Network Security Policy

Purpose:
The network security policy is intended to protect the integrity of Bank networks and to mitigate the risks and losses associated with security threats to Bank networks and network resources.

Goals:
The goals of this network security policy are:
Provide a reliable Bank network and Internet connection to conduct the Bank's business.
Provide only authorized access to institutional, research or personal data and information.
Protect computer system and network integrity at the Bank.

Network Security
Head Office, IT Division shall identify the appropriate network security level for Bank systems, in collaboration with branches, divisions and departments. Head Office, IT Division will investigate any unauthorized access of Bank computer systems.

Head Office, IT Division will work with administrative departments when appropriate.
Systems on the network must have adequate security installed and maintained.

If security problems are observed, it is the responsibility of all the Bank network users to report problems to the appropriate system administrators or Head Office, IT Division for investigation.

Monitoring and Auditing:


Head Office, IT Division will maintain traffic logs of the firewall for security auditing purposes.
Head Office, IT Division reserves the right to monitor, access, retrieve, read and/or disclose data communications when there is reasonable cause to suspect a Bank policy violation, criminal activity, monitoring required by law or at management request.
Head Office, IT Division may perform a security audit of any computer system attached to the Bank's network with the permission of the IT In-charge/Manager or his superior.
Head Office, IT Division will provide a report after the audit is completed.

Software Installation Policy


Purpose:
The purpose of this policy is to address all issues relevant to software installation and deployment on the Bank's computer systems.

Policy Statement:
The Bank's IT Division is exclusively responsible for installing and supporting all software on all its branch, division and department computers. This responsibility set includes:
Head Office Division and Department computers
Branch computers

Software Licensing:
The Bank should use only licensed software for its offices and must not use pirated copies of software.

Software requests:
As per the software installation policy of the Bank, no user will install or attempt to install any software on their computers without prior permission from the Head Office, IT Division. If any software needs to be installed, the user is to request the Head Office, IT Division to install it.

Backup Policy
Purpose:
The primary purpose of file backup is disaster recovery of mission-critical data after either a system failure or a catastrophic failure such as fire, quake, etc.

Policy Statement:
The purpose of the systems and data backup is to provide a means to:
restore the integrity of the computer systems in the event of a hardware/software failure or physical disaster, and
provide a measure of protection against human error or the inadvertent deletion of important files.

Backup Period:
Database backups are performed approximately at the end of the business day.
The Bank also uses other servers for its corporate needs. Incremental data backups are performed approximately at the end of every week on these servers.

Backup Media:
Tapes, Hard Disks, Portable External Hard Disks, DVDs and Data Storage Devices will be used as backup media. A set of (2x6 days)=12 (twelve) Data Cartridge tapes will be used, each pair of which will contain daily backups for weekdays. Daily backups will also be copied to another PC as well as to the Backup Server for the Central Server.

Preservation Location:
All backups will be stored at the Head Office IT Division for quick restoration in case of system failure. In addition, backup media will also be stored in a secure, off-site location to safeguard the data for disaster recovery. Proper environment controls (temperature, humidity and fire protection) shall be maintained at the storage location.

Preservation Life Time:


The data backups of 6 (six) working days will be stored in a set of 12 (twelve) tapes. Monthly data backups will be saved for 6 (six) months, at which time the media will be recycled or destroyed. Half-yearly and yearly data backups will be preserved permanently for archiving purposes.

Archiving Policy:
Archives are normally made once a year or every 6 (six) months, usually at the end of June (the end of the Half Yearly Process) or December (the end of the Year Ending Process).
These historical data will be archived on tapes as well as on DVDs for future use.

Restoration:
Periodic tests of the data backups will be performed daily onto the backup server to determine if files are error free and can be restored. If the restoration fails, a new backup has to be taken until the restoration is performed successfully.

Monitoring and evaluation:


A daily backup register will be maintained at the Head Office, IT Division to keep track as well as ensure the regular backup procedure. The register will log the name, designation, signature, backup time, status and remarks of the personnel responsible for performing the backup procedure.

The register will be checked and verified daily or weekly by the In-charge or the Head of IT.

Destruction of damaged media


All backup media that is not re-usable shall be thoroughly destroyed in an approved manner. Backup media that is used for other purposes shall be thoroughly erased.

IT Audit Policy
Purpose:
This policy defines the authority and responsibility for auditing the security configuration of Information Technology resources managed by bank users.

Scope and Definition:


This policy covers auditing of all computer and communication devices owned, operated by, or located at the Bank premises. Auditing is a scheduled duty to review data on or about network devices or computers for the following purposes:
Ensure integrity, confidentiality and availability of information and resources;
Ensure conformance to Bank's security policies;
Monitor user or system activity where appropriate.

Responsibility
Anyone who is authorized to conduct security auditing will prepare a written audit plan at least once a year for review and approval by the Head of IT and Infrastructure that addresses the following elements:
Resources to be audited;
Tools to be used in the audit;
Risks created by the audit and steps to be taken to minimize them;
Communication with resource managers before the audit;
Final disposition of results.

Accessibility
Branches, divisions and departments will provide authorized auditors any access needed for the purpose of performing an audit upon receipt of a request for such access from the audit staff. This access may include:
User level and/or system level access to any computing or communications device
Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on.
Access to work areas (offices, storage areas, etc.).

Fields of Audit Planning to look in:


Environment and Physical Security
Temperature / humidity controls

Neat and orderly computing rooms


Fire suppression equipment

UPS (Uninterruptible power supply)

Network Security
Documentation of the network IP addresses
Routers, firewalls, VPNs, wireless, all other devices
Account Management
Creating/Disabling Accounts
Password Protocols
Identification of redundant network connection

Change Management
System software upgrades
Application software modifications
New hardware rollouts
Change notification
Testing and acceptance
Change approvals

Backup and Recovery of data


Backup processes

Critical backup files stored on-site and off-site


Data backup/restore plans developed and periodically tested


Disaster Recovery Planning
Redundant Communication
Redundant peripherals

Software Licensing and Compliance


Sampling of PCs and software licenses
