Madhya Pradesh Gramin Bank

Cyber Security Policy


(Reviewed at the 18th Board Meeting dated 24.12.2021)
Our Vision:

To become the bank of choice for Farmers, Salaried / Self-Employed persons,
Students and different segments of services.

Our Mission:

To become the people’s own Bank, by fulfilling customers’ Banking needs of the day with
a human touch.

Introduction:

Cyberspace is a complex environment consisting of interactions between people,
software and services, supported by worldwide distribution of information and
communication technology (ICT) devices and networks.

Use of Information Technology by banks and their constituents has grown rapidly
and is now an integral part of the operational strategies of banks. The Reserve Bank of
India / NABARD have provided guidelines on Information Security, Electronic Banking,
Technology Risk Management and Cyber Frauds. The measures suggested for
implementation cannot be static, and banks need to proactively create, fine-tune and modify
their policies, procedures and technologies based on new developments and emerging concerns.

Since then, the use of technology by banks has gained further momentum. On the
other hand, the number, frequency and impact of cyber incidents / attacks have increased
manifold in the recent past, more so in the financial sector including banks,
underlining the urgent need to put in place a robust cyber security / resilience framework at
the bank and to ensure adequate cyber security preparedness among banks on a continuous
basis. In view of the low barriers to entry, evolving nature, growing scale / velocity,
motivation and resourcefulness of cyber threats to the banking system, it is essential to
enhance the resilience of the banking system by improving the current defences against
cyber risks. These would include, but not be limited to, putting in place an adaptive
Incident Response, Management and Recovery framework to deal with adverse
incidents / disruptions, if and when they occur.

The Cyber Security Policy is intended to safeguard the interests of the organization’s
stakeholders, customers, business partners and employees, and also to comply with
statutory & regulatory requirements as well as guidelines and the various provisions of the
National Cyber Security Policy 2013 [NCSP – 2013].

Page 1 of 23
For matters where no policy guideline is explicitly mentioned in this document, the Bank
will follow industry-level best-practice guidance.

This policy applies to:

• This Cyber Security Policy (CSP) is a formal set of rules by which those people who
are given access to the Bank’s technology and information assets must abide.
• The CSP serves several purposes. The main purpose is to inform customers,
employees, vendors and other authorized users of their obligatory requirements for
protecting the technology and information assets of the Bank. The CSP describes the
technology and information assets that we must protect and identifies many of the threats to
those assets.
• The CSP also describes the user’s responsibilities and privileges. The policy describes
user limitations and informs users that there will be penalties for violation of the policy. This
document also contains procedures for responding to incidents that threaten the security of
the Bank’s computer systems and network.

Our Objectives:

The objectives of the Cyber Security Policy are to ensure that:

• Confidentiality, Integrity and Availability of all information assets are protected
adequately and maintained uniformly across the Bank.
• The Bank’s business information and customer information are protected.
• Relevant regulatory and statutory requirements with respect to different business
units are complied with.
• Responsibility and accountability for cyber security in the Bank are established.
• Security-related incidents are managed appropriately.
• A secure cyber ecosystem is created in the Bank, generating adequate trust &
confidence in IT systems and transactions in cyberspace and thereby enhancing adoption of IT
in all spheres of the Bank.
• Financial benefits accrue to the Bank’s businesses from adoption of standard security
practices and processes.
• Information is protected while in process, handling, storage & transit so
as to safeguard the privacy of customers’ data and reduce economic losses due to cyber-
crime or data theft.

IT Sub-Committee (ITSC)

The IT Sub-Committee will be chaired by the Chairman of Madhya Pradesh Gramin
Bank (MPGB). Meetings of the ITSC will be held bi-monthly, and the Convener will be the Chief
Manager / Senior Manager, IT Department. The Members are the GM of MPGB, the Chief
Manager / Senior Manager, Planning and the Chief Manager / Senior Manager, Investment. The
minimum quorum for a meeting will be four; the presence of the Chairman or the General
Manager, MPGB, and of the Chief / Senior Manager, IT, at any meeting of the Sub-Committee
is mandatory.

The Role of the IT Sub-Committee will be to:

• Devise strategies and policies for protection of all assets of the Bank (including
information, applications, infrastructure and people).
• Develop and facilitate implementation of Cyber Security Policies and procedures.
• Initiate discussion of security concerns and issues arising from the Branches / Regions
and ensure that appropriate advice is imparted and effective procedures implemented.
• Provide direction and advice to the Cyber Security Team (IT Cell at HO and Data
Centre) on the security implications of Business Continuity and Disaster Recovery Plans.
• Provide direction and advice to the Human Resource Department to ensure that Human
Resources are provided with appropriate training.
• Review the position of cyber security incidents and the various information security
assessments and monitoring activities across the Bank.
• Monitor the implementation of the CSP in all Branches / Regions and Administrative
Offices. Monitoring compliance with the CSP shall be a continuous process carried out
by the designated officials at the grass-root level (branches / admin offices), with exception
reporting to their respective Branch / Regional Head.
• Initiate appropriate security reviews (internally or with the assistance of an
independent third party) and monitor the implementation of the changes recommended by
those reviews.
• Provide adequate resources and the necessary approvals for implementing the required
controls, aligned to the policies, procedures, regulatory guidelines and changing business
requirements, on a continuing basis.
• Approve exceptions on a case-by-case basis when the requirements of the Cyber
Security Policy cannot be met, set a timeline for each exception and follow up the
exception condition until the security policy requirements are met.

The broad responsibilities of the ITSC include the following:

• The ITSC will be responsible for bringing to the notice of the Board the
vulnerabilities and cyber security risks the Bank is exposed to.
• Conducting cyber security risk assessment exercises and bringing the vulnerabilities,
risks and cyber threats, the Bank’s preparedness to face the security challenges, and
associated and allied information to the notice of the authorities at appropriate forums.
• Taking commensurate measures to adequately mitigate the cyber risks and protect
the Bank.
• Managing the Security Operation Centre and cyber security related projects.
• Developing cyber security Key Risk Indicators (KRIs) and Key Performance Indicators
(KPIs) and their assessment.
• Liaising with various cyber security governance bodies and regulators.
• The Inspection & Audit Department is responsible for auditing the level of compliance
with the Cyber Security Policy & supporting policies.
• All employees of the Bank have the responsibility to understand and adhere to the
Cyber Security Policy & supporting policies.
• All employees, external contractors / third parties and others (Internal & External
auditors, in-house concurrent auditors including their audit assistants / articled clerks,
RBI / NABARD Inspectors, etc.) who require access to the Bank’s information assets shall
adhere to the Cyber Security Policy & supporting procedures and guidelines issued by the
Information Technology (IT) Department from time to time, to ensure the security of the
Bank’s information assets. Management at all levels is responsible for ensuring that staff are
aware of, and adhere to, the Cyber Security Policy & supporting procedures and guidelines
issued by the IT Department from time to time.

Monitoring and Review:

The CSP & supporting procedures shall be reviewed annually. Apart from the routine review,
the CSP & supporting procedures shall also be reviewed immediately in response to
significant changes due to security incidents and / or major changes to the organizational or
technical infrastructure. The CSP shall be effective from the date of approval by the Board of
the Bank. However, if any amendments are made to this policy through Addendum/s,
keeping in view the business and technology requirements of the Bank, the same shall take
effect immediately upon approval of the Chairman / General Manager.

Violations:

All violations of the CSP & supporting policies and/or standards are subject to disciplinary
action. The specific disciplinary action depends upon the nature of the violation, the impact
of the violation on Madhya Pradesh Gramin Bank’s information assets and related facilities,
etc. This action could range from a verbal reprimand to termination of employment / contract
or legal action.

Exceptions:

Exceptions to the Madhya Pradesh Gramin Bank Cyber Security Policy will be permitted only
after approval from the Chairman or, in his absence, the General Manager, MPGB. All
exceptions shall be requested in writing by the head of the Business Unit and the associated
risks shall be documented. If an exception is granted, the requesting division / department
acknowledges and accepts the risk associated with the exception. Residual risks shall be
documented and mitigating controls shall be applied. Exceptions shall be reviewed on a
periodic basis.

Chief Information Security Officer (CISO):

The Bank shall designate a senior-level officer of the rank of Chief Manager / IT In-Charge
as the CISO. He will report to the Chairman through the General Manager. He should have
the requisite technical background and expertise.

Roles and Responsibilities of the CISO:

The CISO is responsible for articulating and enforcing the CSP & supporting policies.
The broad responsibilities of the CISO include the following:

• The CISO will be responsible for bringing to the notice of the Board / IT Sub-Committee
(ITSC) the vulnerabilities and cyber security risks the Bank is exposed to.
• Conducting cyber security risk assessment exercises and bringing the vulnerabilities,
risks and cyber threats, the Bank’s preparedness to face the security challenges, and
associated and allied information to the notice of the authorities at appropriate forums.
• Taking commensurate measures to adequately mitigate the cyber risks and protect
the Bank.
• Managing the Security Operation Centre and cyber security related projects.
• Developing cyber security Key Risk Indicators (KRIs) and Key Performance Indicators
(KPIs) and their assessment.
• Signing off new IT-related projects / products at the time of release. The CISO is to be
involved in the process from inception.
• Coordinating Cyber Security Incident Management within and outside the Bank.
• Liaising with various cyber security governance bodies and regulators.
• Owning and sponsoring all security programs in the Bank.
• Monitoring security logs of applications, operating systems, databases, networks, etc.
• Business Continuity and Disaster Recovery Planning and Monitoring.
• Facilitating periodic risk assessment related to Information Technology as part of the
operational Risk Management process. Ensuring that the systems deployed in the Bank’s Data
Centre / DR are configured as per the secure configuration policy of the Bank.
• Ensuring that, before a No Objection Certificate (NOC) is issued to an employee who has
resigned, has been terminated or is leaving the organization, all equipment has been
returned and all of his accounts have either been deleted or had their passwords changed.
• Maintaining an information and communication technology (ICT) asset register
containing details of each asset, its owner and its security classification.
• Ensuring that all storage media, when no longer required, are disposed of securely and
safely as per the laid-down procedures.
• Ensuring the safety and security of portable computing devices / storage media when they
are taken outside the organization.
• Ensuring that all information systems within the organization are adequately patched and
updated.
• Ensuring reporting of cyber incidents to RBI / NABARD / other Government Agencies.

Baseline Controls

1. Inventory Management of Business IT Assets

1.1 The Bank’s assets shall be listed in a central Asset Inventory Register maintained by the
IT Department. Individual Asset Owners / departments shall be responsible for maintaining
records of all assets under their scoped area.
1.2 All asset on-boarding shall be done after the pre-requisites are fulfilled and a proper
risk assessment is done.
1.3 Each Asset shall be clearly identified and grouped in combination with other assets to
form an identifiable asset inventory.
1.4 The asset inventory shall include all information necessary in order to recover from a
disaster.
1.5 The Asset Inventory shall contain the following information at a minimum:
1.5.1 Identification
1.5.2 Description
1.5.3 Location
1.5.4 Owner
1.5.5 Custodian
1.5.6 Business value of the Asset
1.5.7 Asset Classification

1.6 Examples of Assets include:

1.6.1 Information: Information in the databases and configuration files, contracts and
agreements, system documentation, user manuals, training material,
operational or support procedures, business continuity plans, fall-back
arrangements, audit trails, and archived information;
1.6.2 Software: Application software, system software, Database, IOS, development
tools, and utilities;
1.6.3 Services: Computing and communications services, general utilities, e.g.
heating, lighting, power, and air-conditioning;
1.6.4 People: Key people required for day to day operations.
1.6.5 Hardware: Servers, routers, information security devices, etc.

2.0 Acceptable Use of Assets

2.1 The Bank shall ensure that there shall be rules defined for the acceptable
usage of all the assets of the Bank.

3.0 IT asset repair and servicing

3.1 All critical or sensitive data on the asset shall be backed up before sending the
asset for any servicing/repairs.
3.2 A record shall be maintained of all such IT assets being sent for servicing.

4.0 Information Labelling and Handling

4.1 Information labelling and handling procedures shall be developed commensurate
with the level of classification.

5.0 Media handling and security

5.1 All media shall be stored in a safe, secure environment, in accordance with Data
Center (DC) procedure/process.

6.0 Disposal Guidelines

6.1 The disposal of sensitive documents and data storage media shall be guided by:

6.1.1 Checking that the data embedded in storage media has been erased prior to
disposal
6.1.2 Ensuring secure means of disposal
6.1.3 Recording the disposal details
6.1.4 Assets which are not in use would be isolated from the network and should
not remain open for access beyond its utility period.

7.0 Information Classification

Classification Guidelines

7.1 The Bank shall develop an information classification scheme to ensure that the
confidentiality, integrity and availability of information is maintained.
7.2 The Bank shall classify information into one of the following categories:
    Private
    Public
    Internal
    Confidential
7.3 The Bank shall develop guidelines to ensure adequate security measures for each of
the information classification categories.
7.4 All information possessed by or used by a particular business unit within the Bank
shall have a designated information owner.

8.0 Risk Assessment

8.1 The Bank shall adopt an approach of identifying information system risks, assessing
them and taking mitigation steps to reduce the risk to an acceptable level.
8.2 The asset owners responsible for information systems risk management shall be
provided with adequate training to carry out risk assessment exercise.
8.3 Such Risk assessment exercises shall at a minimum include the following aspects:
8.3.1 Asset Identification and Classification
8.3.2 Compliance to Information Security Policy
8.3.3 Threat and Vulnerability Assessment
8.3.4 Penetration Testing

8.4 Ethical Hacking shall also be considered as part of the entire Information systems
risk management exercise. Frequency and scope of ethical hacking exercise shall
be defined and documented.
8.5 Information systems risk assessment shall be performed at regular intervals and the
risks found shall undergo an efficient risk treatment plan to ensure risks are
reduced to an acceptable level.
8.6 Decision on residual risks after the risk assessment exercise shall be taken in
consultation with Chairman or GM in absence of Chairman, application owners and
members of the Cyber Security Cell (CS Cell).
8.7 The Bank shall ensure that the approach for Risk Assessment is reviewed
periodically, to accommodate emerging threats and changes in the technical
infrastructure.
8.8 The Vulnerability Assessment / Penetration Test (VA / PT) exercises would be
performed as per regulatory requirement. However, the frequency would not be
less than quarterly for critical assets and half yearly for other assets.
8.9 Compliance and Reporting: The observations related to Risk Assessment and VA /
PT exercises will be sent to the asset owners for compliance within 7 days of
receipt of the report. The asset owners are required to submit the compliance
status within a month of receipt of the report.
8.10 The compliance status would be submitted to the ITSC for review, guidance and
closure.
8.11 The compliance status of long-pending items [more than three months] with High Risk
Vulnerabilities shall be submitted to the ITSC and/or the Audit Committee of Executives.
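The register fields in 1.5, the assessment frequencies in 8.8 and the 7-day / one-month / three-month reporting timelines in 8.9 to 8.11 can be tracked mechanically rather than by hand. The following is an added example, not part of the Bank's policy or of any tool it names, that encodes those rules over a constructed sample register and findings list. The day counts used for "quarterly" (90) and "half yearly" (182), the `critical` flag that selects the interval, and all asset names and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Added example: encodes the VA/PT schedule (8.8) and the finding-compliance
# timelines (8.9 - 8.11). Day counts are assumptions; the policy text says
# "quarterly", "half yearly", "7 days", "a month" and "three months".
CRITICAL_INTERVAL = timedelta(days=90)    # 8.8: critical assets, quarterly
OTHER_INTERVAL = timedelta(days=182)      # 8.8: other assets, half yearly
FORWARD_SLA = timedelta(days=7)           # 8.9: observations sent to owner
COMPLIANCE_SLA = timedelta(days=30)       # 8.9: owner reports compliance
ESCALATION_AGE = timedelta(days=90)       # 8.11: high risk pending > 3 months

TODAY = date(2022, 3, 31)                 # constructed reporting date


@dataclass
class Asset:
    # Minimum register fields 1.5.1 - 1.5.7, plus the scheduling data.
    identification: str
    description: str
    location: str
    owner: str
    custodian: str
    business_value: str
    classification: str          # one of the 7.2 categories
    critical: bool               # assumption: selects the 8.8 interval
    last_assessed: Optional[date] = None


@dataclass
class Finding:
    asset_id: str
    severity: str                # "high", "medium" or "low"
    report_received: date        # date the VA/PT report reached the Bank
    sent_to_owner: Optional[date] = None
    compliance_reported: Optional[date] = None


def assessment_due(asset: Asset, today: date) -> bool:
    """True when the asset's next VA/PT is overdue under 8.8 (or never done)."""
    if asset.last_assessed is None:
        return True
    interval = CRITICAL_INTERVAL if asset.critical else OTHER_INTERVAL
    return today - asset.last_assessed > interval


def finding_status(f: Finding, today: date) -> str:
    """Classify one finding against the 8.9 / 8.11 timelines."""
    if f.compliance_reported is not None:
        return "closed"
    if f.sent_to_owner is None:
        # 8.9: observations must reach the asset owner within 7 days
        late = today - f.report_received > FORWARD_SLA
        return "forward_overdue" if late else "awaiting_forward"
    # 8.11: high risk items pending more than three months go to ITSC / ACE
    if f.severity == "high" and today - f.report_received > ESCALATION_AGE:
        return "escalate_itsc"
    # 8.9: owner must report compliance within a month of receipt
    if today - f.sent_to_owner > COMPLIANCE_SLA:
        return "compliance_overdue"
    return "open"


def compliance_report(assets: List[Asset], findings: List[Finding],
                      today: date) -> Dict[str, List[str]]:
    """Group asset ids and finding ids by the state the ITSC reviews (8.10)."""
    report: Dict[str, List[str]] = {"assessment_due": []}
    for a in assets:
        if assessment_due(a, today):
            report["assessment_due"].append(a.identification)
    for i, f in enumerate(findings):
        report.setdefault(finding_status(f, today), []).append(f"{f.asset_id}#{i}")
    return report


# Constructed sample register and findings (not real Bank data).
SAMPLE_ASSETS = [
    Asset("CBS-DB-01", "Core banking database", "DC Rack 3", "Head IT", "DBA",
          "high", "Confidential", True, date(2021, 12, 1)),
    Asset("HR-FS-01", "HR file server", "HO", "Head HR", "IT Cell",
          "medium", "Internal", False, date(2021, 12, 1)),
    Asset("BR-SW-17", "Branch access switch", "Branch 17", "Branch Head",
          "IT Cell", "low", "Internal", False, None),
]
SAMPLE_FINDINGS = [
    Finding("CBS-DB-01", "high", date(2021, 12, 1), date(2021, 12, 5)),
    Finding("HR-FS-01", "medium", date(2022, 2, 1), date(2022, 2, 5)),
    Finding("BR-SW-17", "low", date(2022, 3, 20)),
    Finding("CBS-DB-01", "low", date(2022, 3, 28)),
    Finding("HR-FS-01", "high", date(2022, 1, 10), date(2022, 1, 12), date(2022, 2, 1)),
]

if __name__ == "__main__":
    for state, ids in compliance_report(SAMPLE_ASSETS, SAMPLE_FINDINGS, TODAY).items():
        print(f"{state:20s} {', '.join(ids)}")
```

The escalation check in `finding_status` is keyed to the date the report was received, not the date it reached the owner, so a high-risk item cannot be kept out of the ITSC view by delaying the hand-off to the asset owner.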

2. Preventing execution of unauthorised software

2.1 The Bank shall maintain an up-to-date and preferably centralised inventory of
authorised/ unauthorised software/s. Consider implementing whitelisting of
authorised applications/ software/libraries, etc. (Refer Inventory Management
of Business IT Assets Policy)
2.2 The bank shall have mechanism to centrally/otherwise control installation of
software/applications on end-user PCs, laptops, workstations, servers, mobile
devices, etc. and mechanism to block /prevent and identify installation and
running of unauthorised software/applications on such devices/systems. (Refer
Inventory Management of Business IT Assets Policy)
2.3 The Bank shall continuously monitor the release of patches by various vendors /
OEMs and advisories issued by CERT-In and other similar agencies, and
expeditiously apply the security patches as per the patch management policy of
the Bank. If a patch / series of patches is released by the
OEM / manufacturer / vendor for protection against well-known / well-
publicised / reported attacks exploiting the vulnerability patched, the Bank must
have a mechanism to apply them expeditiously following an emergency patch
management process. (Refer Patch/Vulnerability & Change Management Policy)
2.4 The Bank shall have a clearly defined framework including requirements
justifying the exception(s), duration of exception(s), process of granting
exceptions, and authority for approving, authority for review of exceptions
granted on a periodic basis by officer(s) preferably at senior levels who are well
equipped to understand the business and technical context of the exception(s).
(Refer Patch/Vulnerability & Change Management Policy).
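Clauses 2.1 to 2.3 ask for a centralised inventory of authorised software, a block on anything outside it, and prompt patching. An allowlist keyed by file hash is one way to implement the first two checks. The example below is added here, is not the Bank's own tooling, and uses constructed binaries, product names and version numbers. It assumes the inventory records the approved build hashes per product together with a minimum patched version, so that an endpoint scan can distinguish software absent from the inventory, a build that does not match any approved hash, and an approved but unpatched build.

```python
import hashlib
from typing import Dict, List, Tuple

# Added example: hash-based application allowlisting with a patch-level check.
# The builds below are constructed byte strings standing in for real binaries.
APPROVED_BUILDS: Dict[str, Dict[str, bytes]] = {
    "cbs-client": {
        "3.2.0": b"constructed cbs-client build 3.2.0",
        "3.2.1": b"constructed cbs-client build 3.2.1",
    },
    "pdf-viewer": {
        "10.0": b"constructed pdf-viewer build 10.0",
    },
}
# Assumption: the inventory records the lowest version carrying the current
# security patches (2.3); older approved builds may still run but are flagged.
MIN_PATCHED_VERSION = {"cbs-client": "3.2.1", "pdf-viewer": "10.0"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved: Dict[str, Dict[str, bytes]]) -> Dict[str, Dict[str, str]]:
    """Map product name -> {sha256 of an approved build -> its version}."""
    return {name: {sha256_hex(blob): ver for ver, blob in builds.items()}
            for name, builds in approved.items()}


ALLOWLIST = build_allowlist(APPROVED_BUILDS)


def parse_version(v: str) -> Tuple[int, ...]:
    # Assumption: dotted numeric versions only (e.g. "3.2.1").
    return tuple(int(p) for p in v.split("."))


def evaluate_binary(name: str, content: bytes) -> str:
    """Return the control decision for one executable reported by an endpoint."""
    digest = sha256_hex(content)
    if name not in ALLOWLIST:
        return "block:not_in_inventory"           # 2.1 / 2.2: unknown software
    version = ALLOWLIST[name].get(digest)
    if version is None:
        return "block:unapproved_build"           # 2.2: hash matches no approved build
    if parse_version(version) < parse_version(MIN_PATCHED_VERSION[name]):
        return "allow:patch_required"             # 2.3: approved but behind on patches
    return "allow"


def scan_endpoint(installed: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Evaluate every (name, content) pair collected from an endpoint."""
    return [(name, evaluate_binary(name, content)) for name, content in installed]


# Constructed endpoint inventory: a current build, a modified copy of an
# approved product, an older approved build, and a tool absent from the inventory.
SAMPLE_ENDPOINT = [
    ("cbs-client", APPROVED_BUILDS["cbs-client"]["3.2.1"]),
    ("pdf-viewer", b"constructed pdf-viewer build 10.0" + b"\x90"),
    ("cbs-client", APPROVED_BUILDS["cbs-client"]["3.2.0"]),
    ("remote-desk-tool", b"constructed unknown remote access tool"),
]

if __name__ == "__main__":
    for name, verdict in scan_endpoint(SAMPLE_ENDPOINT):
        print(f"{name:18s} {verdict}")
```

Matching on the hash rather than the file name is what makes the second sample entry a block: the product is authorised, but the bytes on disk are not any build the Bank approved.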

3. Environmental Controls

The Bank is exposed to a wide range of physical and environmental threats which can
cause harm to the security systems and resources of the Bank. These threats can cause
disruption to security systems and resources, and thus it is important for the Bank to
safeguard its assets from any damage.

The objective of this Policy is to establish a set of guidelines for securing Bank’s premises
and information assets and to build security controls to prevent damage from physical
security threats and environmental hazards.

The Physical and Environmental Security Policy of the Bank is applicable to all the
employees, third parties, contractors, information systems and resources, and all the
facilities of the Bank.

The Bank shall ensure that alternate arrangements for supporting utilities such as air
conditioning, firefighting equipment, uninterrupted power supply, etc. are made to ensure
continuity of business operations.

Protecting against External and Environmental Threats

The Bank shall ensure that the information processing facilities are fitted with appropriate
firefighting devices in order to detect the fire at the incipient stage, arrest the fire spread
and to avoid damage to the various resources of the Bank.

The Bank shall ensure adequate physical protection against damage from natural or man-
made disasters, supported by monitoring of temperature, water and smoke, access alarms,
service availability alerts (power supply, telecommunication, servers), access logs, etc.

4. Network Management and Security

Networking systems are the backbone of the entire infrastructure deployed in the Bank.
Securing these systems is of utmost importance for the Bank to safeguard the
information being stored, transmitted and processed using the applications and
computing resources residing on the network.

The objective of this Policy is to establish a set of guidelines to protect the Bank’s
network against a multitude of attacks.

The Network Security Management policy is applicable to all the networking devices
[e.g. routers, switches, hubs, firewalls, and IPS/IDS (Intrusion Prevention / Detection
Systems)] deployed in the Bank’s infrastructure.

1.0 Network Access Management

1.1 The Bank shall implement appropriate network security measures to protect the
network and system infrastructure.
1.2 The Bank shall ensure that adequate technical controls are implemented to protect
connected systems, and to safeguard the confidentiality, integrity and availability of
critical business information that passes over public networks. The Bank shall ensure
that network services agreement is defined for network services provided in-house or
through third parties and include security features, management requirements and
service levels.

2.0 Network Access Control

2.1 The Bank shall ensure that access to networks and network services is specifically
authorized in accordance with the Bank’s Logical Access Security and IT Asset
Management policies.
2.2 The Bank shall ensure that access to networks and network services is controlled on
the basis of business and security requirements and corresponding guidelines be
defined.
2.3 These guidelines shall consider the following aspects:

2.3.1 Security requirements of the network or network service(s);
2.3.2 An identified business requirement for the user to have access to the network
or network service;
2.3.3 The users’ security classification and the security classification of the
network / network service;
2.3.4 Legal and/or contractual obligations to restrict or protect access to assets;
2.3.5 Definition of user access profiles and management of user access rights
throughout the network of the Bank.
2.4 The Bank shall ensure that logical access to networking hardware and software is
limited to properly authorized personnel.
2.5 The Bank shall ensure that access to programmable network devices (e.g., routers,
switches and firewalls) is restricted to authorized users only.
2.6 The Bank shall ensure that the use of network diagnostic and security tools is limited
to specific users and is in accordance with their job responsibilities.
2.7 The Bank shall ensure that access to all network configurations and security-related
data (e.g. dial-up numbers, IP addresses) is limited to authorized users only.
2.8 The Bank shall ensure that IP assignment to network devices is based on
restrictions on the usage of the public and private IP address ranges identified by the
concerned teams.
2.9 The Bank shall ensure that the configuration files of core network devices are
backed up. Whenever changes are made in the configuration, revised configuration
file is backed up.

3.0 User Authentication for External Connections

3.1 The Bank shall ensure that remote access to the Bank’s networks is subject to
appropriate user authentication methods.
3.2 The Bank shall ensure that dial-Up access to Bank’s resources is in accordance with
the Bank’s Access Control Policy and IT Asset Management Policy.
3.3 The Bank shall ensure that Two factor authentication mechanisms are deployed
where access to critical infrastructure or applications are involved.

4.0 Equipment Identification in Networks

4.1 The Bank shall identify all the network equipment by individual names and maintain a
record of all network equipment along with location and purpose of the equipment. This
shall be part of an overall Asset Register maintained by IT Department. (Refer Asset
Management Policy)
4.2 The Bank shall ensure that hardwired communication lines (e.g., network lines,
telephone lines, etc.) are catalogued and uniquely identifiable to the system being
accessed to facilitate maintenance and security.
4.3 The Bank shall also maintain a network diagram and periodic reviews be conducted
to reflect the changes in the network architecture.

5.0 Remote Diagnostic & Configuration Port Protection

5.1 The Bank shall ensure that all remote diagnostic connections for maintenance,
support and special services are secured and controlled.
5.2 The Bank shall ensure that any remote administration connections authorized by the
Bank shall use strong authentication (typically two-factor authentication) as well as
corresponding encryption methods (such as SSH, SSL and VPN) to secure
communication traversing the network.

6.0 Segregation in Networks

6.1 The Bank’s information systems network shall be divided into logical segments,
based on the access requirements. The criteria for division of networks shall also
consider the relative cost and performance impact of incorporating suitable
technology.
6.2 The Bank shall ensure that the connectivity between internal and external networks
is tightly controlled.

7.0 Network Connection Control

7.1 The Bank shall ensure that a Network Service Policy Table is formulated
for each service that is allowed through the firewalls. The table shall list
the service, the direction of the service, the business risks associated
with allowing the service, and the business justification for allowing the
service. The Bank shall ensure that the log files of administrator and
critical device logs are reviewed on a periodic basis.

8.0 Network Routing Control

8.1 The Bank shall ensure that all routing traffic is authorized by the Bank based on
business communication needs and in consultation with business process owners.
8.2 The Bank shall ensure that appropriate routing control mechanisms are deployed to
restrict information flows to designated network paths within the control of the Bank.
8.3 The Bank shall ensure that the network routing controls at a minimum are based on
positive source and destination address checking mechanisms.

9.0 Firewall

9.1 The Bank shall deploy Firewall technologies at each intersection between their
networks and public or third-party networks.
9.2 The Bank shall ensure that firewalls are configured on the basis of Network Service
Policy Table covering all allowable services that have been specifically authorized.
9.3 The Bank shall ensure that network firewalls regulate traffic across all connections
between the Bank’s networks and public or third-party networks, and are configured
to only permit ingress and egress traffic of authorized network protocols between
authorized hosts and networks.
9.4 The Bank shall ensure that all hosts that run applications and contain confidential
data are isolated behind a firewall from public external networks.
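Sections 7.1, 8.3 and 9.2 to 9.3 together describe a Network Service Policy Table that drives the firewall: every permitted service carries a direction, a business risk and a justification, rules check both source and destination positively, and anything not in the table is denied. The following added example (not the Bank's own table or firewall configuration; every network, service and justification in it is constructed, and the rule text uses a generic syntax rather than any vendor's CLI) validates such a table before it becomes rules and then evaluates sample flows against it, so an incomplete or "any"-to-"any" entry is rejected instead of silently turning into a rule.

```python
import ipaddress
from typing import Dict, List, Tuple

# Added example: validate a Network Service Policy Table (7.1) and enforce
# positive source/destination checking (8.3) with a default deny (9.3).
REQUIRED_FIELDS = ("service", "proto", "port", "direction",
                   "source", "destination", "risk", "justification")
OPEN_ENDED = {None, "", "any", "0.0.0.0/0", "::/0"}

# Constructed table; addresses are documentation ranges, not Bank networks.
POLICY_TABLE: List[Dict] = [
    {"service": "cbs-api", "proto": "tcp", "port": 443, "direction": "egress",
     "source": "10.10.0.0/16", "destination": "203.0.113.10/32",
     "risk": "medium", "justification": "branch clients to core banking API"},
    {"service": "fw-mgmt-ssh", "proto": "tcp", "port": 22, "direction": "ingress",
     "source": "10.10.250.0/24", "destination": "10.10.1.1/32",
     "risk": "high", "justification": "firewall administration from admin VLAN"},
    # Should be rejected: open-ended destination defeats positive address checking.
    {"service": "web-browsing", "proto": "tcp", "port": 80, "direction": "egress",
     "source": "10.10.0.0/16", "destination": "any",
     "risk": "medium", "justification": "general internet"},
    # Should be rejected: no business justification recorded.
    {"service": "legacy-ftp", "proto": "tcp", "port": 21, "direction": "ingress",
     "source": "198.51.100.0/24", "destination": "10.10.2.5/32",
     "risk": "high", "justification": ""},
]


def validate_entry(entry: Dict) -> List[str]:
    """Return the problems with one table row (an empty list means valid)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if entry.get(field) in (None, ""):
            problems.append(f"missing {field}")
    if entry.get("direction") not in ("ingress", "egress"):
        problems.append("direction must be ingress or egress")
    for field in ("source", "destination"):
        value = entry.get(field)
        if value in OPEN_ENDED:
            problems.append(f"{field} must name a specific network")
            continue
        try:
            ipaddress.ip_network(value, strict=True)
        except ValueError:
            problems.append(f"{field} is not a valid network")
    return problems


def build_ruleset(table: List[Dict]) -> Tuple[List[Dict], Dict[str, List[str]]]:
    """Split the table into enforceable rules and rejected rows with reasons."""
    rules, rejected = [], {}
    for entry in table:
        problems = validate_entry(entry)
        if problems:
            rejected[entry.get("service") or "<unnamed>"] = problems
        else:
            rules.append(entry)
    return rules, rejected


def is_permitted(rules: List[Dict], proto: str, src: str, dst: str, port: int) -> bool:
    """Positive check: a flow passes only if some rule matches it; else default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["proto"] == proto and r["port"] == port
                and s in ipaddress.ip_network(r["source"])
                and d in ipaddress.ip_network(r["destination"])):
            return True
    return False


def render_rules(rules: List[Dict]) -> List[str]:
    """Illustrative rule text in a generic syntax (not a specific vendor's CLI)."""
    lines = [f"permit {r['proto']} {r['source']} -> {r['destination']} port {r['port']}"
             f"  # {r['service']} ({r['risk']} risk): {r['justification']}"
             for r in rules]
    lines.append("deny ip any -> any  # default deny, 9.3")
    return lines


if __name__ == "__main__":
    rules, rejected = build_ruleset(POLICY_TABLE)
    print("\n".join(render_rules(rules)))
    for name, why in rejected.items():
        print(f"REJECTED {name}: {'; '.join(why)}")
```

Because the matcher consults only validated rows and falls through to `False`, a row that fails validation never widens what the firewall permits; the review of rejected rows then becomes the exception process the policy describes rather than a silent gap.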

10.0 Intrusion Prevention System/Intrusion Detection System (IDS/IPS)

10.1 The Bank shall ensure that all communication between web servers and other
components of electronic trading systems is subjected to IDS/IPS inspection.
10.2 The Bank shall ensure that IPS/IDS events and alerts are responded to and
investigated thoroughly and in a timely fashion as per the Bank’s Incident
Management Policy.

11.0 Data Transmission: Data over third party networks

11.1 The Bank shall ensure that any data travelling over third-party networks is
encrypted, wherever feasible. The Bank shall ensure that confidential/restricted
information transmitted over any communication network is in an encrypted form.

12.0 Data Transmission: Dial-in-Authentication

12.1 The Bank shall ensure that, for confidential information, all equipment that provides
dial-in capability to the network identifies the user through a login sequence before
allowing access.

13.0 Restrictions on Use of Remote Access Software

13.1 The Bank shall implement adequate security controls to prevent users from
attaching any hardware or installing remote access communications software
(software that allows a remote user to dial into a PC attached to the network and
issue commands from it as if it were attached to the network itself). The use of
personal communications equipment (modems, ISDN cards, etc.) attached directly
to personal computers with remote control software shall be prohibited.

14.0 Disabling Default Network Equipment Passwords

14.1 The Bank shall ensure that all default passwords of the network equipment are
changed during installation.

15.0 System Validation of User Required Prior to Access

15.1 The Bank shall ensure that the access to the system is configured to validate each
user based on a user ID and password.
15.2 Once verified, users shall be allowed access only to authorized applications.

16.0 Network Assessment

16.1 The Bank shall ensure that network vulnerability assessments are performed on
periodic basis by competent personnel. The risks identified shall be documented in
the assessment report.

17.0 Clock Synchronization

17.1 The Bank shall ensure that Network Time Protocol (NTP) Synchronization
is introduced for all devices in the network to ensure that all devices
have been configured to a uniform time.

18.0 Hardening

18.1 The Bank shall ensure that all network devices (server, routers and firewalls, IPS,
IDS, load balancers, switches, modems, etc.) are configured as per the Secure
Configuration Document before being put in the production environment. Changes
to these devices shall be tracked through change management process.

19.0 FAX systems and security

19.1 The Bank shall conduct periodic user awareness sessions to ensure that
sensitive information is not disclosed over the phone or fax to anyone
unless the person at the other end has been verified.

5. Secure Configuration

5.1 Document and apply baseline security requirements / configurations to all
categories of devices (end-points / workstations, mobile devices, operating
systems, databases, applications, network devices, security devices, security
systems, etc.) throughout the life cycle (from conception to deployment) and
carry out reviews periodically. (Refer Application Security Life Cycle Policy, User
Access Control / Management Policy and IT Asset Management Policy)
5.2 The Bank shall periodically evaluate critical device (such as firewall, network
switches, security devices, etc.) configurations and patch levels for all systems
in the Bank’s network, including those in Data Centres, third-party hosted sites and
shared-infrastructure locations. (Refer Patch/ Vulnerability & Change
Management Policy)

6. Application Security Life Cycle (ASLC)

This policy is intended for managing source code during Software Development Life cycle
and Application life cycle.

It provides guidelines for application and system owners for ensuring that security
requirements are met for Software Development and for access of Source code.

This policy is applicable to all employees, affiliates, including contractors, 3rd party service
providers who are involved in source code development / customization for the Bank and
system and application owners of the Bank. All are expected to comply with this policy at all
times to protect the privacy, confidentiality, and interests of the bank and its services,
employees, partners, customers, and competitors.

1. Application and System Owners

a. Familiarize themselves with the policy laid down by the Bank for managing source code.
b. Maintain policy requirements during source code access.
c. All security best practices and coding practices shall be followed during source code
development.
d. Development shall be done in an isolated development environment.

2. Cyber Security Cell

a. Ensure that application and system owners are made aware of the policy laid down by the
bank for managing source code.
b. Ensure that periodic reviews are conducted to confirm that the source code does not
contain backdoors/malicious code.

3. Source Code Management

a. There shall be a repository for managing and version control of source code. Developers
must retrieve the source code only from this repository when modifying programs.
b. All modification or customizations carried out on the application shall have version control.
c. Testing team personnel shall be allowed ‘read only’ access to the source code repository.
d. Only authorized IT personnel shall have update access to the production source code
repository.

4. Version Control

a. Source code shall be held in a repository with a release or version number to distinguish
between different versions.
b. The content of each version shall be documented with a brief description.

c. System documentation shall be subject to version control and versions of documentation
must be related to the corresponding application versions.

5. Review

a. During the design stage of software, along with the functional requirements specification
(FRS) a security requirements specification shall be developed.
b. The security requirements specification shall take into consideration the requirements of
this security policy including password policy, auditing and logging, login process, and
other relevant policies.
c. Code review (peer or independent) shall be conducted to ensure that the code does not
contain backdoors.
d. Code review shall be performed prior to deployment of application into production
environment and deployment of any application changes for major home-grown or 3rd
party applications.
e. For customization changes, the review would be done periodically, once a year.
f. Code review shall be performed by an individual other than the originating code
author/programmer.
g. The reviewer shall be aware of Secure Coding Guidelines accepted by the bank and also
other standards e.g. Open Web Application Security Project (OWASP).
h. Security review and testing of all custom developed applications shall be carried out prior
to deployment in the production environment.
i. All critical financial applications developed in house shall be subjected to Application
Review. CISO may seek the help of Corporate Audit / 3rd parties for conducting the
same.
j. When procuring new software, the security features of the systems shall be evaluated.
k. The ownership of the application would be documented in the name of
individual/department/designation as the case may be. The owner will be responsible for
IPR protection and Escrow arrangement for the source code.
l. In case of Web / Mobile applications, the owner of the system would be responsible for
web-admin, mobile app store update related activities.

7. Patch/Vulnerability & Change Management

The Bank has and shall continue to deploy software and systems to provide banking services
to its customers. These components shall be continuously updated to reduce the likelihood
of vulnerabilities being exploited and impacting the business.

The objective of this policy is to outline a set of guidelines to protect systems and
software from known vulnerabilities and exploits.

The Patch Management Policy applies to all the Bank’s Information Assets, Business
Applications, Network/computing Devices (Servers, Desktops, Network Devices), etc.

The Bank shall ensure that all patches are applied based on criticality and their potential
impact on the systems, following appropriate testing of the patches.

The Bank shall ensure that all patches are deployed in a test environment and their impact
assessed before deploying the patches in the production environment.

The Bank shall ensure that critical patches are deployed on a priority basis, depending on
the potential impact to the systems and adequate testing of the patches in the test
environment.

The Bank shall ensure that other patches are considered for deployment over a periodic
cycle for branches.

The Bank shall ensure that new devices are patched to the current patch level, as defined by
the operating system vendor and supported by the application, prior to the device being
connected to the production network.

The Bank shall ensure that if no patch is available for an identified vulnerability, adequate
measures are implemented to protect the system/application from being exploited.

The Bank shall ensure that all business critical infrastructure and applications are scanned
for new threats and vulnerabilities periodically.

The Bank shall ensure that identified vulnerabilities are addressed either by patching,
implementing compensating control or by documenting and accepting reasonable business
risk.

The Bank shall ensure that all the patches/compensating controls to be deployed in the
production environment will follow the Change Management Procedure.

All patches need to be documented in the patch management system as to their criticality
and applicability to the systems and applications in use. Some patches may not be required
for particular systems. All required patches should be applied to the systems within 30 to 90
days depending on the criticality of the patch, the vulnerability and its exploitation potential,
external dependencies, the rigour of testing requirements, availability of mitigating controls,
and any approved exception timeline after acceptance of the risk.

The Vulnerability Assessment / Penetration Test (VA / PT) exercises would be performed as
per regulatory requirement. However, the frequency would not be less than quarterly for
critical assets and half yearly for other assets.

Compliance and Reporting: The observations related to Risk Assessment and VA / PT
exercises will be sent to the asset owners for compliance within 7 days of receipt of the
report. The asset owners are required to submit the compliance status within a month of
receipt of the report.

The compliance status would be submitted to the ITSC for review, guidance and closure.
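The remediation windows and treatment outcomes described above, as an added example that is not part of the Bank's policy or tooling: a small Python tracker that computes due dates from the 30-to-90-day window, classifies each finding as patched, covered by a compensating control, risk-accepted within an approved exception timeline, or overdue, and derives the 7-day and one-month compliance reporting deadlines. The per-criticality split of the window, the 30-day reading of "a month", and all asset names and advisory references are assumptions made for this example.

```python
"""Patch/vulnerability remediation tracker (added example, not the Bank's tooling)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed mapping of the policy's 30-90 day range onto criticality levels;
# the policy states the range, not the per-level split.
SLA_DAYS = {"critical": 30, "high": 45, "medium": 60, "low": 90}

# Outcomes the policy accepts for an identified vulnerability besides risk acceptance.
CLOSED_STATES = {"patched", "compensating_control"}

# Reference date used by the sample run (constructed).
TODAY = date(2022, 3, 1)


@dataclass
class Finding:
    asset: str                 # hostname or asset tag from the inventory
    reference: str             # advisory / scanner id (placeholder values below)
    criticality: str           # key of SLA_DAYS
    reported: date             # date the vulnerability was identified
    status: str = "open"       # open | patched | compensating_control | risk_accepted
    closed_on: Optional[date] = None        # when patched / control deployed
    exception_until: Optional[date] = None  # approved exception timeline for risk_accepted


def due_date(f: Finding) -> date:
    """Remediation deadline: reported date plus the window for its criticality."""
    if f.criticality not in SLA_DAYS:
        raise ValueError(f"unknown criticality {f.criticality!r} for {f.asset}")
    return f.reported + timedelta(days=SLA_DAYS[f.criticality])


def evaluate(f: Finding, today: date) -> str:
    """Classify a finding against the policy as of a given date."""
    due = due_date(f)
    if f.status in CLOSED_STATES:
        if f.closed_on is None:
            raise ValueError(f"{f.asset}: closed finding without closed_on date")
        return "compliant" if f.closed_on <= due else "closed_late"
    if f.status == "risk_accepted":
        # Risk acceptance is only valid with an approved exception timeline.
        if f.exception_until is None:
            raise ValueError(f"{f.asset}: risk_accepted without exception_until")
        return "accepted" if today <= f.exception_until else "exception_expired"
    if f.status == "open":
        return "within_sla" if today <= due else "overdue"
    raise ValueError(f"{f.asset}: unknown status {f.status!r}")


def action_list(findings, today: date) -> list:
    """Findings needing escalation: overdue, or whose exception has lapsed."""
    return [f"{f.asset}:{f.reference}" for f in findings
            if evaluate(f, today) in {"overdue", "exception_expired"}]


def compliance_deadlines(report_received: date):
    """Reporting timeline from the policy: observations go to asset owners within
    7 days of receipt; owners submit compliance status within a month (assumed 30 days)."""
    return report_received + timedelta(days=7), report_received + timedelta(days=30)


# Constructed sample inventory; assets and references are placeholders.
SAMPLE = [
    Finding("branch-fw-01", "ADV-PLACEHOLDER-1", "critical", date(2022, 1, 15)),
    Finding("hq-db-02", "ADV-PLACEHOLDER-2", "low", date(2022, 1, 15)),
    Finding("cbs-app-01", "ADV-PLACEHOLDER-3", "high", date(2022, 1, 1),
            status="patched", closed_on=date(2022, 2, 10)),
    Finding("dmz-web-01", "ADV-PLACEHOLDER-4", "medium", date(2021, 12, 1),
            status="compensating_control", closed_on=date(2022, 2, 20)),
    Finding("legacy-atm-sw", "ADV-PLACEHOLDER-5", "critical", date(2021, 11, 1),
            status="risk_accepted", exception_until=date(2022, 2, 1)),
    Finding("hr-portal", "ADV-PLACEHOLDER-6", "critical", date(2022, 2, 1),
            status="risk_accepted", exception_until=date(2022, 6, 30)),
]


def sample_status(today: date = TODAY) -> dict:
    """Status of every sample finding as of `today`, keyed by asset."""
    return {f.asset: evaluate(f, today) for f in SAMPLE}


def sample_escalations(today: date = TODAY) -> list:
    """Escalation list for the sample inventory as of `today`."""
    return action_list(SAMPLE, today)


if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.asset:14} due {due_date(f)}  {evaluate(f, TODAY)}")
    print("escalate:", sample_escalations())
```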

8. User Access Control / Management

The Bank shall continue to deploy systems which are intended to be used for business
purposes in serving the interest of the Bank and the Bank’s customers in the normal course
of operations. It is thus important to protect these systems from illegal or damaging actions
by individuals, known or unknown, to avoid exposing the Bank to any legal, reputational or
financial risks.

The objective is to outline, for employees and other individuals performing work for
the Bank, the acceptable use of the Bank's information resources, i.e. Internet usage, Email and
Messaging usage, Desktops and other mobile devices like Laptops, Blackberry, iPad, etc.

The Acceptable Usage Policy applies to all individuals performing work on behalf of the Bank,
including permanent full-time and part-time employees, contract workers, temporary agency
workers, business partners, and vendors (hereinafter referred to as “Users”), using the
Bank’s Information Resources i.e. Internet usage, Email and Messaging usage, Desktop and
other mobile devices like Laptop, Blackberry, iPad, etc.

1.0 General Usage

1.1 While the Bank's network administration desires to provide a reasonable level of privacy,
the data that users create on the corporate systems remains the property of the Bank.
1.2 Users shall ensure that they are responsible for exercising good judgment regarding the
reasonableness of personal use of Bank’s Information Resources.
1.3 Users shall note that, for security and network maintenance purposes, authorized
individuals within the Bank shall monitor equipment, systems and network traffic at any
time.
1.4 Users shall note that the Bank reserves the right to audit networks and systems
on a periodic basis to ensure compliance with this policy.
1.5 Management at all levels shall ensure that employees, vendors, contractors, third party
and external agencies are aware of and adhere to the Information Security Policies and
other guidelines issued by the Information Security Cell.

2.0 Desktop, Laptops, Blackberry, iPad, etc. Usage

2.1 The Bank shall ensure that users are responsible for the security of their desktops and
other devices in their custody and take adequate measures to restrict physical and
logical access to these devices. The data residing on these devices will be the property
of the Bank.
2.2 Users at a minimum shall adhere to the following guidelines:
2.2.1 Users shall not install any software or applications on their desktop that is not
authorized or not essential to Bank’s business.
2.2.2 Users shall not connect modems/Wireless Access Points/Broadband Data cards
from the Bank’s premises to their machines unless and otherwise approved by
the appropriate authority.
2.2.3 Users shall not disable the installed anti-virus agent or change its settings
defined during installation.
2.2.4 Users shall not disrupt the scheduled virus scan on their desktops.
2.2.5 All files received from external sources shall be scanned for virus infections
before opening.
2.2.6 User shall report to system administrator on any virus detected in the system
and not cleaned by the anti-virus.
2.2.7 Users shall not override the minimum settings configured on their desktops or
devices. Exceptions if any shall be supported by a valid business justification.
2.2.8 All necessary patches/ hot fixes for the operating system and applications
installed shall be periodically updated.

3.0 Internet usage

3.1 Users at a minimum shall adhere to the following guidelines:

3.1.1 Internet access is provided to users for the performance and fulfilment of job
responsibilities.
3.1.2 Employees shall access the Internet only through the connectivity provided by the
bank and shall not set up Internet access without authorization from the IT
department.
3.1.3 All access to the Internet will be authenticated and will be restricted to business
related sites.
3.1.4 For PCs on the Intranet, Internet access shall be provided only through the Proxy
Server. No PC in the MPGB network shall be provided with direct internet access.
Any exception to the above shall go through the Bank's exception approval process.
If direct Internet access is a pre-requisite for any application server, the request
should be routed through the respective Head of the Department to the Change
Management (CR) Process. The IT department shall maintain an up to date list of such
servers / PCs.
3.1.5 Users are responsible for protecting their Internet account and password.
3.1.6 In case misuse of Internet access is detected, the bank may terminate the user's
Internet account and take such other disciplinary action as the bank may deem fit.
3.1.7 Users shall not modify the security settings on the internet browser, which are
configured as per the secure configuration guidelines maintained by the Bank.
3.1.8 Users shall ensure that they do not access websites by clicking on links
provided in emails or on other websites.
3.1.9 The Bank reserves the right to monitor and review the Internet usage of users to
ensure compliance with this policy.
3.1.10 The browser shall be patched with the latest patches whenever they are made
available. Users shall also click on the Windows Update button periodically to check
the patch status.
3.1.11 The “Password Save” option available under the Auto-complete menu of the
browser shall be unchecked.

4.0 Email Usage

4.1 Users at a minimum shall adhere to the following guidelines:

4.1.1 Email is a business communication tool and users shall use this tool in a
responsible, effective and lawful manner. A user's e-mail account can be terminated or the
bank could take appropriate punitive action in case misuse of the e-mail
system is discovered.
4.1.2 Users shall use the standard disclaimer approved by bank at the end of the e-
mail.
4.1.3 Bank has the authority to intercept or disclose, or assist in intercepting or
disclosing, e-mail communications.
4.1.4 Personal email id which is not provided by the bank shall not be used to send
official communications.
4.1.5 Emails that are not digitally signed shall not be used for critical transactions
requiring legal authentication of sender.
4.1.6 Users owning the email account shall be responsible for the content of email
originated, replied or forwarded from their account to other users inside or
outside the Bank.
4.1.7 Users shall protect their email account on the server through strong password
and shall not share their password or account with anyone else. The user will
change the default password provided by the e-mail administrator
immediately after being notified of the change.
4.1.8 Users shall exercise caution in providing their email account or other
information to websites or any other Internet forum like discussion board/
mailing list.
4.1.9 Users shall promptly report all suspected security vulnerabilities or incidents
that they notice with the email system to the help desk or the branch /
department system administrator.
4.1.10 Email on mobile devices such as BlackBerry and iPads shall only be
configured and accessed after appropriate approvals from business units.
4.1.11 Mail services from other mail service providers like Gmail, Yahoo
(other than official mail service/s) are not allowed on the Bank’s
machines / infrastructure. However, on specific recommendations from
the head of the Department, these mail services may be allowed in one PC
of the department for maximum 90 days. The responsibility of the usage of
such mails will remain with head of the Department.
4.1.12 Need for exceptions will be reviewed on quarterly basis.

5.0 Blogging and Using Social Media

5.1 Users at a minimum shall adhere to the following guidelines:

5.1.1 Access and usage of blogging and other social media websites is guided by the
Social Media Policy. The guidelines set forth in this section supplement the
Social Media Policy.
5.1.2 Users are prohibited from revealing Bank’s confidential or proprietary
information, trade secrets or any other material to public.
5.1.3 Users are prohibited from making any discriminatory, disparaging, defamatory
or harassing comments when blogging and shall take every care so that the
Bank’s reputation and/or goodwill is not at stake.
5.1.4 Users expressing their beliefs and/or opinions in blogs shall explicitly
state that the statements are personal and do not represent the views of the
Bank.
5.1.5 Apart from following all laws pertaining to the handling and disclosure of
copyrighted or export controlled materials, Bank’s trademarks, logos and any
other Bank’s intellectual property may also not be used in connection with any
blogging activity.
6.0 Prohibited Activities

6.1 Users shall, at a minimum, refrain from the following prohibited activities:
6.1.1 Violations of the rights of any person or company protected by copyright, trade
secret, patent or other intellectual property, or similar laws or regulations,
including, but not limited to, the installation or distribution of "pirated" or other
software products that are not appropriately licensed for use by the Bank.
6.1.2 Unauthorized copying of copyrighted material including, but not limited
to, digitization and distribution of photographs from magazines, books or
other copyrighted sources, copyrighted music, and the installation of
any copyrighted software for which the Bank or the end user does not
have an active license is strictly prohibited.
6.1.3 Introduction of malicious programs into the network or server (e.g. viruses,
worms, Trojan horses, e-mail bombs, etc.).
6.1.4 Revealing your account password to others or allowing use of your account by
others.
6.1.5 Making fraudulent offers of products, items, or services provided by the Bank.
6.1.6 Making statements about warranty, expressly or implied of products, items, or
services provided by the Bank.
6.1.7 Effecting security breaches or disruptions of network communication. Security
breaches include, but are not limited to, accessing data of which the employee
is not an intended recipient or logging into a server or account that the
employee is not expressly authorized to access, unless these duties are within
the scope of regular duties. For purposes of this section, "disruption" includes,
but is not limited to, network sniffing, ping floods, packet spoofing, denial of
service, and forged routing information for malicious purposes.
6.1.8 Port scanning or security scanning is expressly prohibited unless prior
notification and approval from Information Security Cell is obtained.
6.1.9 Executing any form of network monitoring which will intercept data not
intended for the employee's host.
6.1.10 Circumventing user authentication or security of any host, network or account.
6.1.11 Interfering with or denying service to any user other than the employee's host
(for example, denial of service attack).
6.1.12 Using any program/script/command, or sending messages of any kind, with
the intent to interfere with, or disable, a user's terminal session, via any
means, locally or via the Internet/Intranet/Extranet.
6.1.13 Providing information about, or lists of, Bank’s employees to external parties.

6.1.14 Sending unsolicited email messages, including the sending of "junk
mail" or other advertising material to individuals who did not specifically
request such material.
6.1.15 Any form of harassment via email, telephone or paging, whether through
language, frequency, or size of messages.
6.1.16 Unauthorized use, or forging, of email header information.
6.1.17 Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of
any type.
6.1.18 No external PCs / Laptops or any other devices shall be connected to the
network without the permission of the Information Security Cell.
The recommendation for connectivity shall come from the head of the
Department requiring such connectivity.

9. Authentication Framework for Customers

9.1 The Bank shall implement an authentication framework/mechanism to provide positive
identity verification of the bank to customers.
9.2 The Bank shall ensure that customer identity information is kept secure.
9.3 The Bank shall act as the identity provider for identification and authentication of
customers for access to partner systems using secure authentication technologies.

10. Secure mail and messaging systems

10.1 The Bank shall implement secure mail and messaging systems, including those used by
bank’s partners & vendors, that include measures to prevent email spoofing, identical
mail domains, protection of attachments, malicious links etc. (Refer User Access
Control/ Management Policy)
10.2 The Bank shall document and implement email server specific controls (Refer User
Access Control/ Management Policy)

11. Vendor Risk Management

11.1 Banks shall be accountable for ensuring appropriate management and assurance on
security risks in outsourced and partner arrangements. (Refer User Access Control/
Management Policy)
11.2 Banks shall carefully evaluate the need for outsourcing critical processes and selection
of vendor/partner based on comprehensive risk assessment. (Refer User Access
Control/ Management Policy)
11.3 Among others, banks shall regularly conduct effective due diligence, oversight and
management of third party vendors/service providers & partners. (Refer User Access
Control/ Management Policy and IT Asset Management Policy)
11.4 An appropriate framework, policies and procedures, supported by baseline system
security configuration standards, shall be put in place to evaluate, assess, approve,
review, control and monitor the risks and materiality of all the Bank's vendor/outsourcing
activities. (Refer User Access Control/ Management Policy and IT Asset Management
Policy)
11.5 Banks shall ensure and demonstrate that the service provider (including another bank)
adheres to all regulatory and legal requirements of the country. Banks may necessarily
enter into agreement with the service provider that amongst others provides for right
of audit by the bank and inspection by the regulators of the country.
11.6 RBI/NABARD shall have access to all information resources (online/in person) that are
consumed by banks, to be made accessible to RBI/NABARD officials by the banks when
sought, though the infrastructure/enabling resources may not physically be located in
the premises of banks.
11.7 Further, banks have to adhere to the relevant legal and regulatory requirements
relating to geographical location of infrastructure and movement of data out of
borders.
11.8 Banks shall thoroughly satisfy themselves about the credentials of vendor/third-party
personnel accessing and managing the bank's critical assets.
11.9 Background checks, non-disclosure and security policy compliance agreements shall be
mandated for all third party service providers.

12. Removable Media

12.1 Define and implement policy for restriction and secure use of removable media/BYOD
on various types/categories of devices including but not limited to
workstations/PCs/Laptops/Mobile devices/servers, etc. and secure erasure of data on
such media after use. (Refer User Access Control/ Management Policy)
12.2 Limit media types and information that could be transferred/copied to/from such
devices.
12.3 Get the removable media scanned for malware prior to providing read/write
access.
12.4 Consider implementing centralised policies through Active Directory or Endpoint
management systems to whitelist/blacklist/restrict removable media use.
12.5 As a default rule, use of removable devices and media should not be permitted in the
banking environment unless specifically authorised for a defined use and duration of use.

13. Advanced Real-time Threat Defence and Management

13.1 The Bank shall build a robust defence against the installation, spread, and execution of
malicious code at multiple points in the enterprise.
13.2 The Bank shall implement Anti-malware, Antivirus protection including behavioural
detection systems for all categories of devices – (Endpoints such as PCs/laptops/
mobile devices etc.), servers (operating systems, databases, applications, etc.),
Web/Internet gateways, email-gateways, Wireless networks, SMS servers etc. including
tools and processes for centralised management and monitoring.
13.3 The Bank shall consider implementing whitelisting of internet websites/systems.
13.4 The Bank shall consider implementing secure web gateways with capability to deep
scan network packets including secure (HTTPS, etc.) traffic passing through the
web/internet gateway.

14. Anti-Phishing

14.1 The Bank shall subscribe to anti-phishing/anti-rogue app services from external service
providers for identifying and taking down phishing websites/rogue applications.

15. Data Leak prevention strategy

15.1 The Bank shall develop a comprehensive data loss/leakage prevention strategy to
safeguard sensitive (including confidential) business and customer data/information.
15.2 This shall include protecting data processed in end point devices, data in transmission,
as well as data stored in servers and other digital stores, whether online or offline.
15.3 Similar arrangements need to be ensured at the vendor managed facilities as well.

16. Maintenance, Monitoring, and Analysis of Audit Logs

16.1 The Bank shall consult all the stakeholders before finalising the scope, frequency and
storage of log collection.
16.2 The Bank shall manage and analyse audit logs in a systematic manner so as to detect,
understand or recover from an attack.
16.3 The Bank shall take care to capture audit logs pertaining to user actions in a system.
Such arrangements should facilitate forensic auditing, if need be.

17. Audit Log settings

17.1 The Bank shall implement and periodically validate settings for capturing of appropriate
logs/audit trails of each device, system software and application software, ensuring
that logs include minimum information to uniquely identify the log for example by
including a date, timestamp, source addresses, destination addresses, and various
other useful elements of each packet and/or event and/or transaction.

18. Vulnerability assessment and Penetration Test (VA/PT) and Red Team
Exercises

18.1 The Bank shall periodically conduct vulnerability assessment and penetration testing
exercises for all the critical systems, particularly those facing the internet. (Refer
Inventory Management of Business IT Asset Policy)
18.2 The vulnerabilities detected are to be remedied promptly in terms of the bank’s risk
management/treatment framework so as to avoid exploitation of such vulnerabilities.
(Refer Inventory Management of Business IT Asset Policy)
18.3 Penetration testing of public facing systems as well as other critical applications are to
be carried out by professionally qualified teams. (Refer Inventory Management of
Business IT Asset Policy)
18.4 Findings of VA/PT and the follow up actions necessitated are to be monitored closely by
the Information Security/Information Technology Audit team as well as Senior/Top
Management. (Refer Inventory Management of Business IT Asset Policy)
18.5 Red Teams may be used to identify the vulnerabilities and the business risk, assess the
efficacy of the defences and check the mitigating controls already in place by
simulating the objectives and actions of an attacker. (Refer Inventory Management of
Business IT Asset Policy)
18.6 The Bank shall periodically and actively participate in cyber drills conducted under the
aegis of CERT-In, IDRBT etc.

19. Incident Response & Management

The principle of the security incident management policy is to restore normal service
operation as quickly as possible and to minimize the impact on business operations, thus
ensuring that the best possible levels of service quality and availability are maintained.

An incident is an event that causes service disruption leading to operational impact on the
Bank's systems. To restore operations as quickly as possible and to minimize the
impact on business, it is important for the Bank to outline a set of guidelines for the
management of such disruptions.

The objective of this Policy is to establish a set of guidelines to effectively and efficiently
manage incidents related to Information Security.

The Security Incident Management Policy is applicable to all the security related
incidents/events affecting the Bank's information systems.

1.0 The Bank shall ensure that the security incidents are reported in time to the
appropriate authorities and corrective actions are taken immediately to avoid the
recurrence of such events in future.
2.0 The Bank shall ensure that all contractors and third parties are made aware of the
procedures for reporting different types of security incidents (like security breach,
threat, weakness, or malfunction) that might have an impact on the security of the
Bank’s assets.
3.0 The Bank shall ensure that all reported security incidents are logged, analyzed and
classified according to predefined criteria.
4.0 The Bank shall ensure that all employees, contractors and third party users of
information systems and services are required to note and report any observed or
suspected security weaknesses in systems or services.
5.0 The Bank shall ensure that escalations and actions are as per the classification of
security incidents.
6.0 The Bank shall ensure that details of the contacts of the appropriate authorities are
maintained and information related to the security incidents are shared as required.
7.0 The Bank shall ensure that management responsibilities and procedures are
established to ensure a quick, effective, and orderly response to information
security incidents.
8.0 The Bank shall maintain a knowledge base of the past security incidents
which contains information about the type, causes, impacts and the
identified solutions.
9.0 In case a security incident has been identified where a follow-up action
against a person or an organization involves legal action (either civil or
criminal), evidence shall be collected, retained, and presented to
conform to the rules for evidence laid down in the relevant
jurisdiction(s).

20. Risk based transaction monitoring

20.1 The Bank shall implement risk based transaction monitoring or surveillance process as
part of fraud risk management system across all delivery channels.
20.2 The bank shall notify the customer, through alternate communication channels, of all
payment or fund transfer transactions above a specified value determined by the
customer.

21. Metrics

21.1 The Bank shall develop a comprehensive set of metrics that provide for prospective and
retrospective measures, like key performance indicators and key risk indicators.
21.2 Some illustrative metrics include coverage of anti-malware software and the
percentage of installations that are up to date, patch latency, extent of user awareness
training, vulnerability related metrics, etc.

22. Forensics

22.1 The Bank shall have support/ arrangement for network forensics/forensic
investigation/DDOS mitigation services on stand-by.

22.2 The Bank shall periodically and actively participate in cyber drills conducted under the
aegis of CERT-In, IDRBT etc.

23. User / Employee/ Management Awareness

23.1 The Bank shall define and communicate to users/employees, vendors & partners
security policy/ies covering secure and acceptable use of bank’s network/assets
including customer information/data, educating them about cyber security risks and
protection measures at their level. (Refer User Access Control/ Management Policy)
23.2 The Bank shall encourage the users to report suspicious behaviour incidents to the
incident management team.
23.3 The Bank shall conduct targeted awareness/training for key personnel (at executive,
operations, security related administration/operation and management roles, etc.)
23.4 The Bank shall evaluate the awareness level periodically.
23.5 The Bank shall deactivate employee logon IDs and passwords as soon as possible
when the employee is terminated, fired, suspended, placed on leave, or otherwise
leaves the employment of the Bank.
23.6 HRD shall immediately and directly contact the Bank’s IT Cell to report change in
employee status that requires terminating or modifying employee logon access
privileges.
23.7 Employees who forget their password must call the IT department to get a new
password assigned to their account. The employee must identify himself/herself to
the IT department (e.g. by employee number).
23.8 Employees will be responsible for all transactions occurring during Logon sessions
initiated by use of the employee’s password and ID. Employees shall not logon to a
computer and then allow another individual to use the computer or otherwise share
access to the computer systems.
23.9 The Bank shall establish a mechanism for adaptive capacity building for effective Cyber
security Management, making cyber security awareness programs mandatory for new
recruits and conducting web-based quiz & training for lower, middle & upper management
every year. (Recent and past cyber-attacks show that cyber adversaries are also targeting
bank employees.)
23.10 The Bank shall sensitise the Board members on various technological developments
and cyber security related developments periodically.
23.11 The Bank shall provide training programmes for Board members on IT Risk /
Cyber security Risk and evolving best practices in this regard so as to cover all the
Board members at least once a year.

24. Customer Education and Awareness

24.1 The Bank shall improve and maintain customer awareness and education with regard to
cyber security risks.
24.2 The Bank shall encourage customers to report phishing mails/ Phishing sites and on
such reporting take effective remedial action.
24.3 The Bank shall educate the customers on the downside risk of sharing their login
credentials / passwords etc. to any third party vendor and the consequences thereof.

25. The Bank receives all support in IT solutions, IT initiatives etc. required as per the
instructions/guidance issued by regulators and supervisors from time to time. All assistance
required to step up the cyber security environment is being provided through the sponsor
Bank, and the Bank, with the help of the sponsor Bank, will step up the required security
wherever mentioned in this policy.

26. Although the Cyber Security Policy has been approved by the Board of Directors as per
the guidelines issued by NABARD, it shall be implemented under the guidance of the
sponsor bank, Bank of India, and in accordance with the technical and other
support/guidance received from them from time to time. As per the guidance provided by
NABARD, a Cyber Security Operation Centre (C-SOC) is required under the Cyber Security
Policy; for this purpose the Bank, through its letter no. HO/IT/2018-19/58 dated 14-09-2018,
has sought guidance on this subject from Bank of India, Head Office, Rural Banking
Division, Mumbai (copy to Bank of India, Head Office, Information Technology Department,
Mumbai), and action regarding the C-SOC shall be completed accordingly. Subsequently,
by e-mail dated 11-08-2021, we informed the sponsor bank that, since our data centre falls
within the sponsor bank's data centre and is operated by Bank of India officials, the sponsor
bank's Cyber Security Operation Centre (C-SOC) should be treated as our Cyber Security
Operation Centre (C-SOC) and the sponsor bank's CISO as our CISO; guidance from the
sponsor bank is awaited in this regard.
