SBP issues guidelines on IT security

Published October 1, 2004

KARACHI, Sept 30: The State Bank has asked banks and Development Finance Institutions or DFIs to make adequate and reliable arrangements for Information Technology or IT security and has issued a set of guidelines for this purpose.

A circular (BSD 15) issued by the Banking Supervision Department of the SBP on Thursday said "these guidelines will provide a starting point to set practices and procedures in place for enhancing IT Security."

The guidelines provide guidance on IT security concept, risk management, IT security policy and plan development, IT security areas, IT security team, awareness and training, incident management, contingency and disaster recovery planning and information system audit and certification.

The guidelines finally require banks/DFIs to have a well-functioning and reliable IT security system, which is working round the clock and is continuously being improved.

The circular says the ultimate responsibility for IT security rests with the Board of Directors and the senior management of the banks/DFIs. "They must ensure that the IT systems in their respective institutions have built-in security capabilities to survive real-world threats.

In case, banks/DFIs do not have in-house expertise, they may like to engage outside IT consultants to prepare/assist them in IT security planning. Furthermore, Pakistan Banks Association will also organize training programmes on the subject to enable banks to build up their in-house capacity in this area."

"Banks/DFIs are advised to design and review their IT systems in the light of these guidelines within six months from the date of issue of this circular to ensure that adequate IT security arrangements are in place.

It may be noted that during the course of inspection of banks/ DFIs, our Banking Inspection Department will look into the adequacy of such arrangements," adds the circular.

The term IT applies not only to the stand-alone personal computers, networks and internet, but also to ATMs and other such machines. The use of information technology creates new risks, and the worst case would be the total disruption of service and its consequential financial implications. "Therefore, the banks/DFIs need to understand the importance of risk management with respect to information technology," explains the circular.

Following is the text of the guidelines:

Purpose and Nature: The objective of this document is two-fold - to increase IT Security awareness of the Banks/ DFIs, and secondly to provide them with guidelines to formulate an effective institution-wide information technology security framework in order to protect their valuable financial and technical assets.

These guidelines will provide a starting point to set practices and procedures in place that will eventually reduce the likelihood of internal or external attack on IT resources and also limit the damage caused by an inadvertent or malicious incident.

Commitment to IT Security: A clear commitment and direction towards IT security is required from the banks/DFIs' senior management. Each bank/DFI should ideally set up an IT steering committee with the objective of overseeing effective use of IT resources to support business objectives, identifying significant IT related risks, providing guidance in designing & modifying the IT policy to cope with the IT risks, documenting IT issues & initiatives and monitoring the performance.

The committee should be a mix of senior management, key business units' heads and IT function's senior officers. It should meet regularly. The minutes of the meetings of the IT Steering Committee should be properly drawn up and periodically presented to the Board of Directors and Senior Management.

IT Security: In today's world, the banking industry relies heavily on information systems. Banks/DFIs must, therefore, understand existing internal and external threats, such as unauthorized access to critical financial data, service interruptions, impersonation of clients and theft or alteration of information.

When an institution performs financial transactions, it is very prone to such types of risk. The risk control mechanism and security policies are evolved within the organization to restrict this risk to an acceptable level. IT security is, therefore, about mitigating/minimizing risk.

Risk Management: The success of an IT security programme depends on its effective risk management. With risk management, a bank/DFI can identify, assess, measure, monitor risks and take appropriate steps to reduce them.

For any effective risk management program, the following vital steps must be followed in the prescribed order:

* Identification of System/Areas: As a first step, it is recommended that the organization carries out a detailed exercise to identify all systems, technology and related assets that are involved in support of critical business processes, and prioritize them with a business value (in terms of the information they process and the cost associated with them) for ease of decision-making and accurate and realistic assessment.

Banks may also consider assigning ownership within their respective organizations for identified technology and related assets with clear responsibilities to protect them.

* Risk Assessment and Re-assessment: Risk assessment helps to determine the vulnerability as well as the potential threats (and their consequences) to the identified information systems.

Risk needs to be assessed from all aspects of IT Security including physical, environmental, administrative, and technical. It should also identify threat-sources and potential vulnerabilities, the likelihood of the occurrence of an event that will exploit that vulnerability and the resulting adverse impact of that event. Risk re-assessment should be a continuing process.

* Risk Mitigation: Risk-reducing controls should be in place that mitigate or eliminate the identified risks and protect the organization's mission at the lowest cost, with minimal adverse impact to the business objectives.

The recommended procedural and technical security controls have to be evaluated and prioritized considering the operational impact of the risks, feasibility of the mitigation controls and their cost-benefit analysis.

IT Security Policy Development: IT Security Policies are critical to any organization and its security infrastructure since these in reality provide a "risk-control" mechanism and are developed in response to known risks. Security objectives can only be met by setting up a workable and organization-wide security policy.

For efficient and effective IT Security, security policy and programs should be aligned to the business objectives. It is essential that the policies be structured as lightweight as possible, without missing any important issue. One way to achieve this is to split the whole master policy framework into a number of smaller policies and arrange them in a hierarchical, but coherent, manner.

IT Security policies should follow a defined process - it is recommended that policies should be approved by the Board of Directors, disseminated and enforced, monitored and revised by Management/Board of Directors, and complied with and signed-off by the users.

Revisiting IT Security policies and procedures helps identify any weak points from the previously implemented security measures and facilitates updated risk assessment for the organization. IT Security is, therefore, an ongoing process.

Awareness & Training: Awareness and training programs are crucial to IT Security since they ensure that users are aware of the risks to IT systems and the policies in place to protect those systems, and that users pay attention to the system, i.e. notify the management of any incident that appears to compromise security.

IT Security Team: To successfully implement IT Security, a lot of coordination work is required from both technical side and the business side. It is recommended that a team be formed of a competent mix of experienced technical and business human resources with a thorough appreciation and understanding of IT Security issues.

This team would streamline the IT Security related process and procedures, including incident response and management and should report to the IT Steering Committee.

Incident Management: An IT Security Program will manage and mitigate IT security risk, but even then exploitation of vulnerabilities can happen to the most well-prepared organizations.

When such an adverse event occurs, a proper plan must be in place to respond to the contingency. IT Incident management is responsible for incident response planning by covering every reasonable contingency scenario. It includes the definition of an incident response team and the steps (process) to take during an incident.

Contingency & Disaster Recovery Planning: Business continuity planning and disaster recovery planning are vital activities that ensure availability of resources to businesses in the event of a disaster.

The first step is to consider the potential impact of each type of disaster or event. The plan must then be maintained, tested and audited by the internal auditors to ensure that it remains appropriate to the needs of the organization.

Information System Audit and Certifications: To ensure the adequacy of the adopted security plan and procedures and the effectiveness of the implemented controls, banks/DFIs should opt for a third party IT security audit.

In order to build the confidence and trust in the industry and the clients, it may be appropriate for the banks/DFIs to go for internationally recognized certifications. Effective implementation is not possible without the training and awareness of staff.