Guidelines 1 on Information Technology Security



Similar documents
Performing Effective Risk Assessments Dos and Don ts

Chapter 4 Information Security Program Development

Risk Management Guide for Information Technology Systems. NIST SP Overview

NIST National Institute of Standards and Technology

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

California State University, Chico. Information Security Incident Management Plan

Data Security Incident Response Plan. [Insert Organization Name]

University of Sunderland Business Assurance Information Security Policy

Risk-Based Assessment and Scoping of IV&V Work Related to Information Assurance Presented by Joelle Spagnuolo-Loretta, Richard Brockway, John C.

TABLE OF CONTENTS Information Systems Security Handbook Information Systems Security program elements. 7

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

Guide for the Role and Responsibilities of an Information Security Officer Within State Government

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

UF Risk IT Assessment Guidelines

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

ISO Controls and Objectives

HIPAA Security Alert

How To Audit The Mint'S Information Technology

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

7. Public Key Cryptosystems and Digital Signatures, 8. Firewalls, 9. Intrusion detection systems, 10. Biometric Security Systems, 11.

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Information Security Incident Management Guidelines

ISO27001 Controls and Objectives

Network Security: Policies and Guidelines for Effective Network Management

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Information Security Management System Policy

Office of Inspector General

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

Information Security Management System Information Security Policy

CITY UNIVERSITY OF HONG KONG Information Security Incident Management Standard

Ohio Supercomputer Center

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Standard: Information Security Incident Management

Utica College. Information Security Plan

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.

Information Security Program CHARTER

PBGC Information Security Policy

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

UF IT Risk Assessment Standard

Information Security Policy. Chapter 11. Business Continuity

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

BUSINESS CONTINUITY PLANNING

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, C.P.A., C.I.A. AUDITOR GENERAL ENTERPRISE DATA WAREHOUSE

The potential legal consequences of a personal data breach

FINAL May Guideline on Security Systems for Safeguarding Customer Information

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

Does it state the management commitment and set out the organizational approach to managing information security?

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

Information Security Program

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN

IM-93-1 ADP System Security Requirements and Review Process - Federal Guidelines

VMware vcloud Air HIPAA Matrix

Information Technology Security Review April 16, 2012

Operational Risk Publication Date: May Operational Risk... 3

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Information Security Program Management Standard

INFORMATION TECHNOLOGY SECURITY STANDARDS

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

INFORMATION SECURITY STRATEGIC PLAN

Disaster Recovery and Business Continuity Plan

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

RISK ASSESSMENT On IT Infrastructure Mr Pradhan P L & Prof P K Meher

Wright State University Information Security

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

Information Security Policy

CISM Certified Information Security Manager

The Ministry of Information & Communication Technology MICT

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Threat Management: Incident Handling. Incident Response Plan

IT Security Incident Management Policies and Practices

HIPAA Security COMPLIANCE Checklist For Employers

Unit Guide to Business Continuity/Resumption Planning

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning FEBRUARY 2015 IT EXAMINATION H ANDBOOK

Legislative Language

The University of Iowa. Enterprise Information Technology Disaster Plan. Version 3.1

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

FACT SHEET: Ransomware and HIPAA

VA Office of Inspector General

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

Information Security: Business Assurance Guidelines

Practical Overview on responsibilities of Data Protection Officers. Security measures

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0

Business Continuity Plan

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Third Party Security Requirements Policy

Transcription:

Guidelines 1 on Information Technology Security Introduction The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical role of financial institutions for a country and the extreme sensitivity of their information assets, the seriousness of IT Security and the ever-increasing threats it faces in today s open world cannot be overstated. As more and more of our Banking Operations and products & services become technology driven and dependent, consequently our reliance on these technology assets increases, and so does the need to protect and safeguard these resources to ensure smooth functioning of the financial industry. State Bank is, therefore, setting down guidelines for IT Security through the understanding and addressing off the following areas: Commitment to IT Security IT Security IT Security Risk Management IT Security Policy Development IT Security Awareness & Training IT Security Team Contingency & Disaster Recovery Planning These guidelines are meant to help the Banks/DFIs achieve adequate levels of IT Security. Purpose and Nature The objective of this document is two fold to increase IT Security awareness of the Banks/DFIs, and secondly to provide them with guidelines to formulate an effective institution-wide information technology security framework in order to protect their valuable financial and technical assets. These guidelines will provide a starting point to set practices and procedures in place that will eventually reduce the likelihood of internal or external attack on IT resources and also limit the damage caused by an inadvertent or malicious incident. Commitment to IT Security A clear commitment and direction towards IT Security, is required from the banks/dfis senior management. Each bank/dfi should ideally set up an IT Steering committee with the objective of overseeing effective use of IT resources to support business objectives, identifying significant IT related risks, providing guidance in designing & modifying the IT policy to cope with the IT risks, documenting IT issues & initiatives and monitoring the performance. The committee should be a mix of senior management, key business units heads and IT function s senior officers. It should meet regularly. The minutes of the meetings of the 1 These guidelines should be read in conjunction with the introduction along with the glossary, which contains an explanation of the abbreviations and other terms used in these guidelines. Page # 1

IT Steering Committee should be properly drawn up and periodically presented to the Board of Directors and Senior Management. IT Security In today s world, the banking industry relies heavily on Information systems. Banks/DFIs must, therefore, understand existing internal and external threats, such as unauthorized access to critical financial data, service interruptions, impersonating clients and theft or alteration of information. When an institution performs financial transactions, it is very prone to such types of risk. The risk control mechanism and security policies are evolved within the organization to restrict this risk to an acceptable level. IT Security is, therefore, about mitigating/minimizing risk. Risk Management The success of an IT Security program depends on its effective risk management. With risk management, a bank/dfi can identify, assess, measure, monitor risks and take appropriate steps to reduce them. For any effective risk management program, the following vital steps must be followed in the prescribed order: Identification of System / Areas As a first step, it is recommended that the organization carries out a detailed exercise to identify all systems, technology and related assets that are involved in support of critical business processes, and prioritize them with a business value (in terms of the information they process and the cost associated with them) for ease of decision-making and accurate and realistic assessment. Banks may also consider to assign ownership within their respective organizations for identified technology and related assets with clear responsibilities to protect them. Risk Assessment and Re-assessment Risk assessment helps to determine the vulnerability as well as the potential threats (and their consequences) to the identified information systems. Risk needs to be assessed from all aspects of IT Security including physical, environmental, administrative, and technical. It should also identify threatsources and potential vulnerabilities, the likelihood of the occurrence of an event that will exploit that vulnerability and the resulting adverse impact of that event. Risk re-assessment should be a continuing process. Risk Mitigation Risk-reducing controls should be in place that mitigate or eliminate the identified risks and protect the organization s mission at the lowest cost, with minimal adverse impact to the business objectives. The recommended procedural and technical security controls have to be evaluated and prioritized considering the operational impact of the risks, feasibility of the mitigation controls and their costbenefit analysis. IT Security Policy Development IT Security Policies are critical to any organization and its security infrastructure since these in reality provide a risk-control mechanism and are developed in response to Page # 2

known risks. Security objectives can only be met in setting up a workable and organization-wide security policy. For efficient and effective IT Security, security policy and programs should be aligned to the business objectives. It is essential that the policies be structured as lightweight as possible, without missing any important issue. One way to achieve this is to split the whole master policy framework into a number of smaller policies and arrange them in a hierarchical, but coherent, manner. IT Security policies should follow a defined process it is recommended that polices should be approved by the Board of Directors, disseminated and enforced, monitored and revised by Management/Board of Directors, compiled to and signed-off by the users. Revisiting IT Security policies and procedures helps identify any weak points from the previously implemented security measures and facilitates updated risk assessment for the organization. IT Security is, therefore, an ongoing process. Awareness & Training Awareness and training programs are crucial to IT Security since they ensure that users are aware of the risks to IT systems and the policies in place to protect those systems, that the users pay attention to the system i.e. notify the management of any incident that appears to compromise security. IT Security Team To successfully implement IT Security, a lot of coordination work is required from both technical side and the business side. It is recommended that a team be formed of a competent mix of experienced technical and business human resources with a thorough appreciation and understanding of IT Security issues. This team would streamline the IT Security related process and procedures, including incident response and management and should report to the IT Steering Committee. Incident Management IT Security Program will manage and mitigate the IT security risk, but even then exploitation of vulnerabilities can happen to the most well prepared organizations. When such an adverse event occurs, a proper plan must be in place to respond to the contingency. IT Incident management is responsible for incident response planning by covering every reasonable contingency scenario. It includes the definition of an incident response team and the steps (process) to take during an incident. Contingency & Disaster Recover Planning Business continuity planning and disaster recovery planning are vital activities that ensure availability of resources to businesses in an event of disaster. The first step is to consider the potential impact of each type of disaster or event. The plan must then be maintained, tested and audited by the internal auditors to ensure that it remains appropriate to the needs of the organization. Information System Audit and Certifications To ensure the adequacy of the adopted security plan and procedures and the effectiveness of the implemented controls, banks/dfis should opt for a third party IT Page # 3

security audit. In order to build the confidence and trust in the industry and the clients, it may be appropriate for the banks/dfis to go for internationally recognized certifications. Conclusion A completely secure, zero risk system is one which has zero functionality. Latest technology high-performance automated systems bring with them new risks in the shape of new attacks, new viruses and new software bugs, etc. IT Security, therefore, is an ongoing process. Proper risk management keeps the IT Security plans, policies and procedures up to date as per new requirements and changes in the computing environment. To implement controls to counter risks requires policies, and policy can only be implemented successfully if the top management is committed. And policy s effective implementation is not possible without the training and awareness of staff. Page # 4

GLOSSARY Access A specific type of interaction between a subject or entity and an object or resource which results in a flow of information from one to another or in the subject or entity changing the observable properties of the object or resource. For example, the logging on to a computer system, for the purpose of gaining entry to a word processing application or gaining entry to stored information. Attack The act of aggressively trying to bypass security controls on an IT system or network. The fact that the attack is made does not mean it will succeed. The success depends on the vulnerability of the system, network or activity and the effectiveness of safeguards in place. Disaster Recovery Planning The process of developing a plan to restore information technology operations in the event of a disaster. Impersonation An attempt to gain access to an IT system by posting as an authorized user. Information Asset A component or part of the total information system to which the department directly assigns a value to represent the level of importance to the business or operations/operational mission of the department, and therefore warrants an appropriate level of protection. Assets types include: information, hardware, communication equipment, firmware, documents/publications, environmental equipment, people/staff, infrastructure, goodwill, money, income, organizational integrity, customer confidence, services and organizational image. IT Security The protection resulting from an integrated set of safeguards, designed to ensure the confidentiality of information electronically stored, processed or transmitted; the integrity of the information and related processes; the accountability of the information stored, processed or transmitted; and the availability of systems and services. Malicious Incident An adverse event associated with an IT system(s): (a) that is a failure to comply with the departmental security regulations or directives; (b) that results in suspected or actual compromise of classified information; or (c) government property or information. Risk Intuitively, the adverse affects that can result if vulnerability is exploited or if a threat is actualized. in some contexts, a risk is a measure of the likelihood of adverse effects or the product of the likelihood and the quantified consequences. There is no standard definition. Security Incident An adverse event associated with an IT System(s): (a) that is a failure to comply with Departmental security regulations or directives; (b) that results in suspected or actual compromise of classified information; or (c) government property or information. Sensitivity The characteristic of a source, which implies its value or importance to an organization, or the injury, or harm that could result from its deliberate or inadvertent discloser, modification, loss or denial. Potential Threat Any potential event or act that could cause one or more of the following to occur: unauthorized disclosure, destruction, removal, modification or interruption of sensitive or critical information, assets or services. A threat can be natural, deliberate or accidental. Vulnerability A quantifiable, threat-independent characteristic or attribute of any asset within a system boundary or environment in which it operates and which increases the probability of a threat event occurring and causing harm in terms of confidentiality, availability and/or integrity, or increases the severity of the effects of a threat event if it occurs. Page # 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information