dear Valued customer ………….’ / ‘Dear customer ………..’
instead of starting with your name.
2. Phishers typically include disturbing (but false) statements in their emails
to make people react immediately. For example, phisher mail may include
“Dear valued customer, your account information needs to be updated due
to few fraudulent activities noticed in the recent past. Failure to update
your records will result in account suspension. Once you have updated
your account records, your account service will not be disrupted and will
continue as normal.”
3. Phisher mail typically asks for information such as user-id, password,
credit/ debit card numbers, PIN etc. Please note that banks would never
ask for personal information like passwords, credit card/ debit card
numbers via e-mail.

How can I avoid phishing attacks ?

Phishing attacks can be avoided by taking the following precautions :

(i) Never respond to requests for personal information via e-mail. If in doubt, call
the institution that claims to have sent you the e-mail.
(ii) Do not use the links in an email to go to a web page. Instead type proper
URL in the address bar.

(iii) Verify to make sure that the website uses encryption during transmission of
data before submitting account number, password, credit card/ debit card
number or other sensitive information via Web browser. Verify that the site is
secure by checking the SSL lock at the bottom of the browser; and the
beginning of the Web address in your browser’s address bar is "https://"
rather than "http://".
(iv) Regularly check your Credit Card and bank statements to ensure that all
transactions are legitimate.

Phishing attacks can be launched via SMS messages and through telephone calls
also. The technique used is simple – an SMS message is sent to a customer. The
SMS message is designed to scare the customer enough to get him to dial the
number given in the SMS thinking that he is calling his bank or credit card company.
He is asked on the telephone to give his internet banking user-id or credit card/ debit
card number and password for further identification which he does resulting in
financial losses. On receiving such messages, exercise caution and verify from the
bank/ institution the genuineness of such SMS messages.
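The characteristics of phishing mails listed earlier (impersonal greeting, threat of suspension, request for credentials) and precautions (i) to (iii) above (do not follow links, check the address) can be turned into a simple triage check. The following Python script is an added example written for this page, not a tool of the bank's; it assumes that the bank's only legitimate hosts are those named in this FAQ, treats two or more indicators as suspicious, and runs over two constructed sample messages.

```python
"""Heuristic triage of a suspected phishing e-mail, using the indicators the FAQ lists."""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts the bank actually uses, taken from the FAQ: the Internet Banking site and the
# domain of the e-alert reporting mailbox. Anything else is treated as "not the bank".
LEGITIMATE_HOSTS = {"www.onlinesbindore.com", "onlinesbindore.com", "sbindore.co.in"}

# Indicator 1: a non-personalised salutation ("Dear Valued customer", "Dear customer").
GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(valued\s+)?(customer|user|member|client)\b", re.I | re.M)
# Indicator 2: threat of suspension/penalty designed to make the reader react at once.
URGENCY = re.compile(
    r"\b(suspen(d|ded|sion)|disrupt(ed|ion)?|immediately|penalty|failure\s+to\s+update)\b",
    re.I)
# Indicator 3: a request for credentials that the bank never asks for by e-mail.
CREDENTIAL_REQUEST = re.compile(
    r"\b(password|pin(\s+number)?|user[- ]?id|username|card\s+number|cvv)\b", re.I)
URL = re.compile(r"""https?://[^\s<>"')]+""", re.I)


@dataclass
class PhishingVerdict:
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold is an assumption of this example: two independent indicators.
        return len(self.indicators) >= 2


def _body_text(msg) -> str:
    """Return the plain-text body, whether the message is single-part or multipart."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True)
        chunks.append(payload.decode("utf-8", "replace")
                      if isinstance(payload, bytes) else str(payload))
    return "\n".join(chunks)


def analyse_email(raw_message: str) -> PhishingVerdict:
    """Score one raw RFC 822 message against the FAQ's phishing indicators."""
    msg = message_from_string(raw_message)
    body = _body_text(msg)
    verdict = PhishingVerdict()

    if GENERIC_GREETING.search(body):
        verdict.indicators.append("generic greeting")
    if URGENCY.search(body):
        verdict.indicators.append("urgency or threat language")
    if CREDENTIAL_REQUEST.search(body):
        verdict.indicators.append("asks for credentials")

    # Indicator 4: a hyperlink pointing anywhere other than the bank's own site. A
    # look-alike such as www.onlinesbindore.com.<other>.example is NOT the bank's host.
    for url in URL.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host not in LEGITIMATE_HOSTS:
            verdict.indicators.append(f"link to non-bank host: {host}")

    # Indicator 5: the real sender address, behind the display name, is outside the bank.
    _, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rpartition("@")[2].lower()
    if sender_host not in LEGITIMATE_HOSTS:
        verdict.indicators.append(f"sender domain outside bank: {sender_host}")
    return verdict


# Constructed sample: a phishing mail of the kind the FAQ quotes (not a real message).
PHISHING_SAMPLE = """\
From: "State Bank of Indore" <alerts@sbindore-secure.example>
To: customer@example.com
Subject: Urgent: account verification required

Dear Valued customer,

Your account information needs to be updated due to few fraudulent activities
noticed in the recent past. Failure to update your records will result in
account suspension. Please login at
http://www.onlinesbindore.com.verify-login.example/personal and confirm your
user-id, password and ATM PIN number.
"""

# Constructed sample: a routine notice that personalises the greeting, asks for nothing
# and links only to the genuine Internet Banking site (the sender address is assumed).
GENUINE_SAMPLE = """\
From: "State Bank of Indore" <branch.notices@sbindore.co.in>
To: customer@example.com
Subject: Branch holiday notice

Dear Mr. Sharma,

The branch will remain closed on Monday for a public holiday. Internet Banking at
https://www.onlinesbindore.com/ is available as usual. Visit the branch if you
have any questions.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("genuine", GENUINE_SAMPLE)):
        v = analyse_email(sample)
        print(f"{label}: suspicious={v.suspicious} indicators={v.indicators}")
```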

Where should I report suspected phishing emails received?

An exclusive e-mail id, viz. “ealert@sbindore.co.in”, has been created by the bank for
reporting suspicious e-mails/ SMS messages. This mailbox is monitored regularly to
check for any incoming message. Immediately report any incident of "Phishing" e-mails
/ SMS messages to this e-mail address and also to the Branch Manager. This will
enable the Bank to take prompt remedial measures to block phishing attempts.

What should I do if I have accidentally revealed sensitive personal information
like passwords in response to a phishing mail?

Change your passwords immediately. Block your ATM Card/ Credit Card / enable High
Security feature for securing Internet banking transactions (as the case may be). Check
your statements and report any erroneous entries to the Bank.

********

XI. Card Skimming

What is Card Skimming ?

‘Card Skimming’ is the illegal copying of information from the magnetic stripe of a credit
card or ATM card by swiping the card through a special device called a skimmer. The
skimmers copy your card details so that they can access your accounts. Once
skimmers have skimmed your card, they can create a fake or ‘cloned’ card with your
card details on it. The fake card is as good as the original card and can be misused for
fraudulent gains.

What are the warning signs for recognizing skimming attacks ?

The warning signs for skimming attacks are :

(i) A shop assistant takes your card out of your sight in order to process
your transaction.

(ii) You are asked to swipe your card through more than one machine.

(iii) You see a shop assistant swipe the card through a different machine to
the one you used.

(iv) You notice something suspicious about the card slot on an ATM (e.g.
an attached device).

(v) You notice unusual or unauthorized transactions on your account or
credit card statement.

Where is card skimming likely to happen ?

Card skimming can occur at retail outlets, restaurants, petrol stations etc. where an
extra swipe of customer’s credit card / ATM-cum-debit card is made by a corrupt
employee through a special device called the skimmer before handing back the card.
The information is then sold to an organized group for making counterfeit cards which
are later used for defrauding the customers.

How do I protect myself from skimming attacks ?

(i) Keep your credit card and ATM cards safe. Treat them in the same
way as cash.

(ii) Do not share your ATM’s PIN with anyone.

(iii) Choose PIN that is difficult for anyone else to guess.

(iv) Do not keep written copy of your PIN with the card.

(v) If you are using an ATM, take time to check that there is nothing
strange or suspicious about the machine or in its vicinity, including
signs of tampering or the attachment of additional fixtures like tiny cameras
overlooking the keypad, and suspicious looking people or
somebody trying to look over your shoulder to see the PIN.
If an ATM looks suspicious, do not use it and alert the bank.

(vi) Ensure that the Credit card / ATM-cum-debit card is swiped in your
presence. If you are in a shop and the assistant wants to swipe your
card out of your sight, or on a second machine, you may decide to take
your card back and either pay with a cheque or cash, or not make the
purchase.

(vii) Check your bank account and credit card statements as soon as you
receive them. If you see a transaction you cannot explain, report it
immediately to your bank.

********


XII. Incident Reporting

What is an information system security incident ?

An information system security incident is the act or attempted act of violating any
explicit or implicit provisions of Bank’s IS Security Policy.

All actual or attempted security breaches should be reported. This is necessary to
ensure that they are responded to promptly, damage contained and reoccurrence
prevented.

What are the indications of a possible breach of security ?

Some of the indications of a possible breach of security are given below :

• Any change in user-id and / or password without the knowledge of the concerned
user may be an indication that the user account has been compromised.
• Existence of unknown user accounts.
• Any attempt to gain unauthorized access to a system or data, identity/
impersonation.
• An unwanted disruption or denial of service (DoS).
• Changes to data or system hardware, operating system configuration or software
characteristics without proper authorization.
• Unauthorized activation of suspended user accounts.
• Increase in system resource usage to abnormal levels. Unusually high levels of
CPU and memory utilization are an indication that the system may have been
compromised. In order to detect abnormally high levels of resource utilization,
the officer overseeing system operations should keep track of system utilization
levels and the reasons for fluctuations.
• Corruption of data, unauthorized modification or deletion of data.
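As an added illustration of how the account-related indicators above can be checked mechanically (this is example code, not from the bank's systems), the following Go program parses a constructed account-management audit log and flags password changes made by someone other than the user, creation of accounts not on an approved list, activation of suspended accounts by a non-administrator, and configuration changes by a non-administrator. The log format, user names and reference lists are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one parsed line of a constructed account-management audit log,
// laid out as "<time> <actor> <action> <target>".
type Event struct{ Time, Actor, Action, Target string }

// Constructed reference data for the checks (not taken from any real system).
var (
	approvedUsers  = map[string]bool{"teller1": true, "teller2": true, "teller3": true, "clerk7": true, "sysadmin": true}
	adminUsers     = map[string]bool{"sysadmin": true}
	suspendedUsers = map[string]bool{"oldstaff4": true}
)

// Constructed sample log; clerk7 is an ordinary user, not an administrator.
var sampleLog = []string{
	"09:01 teller1 PASSWORD_CHANGE teller1",
	"09:14 clerk7 PASSWORD_CHANGE teller2",
	"09:20 sysadmin CREATE_USER teller3",
	"09:31 clerk7 CREATE_USER tmpuser9",
	"09:45 clerk7 ACTIVATE_USER oldstaff4",
	"10:02 clerk7 CONFIG_CHANGE app.conf",
}

// parseLog turns log lines into Events, skipping malformed lines.
func parseLog(lines []string) []Event {
	var events []Event
	for _, ln := range lines {
		if f := strings.Fields(ln); len(f) == 4 {
			events = append(events, Event{f[0], f[1], f[2], f[3]})
		}
	}
	return events
}

// checkIndicators applies the FAQ's indicators to each event and returns one alert
// line per match. An action is suspicious when performed by someone who is neither
// the affected user nor an administrator, or when it touches an unapproved account.
func checkIndicators(events []Event, approved, admins, suspended map[string]bool) []string {
	rules := []struct {
		action, why string
		hit         func(e Event) bool
	}{
		{"PASSWORD_CHANGE", "password changed without the user's knowledge", func(e Event) bool { return e.Actor != e.Target && !admins[e.Actor] }},
		{"CREATE_USER", "unknown user account created", func(e Event) bool { return !approved[e.Target] }},
		{"ACTIVATE_USER", "unauthorized activation of a suspended account", func(e Event) bool { return suspended[e.Target] && !admins[e.Actor] }},
		{"CONFIG_CHANGE", "configuration change without authorization", func(e Event) bool { return !admins[e.Actor] }},
	}
	var alerts []string
	for _, e := range events {
		for _, r := range rules {
			if e.Action == r.action && r.hit(e) {
				alerts = append(alerts, fmt.Sprintf("%s %s %s %s: %s", e.Time, e.Actor, e.Action, e.Target, r.why))
			}
		}
	}
	return alerts
}
```

Running `checkIndicators(parseLog(sampleLog), approvedUsers, adminUsers, suspendedUsers)` yields four alerts, one for each of the clerk7 lines after the first; each alert is the kind of event that should go into the Incident Reporting format.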

How do I report a security incident ?

For reporting any computer security related issues or concerns, use the 'Incident
Reporting' format on bank’s website.

While reporting incidents, users are required to furnish their identity and contact details
for effective follow up. All data relating to the incident should be secured and preserved
to facilitate investigation.


XIII. Disaster Recovery & Business Continuity Plan

What is Disaster Recovery & Business Continuity Plan ?

A Disaster Recovery & Business Continuity Plan defines the activities to be performed
to bring business operations back to normal within a pre-determined timeframe after a
disaster strikes.

Why is Disaster Recovery & Business Continuity Plan necessary for branches/
critical operations ?

The Disaster Recovery & Business Continuity Plan is necessary for strengthening the
preparedness of the branches/ offices handling critical operations in fighting disasters
like fire, electrical disruptions and Server/ Network failures. Besides, having an approved
DRP is a necessary requirement for internal audit compliance.

What is the time schedule for preparing Disaster Recovery and Business
Continuity Plan by the branches ?

As per extant instructions, the branches should prepare Disaster Recovery & Business
Continuity Plan taking into account branch specific risk assessment during the 1st week
of January every year and send the Disaster Recovery & Business Continuity Plan to
their controlling authority (in duplicate) for approval by 10th January of every year. The
duplicate copy of the plan, duly approved by the Controlling Authority, should be
recorded at the branches as ‘Branch Document.’

What factors should be taken into account while preparing Disaster Recovery &
Business Continuity Plan ?

The Disaster Recovery & Business Continuity Plan should be based on :

(a) Risk Analysis.

(b) Existing Control Mechanisms at the branch related to fire prevention,
provision for uninterrupted power supply to computer systems, physical
access etc.

(c) Required Control Mechanisms at the branch for meeting the plan
objectives.

An Action Plan based upon the required control mechanisms should be drawn with
specific responsibilities assigned to staff members for carrying out the disaster recovery
and business continuity operations in the wake of a disaster.


What is Risk Analysis?

It is a technique to identify threats faced by the branch from the external / internal
environment that may disrupt business operations. It also helps to define preventive
measures to reduce the probability of these threats occurring and to identify
countermeasures to successfully deal with these risks, so as to avert a breakdown in
operations or to restore critical functions, in the event of a breakdown, within an
acceptable time period.

What is Recovery Time Objective (RTO) ?

The Recovery Time Objective (RTO) is the duration of time within which critical
processes must be restored after a disaster in order to avoid unacceptable
consequences associated with a break in business continuity. The RTO provides the
basis for identifying and analyzing viable strategies for inclusion in the business
continuity plan.

How do I know the plan will work?

The plan has to be tested against simulated crisis situations to verify its effectiveness.
Changes in the plan should be made based on the problems faced during mock drills
conducted on an ongoing basis. It has to be appreciated that testing is important for
determining the efficacy of the plan and for it to be really useful in live crisis situations.

When should testing of DRP/BCP be done by the branches ?

The Disaster Recovery & Business Continuity Plan should be tested by the branches at
quarterly intervals with the involvement of the staff members. Interruptions caused by
potential threats surrounding the branch environment including link failure, server
failure, power failure should be simulated and testing done and results documented.
Shortcomings observed in the plan during testing should be noted for making suitable
changes in the plan for increased effectiveness.

When should DRP/ BCP be reviewed by the branches ?

As per extant instructions, the Disaster Recovery & Business Continuity Plan should be
reviewed by the branches at the beginning of April, July and October of every year. The
review report, including the problems faced during mock drills and changes that are
envisaged, if any, should be advised to respective Controllers by 10th of April, July and
October, the duplicate of which, duly approved by the Controller, should be retained
along with the original plan.

********


XIV. Backups

A. At branches

What is the importance of taking backups in branches ?

Backup of front-end database and B@ncslink, taken on DAT, is required in case the
server crashes and has to be restored. The DAT backup contains teller details,
B@ncslink configuration, signatures of branch customers etc. It helps in restoration of
the server setup in the event of server hard disk crash or whenever due to technical
problems the server hard disk has to be formatted.

Who is responsible for taking backups in a branch ?

The officer who has been entrusted with the responsibility of EOD operations by the
Branch Manager is responsible for taking the backups.

At what frequency should the backups be taken at the branch ?

Backup should be taken on DAT on a daily basis. Two sets of backup must be taken.
The backup DAT is recycled on the next working day.

Why are two sets of backups recommended ?

Two sets of backups are recommended so that one set can be stored offsite, for use in
case the first set is non-readable/ damaged. As per extant instructions, the second
backup DAT should be kept overnight with the Branch Manager / Officer overseeing
EOD operations at the branch. It should be ensured that when backup media is kept
overnight offsite, the backup media is properly packaged to prevent damage in transit.

When should DAT tapes be replaced in a branch ?

As per extant instructions, the DAT tapes should be replaced after 75 writings to ensure
that there is no deterioration in the media (DAT) and that data is captured effectively,
so that restoration can be carried out without difficulty when required. Besides, a DAT
tape should be replaced immediately if it is found defective at the time of writing data.

What precautions should be taken for safe keep of backups ?

Data on backup media should be secured against environmental and physical threats.
In branches/ offices, the backup media should be kept in a fire proof safe/ almirah, kept
outside and away from the system room. Proper labeling of media should be ensured
for easy handling.


Why is recovery testing necessary ?

Recovery testing of data backups is necessary to verify that the data on the backup
media is readable and can be used for restoration purpose when required. Periodic
recovery testing of backups is, accordingly, required to be done by the branches at
respective RO/ZO IT Centre once every year.

What precautions should be taken while disposing of the media ?

Backup media should be disposed of when (i) the media life has expired; and (ii) the
storage media has become unreliable. But before discarding it, one must ensure that all
the sensitive data on the storage media has been removed and rendered unrecoverable
by erasing, overwriting, degaussing or physical destruction.

B. At Offices other than branches

Why should I take backup of my computer system ?

Backups should be taken on removable media on a regular basis so as to enable
restoration of the system in case of disk crash/ data corruption.

If you don't back up your data, you run the risk of losing it. Your files could become
unreadable due to a virus, computer crash, accidental/ malicious deletion, or external
disaster. Backups help you to tide over such crisis situations.

What precautions should be followed regarding safe keep of backups ?

Take backups in two sets, one set for off-site storage.

Store your backup media in a safe and secure place away from your computer.

Periodically test the capability to restore from the backup media. It's of little value to
have a backup that is unreadable.

********


XV. Miscellaneous

What are Digital Signatures ?

A Digital Signature is an electronic equivalent of an individual's signature. It
authenticates the message to which it is attached and validates the authenticity of the
sender. In addition, it also provides confirmation that the contents of the message to
which it is attached have not been tampered with en route from the sender to the
receiver.

A message 'signed' with a digital signature cannot normally be repudiated, i.e. the
sender cannot deny having sent the message or its contents; in addition, it provides
a digital time stamp to confirm the time and date of transmission.

A digital signature is provided by a Certifying Authority which in the case of banks is
IDRBT.
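As an added example (not part of the original FAQ and not the bank's or IDRBT's code), the following Go program shows the three properties described above: a genuine message verifies, a message whose contents were altered en route fails verification, and a message signed by a key other than the sender's fails as well. Ed25519, the sample message text and the time stamp format are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// SignedMessage carries the body, the time stamp that was signed with it, and the
// signature over both (the FAQ notes a signed message also confirms date and time).
type SignedMessage struct {
	Body      []byte
	Timestamp string
	Signature []byte
}

// signedBytes is the exact byte string that is signed and verified: the time stamp,
// a separator, then the body, so neither part can be altered independently.
func signedBytes(body []byte, ts string) []byte {
	return append([]byte(ts+"|"), body...)
}

// Sign signs body and ts with the sender's private key. Ed25519 is assumed here;
// the FAQ does not name a signature algorithm.
func Sign(priv ed25519.PrivateKey, body []byte, ts string) SignedMessage {
	return SignedMessage{body, ts, ed25519.Sign(priv, signedBytes(body, ts))}
}

// Verify checks m against the sender's public key. It fails if the body or time
// stamp was changed in transit (integrity) or if another key produced the
// signature (authenticity of the sender).
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(pub, signedBytes(m.Body, m.Timestamp), m.Signature)
}

// demo runs the three cases a receiver must distinguish and returns the outcomes:
// the genuine message, the same message with an altered body, and a message on
// the same body signed by an impostor's key.
func demo() (genuine, tampered, impostor bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, impostorPriv, _ := ed25519.GenerateKey(rand.Reader)
	ts := time.Now().UTC().Format(time.RFC3339)

	// Constructed sample instruction; not a real transaction.
	msg := Sign(priv, []byte("TRANSFER 10000 FROM 1234 TO 5678"), ts)
	genuine = Verify(pub, msg)

	forged := msg
	forged.Body = []byte("TRANSFER 90000 FROM 1234 TO 5678") // amount altered en route
	tampered = Verify(pub, forged)

	impostor = Verify(pub, Sign(impostorPriv, msg.Body, ts))
	return genuine, tampered, impostor
}

func main() {
	g, t, i := demo()
	fmt.Printf("genuine=%v tampered=%v impostor=%v\n", g, t, i)
}
```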

What is a Digital Certificate ?

A Digital Certificate is the electronic equivalent of an ID card that authenticates the
originator of a digital signature. A digital certificate, digitally signed by the issuing
Certifying Authority (CA), establishes the user's credentials and authenticates the sender
to a receiver when performing transactions over the Internet, using the World Wide Web.

What precautions should be taken for maintaining the security of Digital
Certificates ?

(i) Users who have been authorized to use the smart cards or e-tokens should
safeguard them carefully as compromising the same can have wide
ramifications. In case of loss of smart card or e-token, the procedure for
suspension / revocation of digital certificates should be immediately followed
by the user.

(ii) Users of applications requiring digital signing of the messages should keep
their passwords associated with use of digital certificates secure. The
passwords should also be changed frequently.

(iii) In case of smart card/ e-token based digital signatures, the Branch Manager /
Head of Deptt should ensure that the employees return the smart card/
e-token containing digital certificate at the time of retirement / resignation /
suspension / transfer/ dismissal.

What are Digital Certificate Users' obligations ?

Digital Certificate Users' obligations are :

i) Request the issue, renewal and, if necessary, revocation of their digital
certificates.


ii) Generate the key pair (except in the case of Encryption Certificate) on a
secure medium.
iii) Ensure the safety and integrity of their private keys, including:
(a) Controlling access to the computer containing their private keys.
(b) Protecting the access control mechanism used to access their private
keys.
iv) Use certificates in accordance with the purpose for which they are issued.
v) Report any errors or defects in their Digital Certificate to the RA or
IDRBT CA.
vi) Inform the RA or IDRBT CA immediately, if a key pair is compromised, by a
paper document (fax) and seek immediate acknowledgement for the same.
vii) Inform the RA or IDRBT CA immediately, in case of transfer, to cancel the
Digital Certificate.
viii) Apply for renewal of Digital Certificate in time before expiry on their own, if
required.

What are biometric access controls ?

Biometric access control systems are security systems which authenticate (verify the
identity of) users based on their physical or behavioral characteristics, e.g. fingerprints,
voice, retina pattern etc. Financial Inclusion initiatives use biometric access controls for
identification of beneficiaries.

What is Data Integrity ?

The property that data has not been altered or destroyed or lost in an unauthorized or
accidental manner.

What is data encryption ?

Data encryption is a means of scrambling data into unintelligible form so that it can only
be read by the person(s) holding the 'key'. Without the 'key', the cipher cannot be
broken and the data remains secure. Using the key, the cipher is decrypted and the
data is returned to its original value or state. For example, the ATM PIN is encrypted
before transmission from the ATM to the ATM Switch Centre to ensure its secrecy.

What is decryption ?

The process by which encrypted data is restored to its original form in order to be
understood/ usable by another computer or person.

What is Steganography ?

Steganography is the technique whereby a message is concealed within another
medium. It means that a seemingly innocuous graphic or sound file (say) can conceal
malicious code/ messages. E-mails with seemingly innocuous image attachments can,
therefore, have hidden malicious code which when opened can corrupt the system.

What is malicious code ?

Software that is intentionally included or inserted in a system for harmful purpose e.g. a
virus, worm, Trojan horse, or other code-based entity that infects a host computer
system.

What is Trojan Horse ?

A malicious program, such as a virus or a worm, hidden in an innocent-looking piece of
software, usually for the purpose of unauthorized collection, alteration, or destruction of
information.

What is a Keylogger ?

A device or program that records a user's keystrokes, usually used to steal usernames
and passwords. Financial transactions should not be done at a cyber café or on
non-trusted systems, as user-ids and passwords can easily be captured at such places
by keyloggers.

What is Identity Theft ?

Identity Theft is the act of stealing and assuming another person’s identity in order to
commit fraud or other crimes.

What is Shoulder surfing ?

Shoulder surfing is looking over a user's shoulder as they enter a password. This is one
of the easiest ways of obtaining a password to breach system security. The practice is
not restricted to office computers; it is used wherever passwords / PINs are entered
(e.g. at ATMs).

What are audit logs ?

Audit logs are computer files containing details of amendments to records by different
users. Enabling this feature incurs some system overhead, but it permits subsequent
review of system activity when details are needed of which user-id performed which
action, on which files, and when.

What is Penetration Testing ?

It is a form of security testing in which evaluators attempt to circumvent the security
features of an information system, based on an understanding of system design. It is
used to develop system controls against intrusion or hacking.


How can proper earthing be ensured for the safety of computers and networking
equipment at the branches ?

With Core Banking in place and the use of multiple delivery channels like Internet Banking
and ATMs, banking operations have become critically dependent on technology. It is,
therefore, important that computer systems and networking equipment function
properly to prevent any disruption in normal business operations. This equipment is
sensitive to voltage level and voltage fluctuations and requires proper earthing for
safety and long life. The following guidelines should be followed for ensuring proper
earthing :

(i) Earth pit should be prepared and maintained as per detailed specifications
contained in bank’s e-Circular 205/08-09 (ITSD/1/08-09) dated 13.08.08.

(ii) Earthing should ensure that a ground-to-neutral voltage of less than 2 volts
and an earth resistance less than 3 ohms is provided at all power points
meant for networking and computer equipment.

(iii) The generator set should be connected to earth wire.

What is the role of employees in safeguarding bank’s IT assets ?

All employees of the bank should protect the information assets as part of their job
responsibilities. Specifically, all employees should adhere to the following guidelines :

(i) Keep all relevant data of the bank as confidential.

(ii) Access only the relevant data which is required for the job.

(iii) Follow Best Practices on Information System Security of the bank.

(iv) Report all incidents of security breaches or attempts to breach security of IT
applications, networks, customer data etc. irrespective of the fact whether or
not such activity resulted in actual damage or financial loss.

(v) Not indulge in any activity which has been classified as a security violation by
the Bank such as connecting modems to machines without approval,
introducing virus, password guessing, computer impersonation, erasing or
modifying data without authority, downloading or transmitting objectionable
content through Internet or E-Mail, bypassing access control mechanisms,
exploiting any system vulnerability, installing or distributing unlicensed
software, vandalism, computer theft or fraud.

Remember : Computer Security is Everyone’s Responsibility
