Internship Report On Prepared By - BRAC University Institutional
Contents
1. C Raid Level protection This is storage in built technology RAID levels are implemented by EMC engineer like Raid 1 0 AND Raid 5 for the case of Disk Failure The storage system automatically generates error message while any disk fails or any block corruption in HDD We have a replication in PR side internally which 1s called Clone Data of Raid 1 0 has been cloned into Raid 5 level LUNs Now in present scenario we have mounted Report DB Server in PR cloned LUNs which are fractured and synchronized everyday Tues cloned consistence data is one day old which also prevents the system from logical corruption or human s unwanted logical errors In DR site production data has been replicated from PR RAID 1 0 To DR Raid 1 0 LUNs which is called Mirroring In DR site data also replicated internally in Raid 5 level LUNs In four spaces production data has been replicated But in DR site in Raid 5 disk groups have been fractured and synch everyday for due to any inconsistence and error for any reason in Database 58 Page EN lt S 11 4 Advanced Storage Technology PR and DR site data replication amp Cloning SJIBL is the first bank that uses both Cone Fracture and Snap Shot technology for Report DB Server and UAT DB server accordingly in Bangladesh City Bank and Eastern Bank use partially of these technology but not all 1 DC DR Data Synch Mirroring Technology 2 Clones Synch Fracture 3 Snap Shot Te2. ccccccccsssccccesseccccsececeescceseesececsueceeeeueccesseecessugeceesenseeetas 24 3 2 IT Asset Management Policy csssccscsssscsssssrectonssscnenssscnsoussecsoussscneusssestousrestenssseneuusrene 25 3 2 01 Hardware Inventory Management and Tracking Policy sss sse sees eee 25 3 2 02 Hardware Repairing amp Troubleshooting POlicy sss sees eee eee eee 25 Bo WIS fe Ko LE SE EE EE E 26 Go do EN TN NN 26 po AS es OS REE EE EE once ET 26 DN 26 TT d VSS NNN 26 MON e E A E E E T A E E EEE E 27 rO PA ICO TTT 27 Eel RI PROC EP NN 27 SANDEN 28 VINEN crecian eerie toyceiebrerateneeadeereeisescouas 28 3 5 02 Benefits of Active Director sss eee eee 28 3 5 02 01 Increasing the Productivity Of USers sss sese eee 28 3 6 Change Management Policy of in house software sse ee eee eee eee eee 29 STN 30 NN 30 TEN yee ra este carer ideaces saetinese esata taacesd see tcessactposrienceetn nee satuidesesstecanesateceuaisteees 30 4 1 01 Data Center Access POLICY asiiciccsensnessechcaievevenarsieasieresavnsessincstievarsenstecsteraraeeenbeacoatenns 30 4 1 02 Server Room ACCESS Policy sss sese sees eenn nenen 31 A2 Environmental SAN e le 31 4 2 01 Data Center Environmental Safety Dolly 31 4 2 02 Data Center Security Maintenance sese eee eee eee eee eee eee eee 32 Bye Se POV UNO Te 32 6lPage Sp 44 Physical Security for IT PSS hr 32 CO O TIE sa tuentecetesseasareedeanmanndenstunseiaeecousunaeedernans dees 33 SS WON sl TT 33 e Ne TT 3
3. EMS Environment Monitoring System Auto Fire Suppression System DRS Information 8 1 Power System l a aE la 10 11 12 15 To ensure uninterrupted Power Supply 02 Two Generators are running with Auto Switching System Among of Two GENSET 330kva will run in Primary Initial stage From this 330kva load 150kva load has dedicatedly assigned for Data Center Rest 150kva GENSET will be active whenever the Primary 330kva will not trigger Full Process will be switched automatic through ATS Automatic Transfer Switch Two 02 individual ATS is connected amp changeover is activated through one Timer Primary GENSET 330kva will be trigger within 60 seconds after PDB power failure Secondary GENSET 150kva will be trigger within 120 seconds if Primary GENSET 330kva will not trigger GENSET system will take care and maintain by the Bank s Electrical Engineer CSD Division Two 02 30kva APC UPS are simultaneously running over the 24 7 by segregating the total load Both UPS are giving backup connected to the device through individual PDU Power Distribution Unit AVR Automatic Voltage Regulator is maintaining the Voltage Up gradation amp Degradation MCO Manual Change Over will be active whenever any emergency maintenance task performed 04 Four individual Main Distribution Board MDB has been defined separately for Cooling System of DC Cooling System of Power Room along with others Utili
4. major application of cryptography in the years to come 621Page G ps 12 2 01 The electronic signature The electronic will be uniquely linked to the signatory It will be capable of identifying the signatory It will be created using means under the sole control of the signatory It will be linked to data to which it relates in such a way that subsequent changes in the data are detectable pe 12 2 02 Digital signature on a message a Data origin authentication of the signer digital signature validates the message in the sense that assurance 1s provided about the integrity of the message and of the identity of the entity that signed the message b Non repudiation digital signature can be stored by anyone who receives the signed message as evidence that the message was sent and of who sent it This evidence could later be presented to a third party who could use the evidence to resolve any dispute that relates to the contents and or origin of the message 12 2 03 Input to a digital signature a The message i Digital signature needs data origin authentication and non repudiation The digital signature itself must be a piece of data that depends on the message and cannot be a completely separate identifier ii It may be sent as a separate piece of data to the message but its computation must involve the message b A secret parameter known only by the signer i Digital signature needs non repudiation its calculation must
5. rrrrrrnnnrrnnnnnnnsrrnnnrrnnnnnnnsrnnnnrnnnnnnnsssnnnsnnnnnnnnsssnnnnsnnnnnnnssee 42 ATEN 43 Internet and Web Surfing Policy sese eee eee eee eee 43 TONN 43 7 2 Requirement of internet and e mail POLICY esse sees eee eee eee 43 7 3 Internet usage policy for officers and EXECUTIVES eee 44 7 4 E mail usage policy for Officers and EXECUTIVES cecccccssseccceesececceeeceeeeesececeusecesseeecesseees 44 CHD da 2 TTT 47 MTT 47 STP NN 47 EMNE 48 o2 oe ea Bes EE EE N 48 8 3 ACCESS Control SVStem naadde NOR TRUEZ RR ayo 48 24 Surveillance Y CCTV RE 48 8 5 EMS Environment Monitoring SVStenml sss sees sees eee ee eee eee 48 8 6 Fire Suppression System rnnrnnnrnnnvnnnvnnnvnnnennnvnnnsnnnsnnnsnnnsennsennsennsvnnsennnvnnnennnennnennnennesnnesene 48 RT ENN 49 Ted 50 Software Development and ACQUISITION ccccceseccccseccecescceceesececeenececeeesecetsueceseeneceseuaeceesaneeeetes 50 9 1 Software Development POlicy sese eee eee 50 9 2 In house Software ee 51 9 3 Outsourced Sotware eTo 51 TS OL Vendor SEN e TT 51 9 3 02 Software Documentation POLICY sss sees eee eee 51 9 303 Olher REG UI SINC EE 52 ETO T 53 Core Banking SOW ES a 53 VINN e E 53 8lPage VE NN airar enn E 54 NENNE 54 Sa EE EN ee ee ere ee ee 55 DATABASE MANAGEENT AND SECURITY eee 55 Backup ANG Storage ee 55 TEN 55 B TT 55 TB PN 55 Database DB backup using various technologies sees eee ee eee eee 55 PROD EN 55 Levels of Backup
6. RESTRICTED information shall be encrypted when transmitted over an un trusted communication network All network or systems software malfunctions information security alerts warnings suspected vulnerabilities and the like and suspected network security problems shall be reported immediately only to the responsible party according to the incident handling procedure 42 Page A gt eA 5 Chapter Seven Internet and Web Surfing Policy 7 1 Introduction This policy will explain how to introduce a policy that clearly states what acceptable internet is and e mail usage The internet is an essential tool for many businesses E mail and the web offer a variety of ways to improve communications with employee customers and suppliers However allowing employees access to the internet carries risks If they accidentally or deliberately access illegal web content e g anything related to indecent material business could be open to prosecution There is a security risk employees could download and install software that may infected by a virus In addition any abuse of e mail facilities could cause internal and external problems For example sending bulk e mail could result in system overload and network congestion 7 2 Requirement of internet and e mail policy There are three major reasons to introduce policy for internet and e mail use within business e To protect the business from possible legal action resulting from p
7. Technology DBA team have implemented backups operations of SJIBL Database in three 3 methods 1 Data Pump Export Backup 2 RMAN Backup 3 Flash Back Technology Data Pump Backup NOC team takes the Before EOD backup manually One copy of BEOD data file is saved in Core DB server and a copy has moved out to Core DB File Ferver 10 101 1 71 After EOD backup is also taken by NOC team and one copy of backup has gone to tape library automatically and also moved out to Core DB file server 10 101 1 71 Image and Signature data has been also taken backup from a different schema named image user in every Friday 56 Page fm op All scripts are fired from db1 server by NOC team member by their own individual User ID with limited privileges RMAN Backup For Production Database NOC is taking backup RMAN manually NOC team member is taking RMAN backup before EOD operation every day In every day scheduled backup we are managing our backup system in below structure Regular Creation of Flash Back point The Production Database is set to flashback mode And also flashback Recovery area is setup so that in case of recovery the database point in time recovery will be fast and also provides a unified storage location for all recovery related files and activities in an Oracle database Before start EOD process EOD user made a flashback point for any kinds of emergency database restore Every EOD user has own user id and passwor
8. and Recovery SYSTEM cesses eee eee ee eee eee 56 Regular Creation of Flash Back point sse eee 57 11 4 Advanced Storage Technology PR and DR site data replication amp Cloning 0066 59 DC DR Data Synchronization Data Replication Mirroring Technology sss eee 59 Storage Clone Synch Fracture sse eee eee eee 60 NVE 61 Recommendation and Future Planning Policy sss sese sese eee ee eee eee eee 61 VNR 61 VET 61 IZ EOL se aT 61 BE EE EE EE cei 61 VTM 62 VINN NN 62 12 2 Cryptography and Digital Signature sse eee eee eee 62 12 2 01Theelectronic SIS E secre 63 12 2 02 Digital signature on a message sees eee eee 63 122 0 input toa digital Ta P red 63 12 2 04 Properties OF digital signatU Hasene 63 12 2 05 Arbitrated digital Signatures sss sees eee eee 63 12 206 Basis of signature Eee 64 9IPage 5 12 3 RENN 64 TEN 65 ENN 65 I0IPage A Executive Summary IT Policy is a systematic approach to policies required to formulate for ensuring manageability confidentiality integrity availability and security of information and information systems This Policy also covers all information that electronically generated received stored printed scanned and typed The provisions of this Policy are applicable for Shahjalal Islami Bank Limited All activities and operations required to ensure data security including infrastructure facility design physical security surveillance system network security disaster recove
9. application shall be in accordance with design specification and documentation e Source code must be available with the concerned department and kept secured f Source code shall contain title area the author date of creation last date of modification and other relevant information g Software Development Life Cycle SDLC with User Acceptance Test UAT shall be followed and conducted in the development and implementation stage h System documentation and User Manual shall be prepared and handed over to the concerned department 1 The Bank must consider necessary Regulatory Compliance requirements 9 3 Outsourced Software Policy All the software procured and installed by the Bank shall have legal licenses and record of the same shall be maintained by the respective unit department of the Bank 9 3 01 Vendor Selection Policy a There must be a core team comprising of personnel from Functional Departments IT Department and Internal Audit Department for vendor selection b Vendor selection criteria for application must address the following i Market presence li Years in operation ii Technology alliances iv Extent of customization and work around solutions v Performance amp Scalability vi Number of installations vil Existing customer reference vill Support arrangement 9 3 02 Software Documentation Policy a Documentation of the software shall be available and safely stored b Document shall contain t
10. e Data Security Storage Device 1 e Data Safe should be procured for the preservation of Data Cartridges CD DVDs License Copies Agreements etc e Security Devices to be used in the following manner l aa a Router Firewall etc Security Devices should be used in the LAN and WAN World renowned Branded Security Devices should require for the Bank There should be separate Servers for Database Application Exchange Mails amp others and the Servers should be located in different places Redundant Hardware storage e g PC Server Workstations Monitor Scanner amp Printers should be procured for instant support 2 1 02 02 Logical Security a Access into the application system a Access into the Server should strictly control using Administrative Password b Access into the Server through Workstations to be controlled and monitored by the System and Database Administrator c Access into the Workstations to be properly monitored and controlled b Usage and operations of Hardware amp Application systems 1 2 3 Usage of the Server amp Workstations to be controlled by the System Administrator Usage of Network Devices to be maintained sophisticatedly Usage of Printers Movable devices amp other computer components are to be used and maintained very carefully Usage of any movable device as if Floppy or flashes are strictly prohibited Usage of Banking Software should strictly be controlled by the system Admin
11. exists on data replication DBA can protect replication of erroneous data to DR site for any kinds of logical disaster if errors logical disaster can be identified within 30 minutes 91 Page A Sj After successful migration the DR site to Kashimpur Gazipur proposed bandwidth will be 50 Mbps as decision of IT management Storage Clone Synch Fracture In our Storage system we have implanted the Clone LUNs Synch Fracture in both DC and DR site DBAs make synch fracture on demand based on DBA s operations tasks Ultimus Report Server is running using this technology NOC member make fracture DR Clone LUNs just before EOD operation regularly for protecting any kinds of logical disaster during EOD operation Any kinds of logical disaster during EOD operation rollback can be possible in terms of this Storage Technology 60 Page A gt eA KE Chapter Twelve Recommendation and Future Planning Policy 12 1 Cloud Computing 12 1 01 Overview Cloud Computing is a recent revolution in the world of Information Technologies that enables a convenient way to share resources It is model providing on demand network access to configurable IT devices and services e g Servers Storage and Applications gathered as a network of computing resources located anywhere being shared among its users Cloud Computing can provide greater flexibility and improved levels of service while making costs more transparent and increasing institutional
12. involve a secret parameter that is known only by the signer il The only possible exception to this rule is if the other entity is totally trusted by all parties involved in the signing and verifying of digital signatures 12 2 04 Properties of digital signature a Easy for the signer to sign message There is no point in having a digital signature scheme that involves the signer needing to use slow and complex operations to compute a digital signature b Easy for anyone to verify a message Similarly we would like the verification of a digital signature to be as efficient as possible c Hard for anyone to forge a digital signature It should be practically impossible for anyone who 19 not the legitimate signer to compute a digital signature on a message that appears to be valid By appears to be valid we mean that anyone who attempts to verify the digital signature is led to believe that they have just successfully verified a valid digital signature on a message 12 2 05 Arbitrated digital signatures l Arbitrated digital signatures a meet the security requirements and 63 1Page IS Sj b Have the properties that we required for a digital signature 2 Verify and check the first MAC computed using KS 3 Recognize the main practical problem with implementing arbitrated signature 12 2 06 Basis of signature security 1 The basis of digital signature offer data origin authentication 2 Digital signature offer non r
13. mail ID for e mail communication under restricted use The groups are namely All Employees All Branches All Branch Managers All Branch Operations Manager All AD Branches All Non AD Branches All ATM Associated Branches All Departments Divisions amp Branches All Departments Divisions All individual Dept Divisions Head BACH IT Division CARD Division etc Usually no individual users are allowed for sending e mails to all ID all shahjalalislamibank com Important e mail to all ID can only be sent after approval of the contents documents from the approving authority through proper channel For approval the content should be sent to Head of operation AMD while a CC to be sent to the Head of IT and concerned head of the department division or branch manager If the approving authority approves the contents documents and sends a reply of the e mail to the sender Head of IT will be acknowledged about the approval through the reply of e mail The Head of IT will take necessary steps by which the initiator will be able to send the contents to all shahjalalislamibank com through e mail HRD will send a request for e mail ID for new employees to IT Division IT Division will create an e mail ID for new employee and duly acknowledge HRD and the concerned employee after creating the ID Subsequent updates of the list will be published accordingly Regard all types of official documents received from valid e mail D through proper channel as valid and
14. room c Access authorization list will be maintained and reviewed on regular basis 4 2 Environmental Security Policy Careful site selection and accommodation planning of a purpose built computer installation shall be conducted Data centers and computer rooms shall have good physical security and strong protection from disaster and security threats whether natural or caused by other reasons in order to minimize the extent of loss and disruption Backup media containing business essential and or mission critical information shall be sited at a safe distance from the main site in order to avoid damage arising from a disaster at the main site 4 2 01 Data Center Environmental Safety Policy a Protection of Data Center from the risk of damage due to fire flood explosion and other forms of disaster shall be designed and applied b Sufficient documentation is essential regarding the physical layout of the data centre c Documentation regarding the layout of power supplies of the data centers and network connectivity should be prepared d Floors to be raised with removable square blocks or channel alongside the wall to be prepared which allow all the data and power cabling to be in neat and safe position e Water detection devices should be below the raised floor if it is raised f Any accessories not related to Data Center should not be allowed to store in the Data Centre g Existence of Closed Circuit Television CCTVs came
15. system Therefore Bank must adopt appropriate methods to protect its information system The senior management of the Bank must express commitment to IT security by continuously increasing awareness and ensuring training of the Bank s official The policy will require regular update to cope with the evolving changes in the IT environment in the Bank 2 1 01 Policy Statement a Security means protection of Data amp Equipments from Internal and External threats b Data the priceless assets of the Bank should be protected from any level of hackers c To avoid fraud and forgery data amp equipments should be maintained in a secured manner d Priority should be given at the highest level for the security aspects of data and equipment e There should be 02 two types of Security like Physical amp Logical f Security Policy includes data data handling user amp access control of users external attack hardware and location amp position of hardware 2 1 02 Detail Policy 2 1 02 01 Physical Security a Entrance should be controlled amp monitored in the Branches during banking hour peak hour I5 Page EN lt S and after banking hour off peak hour in due course b Entrance should be controlled in the Data Center and Server Computer Room c Modern CCTV system to be implemented with proper application d Log Book is to be maintained for entrance Data Center in Head office and Server Computer Room in Branches
16. take necessary action accordingly Official documents are allowed to send to superiors Divisional or Departmental Heads Branch Managers by e mail for taking necessary action Distribution of scanned Image of signed copy of Circulars to he Departments Divisions Branches through e mail are strongly encouraged for compliance 45 Page E L 8 From now on e mails will be considered as an evidence of any pursuance 1 e requisition procedure to Divisional or Departmental Heads Branch Managers and as a receipt of circular sent thereby 9 No image or big file more than the size 10MB is allowed to send through e mail To send more than 10 MB prior permission has to be taken from the Head of IT through proper channel Branch Manager Head of the Division b Internet usage policy for executives and officers To use branch e mail internet facility is no more required To use internet for other official requirement users are requested to send a formal requisition to Head of IT through proper channel Divisional or Departmental Heads Branch Managers with justification IT Division will arrange access as per approval of Head of Operations Please mention that as per approval of the Management IP based Internet Use Policy IUP for grant permission for the internet users has already been deployed by the Bank 46 Page ia Chapter Eight Infrastructure Policy Power System Cooling System Access Control System Surveillance System CCTV
17. 0 3 5 Active Directory Policy 3 5 01 Active Directory e Focal point for network amp user management e Central authority for network amp application security e Integration point for bringing systems together 3 5 02 Benefits of Active Directory Active Directory helps small and medium size organizations with a reliable working environment for the end users which offers the highest levels of reliability and performance So users can perform their work as efficiently as possible as well as providing a more secure and manageable environment to make the lives of the domain easy to track any miss utilization amp disoperation and bring under control The following sections will review the advantages of Active Directory in these areas 3 5 02 01 Increasing the Productivity of Users a The Power of Group Policy Creating Standardized Configurations Settings and Options Automatic Access to Local Resources Enabling Features and Functions on the Fly User Profiles and Redirected Folders e Offline Folders b Windows Update Services c Remote Assistance d System Quarantine 3 5 02 02 Reducing the Burden of IT Administration a Server Performance and Reliability b Administrative Benefits of Group Policy 1 Account Password Policies i The password definition parameters ensure that minimum password length is specified at least 6 characters combination of uppercase lowercase numbers amp may include special ch
18. 10 1 Operating Policy Maker checker request received by IT through proper channel Initiated by user and approved by Branch Manager Users are created by Valid admin user of IT Division Certain limit is requested by the branch for execution of branch operation User permission is sanctioned as per request processed from branch Operating time is open as there is no time restriction has yet been instructed by competent authority The operating time schedule will be implemented as and when instructed by authority Operation Calendar for the year is set before start of the year Other holidays are set as and when required Own branch operation Remote operation Head office operation all factors are permission based through BankUlitmus system New Parameter setting is done by Head Office users IT users do it as per order circulated by FAD New GL Account is opened by FAD users as and when required as per proper noting Day end operation is done by NOC users of IT division after day close of all the branches Dummy Month End operation is performed with the end of day of previous day of end of month before end of month in the UAT environment During month end A team is formed with Business Team members Network Team members and software team members for execution of proper support to the branches and head office Similarly dummy Year end is also processed in the UAT environment for anticipating the errors or flaws Due to application of dep
19. 3 STO E a vote dus calc ceaiedupneq ie esepuieedivelncsevivosinbediediubes vowerwa tency ucssabaaibuneesseuus eetonia sndevnesactneetar 33 G COO Ss hice cep cate oss veo as poy ac cet caer sane ea EE EEE ERE 33 5 4 Password Requirements subject to CHANGE ccccccccsssecccceeesecceceeeeseceeeeeeeeeeeeeeeeeeeeeeteas 33 ETT 35 ENN 35 LJ NNN 35 bl 35 6 1 02 Networking Hardware Procurement Purchase Policy esse esse 36 6 1 03 Network SNP 36 6 1 04 Design Planning Approval Implementation amp Maintenance of LAN amp WAN 36 6 1 05 Network Security Policy sese eee 36 CLOC e erT a EE 38 6 1 07 Supervision Control amp Monitoring of Network SecuritieS rrrrunnnnnunnnnnnnnnnnnrnnnsnne 38 TR TN 38 TEPPE 39 SE EG FOC EE EE 39 6 1 11 Control amp Monitoring of LAN amp WAN functionalities sss sees eee eee eee 39 6 1 12 Local Area Networks LAN POlicy sss eee 39 6 1 13 Wide Area Networks WAN Policy sese eee ee eee 40 6 1 14 Upgrade design setup and security levels of LAN amp WAN sees 40 6 1 15 Maintain log records of LAN amp WAN StatuS sse eee eee 40 6 1 16 Router Switch Data Backup amp Restoration Policy esse eee eee eee 40 6 1 17 Redundant Access Policy from Branch to Head Office rrrrrnrarnnrrarrnnnnrrnvnnrrnnnnrrnvnnne 41 NN eT 41 SLOL OOO T 41 SALES ee ss vee ees eines NE JE 41 TIPage Sp ANNO 41 6 2 04 General Conditions for VPN sss sese 41 6 3 General Network Protections
20. Center is being cover amp monitor under the CCTV System which is equipped by 10 Cameras All of these cameras are controlled amp maintained by one DVR which 19 contained with one 500 GB 38 40 Days video backup Hard Disk a Resolution 640X512 mp b DVR HDD Capacity 500 GB c Recorded Mode When any motion will be active Frame Rate 4 1 d Working Period After 10 00 A M 2 5 Frame Rate e Non Working Period After 06 00 P M 1 6 Frame Rate f Video Backup time 38 40 Days 8 5 EMS Environment Monitoring System Cooling system Temperature Humidity Water Fire detection Smoke system all are monitored amp reported properly over the network 1 e web based interface 8 6 Fire Suppression System Auto Fire Suppression System is being live amp operational with very renowned GAS called NAFS125 along with HIT amp Smoke Sensor Two individual Cylinders for DC amp Power 48 Page ES Room dedicatedly are assigned to protect any unexpected fire incident 8 7 Co Location of DRS a b c d A Disaster Recovery Site DRS is replaced to Disaster Recovery Site service center provided by Square Gazipur Kashimpur replicating the Data Center Production Site from the previous collocation site CoLoCity ICOM Bangladesh Limited It is more than 10 km distance from our DC Co Located DRS is equipped with a set of hardware like Application server Database Server Storage Device and communication devices like ro
21. Disk amp removable disks e g DAT Tape CD DVD etc c Removable disks should be preserved under lock and key in safe custody outside location of the related office Head Office or Branch office d Branches and Head Office should preserve banking operational data in re usable data cartridges on daily basis e Banking operations data and other documents data should be preserved permanently in DAT Tape CD DVD media on half yearly basis f Backup data cartridges CD DVDs should be preserved at Head Office in a Fungus amp Dust Free Fireproof Data Safe Vault g Data Mining Center may be setup in a remote location considering number of branches and volume of data h Data may also be preserved in the internationally established and secured Data warehouse on rental basis 11 2 Backup Shahjalal Islami Bank Limited SJIBL is operating business of both Centralized and Distributed System for banking operation 93 branches with Head Office are running in Central System DBA Team follows the following as their Backup and Recovery Plan for Central Core Banking System 11 3 Backup Plan Database DB backup using various technologies Shahjalal Islami Bank Limited is taking full backup using Data Pump utility and Recovery Manager RMAN of production database as core database size is small in present time We will take incremental backup in future when the backup time of RMAN reaches more than 2 hours Backup Recovery Team IT Divisi
22. Internal Memo Circular should be generated through Intranet mail after completion of full automation Board EC Audit Shariah Memo are also to be submitted in electronic format Documents are to be prepared manually in physical format until necessary rules and regulations are not modified for digital documentations and digital signature All electronic digital documents should be tagged with digital signature 2 2 01 Organogram chart of IT Division I7IPage GS Sj Software Hard SUC Network plication Utility software L I8IPage G Serr 2 2 02 Branch Organogram with IT support Personnel Operation Manger IT Officer 2 IT Officer 1 Job Responsibility e Maintain physical security of IT room e Maintain Log Register for the personnel who visit the IT room e Maintain proper communication with IT for different purpose e Check the branch e mail and communicate it to the Operation Manager for necessary compliance e Maintain antivirus operation as per guideline provided by IT as and when required e Coordinate the auditors during IT Audit e Arrange IT Operation training within branch in association with IT as and when required e Preserve and distribute Operation Manual IT policy and other IT related documents IT circulars and guideline circulated by Head Office among the branch users for their use e Help the branch to carry out the other instructions of IT Division conveyed time
23. Internship Report On IT Policy of Shahjalal Islami Bank Ltd A study on Head Office Prepared For Md Noman Hossain Chowdhury Senior Lecturer BRAC Business School BRAC University Prepared By Shiab Khan ID 13164039 MBA BRAC University BRAC UNIVERSITY y BRAC University Date of submission 17 08 2015 Letter of Transmittal Date August 17 2015 Mr Md Noman Hossain Chowdhury Senior Lecturer BRAC University Subject Submission of Internship Report on IT Policy of Shahjalal Islami Bank Limited Dear Sir In connection of my practical orientation in Shahjalal Islami Bank Ltd I would like to submit my report to you for your perusal I have prepared this report on the basis of my practical exposure at IT Division of Shahjalal Islami Bank Ltd I enjoy preparing this report which enriched my partial knowledge of the theoretical concept I tried to reflect the operational aspects of the Bank which is complementary to the theoretical and practical knowledge I will be very glad if the report can serve its actual purpose and I am ready to explain anything to you if you feel necessary Yours Sincerely Shiab Khan MBA Program ID NO 13164039 Major in Finance BRAC University Declaration I Shiab Khan hereby declare that the report of internship Program titled IT Policy of Shahyalal Islami Bank Limited is uniquely prepared by me I confirm that the report is only prepared for
24. Level 3 Database 4 3 Fire Prevention Policy a b c d e f Wall ceiling Floor and door of Data Center should be fire resistant Fire suppression equipments should be installed Automatic fire alarming system shall be installed and tested periodically There shall be fire detector below the raised floor if it is raised Electric and data cables in the Data Center must maintain industry standard quality and to be concealed Any flammable items shall not be kept in the Data Center 4 4 Physical Security for IT Assets a b c All Information Systems shall be placed in a secure environment or attended by the officials to prevent unauthorized access Users in possession of laptop portable computer personal digital assistant or mobile computing devices for business purposes shall safeguard the equipment in his her possession and shall not leave the equipment unattended without proper security measures IT equipment shall not be taken away from sites without proper control 32lPage a Chapter Five Password Policy 5 1 Overview All employees and personnel that have access to organizational computer systems must adhere to the password policies defined below in order to protect the security of the network protect data integrity and protect computer systems 5 2 Purpose This policy amp order is designed to protect the organizational resources on the network by requiring strong passwords along wi
25. Personnel should get the minimum level of Business Foundation Training IT has to provide necessary training when New system IT through HR training branch concerned users provide training Branch has to send request for required IT related training As a substitute of arrangement of training at ITD Training material may be supplied in a central location as pdf and video CD with live training demo may be sent to branch end for necessary training 2 5 Insurance or Risk Coverage Fund Policy All IT assets should be under Insurance coverage to be maintained by Financial Administrative Division Adequate insurance coverage or risk coverage fund shall be maintained so that costs of loss and or damage of the IT assets can be mitigated 2 6 Problem Management Policy Bank shall establish a process to log the information system related problems and incidents IT division shall establish incident detection and monitoring mechanism to detect contain and ultimately prevent security incidents Process shall have the workflow to assign the issue to a concerned person to get a quick effective and orderly response As for example 1 Workflow for Hardware team 2 Workflow for Network Team 4 Workflow for Database amp Storage Team 5 Workflow for CBS Team 6 Workflow for software Team and 7 Workflow for NOC DC DR 8 Workflow for system administration Process shall be established to perform necessary corrective action within the per
26. action entered by them as marked in the application log file and transaction file against their user ID Competent authority should maintain a User list with given permissions to the individuals with duly signed and date e Log Reports L Log Reports to be maintained for access into the system and uses of different applications accordingly in detail Log Reports for all exceptions of the system should also be maintained properly f Software Security l 2 3 4 Data should be transferred using cryptography technology through WAN Sensitive Data should be preserved in the Database in encrypted format Security Software to be installed in the LAN amp WAN bridges and in the Servers Anti Virus Anti spam and Anti warm tools should be install and update in the system on a regular basis 2 2 Documentation Policy IT division shall establish document and maintain a security incident handling reporting procedure for their Information Systems a b c d e f g Documents are to be included with Notes Memos Minutes Resolutions Decisions Circulars Office Orders Instructions Letters Applications Mails Agreements Contracts Bills and any other documents used in the Banking operations Documents are to be preserved in two ways Scanning physical documents into electronic format and documents to be prepared in electronic format Manual documents are to be converted into electronic formats
27. actual proposal to be sent having necessary correction physically IT Support request form can be sent through proper channel Scanned Image of Circulars can be sent to the Divisions Branches Transmission of any confidential mater to any third party having proper approval It is not the replacement of earlier Divisional Branch e mail addresses These e mail addresses will be created by employees Name and the earlier e mail addresses will be used on behalf of Divisions Branches All employees will be eligible to get the e mail address by their Title first name short name followed by employee ID HRD HO shall send to IT division of the Name Designation and posting details of the employees 10 Email may be used personal purpose Official procedure of maintaining e mail by officers and executives a Usage of e mail for executives and officers l 2 e mail address will be created for all employees including cash in charge Cash officers will not get e mail ID Shahjalalislmaibank com has been defined as the domain name of SJIBL Using a part of employee name with his her employee ID e mail ID will be created by Head Office As an example employee name Md Aby Syeed Alamgir having his employee ID 1234 will have the e mail ID alamgir1234 Q shahjalalislamibank com which will be determined by Head Office Please mention that name title and short form of name are not allowed as email ID except MD and AMD There exist group e
28. all from core of my heart Sp Contents PN 11 NTN NN 12 ge gel 0 Vo 0 EE EEE 12 e Hees Tas PE EE ET EE EE ears 12 2 12 1o DENNE Te 13 DENNE NN TT 13 ETT TT nee an A a 15 IT Security Management POlICY eL RS Taa aae E NETTE EIA T ERT 15 EST 8 e TT 15 pl ON Ul SN 15 PLO DE e TTT 15 2 1 02 01 Physical Secur AT 15 102 PINNE 16 Ee Ree STO share e 17 2 2 01 Organogram Chart of IT DIVISION cecccccsssececeesececceesccecsesececsunecesseeeceeseuecessenecss 17 2 2 02 Branch Organogram with IT support Personnel sss eee eee eee eee 19 2 2 03 Segregation of duties for IT tasks sees 20 2 2 04 Job description JD for each Team sss sese eee eee 20 2 2 05 Scheduled roster for shifting duties ccc see eee 20 2 2 06 Fallback plans for system support PErSONNE l cccccesssccceesseccccesececeeeeceeseuseeeeseneees 20 2 3 Internal Information System Audit POLICY sese sees eee 20 LATANIE PO V e 21 2 5 Insurance or Risk Coverage Fund Policy sss sese eee 21 2 6 Problem Management Policy Luske dere 21 2 7 Risk Management ee EE EN 22 2 8 Personnel Development amp Security POLICY esse eee eee 22 2 8 01 Manpower Recruitment Policy cccccsssscssssssecsonssscncnssscneoussestonssscnenssscneoussessonsnss 22 5 Page S 2 8 02 Personnel Development Policy sss sees s sse s eee eee 22 2 8 03 Personnel Security POlicy esse eee eee 23 NENNE NN 24 OD eration Management POMC EEE EEE 24 3 1 Change Management Policy
29. aphy or other offensive material e Libeling or defaming colleagues or even external business contacts via e mail e Using the internet to commit fraud or other illegal acts Introducing internet and e mail usage policy should help avoid these risks It should also ensure that business and employee get the best possible use out of the information system Policy should state clearly what is and is not permitted by the employee using the internet or e mail It should ensure that employees are aware of the policy and the consequences of breaching them 7 3 Internet usage policy for officers and executives All Internet connections shall be routed through a DMZ firewall and Proxy Server for computers connected to SJIBL network while browsing downloading or an attachment of any incoming mail In case of any acceptation Divisional Heads Branch Managers may send formal requisition to IT Division with proper justification Head of IT decides toallowhis or her internet access from their work place However to grant permission Bank has been declared an internet restricted use policy IRUP by IP based The IRUP should have some classified policies via Proxy Server Classification of Internet policy a All Permission AP Those have all permission including social and security exchange web portal b Maximum Permission FP Those have full internet access except social web portal e g facebook com and some unnecessary web portal which are hamp
30. aracters ii Password history maintenance ensures same passwords to be used again after at least 4 times ii The maximum validity period of password shall not be beyond the number of 30 to90 days cycle 2 Account lockout Policies i Account shall be locked up after 3 unsuccessful login attempts c Software Installation Restriction Policies d Remote Installation Services e Remote Administration f Improving Fault Tolerance to Minimize Downtime g The Distributed File System 28 Page f op h Volume Shadow Copy Service 1 Advanced Server Recovery J Enhanced Security k File Level Encryption 1 IP Security m Improved Management Tools n Configure Secure Servers 3 6 Change Management Policy of in house software Live in house software may require some changes major minor in the following cases 1 Expected result is not found When new variety or exception is applied expected result may not be found Then software team modifies and executes required changes in the software 2 Requirement of additional reports When additional reports or scope is required the user sends a request to Head of IT with the details Software team does and executes required changes in the software as instructed by Head of IT The new requirement details are documented Such as new user interface of report format 3 Up gradation of software tools and data bases Change of technology may be required In house software requirement is approv
31. ation virus cleaning from the branch providing training to the mass users and the latter one for Desktop PC Printer UPS network or other equipments Employees needing computer hardware other than what is stated above must request such hardware from the IT Division Each request will be considered on a case by case basis in conjunction with the purchase committee of the Bank 3 3 Disposal of IT Assets 3 3 1 Purpose The purpose of this procedure is to establish and define standards and restrictions for the disposal of non leased IT equipment in a legal cost effective manner Shahjalal Islami Bank Limited SJIBL surplus or obsolete IT assets and resources i e desktop computers servers databases etc must be discarded according to legal requirements and environmental regulations through the appropriate personnel unit and the SJIBL upgrade guidelines Therefore all disposal procedures for retired IT assets must adhere to SJIBL approved methods 3 3 2 Scope This procedure applies to the proper disposal of all non leased SJIBL IT hardware including PCs printers handheld devices servers databases hubs switches bridges routers and so on SJIBL owned surplus hardware obsolete machines and any equipment beyond reasonable repair or reuse are covered by this procedure Where applicable it is desirable to achieve some residual value of the IT asset in question through reselling auctioning donation or reassignment to a less crit
32. chnology DC DR Data Synchronization Data Replication Mirroring Technology a DBA team member monitors the data replication between DC and DR Data Replication is based on two technologies a Synchronous b Asynchronous Synchronous Data is being mirrored to DR site by dark fibre of 4 Gbps through Fibre Cable FC constantly using Synchronous technology previously This data replication was totally depends on dark fibre where data is replicating using light technology Storage domain is kept normal state while dark fibre connectivity is being consistence state Drawbacks Sometimes it was observed that production environment went very slow during banking transaction hour Several calls were generated from branches of Bank IT Management decided to migrate from Synchronous to Asynchronous technology to rectify the problems To do so properly DBA team configuring iSCSI port to transfer data to DR Site to through Ethernet post rather than FC port Asynchronous Storage system based asynchronous replication overcomes the typical dis advantages of synchronous replication such as the requirement of a high bandwidth network connection and distance limitations In addition when purchased as part of the storage system asynchronous replication is more economical than add on replication technologies like continuous data protection Moreover there is no impact on performance of Production environment Thirty 30 minutes of time interval is
33. d B Month end and Big deployment Backup System In the period of month end we have taken extra backup if it is required Moreover in case of big deployment RMAN backup has been taken by DBA team Besides this we have enable the Flashback in our system Before big deployment or Month End we have to create restore point by Flashback technology 57 Page A lt S BEOD dmp DEN Auto Transfer gt p 10 101 101 51 Core DB File Server 1 Datapump MIG BACK DMP File BEOD AEOD amp BEOD BKP autoback DMP File AEOD FD Img bk AEOD dmp 10 101 1 71 BKP fs_db1 2 RMAN RMAN Only script Auto Transfer 3p We keep 1 days of backup of BEOD amp AEOD AEOD DMP File Manual Core amp iBanking App eee Bee 2 IULTIMUS AEOD DMP File 8 Core Application BEOD RMAN BK 4 iBanking Application Manual Taken g PP Manual Taken Manual Transfer T External HDD U Remote Area BK T Gulshan Br Taken by Tape Library by Netwoker BKP State Server Officers daily 10 101 101 53 10 101 1 48 d A Backup taken at 4 00 AM IULTIMUS DMP Eile Core amp iBanking App iBanking DB 10 101 1 36 1 Data pump BKP IBANKING IULTIMUS DMP File p S 2 RMAN iult dmp Auto 191014 e ns We keep 2 days of backup of iultimus amp ultimusext p ke ne ULE UL schema backup RMAN Backup Manual
34. de about such changes or will introduce such product Before changing any parameterization or before launching any product the business group must have confirmation from IT Division whether the system supports the changes or incorporation Banking Product Development of IT Policy of the Shahjalal Islami Bank Limited covers the procedures before launching any new product The activities will be as follows a Business Unit will ask the IT Division for parameterization of the changes or introduction of new product as per Change Request All the detail information of the request duly signed by the respective requester must be attached in separate sheet along with the Change Request Form b IT Officers will check and test the required changes in the Test Server The activities in the Test Server will be documented as Audit Log for future ready reference The results or output in the Test Server will be formally referred back to Business Unit c Considering the output of the IT Division the Business Group will finalize the product or changes and the final request will be placed to IT Division as per the same Change Request Form along with all the detail information of the products or request duly signed by the respective Requested d IT Division will do the same changes in the Test Server following the documents prepared earlier If the desired output is derived immediately will be put forward to the Business Unit for their acceptance All of th
35. diligence and professional care in accordance with professional standards and best practices 3 Serve in the benefit of stakeholders in a lawful and honest manner while maintaining high standards of conduct and character and not engage in acts discreditable to the profession 4 Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority Such information shall not be used for personal benefit or released to inappropriate parties 5 Maintain competency in their respective fields and agree to undertake only those activities that they can reasonably expect to complete with professional competence 6 Inform appropriate parties of the results of work performed revealing all significant facts known to them 7 Support the professional education of stakeholders in enhancing their understanding of IS security and control Failure to comply with this Code of professional Ethics can result in an investigation into an employee s conduct and ultimately in disciplinary measures All employees may share the Information Technology facilities of the Bank The facilities provided to the employees for conducting Bank business The Bank does permit of its employees to use of the facilities including computers printers e mail and internet access However these facilities may used by every employee since misuse by even a few individuals has the potential to negatively i
36. e the appropriate level of management as per financial discretionary power for approval Work Orders to be issued having approval of the competent authority Items components are to be received along with Challan Delivery Memo Data information is to be entered in details into the Computerized Inventory Management System Registers and transfer locate the items components accordingly Certification comments of the item component s status are to be collected before allowing payments of bills Warranty coverage and follow up for maintenance arrangement should be maintained Service agreement where applicable to be arranged 6 1 03 Network Systems Policy a b c d Systems are to be included with Network Equipments Network Firewall Cryptography Operating Systems Utility software etc For the standard setup of the network systems in the Bank Cisco Switches Cisco Routers Radio Base Station etc should be installed Industry standard architecture should be installed in setting LAN and WAN All systems should be open standard 6 1 04 Design Planning Approval Implementation amp Maintenance of LAN amp WAN a b c d e Designing the WAN setup in a ISO certification standard manner Creating and Maintaining the design documentation in a secured manner Core devices capabilities analysis and deployment planning Branch devices capabilities analysis and deployment planning Implementation planning 6 1 05 Networ
37. e the SJIBL network 6 2 03 VPN approval a Approved SJIBL employees and authorized third parties vendor support etc may utilize the benefits of a VPN which is a user managed service b VPN profiles will be created only at the request of a user s by submitting the appropriate VPN Access Request form Additionally the user must have read understood and acknowledged this policy before using the VPN service 6 2 04 General Conditions for VPN a It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to SJIBL internal networks b VPN use is to be controlled using either a one time password authentication such as a token device or a public private key system with a strong passphrase c When actively connected to the corporate network VPNs will force all traffic to and from the PC over the VPN tunnel all other traffic will be dropped d Dual split tunneling is NOT permitted only one network connection is allowed e VPN gateways will be set up and managed by SJIBL network operational groups f All computers connected to SJIBL internal networks via VPN or any other technology must use the most up to date anti virus software that is the corporate standard provide URL to this software this includes personal computer Laptop g VPN users will be automatically disconnected from SJIBL s network after thirty minutes of inactivity The user must then logon again to reconnec
38. ed from competent authority Software 19 developed as per In house software development policy 29 Page A gt eA 5 Chapter Four Physical Security Policy Shahjalal Islami Bank requires sound business and management practices to implement in the workplace to ensure that IT resources are properly protected The responsibility of each department is to protect technology resources from unauthorized access in terms of both physical hardware and data perspectives In fact the effective security measure for assets in the workplace is a responsibility held jointly by both management and employees 4 1 Access Control Policy A list of persons who authorized to gain access to data center server rooms computer rooms or other areas supporting critical activities where computer equipment and data are located or stored shall be kept up to date and be reviewed periodically Access keys cards passwords etc for entry to any of the Information systems and networks shall be physically secured or subject to well defined and strictly enforced security procedures Automatic protection features e g password protected screen saver keyboard lock in servers computer terminals workstations should be activated if there has been no activity for a predefined period to prevent illegal system access attempt Alternatively the logon session and connection should be terminated In addition user workstation should be switched off if appropriate be
39. efficiency It is anticipated that the use of Cloud Computing services will grow significantly over the next generation This policy is intended to ensure that the use of these services 1s managed in accordance with existing IT requirements and to provide a level of Head of IT oversight to address the possibility of a higher level of risk existing because of these new and still evolving IT service models The primary reason for this policy is to facilitate a well managed and successful adoption of Cloud Computing by establishing a process that directs attention to IT related requirements management processes and risk factors 12 1 02 Scope Cloud Computing is a computing model in which technology resources are delivered over the network Rather than implementing and maintaining IT services locally customers of cloud computing buy IT capabilities from providers that manage the hardware and software that operate those services Resources including infrastructure software processing power and storage are available from the cloud However migrated cloud platforms and services cost benefits as well as performances are neither clear nor summarized Globalization and the recessionary economic times have not only raised the bar of a better IT delivery models but also have given access to technology enabled services via internet However in spite of the cost benefits many IT professional believe that the latest model 1 e Cloud Computing has ris
40. el c Be realistic in cost estimates Consider the total lifecycle costs not just the cost of implementation 12 1 05 Security Issues Weigh the security threats and opportunities that are present for public private and community Clouds Consider how disaster recovery and continuity of operations planning will be addressed Identify all systems of records to be hosted in the cloud Specify the retention time for all system backups Consider how records management and electronic discovery will be managed in the cloud environment Consider issues of data ownership and portability How would it migrate from a given Cloud Computing infrastructure to another one at some point in the future 12 2 Cryptography and Digital signature A digital signature is a technique for establishing the origin of a particular message in order to settle later disputes about what message if any was sent The purpose of a digital signature is thus for to bind its identity to a message We use the term signer for an entity who creates a digital signature and the term verifier for an entity who receives a signed message and attempts to check whether the digital signature 19 correct or not Digital signatures have many attractive properties and it is very important to understand exactly what assurances they provide and what their limitations are While data confidentiality has been the driver behind historical cryptography digital signatures could be the
41. ement Team should be formed which can work jointly with RMU division of the Bank for compliance of Basel Accord 2 8 Personnel Development amp Security Policy 2 8 01 Manpower Recruitment Policy a Educational Qualification of fresh recruitment for IT division must be minimum ICT related Graduate but in case experience personnel the qualification may be consider or relaxed b For the recruitment of IT Personnel a comprehensive test to be taken by the expertise c Internet media may be used for the total recruitment management operations 2 8 02 Personnel Development Policy a All the employees of the Bank should have sufficient IT knowledge in connection with banking operations with Information System b IT advancement up gradation and the new released technology along with Bank s own IT policies functions and planning to be informed provided at all level of management and employees c IT personnel should strengthen their skill and knowledge on latest technology to guide and drive the Bank with the newer facilities and opportunities d Bank will arrange provide advance training of the IT personnel in local and abroad e IT personnel to be attend in the Seminars Workshops Special Training Program on IT in local and abroad on importance and requirement basis 22 Page A gt Ss gt 2 8 03 Personnel Security Policy Job definition job assignment and resource allocation should be considered which might reduce the risk
42. epudiation 3 The security properties of a MAC and a digital signature The vast majority of digital signature techniques do not involve having to communicate through a trusted arbitrator A true digital signature is one that can be sent directly from the signer to the verifier For the rest of this unit when we say digital signature we mean true digital signature Digital signatures are in some senses a complimentary technology to public key encryption offering data origin authentication and non repudiation of digital messages Digital signatures have different properties and offer different guarantees to hand written signatures The security of digital signatures critically relies on the security of the keys that are used to create and verify them 12 3 Recommendation 1 Two way verification system for internet Banking After every login user will send a OTP One Time password to their email address and mobile number This OTP will use for final verification SMS Banking service should be improved Now a day s Mobile Banking is one of the popular form of banking but Shahjalal Islami Bank still failed to introduce this service Mobile Banking service should be introduced as early as possible 4 Still there are some bugs in Core Banking software which hamper EOD process of Bank These Bugs should be solved as early as possible 5 Shahjalal Islami Bank has introduced Ticket Management System for giving quick support to branch us
43. er Same can be introduced for our clients for giving quick support of SMS and Internet Banking 64 Page A gt eA 5 Chapter Thirteen Conclusion The Banking Industry has changed the way they provide services to their customers and process information in recent years Information Technology has brought about this momentous transformation Security of Information for the Bank has therefore gained much importance and it is vital for us to ensure that the risks are properly identified and managed Moreover information and information technology systems are essential assets for the Banks as well as for the customers and stakeholders Information assets are critical to the services provided by the Banks to the customers Protection and maintenance of these assets are critical to the organizations sustainability Shahjalal Islami Bank Limited takes the responsibility of protecting the information from unauthorized access modification disclosure and destruction The Bank has prepared the IT Policy as a requirement and as appropriate to the use of Information Technology for their operations It also sets forth the Code of Professional Ethics to guide the professional and personal conduct of employee s Employees of the Bank shall 1 Support the implementation of and encourage compliance with appropriate standards procedures and controls set this policy for information systems 2 Perform their duties with objectivity due
44. ered official environment of the bank e g dsebd org etc from their workplace Some limited essential newspapers are allowed the office hour c Partial Permission PP Those have government educational of Bangladesh all financial and e mail web portal d Only Permission OP Those have Bangladesh bank SJIBL official site Google mail and Foreign Remittance related web portal Western Union MoneyGram and Xpress Money etc e Limited Permission LP Only Bangladesh Bank and its e services Online CIB services LC Monitoring System Web Upload and Online Foreign Exchange Transaction Monitoring System f Restricted Permission RP Some social Security exchange web portal and essential newspapers are allowed behind the office hour before 10 00 am and after 6 00 pm On the basis of requirement of division and approved by the Head of IT security exchange web portal e g dscbd org may be allowed in the officer hour 7 4 E mail usage policy for officers and executives E mail has become an essential tool of modern business communications It is fast and efficient but can also potentially be a source of embarrassment or even litigation 1 The mails will be considered as an evidence of any pursuance i e requisition procedure to Divisional Heads Branch Managers 44 Page WN a 9 f op Leave application will not be processed through this mail Investment proposal DFA Acknowledgement can be sent to Investment Division
45. ersonnel actions employee are legally responsible for personnel actions when they are using the internet or e mail at work e To ensure that communications resources are not wasted and productivity does not suffer e To help protect the business from potentially damaging viruses which could be received or downloaded via the internet or e mail In general providing internet access and e mail facilities to our employee has tremendous benefits It can increase efficiency aid communication and help employees increase their basic IT skills Allowing employee to access the internet and e mail facilities outside working hours can be seen as a perk of the job However controlling and policing such access may be difficult Trivial abuses of the system include transferring large file attachments or wasting work time on internet surfing personal e mail or online chat More risks that are serious include Downloading files that contain viruses Obtaining copyrighted material such as music or films Transmitting valuable or sensitive business information without encryption Distributing or relaying offensive or abusive material via e mail Generating junk e mail or spam via mass mailings Accepting files from people in online chat rooms which could bypass firewalls or e mail filters 43 Page f op More misconduct that is serious may result in disciplinary or even legal proceedings This includes e Accessing or downloading pornogr
46. ese activities will be documented as a part of User Acceptance Testing e If success the same changes or parameterization will be done in the Production Server after having the Approval from Head of IT 24 Page fn GT f All the steps or activities done in the Production Server Should documented as Audit Log for future ready reference g After the completion it will be referred to the Business Unit who will then circulate to all the respective Branches informing about the changes or parameterization done in the Production Server 3 2 IT Asset Management Policy IT Assets shall be clearly identified and an Inventory with significant details must be maintained All assets associated with the information facilities must be labeled with tag and name Asset inventory must be reviewed at least once a year All data on equipment and associated storage media must be destroyed or overwritten before sale disposal or reissue Bank must comply with the terms of all software licenses and must not use any software that has not been legally purchased or otherwise legitimately obtained Software used in production environment must be subjected to a support agreement Software used in any computer must be approved by the authority Use of unauthorized or pirated software must be strictly prohibited throughout the Bank Random checks shall be carried out to ensure compliance 3 2 01 Hardware Inventory Management and Tracking Policy Pr
47. essing business I2IPage A lt S data Malicious Codes Programs that cause undesirable effect to the Information Systems Examples of malicious codes include computer viruses network worms Trojan horses logic bombs and spy ware etc Information Technology IT The term information technology means computers ancillary equipment software and firmware Hardware and similar procedures services including support services and related resources This also includes any equipment or interconnected system or subsystem of equipment which used in the automatic acquisition storage manipulation management movement control display switching interchange transmission or reception of data or information Sensitive data Sensitive data encompasses a wide range of information and can include ethnic or racial origin political opinion religious or other similar beliefs memberships physical or mental health details personal life or criminal or civil offences These examples of information are protected by civil rights Sensitive data can also include information that relates to as a consumer client employee patient or student and it can be identifying information as well like national ID or voter ID number Tax Identification number Passport number contact information address e mail account phone number KYC Client Account information A C balance and other info if any identification cards and numbers birth date a
48. figuration as per requirements and maintain documentation and standards 6 1 01 Scope a Network equipments Router Switch shall be configured in a secure environment b Groups of information services users and information systems shall be segregated in networks e g VLAN c Unauthorized access and electronic tampering shall be controlled strictly d Firewall shall be in place on the network for any external connectivity 351Page e f g f op Redundant communication links shall be used for WAN There shall be a system to detect unauthorized intruder in the network Connection of personal laptop to office LAN or any personal wireless modem with the office laptop desktop must be secured 6 1 02 Networking Hardware Procurement Purchase Policy a b c d e f g h i J k Requisitions Requirements to be generated through proper channel Requirement analysis to be carried by Information Technology Division and recommendation to be placed before the Procurement Committee Competent authority As per latest Procurement Regulation maintained by Procurement Committee of SJIBL and that will be proceed for publishing Tender Notice in the Daily Newspaper collecting spot quotations as per approval of the Competent Authority Purchase and Procurement Committee will evaluate the Tender Documents Quotations submitted by vendors Evaluation and Comparative statement with specific proposal to be placed befor
49. fore leaving work for the day or before a prolonged period of inactivity Physical security involves providing environmental safeguards as well as controlling physical access to equipment and data The following safeguard methods are believed to be practical reasonable and reflective of sound business practices 4 1 01 Data Center Access Policy a Physical security shall be applied to the information processing area or Data Center Data Centre is the restricted area and unauthorized access prohibited b Number of entrance into the Data Centre will be limited locked and secured c Access Authorization procedures will exist and apply to all persons e g employees and vendors Unauthorized individuals and cleaning crews will be escorted during their stay in the Data Centre d Bank will maintain access authorization list documenting individuals who authorized to access the data centre and that will reviewed and updated periodically e Access log with date and time will be maintained documenting individuals who have accessed the data centre f Visitor Log will exist and need to be maintained g Security guard will be available for 24 hours h There will be Emergency exit door available 30IPage G Ser 4 1 02 Server Room Access Policy a Server room has a glass enclosure with lock and key with a responsible person of the branch b Physical access shall be restricted visitors log will be exist and maintained for server
50. he followings 1 Functionality ll Security features ill Interface requirements with other systems IV System Documentation V Installation Manual vi User Manual SliPage A 9 3 03 Other Requirements a b c d e There shall have a test environment to ensure the software functionalitiesbefore implementation User Acceptance Test UAT shall be carried out and signed off before going live Necessary Regulatory Compliance requirements for banking procedures and practices in the application must be taken into account by the Bank Any bugs and or errors found due to design flaws must be escalated to higher levels in Software Vendors organization and Bank and must be addressed in time Support agreement must be maintained with the provider for the software used in production with the confidentiality agreement S2IPage ES Chapter Ten Core Banking Software Policy Core Banking Software BankUltimus should run smoothly in all the branches For which a Data Center a Disaster Recovery Site Dual Network connectivity and operating policy has been prepared which are currently in operation To support the users 24 hour support center called NOC Network Operation Center is in live The officers perform their duty in shift management of which is under Data Center team Data Center Team circulates roster duty schedule as prepared by them and approved by Head of IT at the end of each month for the next month
51. ic paperless Bank To explain procedure for periodic review of the policy and system security measures To improve the overall smooth operation and business of the Bank 14 Page A Chapter Two IT Security Management Policy IT Security Management ensures that the IT functions and operations of the Bank efficiently and effectively managed IT Division ensures maintenance of appropriate systems documentations particularly for systems which support financial reporting They have to participate in IT security planning to ensure that resources allocated consistent with business objectives Also ensure sufficient and qualified technical officials are employed in the Bank so that continuance of the IT operation area is unlikely to be seriously at risk all times IT Security Management deals with IT Security Policy Documentation Internal Information System Audit Training and Insurance IT security planner and or management shall be responsible for overall IT security management 2 1 IT Security Policy This document provides the Policy for Information System and its secured usage for the Banks It establishes general requirements and responsibilities for protecting Information and Information System The policy covers common technologies such as computers amp peripherals data and network web system and other specialized IT resources The Bank s delivery of services depends on availability reliability and integrity of its information
52. ical function 3 3 3 Definitions 1 Non leased refers to any and all IT assets that are the sole property of the SJIBL that is equipment that is not rented leased or borrowed from a third party supplier or Banks partner 2 Disposal refers to the reselling reassignment recycling donating or throwing out of IT equipment through responsible ethical and environmentally sound means Obsolete refers to any and all equipment which no longer meets requisite functionality 4 Surplus refers to hardware that has been replaced by upgraded equipment or is superfluous to existing requirements 5 Beyond reasonable repair refers to any and all equipment whose condition requires fixing or refurbishing that will likely cost equal to or more than total replacement Sn 3 3 4 IT Asset Types This section categorized the types of assets subject to disposal 1 Desktop workstations CPU Monitor Key Board Mouse 2 Laptop 3 Printers Multifunction machines Projectors 4 UPS 261Page f 0 5 Scanners 6 Servers 7 Storage 8 Tape Library 9 Firewalls 10 Routers 11 Switches 12 Racks 13 DC and DRS IT supporting equipment 14 Memory devices 3 3 5 Guidelines Disposal procedures of all IT assets and equipment will be centrally managed and coordinated by the Hardware Team of IT Division The Hardware Team is also responsible for backing up and then wiping clean of SJIBL data all IT assets
53. ine a security policy f Develop procedures for applying security policies g Develop a technical implementation strategy h Achieve buy in from users managers and technical staff 1 Train users managers and technical staff j Implement the technical strategy and security plan k Test the security and update if any problems are found D Maintain security 6 1 05 02 Modularizing Security Design Security experts promote the security defense in depth principle This principle states that network security should be multilayered with many different techniques used to protect the network and each mechanism should have a backup mechanism This is sometimes called the belt and suspenders approach Both a belt and suspenders ensure that trousers stay up A networking example is to use a dedicated firewall to limit access to resources and a packetfiltering router that adds another line of defense In general using a modular approach to security design is a good way to gain an understanding of the types of solutions that must be selected to implement security defense in depth The next few sections cover security for the following modules or components of an enterprise network a Internet connections b Remote access and virtual private networks VPN c Network services and management d Server farms e User services f Wireless networks 37 Page fo Op 6 1 06 Physical Security Security Devices to be used in the foll
54. ing shifting duties should be documented Payment will be made for duty on holydays 2 2 06 Fallback plans for system support personnel Fallback plans for various levels of system support personnel should be documented 2 3 Internal Information System Audit Policy Internal Control and Compliance Division shall carry out internal Information System Audit Internal Information System Audit Team should have sufficient IT Audit Expertise Resources and should be capable of conducting Information System Audit Information Systems shall periodically evaluated by IT auditors to determine the minimum set of controls required to reducing risk to an acceptable level An annual system audit plan shall be developed Bank shall also ensure that audit issues are properly tracked out and in particular completely recorded adequately followed up and satisfactorily rectified Auditing of compliance of computer and network security policies shall be performed periodically Use of software and programs for security audit analysis shall be restricted and controlled The Branch Department Division of Head Office shall respond appropriately to address the recommendations made in the last Audit Report This must be documented and kept along with the Audit Report 20 Page A lt S 2 4 Training Policy All officials should get proper training education updates and awareness of the IT Security activities as relevant with their job function All IT
55. iod according to the problem s severity Problem findings and action steps taken during the problem resolution process shall be documented Process shall be established to review and monitor the incidents IT division shall ensure that system logs and other supporting information are retained for the proof and tracing of security incidents 21 Page f Op 2 7 Risk Management Policy Information Systems security risk assessments for information systems and production applications shall be performed at least twice in every year A security risk assessment shall also be performed prior to major enhancements and changes associated with these systems or applications Effective risk management system shall be in place for any new processes and systems as well as a post launch review Use of software and programs for security risk assessment analysis shall be restricted and controlled The risk management function shall ensure awareness of and compliance with the IT and IT Security Policy and to provide support for investigation of any IT related frauds and incidents The risk management process shall include a A description and assessment of the risk being considered and accepted for acknowledgement by the owner of the risk b Identification of mitigation controls c Formulation of a remedial plan to reduce the risk d Approval of the risk acknowledgement from the owner of the risk and senior management e A Risk Manag
56. ior to distribution to the Division department Branch IT Division shall require to entry data into hardware Inventory Management software A non removable tracking sticker on a visible place of the hardware shall be stamped for tracking After payment is made FAD should update the Inventory through an application client provided by IT division to the person delegated by FAD 3 2 02 Hardware Repairing amp Troubleshooting Policy Each member of Hardware and System Support Team of IT Division is individually responsible for Hardware repairing maintaining troubleshooting and sending to respective Branch Department Divisions They are also responsible for Operating System Application software Antivirus Banking Software BankUltimus etc installation maintenance and troubleshooting If end user encounters any malfunction or dysfunction with desktop computer s he should immediately contact system support Team of IT Division over ticket management software telephone e mail or through a forwarding letter System Support Team members try to give solution over telephone If it is not possible to solve the problem by IT Division over telephone then depending on nature of problem one of the following two decisions could be taken a Sending one hardware engineer at Branch end or 25 1P g c A lt S b Sending PC to IT Division of Head Office for repairing of damaged component The former one is usually follows for branch LAN renov
57. istrator The Application Software only to be used as on when required Access into the database system should strictly be controlled Only authorized personnel may have access into the database as a very special case Database password should be kept in lock and key On line transactions among the branches should be checked and verified frequently in a day by the system administrator very carefully On line transactions with Head Office should be taken in a shadow file and having final checking amp confirmation those may be integrated into central systems c Sharing resources 1 Sharing of resources to be setup to avoid repetition of works and to quicker functionalities 2 Unlimited access to be prohibited always in sharing all sorts of resources 3 Sharing of resources should be controlled through maintaining passwords d Users 1 The branch incumbent should select executives and Officers as User who used to work in the Information System with Banking Software Everyone should have a user D name number employee id Every individual should maintain a password to work into the system 2 Competent authority may permit every individual User against their assigned official works jobs and responsibilities Branch incumbents are advised not togive extra limit and maintenance permission for the officials who are in probation period 16 Page 4 fn Sj Individual User should be liable for each and every trans
58. ity into data center as well as Branches Near future the Bank will be established another WAN connectivity through radio V SAT 6 1 Network Policy Prior approval from the Head of IT and Manager IT Security is required to connect one Information System with another Information System The security level of the Information System being connected shall not be downgraded a Maintenance arrangement agreement to be made with the supplier vendor or any other third party at least one calendar month prior to the expiry of free service and warranty period b Preference to be given for the maintenance arrangement agreement with the suppliers vendors c Internal setup and arrangement to be ready for support services and maintenance d Sufficient Expertise Professionals to be recruited trained for the above e Necessary equipments machineries to be procured purchased for the above f Regional Offices Branches may be allowed to complete solve minor problems of Network by any third party having permission from Head Office g Electronic and manual Log book to be maintained by Head office Regional Office and Branches for support service and maintenance record h Regional Offices Branches should send all the equipments machineries to Head Office which are non repairable out of order 1 Necessary support devices items to be stocked procured purchased for immediate support of Head Office Regional Office and Branches j Network installation con
59. k Security Policy a b c d The Network Design and its security are implemented under a documented plan Creating and maintaining the design documentation of the security area Branch security area analysis and deployment of planning Physical security for the network equipment should be ensured Specifically 36 1Page f 0 i Access Physical amp Logical should be restricted and controlled ii These should be housed in a secure environment e The sensitive information should be kept in restricted area in the networking environment f Unauthorized access and Electronic tampering is to be controlled strictly g Security of the network should be under dual administrative control h Core Firewalls devices are in place on the network for any external connectivity 1 Redundant communication links are used for WAN 6 1 05 01 Network Design Following a structured set of steps when developing and implementing network security will help to address the varied concerns that play a part in security design Many security strategies have been developed in a haphazard way and have failed to actually secure assets and to meet a customer s primary goals for security Breaking down the process of security design into the following steps will help effectively plan and execute a security strategy a Identify network assets b Analyze security risks c Analyze security requirements and tradeoffs d Design a security plan e Def
60. ks and security concerns The following factors should be considered during cloud computing a Idea behind cloud computing b Monetary cost benefits of using cloud with respect to traditional premise computing c Security issues of cloud computing We have tried to find out the cost benefit by comparing the Microsoft Azure cloud cost with the prevalent premise cost 12 1 03 Policy Use of Cloud Computing services must be formally authorized in accordance with the IT Division 6lIPage EN Sj Use of Cloud Computing services must comply with all current laws IT security management policies and risk Use of Cloud Computing services must comply with all privacy laws and regulations and appropriate language Cloud Computing services will not be avail without any writing approval of IT Division The Head of IT division will certify that security privacy and other IT management requirements that adequately addressed prior to approving use of Cloud Computing services The Cloud Computing service may not be put into production use until IT Division has provided written approval 12 1 04 Guidance Many issues should be considered carefully before adopting a Cloud Computing solution The list below features some of the more important issues to consider using Cloud Computing a More efficiency or effectiveness for the IT investment b Need for a specific Cloud Computing characteristic elasticity scalability usage based mod
61. loyment for modification of any function of service charges government duties if bugs are found it is fixed in the UAT After successful day end and as per service providers recommendation live process is updated Ad branches SWIFT operation is done by SWIFT interface of BankUltmus As per requirement of SWIFT authority at least one SAA user is required to send al the message of AD branches S3IPage fn GT Some of the users of a branch must have to have training of BankUltimus This training provided by IT has a nature TOT so that the trainees may train their other users of the branch The A list of operation path User manual soft copy centrally located in the following address path IT users are not authorized to make or authorize any financial transaction 10 2 User Support Policy As per working process of IT department Ticket software Schedule wise NOC Saturday daily month end yearend support type by phone e mail ticket physical on spot Cards Department for ATM card support 10 3 Maintenance Policy As per agreement service provider provide support Agreement is duly renewed to ensure proper services Database maintenance is under Database policy After migration of all the branches the previous data of PCBANK2000 is preserved in three locations File Server in our DC In the Vault DVD of IT Division archive room In a portable Hard disk in our DC DVD In Dhaka Main Branch We have redundant connectivity fo
62. mpact productivity disrupt Bank business and interfere with the work or rights of others Therefore all employees expected to exercise 65 IPage A lt S responsible and ethical behavior when using the Bank s Information Technology facilities Any action that may expose the Bank to risks of unauthorized access to data disclosure of information legal liability or potential system failure is prohibited and may result in disciplinary action up to and including termination of employment and or criminal prosecution The use of the Bank s information technology facilities in connection with Bank business and limited personal use 15 a privilege but not a right extended to other organizational employees Users of the Bank s computing facilities are required to comply with all policies referred to in this document The policy covers the usage of all of the Bank s Information Technology and communication resources including but not limited to e All computer related equipment including desktop personal computers PCs portable PCs terminals workstations PDAs wireless computing devices telecomm equipment networks databases printers servers and shared computers and all networks and hardware to which this equipment is connected e All electronic communications equipment including radio communicators voice mail e mail fax machines wired or wireless communications devices and services internet and intranet and other on line
63. my academic requirement not for other purpose It might be with the interest of opposite party of the corporation I also assure that this report is not submitted anywhere of Bangladesh before me Shiab Khan ID NO 13164039 Major in Finance MBA Program BRAC University Acknowledgement At first I want to express my gratitude to Almighty Allah for giving me the strength and the composure to finish the task within the scheduled time Then I am very grateful to the Shahjalal Islami Bank Ltd for providing me the opportunity to complete my internship program I received cordial cooperation from the officers and members of staffs of Shahjalal Islami Bank Ltd IT Division I want to express my cordial gratitude to them for their cooperation without which it would not be possible to complete the report I would like to express my deep sense of gratitude amp sincere appreciation to my internship supervisor Mr Md Noman Hossain Chowdhury Senior Lecturer BRAC Business School BRAC University for his continuous support amp guidance during the practical orientation period His suggestions and comments were really a great source of spirit to make the report a good one Finally I am really thankful to Mr Md Rafiqul Islam Executive Vice President amp Head of IT Mr Md Rezaul Karim Executive officer of the Shahjalal Islami Bank Ltd IT Division for giving me the excellent opportunity to do my practical orientation in their branch Thanks
64. ncryption or sealed amp signed by authorized officials into a secured vault This should not be done without special authorization by 33IPage 11 ES the IT Division since it would reduce the security of the user s password Account lockout threshold 3 failed login attempts Account lockout duration the account lockout should be between 30 minutes and 2 hours Password protected screen savers should be enabled and should protect the computer within 5 10 minutes of user inactivity Computers should not be unattended with the user logged on and no password protected screen saver active Users should be in the habit of not leaving their computers unlocked User can press the CTRL ALT DEL keys and select Lock Computer 34 Page ES Chapter Six Network Policy The Shahjalal Islami Bank Limited has the responsibility for securing its networking systems against unauthorized access while making the systems accessible for legitimate and administrative usages This responsibility includes informing persons who use the network systems of expected standards of conduct and encouraging their application It is important for the user to practice ethical behavior in computing activities because the user has access to many valuable and sensitive resources and the user is computing practices can adversely affect the work of others Improper use and abuse of networks will not be permitted Presently SJIBL has two fiber optic WAN connectiv
65. nd parents names All of this data belongs to the bank s employee customer of the bank We should have full rights to access and use this information and also have rights to know how others are doing the same Just like other belongings we should be protective of this information too 1 3 Scope of the Policy This document addresses uses and security considerations of information systems of the Bank in the following areas a IT Security Management b IT Operation Management c Physical Security d Information Security Standard e Access Control Security f Data Security g Application Security h Network amp Communication Security 1 Software Development and Acquisition j System Support Management k Business Continuity and Disaster Recovery Plan D Security Risk Assessment amp Management m Procurement and Service Provider Management 1 4 Objectives of the Policy This Policy defines the requirements of the Bank which must adhere The objectives of the policy are a To establish a standard IT Policy amp IT Security management b To Identify the Information System Risk and their management c To communicate the responsibilities of the IS users for the protection of the system d To prioritize information and information systems those require protect 13 Page e h ES To aware and training the users associated with managing the IT infrastructure To establish a technology based electron
66. ng facility or which is used in violation of Banks rule or policy Shahjalal Islami Bank Limited also reserves the right periodically to examine any system and other usage and authorization history as necessary to protect its computing facilities 66 Page ay 67IPage
67. of human error theft fraud or misuse of facilities Security should be addressed at the recruitment stage Managers should ensure that job descriptions are addressed with all relevant security responsibilities and in confidentiality agreement To ensure the awareness of information security threats and concerns are equipped to support organizational security policy in course of their work User should be trained about security procedures and the correct use of information processing facilities 23 Page ES Chapter Three IT Operation Management Policy IT Operation Management covers the dynamics of technology operation management including change management asset management operating procedures and request management The objective is to achieve the highest levels of technology service quality by minimum operational risk 3 1 Change Management Policy Changes to information processing facilities and systems shall be controlled A formal documented process followed for change details which must governed for all changes of business application implemented in the production environment Audit logs of changes shall be maintained User Acceptance Test UAT for changes and upgrades in application shall be carried out before deployment As the business practices have been changing day by day it is required quite often to change parameterization of existing products or to introduce new product The Business Unit of the Bank will deci
68. ographically Separate of the related office Head Office or Branchoffice There should be at least one backup copy kept on site for time critical delivery Branches and Head Office should preserve Network related data such as router images amp configurations in our FTP server as well as Network Administrator s PC on weekly basis The backup log sheet is maintained checked amp signed by Team Leader The backup inventory is maintained checked amp signed by Team Leader The ability to restore from backup media is tested at least quarterly Backup Media must be labeled properly indicating contents date etc Backup CD DVDs should be preserved at Head Office in a Fungus amp Dust Free Fireproof Data Safe Vault 40 Page A Sj 6 1 17 Redundant Access Policy from Branch to Head Office The Branch will consider a disaster branch if both of the link goes down amp unable to restore more than 6 hours Hence in that situation the steps will be followed as guided by System Support Team 6 2 VPN Policy 8 2 01 Purpose The purpose of this policy is to provide guidelines for Remote Access Virtual Private Network VPN connections to SJIBL banking network 6 2 02 Scope This policy applies to all SJIBL employees Link Vendors and others including all personnel affiliated with third parties utilizing VPNs to access the SJIBL network This policy applies to implementations of VPN that allow direct access to SJIBL network from outsid
69. on of Shahjalal Islami Bank Limited possesses two teams who are responsible for taking core data backup manually Teams are 55 Page fo Op 1 DBA Database Administration Team 2 NOC Network Operation Centre Team The responsibility of Backup and Recovery system of SJIBL is belongs to DBA team members DBA team members will monitor the total backup and recovery system and follow up with NOC member for regular operation Each working day NOC team takes Before End of Day EOD data backup manually after close marking of all Ultimus Branches and After EOD backup is also taken everyday manually We used to take RMAN before start of EOD operation as well as fracture the DR Clone LUNs to ensure for the one day back data Moreover DBA team sends important copies of backup data to remote place to Gulshan Branch in two Portable Hard Disk Drive HDD alternatively Portable HDDs are carried in and out by Assigned Officers from IT Division Levels of Backup and Recovery system NOC team takes schedule backups of Before EOD BEOD and After EOD AEOD in various levels and managing backup and recovery system which increases the higher level of data protection resolution These levels have decreased the disaster levels The levels are Daily Backup System Month end and large deployment Raid Level protection Advanced Storage Technology PR and DR site data replication amp Cloning TOP gt A Daily Backup System Oracle Database Backup
70. owing manner a Router Firewall etc Security Devices should be used in the LAN and WAN b World renowned Branded Security Devices should be setup for the Bank c There should be separate room for implementation of security devices router and other network devices d Redundant Hardware e g Router Switch Firewall optical converters etc should be setup for instant support Bank requires that sound business and management practices must be implemented in the workplace to ensure that information and technology resources are properly protected It is the responsibility of each department to protect technology resources from unauthorized access in terms of both physical hardware and data perspectives In fact the effective security measure of assets in the workplace is a responsibility held jointly by both management and employees Physical security involves providing environmental safeguards as well as controlling physical access to equipment and data The safeguards methods are believed to be practical reasonable and reflective of sound business practices 6 1 07 Supervision Control amp Monitoring of Network Securities a Controlling the Securities through Intrusion Prevention System IPS or Intrusion Detection System IDS b The network team should properly monitor network Monitoring software may be used for proper monitoring c Supervision and monitoring of Securities area at all level of HO and Branches d Internet th
71. r every branches There must be some risk to become down both the links although SJIBL considered alternate E1 providers of the connectivity service providers for each branch When two links become down at a time we seek support from up to top authority of the service providers Branch may be advised as per the rise of severity level Level One Day close operation time is very near and connectivity is still down The branch manager is acknowledged about the details of the matter Users are requested to wait patiently till next day before start of day at the worst situation Level Two Next day branch operation start time is over still the link is down Remote transaction and Card transaction status option upon the branch is made to disable To keep the minimum level of customer service up the latest customer balance with card transaction details from last day card transaction upon the branch is sent through e mail The e mail is to be received by other source by smart phone other source of e mail services Branch may provide customer services only deposit and withdrawal by validating the printed reports received from IT and Card Division 54 Page ia Chapter Eleven DATABASE MANAGEENT AND SECURITY Backup and Storage Policy 11 1 Scope m a Data means all sorts of information kept in printed or electronic format of Shahjalal Islami Bank Limited b Data should be preserved in a secured manner in printed format and in fixed Hard
72. r the development purchase of software as the guideline b The Bank should have Core Banking Solution Software c The Bank should have the target detail plan to be a paperless Bank and to incorporate all electronic services facilities using the latest technology d Software system to be ISO standard and if possible those to be Capacity Maturity Model CMM level 4 or 5 e Software system should be in 3 tier architecture whatsoever purchase or develop f The Bank should have a skilled software development team who are capable to develop open amp industry standard systems using the latest tools g Software development to be structured amp documented which should include the followings 1 System Survey ii System Analysis i System Planning amp Design iv Pseudo Coding v Interface Design vi Assembly Module Object Procedure Functions amp Library File design and coding vii System testing vili System implementation ix System documentation h A skilled Software Team will develop the in house software as required by Head Office and Branches 1 User Manuals are to be ready provided 50 IPage A lt S 9 2 In house Software Policy a Detailed design and technical application requirements shall be prepared b Criteria for acceptance of the requirement shall be defined and approved by the concerned business unit c Application security and availability requirements shall be addressed d Developed functionality in the
73. ra is must for DC and it should be monitor regularly h Data Centre must show the sign of No eating drinking or smoking 1 Dedicated Office Vehicles for any emergency purpose should always be available on site Availing of public transport should be avoided while carrying critical equipments outside the bank s premises to avoid the risk of any causality j Address and telephone or mobile numbers of require emergency contact persons e g Fire service police station service providers vendor and all IT personal should be available to cope with any emergency k Proper attention must be given with regard to overloading of electrical outlets with too many devices Proper and practical usage of extension cords should be reviewed annually in the office environment D Power supply system and other support units must be separated from production site and placed in secure area to reduce the risks from environmental threats m Power supply from source Main Distribution Board or Generator to Data Center must be dedicated Electrical outlets from these power sources for any other devices must be restricted and monitored to avoid the risk of overloading n Development and test environment shall be separated from production 31 IPage 0 fm ON Data Center shall have dedicated fulltime supported telephone communication 4 2 02 Data Center Security Maintenance a b c Level 1 Physical Entrance Level 2 Operating System
74. reats protection e Integrations with system admin securities 6 1 08 Password Control a Access into the Network Equipments should strictly be controlled using Administrative Password b Access into the Network Equipment through Workstations to be controlled and monitored by the Administrator c Access into the Network Equipment to be properly controlled d Password to be maintained as strictly confidential System Administrative Password should be preserved in safe custody e Users should be liable to maintain his her own password and the Password should not be maintained by a name or any likings f Password may be chosen with mixed characters e g 32bQt_N and to be of at least eight characters which detail mention on password policy chapter 5 g The maximum validity period of password should be 60 days h The maximum number of invalid logon attempts should be 03 Three consecutive times 1 Password history maintenance is enabled in the system to allow same passwords can be used again after at least 4 times j Password entries must be masked k The terminal inactive time allowable for users should be set where necessary 1 Sensitive passwords have to be preserved in a sealed envelope with movement records for usage in case of emergency 38 IPage A Sj m Audit trail should be available to review the user profile for maintenance purpose 6 1 09 Policy Statement a b c d e f Network to be se
75. ry and business continuity planning use of hardware and software data disposal and protection of copyrights and other intellectual property rights Information Technology IT is the bedrock for the Bank s survival and development in a rapidly changing global environment and challenges us to devise bold and courageous initiatives to address a host of vital skilled human resources In addition an Information Technology Policy built on reliable human resources and infrastructure constitutes the fundamental tool and means of assessing planning managing development change and for achieving sustainable growth Every progressive Bank has its own IT Policy and an implementation strategy to respond to the emerging global reality and thus avert becoming a victim of the digital divide Information Technology Security ITS achieved by implementing a suitable set of controls including policies procedures and standards Specific Security Policy is required to establish for all information computer users of the Bank This approved IT Policy has been updated to reflect the rapidly changing Technologies within the Bank to assist users of these facilities to ensure that the facilities are properly protected and those specific IT security objectives are met Following the IT Policy information system services of the Bank in accordance with Information Technology standards guidelines and best practices of the Bank can ensuring that its information technolog
76. services e All software including purchased or licensed business software applications Bank written applications employee or vendor supplier written applications computer operating systems firmware and any other software residing on Bank owned equipment e All intellectual property and other data stored on Bank equipment e The policy will also apply to all users whether on Bank property connected from remote via any networked connection or using Bank equipment e All of the above are included whether they owned or leased by the Bank or are under the Bank s possession custody or control The policy also applies to software contractors and vendors suppliers providing services to Bank that bring them into contact with SJIBL s Information Technology infrastructure The Bank employee who contracts for these services is responsible to provide the contractor vendor supplier with a copy of only required clause of this policy before any access given to the Bank Information System It is the responsibility of all operating units to ensure that this policy clearly communicated understood and followed To protect the integrity of Bank s computing facilities and its users against unauthorized or improper use of those facilities Bank reserves the right without notice to limit or restrict any individual s use and to inspect copy remove or otherwise alter any data file or system resource which may undermine the authorized use of any computi
77. slated for disposal as well as the removal of SJIBL tags and or identifying labels The Hardware Team is responsible for selecting and approving external agents through proper channel for recycling hardware and or sanitizing hardware of harmful toxins before shipment to landfills 3 3 6 Practices Acceptable methods for the disposal of IT assets are as follows a Sold in a public forum b Auctioned online c Sold as scrap to a licensed dealer d Used as a trade in against cost of replacement item e Reassigned to a less critical business operation function f Donated to schools charities and other non profit organizations g Recycled and or refurbished to leverage further use within limits of reasonable repair h Discarded as rubbish in a landfill after sanitization of toxic materials by an approved service provider as required by local regulations 3 4 Operating Procedure Policy Operating procedures shall be documented maintained and available for the users related to their job function Changes to operating procedures must be approved by management and documented Operating procedures shall cover the followings where appropriate a Documentation on handling of different processes b Documentation on scheduling processes system start up close down End of Day restart and recovery centralized decentralized c Documentation on handling of exception conditions d Schedule system maintenance 27 Page f
78. t from others Only authorized persons are allowed to know or gain access to the information stored or processed by Information Systems in any aspects Integrity Only authorized persons are allowed to make changes to the information stored or processed by Information Systems in any aspects Availability Information Systems should be available to users at any given or specified period depending on business need IT Policy A documented list of management instructions that describe in detail the proper use and management of resources relating to IT with the objective to protect these resources as well as the information stored or processed by Information Systems from any unauthorized disclosure modifications or destruction Official Persons employed by the Bank irrespective of the employment period and terms Data Center DC A centralized data processing facility that houses Information Systems and related equipment A data center or data centre or datacentre or datacenter is a facility used to house computer systems and associated components such as telecommunications and storage systems It generally includes redundant or backup power supplies redundant data communications connections environmental controls e g air conditioning fire suppression and security devices Computer Room Server Room A dedicated room for housing computer Server s and other necessary equipment either in the Branch or in the Head Office for proc
79. t to the network Pings or other artificial network processes are not to be used to keep the connection open h The VPN concentrator is limited to an absolute connection time of 24 hours 41 Page G er 6 3 General Network Protections Internal network addresses configurations and related system or network information shall not be publicly disclosed All internal networks with connections to other networks or publicly accessible computer networks shall be properly protected Security measures shall be in place to prevent unauthorized remote access to the systems and data Computer users are prohibited from connecting workstations to external network by means of communication device such as dial up modem wireless interface or broadband link if the workstations are simultaneously connected to a local area network LAN or another internal communication network unless with the approval of the Head of IT Computer users shall not connect any unauthorized Information System device to Bank s Information System without prior approval of manager IT security Proper configuration and administration of information communication systems is required and shall be reviewed regularly Connections and links made to outside network shall not compromise the security of information system of the Bank Connecting privately owned computer resources to Bank s internal network requires approval from Manager IT security CONFIDENTIAL
80. th protection of these passwords and establishing a minimum time between changes to passwords 5 3 Scope This policy amp order applies to any and all personnel who have any form of computer account requiring a password on the organizational network including but not limited to a domain account and e mail account 5 4 Password Requirements subject to change Those setting password requirements must remember that making the password rules too difficult may actually decrease security if users decide the rules are impossible or too difficult to meet If passwords are changed too often users may tend to write them down or make their password a variant of an old password which an attacker with the old password could guess The following password requirements are given below 1 Minimum Length 6 characters recommended for singly usage and 8 characters for dual usage 2 Maximum Length 14 characters 3 Minimum complexity No dictionary words to be included Passwords should use three of four of the following four types of characters 1 Lowercase 2 Uppercase 3 Numbers 4 Special characters such as amp 4 Passwords are case sensitive and the user name or login ID is not case sensitive 5 Password history Require a number of unique passwords before an old password may be reused This number should be no less than 03 6 Maximum password age 90 days 7 Minimum password age 2 days 8 Store passwords using reversible e
81. to time 19 Page f op 2 2 03 Segregation of duties for IT tasks Segregation of duties is a key concept of internal controls of an organization Increased protection from fraud and errors the Bank must balanced with the increased of cost and effort required Segregation of duties should be exists for IT tasks of all IT personnel 2 2 04 Job description JD for each Team Job Description or better known in short as JD is a document that used to indicate scope of work for the employee It is often used in hiring process as well as job design This piece of document gives an employee a good picture of what his her responsibility is and a manager good picture of who does what in the team Shahjalal Islami Bank Limited creates a flexible employee centric JD instead of a static organization structure centric one The Bank looks very fundamental and simple following issues in Job Description Identify Goals Share Goals with Team Team to Build JDs Analyze undesired task Assign undesired task Hiring Process Keeping them high level Encourage employees to share and Goal Focused not JD Focused Job description JD for each individual of IT department division and Branch IT support unit with fallback support personnel should be documented 2 2 05 Scheduled roster for shifting duties In the roster for shifting duties the employer operates 24 hours in a day seven days in a week all year round Scheduled roster for the personnel do
82. tup within the Head Office Back Office Disaster Recovery Center Central Bank Local amp Foreign Banks Branches Remote sites Valued Clients and other regulatory bodies to share the resources and to provide better services Security measures should strictly be maintained before adding any node within the network Security Policies of the Bank to be implemented for network Network setup should be in international standard architecture and structured format Network equipments devices and accessories should be international standard Network Management Software to be used for Network Monitoring and management 6 1 10 Firewall Policy a b c d e f g h i j k D There should be a system to detect the unauthorized intruder for network All ports except usable ones shall be blocked Data rate per port per channel has to be limited Ingress Egress packets must be logged and stored NAT shall be used as much as possible Network Security Policy Security means protection of Data amp Equipments from Internal and External threats Data the priceless assets of the Bank should be protected from any level of hackers To avoid fraud and forgery data amp equipments should be maintained in a secured manner Priority should be given at the highest level for the security aspects of data and equipments There should be 02 two types of Security like Physical Security amp Information Security Security Polic
83. ty Rest of the area from DC amp Power Room utility and so on 47 Page f op 8 2 Cooling System AT DC To maintain perfect Cooling System in DC there are two Precession ACs run out through the 24 7 basis by turns 12 Hours at a stretch where each Precession AC belongs 39 5 KW equivalent to 13 16 Ton AT Power Room To maintain perfect Cooling System in Power Room there are two ACs run out through the 24 7 basis 6 Hours at a stretch by turns where each AC belongs 3 Ton 8 2 01 Operational Activities a A Temperature 18 to 26 C has been set up at each PAC for Data Center whenever the temperature goes over 18 to 26 C both the PAC Precession AC becomes active amp will run till the room temperature goes down below 20 C and then one PAC becomes shut down b Humidity is being auto maintained by PAC c Both the PAC is being auto Switch over by turns according to schedule Time duration 24 hours d Built in auto notification system appears in its display 8 3 Access Control System a For Data Center the Access Control System is operating Card or Finger Punching b Access in Data Center along with its surrounded restricted area is being controlled amp maintained by Access Control System c Attendance record of all IT officials also maintained from this Access Control System d One manual access log is being maintained for Vendors amp others for DC 8 4 Surveillance System CCTV Entire Data
84. uter switch firewall is equipment to support the live systems in the event of a disaster All logistics support amp services including security at the DR site is satisfactory Real times data replication performs on routine basis which is effectively monitor amp reported by DBA Team 49 Page ES Chapter Nine Software Development and Acquisition For any new application or function for the Bank requires analysis before acquisition or creation to ensure that business requirements are met in an effective and efficient manner This process covers the definition of needs consideration of alternative sources review of Technological and economic feasibility execution of risk analysis and cost benefit analysis and conclusion of a final decision to make or buy Computers and networks shall only run software that comes from trustworthy sources No software shall be loaded onto a Bank s computer without prior approval from competent authority IT division shall protect their Information Systems from known vulnerabilities by applying the latest security patches recommended by the product vendors or implementing other compensating security measures Before security patches are applied proper risk evaluation and testing should be conducted to minimize the undesirable effects to the Information Systems 9 1 Software Development Policy a The Bank should have written operation manuals for each and every department to be followed fo
85. y and business systems may be protected and controlled ll IPage ES Chapter One Introduction 1 1 Introduction This document describes Information Technology IT Policy of Shahjalal Islami Bank Limited SJIBL IT policy like other organization policy is generally focused on what should be done and on what parties are responsible for different activities However policy generally steers clear of describing how these activities should be performed That instead is the role of procedures and standards discussed in this Policy All concerned both in the Branches or in the Head Office of the Bank shall observe and follow the guidelines provided in this document The policy statements developed for all levels of users acting in different roles in the IT system of the Bank including general users of different software used in the Bank all officials of SJIBL is responsible for maintaining the system and the members of the top management of the Bank 1 2 Definitions Information System An electronic information system that processes data electronically through the use of information technology including but not limited to computer systems servers workstations terminals storage media communication devices network resources and any other input output devices Confidentiality The principle of confidentiality means keeping information given by or about an individual in the course of a professional relationship secure and secre
86. y connectivity should be physical and redundant may be wireless Virtual Private Network should be setup in connection with WAN through Service Providers Bridge Tunnel Data should be transmitted through WAN using cryptography technology Security measures should be taken into consideration in WAN connectivity and usage at a highest level of priority as per security policies of the Bank 6 1 14 Upgrade design setup and security levels of LAN amp WAN a b c d Upgrade of the WAN setup in an ISO certification standard manner Upgrade of Core devices and deployment planning Upgrade Branch devices and deployment planning Security measures should strictly be analysis before adding any new node within the Network 6 1 15 Maintain log records of LAN amp WAN status a b c Design and approval of network monitoring software with log report option Supervision and monitoring of network monitoring software with log report option Archive planning of logs reports 6 1 16 Router Switch Data Backup amp Restoration Policy a b c d e f g h 1 j Data means all sorts of information kept in printed or electronic format in The Shahjalal Islami Bank Limited Data should be preserved in a secured manner in our designated FTP server Hard Disk PC for Network Administrator s amp removable disks e g CD DVD Removable disks should be preserved under lock and key in safe custody outside Location ge
87. y includes data data handling user amp access control of users externalattack hardware and location amp position of hardware There should be a team of Network Administrator assigned by the competent authority for the Head Office to follow up and maintain security of all networks 6 1 11 Control amp Monitoring of LAN amp WAN functionalities a b c d e Bandwidth consumption analysis Bandwidth management Load Balancing management NOC member functionalities formation Network management software to be used for Network Management protocol SNMP 6 1 12 Local Area Networks LAN Policy a b c d Cabling should be structured Fiber optic cable to be preferred for LAN cabling initially Cat5 Cat6 cable may be used Rack Patch Panel Cable Management Unit Patch Cord Drop Cable Face Plate RJ45 etc are to be used in connection with LAN setup Separate Domain VLAN for each Department Division is to be setup in the Switch IP based network to be setup for nodes and all IPs are to be maintained confidentially 39l P age e fm ON Network policies to be determined in the server for each domain 6 1 13 Wide Area Networks WAN Policy a b c d e f Physical Fiber optic cable connectivity should be preferred for WAN setup within HO and Branch LANs Wireless connectivity may be set before having physical connectivity for WAN For the full setup of on line Banking primar
Download Pdf Manuals
Related Search