
Page 1: IT_POLICY


National Bank for Agriculture and Rural Development

Dept. of Financial Inclusion & Banking Technology

Head Office : BKC, Bandra (E), Mumbai - 400 051

Tel. : +91 22 2653 0024. Fax : +91 22 2653 0150

E-mail : [email protected] . Website : www.nabard.org

Ref No. NB.DFIBT/5413-5814/C95-36/2014-15

30 March 2015

Circular No. 49 / DFIBT-04 / 2015

The Chairman and Managing Director / Chief Executive Officers

State Cooperative Banks

District Central Cooperative Banks

Madam/Dear Sir

Security measures in CBS environment - Credit Information Company Membership (CIC), Information Technology Policy (IT Policy), Information Security Policy (IS Policy), SMS Alerts Facility and FIU-IND Registration

The co-operative sector has migrated to the CBS platform and there are many requirements in the changed environment, where banks now need to adopt an appropriate governance framework, technology management methodologies and foolproof security mechanisms.

RBI has issued instructions to banks for adopting security and risk mitigation measures, taking up membership of Credit Information Companies and introducing an SMS Alerts facility to customers on all financial transactions.

RBI circular No. RBI/2014-15/435 dated 15 January 2015 requires that the banks obtain membership of all four Credit Information Companies, viz., Credit Information Bureau (India) Limited, Equifax Credit Information Services Limited, Experian Credit Information Company of India Private Limited and CRIF High Mark Credit Services Private Limited by 15 April 2015. Unfortunately many of the Banks under the co-operative structure are not complying with these three regulatory requirements, making them vulnerable in the new environment. A reference is also invited to NABARD Circular No. 160/DOS-13/2011 dated 25 August 2011 (copy enclosed).

We therefore advise you to put in place an IT and IS Policy approved by the Board and an SMS alert facility for financial transactions without any further delay, but not later than 30 June 2015. Regarding becoming members of CICs, RBI has already given a timeline of 15 April 2015 which should be adhered to. Banks should also get themselves registered with FIU-IND for sending the necessary reports.

Compliance with these requirements would also form part of the supervisory observations on the bank.

(Chief General Manager)

Taking Rural India >> Forward

Page 2: IT_POLICY


NB.DoS.HO.POL.CFMC / 1884 / P.80 / 2011-12

Circular No. 160 / DoS-13 / 2011

1. The Chairman, All the Regional Rural Banks in the Country

2. The Managing Directors / Chief Executive Officers, All the State Cooperative Banks / Central Cooperative Banks in the Country

Dear Sir

25 August 2011

Frauds in the computerised environment

As you are aware, application of information technology has already been recognised as an effective tool to run the systems efficiently and securely. It helps in creating new opportunities for the organisation and helps it in moving ahead of its competitors. At present, when all the RRBs in our country are set to become CBS compliant as on 30 September 2011, a few Cooperative Banks have also gone ahead in this direction. Although most of the Cooperative Banks have introduced computerisation for their front office operations, only a few have done back office computerisation.

2. As banks are investing in technologies to ensure secure and efficient banking channels, it is necessary for them to adopt an appropriate Governance framework, technology management methodologies and foolproof security mechanisms. However, it is observed that a majority of the Cooperative Banks and RRBs have not employed qualified computer personnel. They have not taken suitable steps for human resource development in the area of information technology by providing training to existing staff. There is a lack of awareness among staff of the security features available with the technology, especially maintaining the secrecy of passwords. There is a lack of awareness at management level of technology adoption, governance, risks, controls, etc. Some of the banks depend fully on service providers for managing the system without entering into a comprehensive agreement on the ethical aspects of the company and the personnel employed by the company. Some of the banks have even allowed the persons working for the computer agency to transact the entire operations of the bank.

3. In the past two years some incidents of cyber fraud have come to our notice. In one case the fraud was perpetrated by an employee of the service provider in collusion with some of the account holders, by making fraudulent credit entries in the SB accounts of the depositors which were subsequently withdrawn by them. In another case the BM in collusion with the service provider had defrauded the bank. In one case a junior officer misused the password of the BM and defrauded the bank.

Page 3: IT_POLICY


4. Vulnerability in IT arises because the creation and authentication of financial transactions on a computer system is done electronically. Unless sufficient control and security features are incorporated in the computer system, fraudulent transactions can enter the system. Two basic principles on which such controls will be established are: i) the principle of least privilege, meaning every individual is given access only to the sensitive information, data or programmes strictly required for his job, nothing more; ii) the principle of maker and checker, meaning that for each transaction there must be at least two individuals: one individual may create the transaction and the other should confirm or authenticate it. Some of the suggestions for prevention of frauds in a computerised environment are given as under:
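The two principles in paragraph 4 expressed as access-control logic, as an added example that is not part of the circular: roles are the only thing a login carries (least privilege), a transaction entered by one person is posted only when a different person holding the checker role authenticates it (maker and checker), and a system-maintenance login has no transactional rights at all, which is the gap the frauds in paragraph 3 exploited. The role names and user directory are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Role(Enum):  # hypothetical role names for this example
    MAKER = "maker"        # may enter a transaction
    CHECKER = "checker"    # may authenticate a transaction entered by someone else
    SYSADMIN = "sysadmin"  # maintains the system; no transactional rights at all

# Constructed user directory. Least privilege: each login carries only the role its
# job needs, so the vendor's engineer can neither enter nor authenticate entries.
USERS = {
    "clerk01": {Role.MAKER},
    "bm01": {Role.CHECKER},
    "officer02": {Role.MAKER, Role.CHECKER},
    "vendor_eng": {Role.SYSADMIN},
}

@dataclass
class Transaction:
    account: str
    amount: int       # credits positive, debits negative
    maker: str
    checker: str = ""
    posted: bool = False

class Ledger:
    def __init__(self):
        self.balances = {}

    def _has(self, user, role):
        return role in USERS.get(user, set())

    def create(self, user, account, amount):
        """Maker step: only a MAKER may enter a transaction; nothing is posted yet."""
        if not self._has(user, Role.MAKER):
            return None
        return Transaction(account, amount, maker=user)

    def authenticate(self, user, txn):
        """Checker step: a second, distinct CHECKER posts the entry to the balance."""
        if txn.posted:
            return "already posted"
        if not self._has(user, Role.CHECKER):
            return "not a checker"
        if user == txn.maker:
            return "maker cannot authenticate own transaction"
        txn.checker, txn.posted = user, True
        self.balances[txn.account] = self.balances.get(txn.account, 0) + txn.amount
        return "posted"
```

Note that a user who legitimately holds both roles still cannot authenticate an entry they made themselves; the check is on identity, not only on role.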

A) General measures

(i) Systems and equipment needs of the bank should be planned for at least three to five years. They should be subject to annual review by Top Management.

(ii) The hardware and software purchase standards need to be standardised.

(iii) Hardware should be tested and proven, with adequate warranty.

(iv) Software acquired from outside should be ensured to conform to the bank's requirements with adequate controls, and should be tested and audited before acceptance.

(v) In-house software development should be standardised and periodical systems audit/review should be conducted.

(vi) Systems in banks should be well documented and kept up-to-date and secure. Changes to the system need to be controlled.

(vii) Data processing procedures, backup procedures etc. should be evolved covering all computer systems of the bank and made known to all concerned.

(viii) System administration procedures and duties of personnel should be clearly spelt out for every computer installation and made known to the employees.

(ix) Confidentiality of information should be categorised and access rights must be specified.

(x) Customer complaints relating to computer areas should be looked at from the computer systems point of view. Computer Planning and Policy Departments (CPPDs) should be associated with this exercise.

(xi) Security procedures covering hardware, software backup, storage of both computer records and reports, stationery etc. should be standardised.

(xii) Computer audit should be made a meaningful exercise by involving the auditors at the system development stage itself. The officers trained in systems audit by the Indian Banks' Association (IBA) in their long term training programmes can be utilised for this purpose.

Page 4: IT_POLICY


(xiii) Operational auditors should be trained for audit around the computer, as part of internal audit of branches.

(xiv) Quarterly snap inspections of the branches should be made by the branch level senior officers and/or by Zonal Office/Regional Office officers, especially to verify whether drawing power/limit, interest rates etc. are correctly entered.

B) Administrative measures

(i) Banks must add relevant paragraphs covering computerised aspects while issuing general Administrative instructions. To this extent there is a need for awareness of the various systems in the bank in non-computer departments, e.g., credit, deposits, development, general operations department, systems and procedures department, etc.

(ii) Training of operational level officers needs to be streamlined to include the computer aspects of each topic in each session.

(iii) Standards should be evolved as regards

a. On-line storage periodicity.

b. Storage of historical data.

c. Procedures regarding old records.

d. Application-wise backup procedures and off-site storage of backups, etc.

e. Uninterrupted power supply should be ensured.

f. Backup of files should be taken at periodical intervals and kept at a nearby office.

g. Employees in EDP Cells and computer areas should be screened and carefully selected. On their unwillingness to work, they should be replaced.

C) Preventive Vigilance measures

(i) In every computer installation at least two persons should be charged with the duties of a) System administration b) Database administration and processing. Their duties should be spelt out. Necessary backup officers should be trained and kept ready.

(ii) Rotation of duties across computerised offices/branches should be ensured in such a way that, while the acquired skills are not wasted, access to those applications whose programmes have been developed by the concerned persons is denied to them. Also, it should be ensured that this segregation is observed in subsequent rotations/postings.

(iii) Every bank should have at its Head Office, CPPD, a library containing authenticated manuals and documentation for system software and application software programmes with their source codes, and hardware manuals.

Page 5: IT_POLICY


(iv) Procedures should be established for conveying sensitive control information, such as limits, drawing power, interest rates, charges, forex rates etc., from the concerned divisions to the computer section.

D) Insurance

It is prudent to obtain insurance cover in respect of particular risks within the bank, e.g., some of the risks such as the cost of replacing data, software and equipment. It may also be possible to insure the consequential losses to a bank following damage to computer resources and the consequent business interruptions. However, insurance should not be regarded as a substitute for a good control mechanism. It may also be prudent to identify the types of losses that are not covered by insurance and, as a matter of policy, lay greater emphasis on the control mechanism in respect of such areas.

5. In view of the above, you are requested to review the IT system of your bank afresh and incorporate proper control measures for uninterrupted functioning of the bank.

6. A note containing problems with passwords and password management principles is enclosed in the Annexure for your reference.

7. Please acknowledge receipt of this circular to our concerned Regional Office.

Yours faithfully

sd/-

(G.C.Panigrahi)

Chief General Manager

Page 6: IT_POLICY


Annexure

Some Problems with Passwords

1. To remember passwords, users write them down.

2. Users choose easy-to-guess passwords, such as the name of a family member or the month in which their birthday occurs.

3. Users do not change passwords for prolonged periods.

4. Users fail to appreciate the importance of passwords.

5. Users disclose their passwords to friends or work colleagues.

6. Some access control mechanisms require users to remember multiple passwords.

7. Some access control mechanisms do not store passwords in encrypted form.

8. Passwords are not changed when a person leaves an organisation.

9. Passwords are transmitted over communications lines in clear text form.

Some Password Management Principles

1. A large set of passwords should be acceptable to an access control mechanism.

2. An access control mechanism should not permit passwords to be chosen that are below a minimum length.

3. An access control mechanism should not permit users to choose weak passwords - for example, words that are found in a dictionary or words containing minimum variation in the letters chosen.

4. Users should be forced to change their passwords periodically.

5. Users should not be permitted to reuse passwords that they have used during, say, the past 12 months.

6. Passwords should be encrypted via a one-way function whenever they are stored or transmitted.

7. Users should be educated about the importance of password security, the procedures they can use to choose secure passwords, and the procedures they should follow to keep passwords secure.

8. Passwords should be changed immediately if there is a possibility they have been compromised.

9. An access control mechanism should limit the number of password entry attempts.

Source : Information Systems Control and Audit - Ron Weber
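Principles 2, 3, 5, 6 and 9 of the Annexure implemented as one access-control mechanism, as an added example that is not part of the circular or of Weber's text: a minimum length, a dictionary and variation check, a history window that refuses reuse, PBKDF2 as the one-way function so only salt and digest are stored, and a lockout after a fixed number of failed attempts. The thresholds, the five-word dictionary and the use of a 12-entry history as a stand-in for "the past 12 months" are constructed assumptions for the example.

```python
import hashlib
import hmac
import os
from collections import deque

MIN_LENGTH = 10      # principle 2
HISTORY_DEPTH = 12   # principle 5: stand-in for "passwords used in the past 12 months"
MAX_ATTEMPTS = 3     # principle 9
ITERATIONS = 50_000  # PBKDF2 work factor, kept modest so the example runs quickly
DICTIONARY = {"password", "welcome", "mumbai", "january", "banking"}  # constructed mini wordlist (principle 3)

def derive(password: str, salt: bytes) -> bytes:
    """One-way function (principle 6): only salt and digest are ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def check_policy(candidate: str, history=()) -> list:
    """Return the principles a candidate violates; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than minimum length")
    if candidate.lower() in DICTIONARY:
        problems.append("dictionary word")
    if len(set(candidate.lower())) < 5:
        problems.append("too little variation in characters")
    if any(hmac.compare_digest(derive(candidate, s), d) for s, d in history):
        problems.append("reused within history window")
    return problems

class Account:
    def __init__(self, initial_password: str):
        self.history = deque(maxlen=HISTORY_DEPTH)  # (salt, digest) of recent passwords
        self.failed, self.locked = 0, False
        assert self.change_password(initial_password), "initial password violates policy"

    def change_password(self, new: str) -> bool:
        """Principles 2, 3, 5: refuse any candidate that breaks the policy."""
        if check_policy(new, self.history):
            return False
        salt = os.urandom(16)
        self.salt, self.digest = salt, derive(new, salt)
        self.history.append((salt, self.digest))
        return True

    def login(self, attempt: str) -> bool:
        """Constant-time verify; lock after MAX_ATTEMPTS consecutive failures (principle 9)."""
        if self.locked:
            return False
        if hmac.compare_digest(derive(attempt, self.salt), self.digest):
            self.failed = 0
            return True
        self.failed += 1
        self.locked = self.failed >= MAX_ATTEMPTS
        return False
```

Because each history entry keeps its own salt, the reuse check has to re-derive the candidate against every stored salt; that cost is the price of never storing the password in recoverable form.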